Certbot failed to authenticate some domains

My domain is:

gnite.pl & www.gnite.pl

I ran this command:

certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/gnite.pl-0001.conf


Renewing an existing certificate for gnite.pl and www.gnite.pl

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: gnite.pl
Type: unauthorized
Detail: 51.68.138.45: Invalid response from http://gnite.pl/.well-known/acme-challenge/RcWf0lSL1ycZEJTRv2h89ghrfAOGpUWPpI4bPxwQmBc: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate gnite.pl-0001 with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/gnite.pl-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Apache 2.4.52

The operating system my web server runs on is (include version):

Ubuntu Server 22.04

My hosting provider, if applicable, is:

VPS @ OVH

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0


I recently moved my server, including all the configs. Whenever I try to renew my certs I get the above error, but if I'm reading the logs right, only for the naked domain; the www seems to work fine. I don't get it: if I manually put a file with the name of one of the tokens in the .well-known/acme-challenge directory, it is accessible via browser both with and without www. What am I doing wrong here...

Hi @gnite, and welcome to the LE community forum :slight_smile:

It's possible that the symlinks within the /etc/letsencrypt/live/ folder did not get moved properly.

Whenever I see:

I know something isn't quite right.

Please show:
certbot certificates
ls -la /etc/letsencrypt/live/*

5 Likes

Hey, thanks for replying. Yeah, there are some old leftovers from other configs, but the -0001 is what I've been using forever, and it's the one used in the Apache config. The certificate does work on the site for now, it just doesn't renew.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: gnite.pl-0001
Serial Number: 3f30980e660acd71745783ffa70ae7e6acf
Key Type: RSA
Domains: gnite.pl www.gnite.pl
Expiry Date: 2022-11-28 23:51:23+00:00 (VALID: 17 days)
Certificate Path: /etc/letsencrypt/live/gnite.pl-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gnite.pl-0001/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ls -la /etc/letsencrypt/live/*
/etc/letsencrypt/live/gnite.pl:
total 8
drwxr-xr-x 2 root root 4096 Mar 1 2016 .
drwx------ 5 root root 4096 May 13 2016 ..
lrwxrwxrwx 1 root root 32 Mar 1 2016 cert.pem -> ../../archive/gnite.pl/cert7.pem
lrwxrwxrwx 1 root root 33 Mar 1 2016 chain.pem -> ../../archive/gnite.pl/chain7.pem
lrwxrwxrwx 1 root root 37 Mar 1 2016 fullchain.pem -> ../../archive/gnite.pl/fullchain7.pem
lrwxrwxrwx 1 root root 35 Mar 1 2016 privkey.pem -> ../../archive/gnite.pl/privkey7.pem

/etc/letsencrypt/live/gnite.pl-0001:
total 8
drwxr-xr-x 2 root root 4096 Aug 31 02:51 .
drwx------ 5 root root 4096 May 13 2016 ..
lrwxrwxrwx 1 root root 38 Aug 31 02:51 cert.pem -> ../../archive/gnite.pl-0001/cert40.pem
lrwxrwxrwx 1 root root 39 Aug 31 02:51 chain.pem -> ../../archive/gnite.pl-0001/chain40.pem
lrwxrwxrwx 1 root root 43 Aug 31 02:51 fullchain.pem -> ../../archive/gnite.pl-0001/fullchain40.pem
lrwxrwxrwx 1 root root 41 Aug 31 02:51 privkey.pem -> ../../archive/gnite.pl-0001/privkey40.pem

/etc/letsencrypt/live/gnite.pl-0002:
total 8
drwxr-xr-x 2 root root 4096 May 13 2016 .
drwx------ 5 root root 4096 May 13 2016 ..
lrwxrwxrwx 1 root root 37 May 13 2016 cert.pem -> ../../archive/gnite.pl-0002/cert1.pem
lrwxrwxrwx 1 root root 38 May 13 2016 chain.pem -> ../../archive/gnite.pl-0002/chain1.pem
lrwxrwxrwx 1 root root 42 May 13 2016 fullchain.pem -> ../../archive/gnite.pl-0002/fullchain1.pem
lrwxrwxrwx 1 root root 40 May 13 2016 privkey.pem -> ../../archive/gnite.pl-0002/privkey1.pem

1 Like

That's a bit off, but should work as you need it.

Let's have a look at the renewal config files:
ls -l /etc/letsencrypt/renewal/*

5 Likes

Just the one:

-rw-r--r-- 1 root root 614 Nov 11 14:46 /etc/letsencrypt/renewal/gnite.pl-0001.conf

And its content:

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/gnite.pl-0001/cert.pem
privkey = /etc/letsencrypt/live/gnite.pl-0001/privkey.pem
chain = /etc/letsencrypt/live/gnite.pl-0001/chain.pem
fullchain = /etc/letsencrypt/live/gnite.pl-0001/fullchain.pem
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/gnite.pl-0001

# Options used in the renewal process
[renewalparams]
account = 15c5008c805172e495c96be7ce48c450
authenticator = webroot
rsa_key_size = 4096
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.gnite.pl = /var/www/gnite.pl/html
gnite.pl = /var/www/gnite.pl/html

3 Likes

Ok, so now we just need to confirm that is the correct webroot for those names.
Let's find it starting with the output of:
apachectl -t -D DUMP_VHOSTS

4 Likes

Here's the output:

VirtualHost configuration:
*:80 gnite.pl (/etc/apache2/sites-enabled/gnite.pl.conf:1)
*:443 gnite.pl (/etc/apache2/sites-enabled/gnite.pl.conf:15)

And the configuration itself; it's based on Mozilla's generator. The directory is correct.

<VirtualHost *:80>
ServerName gnite.pl
ServerAlias www.gnite.pl
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
Protocols h2 http/1.1
ServerName gnite.pl
ServerAlias www.gnite.pl
DocumentRoot /var/www/gnite.pl/html
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/gnite.pl-0001/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/gnite.pl-0001/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gnite.pl-0001/privkey.pem
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Alright, I found it. I added the DocumentRoot parameter to the first vhost as well and this seems to have solved the problem; the renewal process now finishes successfully. Well, thanks for your time and for prompting me to look at this a little bit closer than I have before :slight_smile:

4 Likes
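The mismatch this thread tracked down, as an added example that is not code from the thread or from Certbot: a check that reads the port-80 vhosts and the renewal conf's webroot_map and reports names whose /.well-known/acme-challenge/ path would be served from a different directory than the one Certbot writes the token to. The sample configs are reconstructed from the posts above; the fallback document root of /var/www/html (used when a vhost sets no DocumentRoot) is an assumption.

```python
import re
# Constructed sample from the thread: *:80 vhost with the ACME exception but no DocumentRoot.
APACHE_CONF = """
<VirtualHost *:80>
ServerName gnite.pl
ServerAlias www.gnite.pl
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\\.well\\-known/acme\\-challenge/
</VirtualHost>
"""
# The fix the thread arrived at: DocumentRoot added to the *:80 vhost as well.
FIXED_APACHE_CONF = APACHE_CONF.replace(
    "RewriteEngine On", "DocumentRoot /var/www/gnite.pl/html\nRewriteEngine On")
RENEWAL_CONF = """
[[webroot_map]]
www.gnite.pl = /var/www/gnite.pl/html
gnite.pl = /var/www/gnite.pl/html
"""

def parse_vhosts(conf):
    """Yield (address, server names, DocumentRoot or None) per <VirtualHost>."""
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S):
        names, docroot = [], None
        for parts in (line.split(None, 1) for line in m.group(2).splitlines()):
            if len(parts) == 2 and parts[0] in ("ServerName", "ServerAlias"):
                names += parts[1].split()
            elif len(parts) == 2 and parts[0] == "DocumentRoot":
                docroot = parts[1].strip().strip('"')
        yield m.group(1).strip(), names, docroot

def parse_webroot_map(conf):
    """Map each name under [[webroot_map]] to the directory certbot writes to."""
    mapping = {}
    for line in conf.partition("[[webroot_map]]")[2].splitlines():
        if line.strip().startswith("["):
            break  # next section
        if "=" in line:
            name, path = (s.strip() for s in line.split("=", 1))
            mapping[name] = path
    return mapping

def check_http01_webroots(apache_conf, renewal_conf, default="/var/www/html"):
    """Names whose :80 vhost serves the challenge path from somewhere other than the webroot (assumed root when none set: `default`)."""
    problems = {}
    http = [v for v in parse_vhosts(apache_conf) if v[0].endswith(":80")]
    for name, webroot in parse_webroot_map(renewal_conf).items():
        served = next((v[2] or default for v in http if name in v[1]), default)
        if served != webroot:
            problems[name] = f"served from {served}, token written to {webroot}"
    return problems
```

Run against the real files with `open("/etc/apache2/sites-enabled/gnite.pl.conf").read()` and `open("/etc/letsencrypt/renewal/gnite.pl-0001.conf").read()`; an empty result means every name in webroot_map is served from the directory Certbot writes to.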