Certbot fails on certificate renewal

Hi,

I’m the admin of a non-profit human rights NGO and have used letsencrypt with certbot to use https on our website, saram-nk.org. We’ve recently updated our website and now it seems that something’s broken with the automatic certificate renewal process of certbot. The certificate is still valid for 9 days, but when I try a dry run of the certificate renewal process, I receive the error message you can see below.

I have manually created the directories /site/.well-known/acme-challenge, where /site is the web-root directory of the website and set the rights of these directories to 755. I have added the following lines to the .htaccess-file of the web-root directory:

RewriteEngine On
# Do not redirect ACME http-01 challenge requests
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
# Send www.<host> to https://<host>
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

The directory is now accessible: https://saram-nk.org/.well-known/acme-challenge/

Nevertheless, the dry run of the certificate renewal process still fails.

Any help is highly appreciated.

My domain is: saram-nk.org

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/saram-nk.org.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for saram-nk.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (saram-nk.org) from /etc/letsencrypt/renewal/saram-nk.org.conf produced an unexpected error: Failed authorization procedure. saram-nk.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://saram-nk.org/.well-known/acme-challenge/_usoAhbG7TRL19QssHPzETod6HxQXLUWUfkCfKjpOsM: "<!doctype html>

<meta name="viewport" content="width=device-width, initi". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/saram-nk.org/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/saram-nk.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

The operating system my web server runs on is (include version): Server version: Apache/2.4.25 (Ubuntu)

My hosting provider, if applicable, is: strato.de

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Putting this at the top of your .htaccess might work better:

RewriteEngine On
# Pass /.well-known/... through unchanged and stop processing further rules
RewriteRule ^\.well-known - [L]

Alternatively, you can use the Apache authenticator instead of the webroot authenticator, which will deal with setting the right rewrite rules for you.

certbot renew -a apache --dry-run
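Before re-running certbot it is worth reproducing the CA's http-01 fetch yourself, because the two errors in this thread mean different things: an HTML page where the token should be means a rewrite rule or front controller is catching /.well-known/, while a 404 means certbot's webroot is not the directory the vhost actually serves. The script below is an added example, not code from this thread or from certbot: it writes a random token under <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP from <base_url>/.well-known/acme-challenge/<token>, and reports which failure it sees. The function names, the local throwaway server and the "probe.py" usage are this example's own assumptions.

```python
"""Added example (not from this thread or from certbot): replay the CA's
http-01 fetch against a webroot before running `certbot renew`.

Drops a random token under <webroot>/.well-known/acme-challenge/, requests it
at <base_url>/.well-known/acme-challenge/<token> and checks the body comes
back byte-for-byte. The diagnosis separates an HTML page served instead of
the token (a rewrite/front-controller rule swallowing the path) from a 404
(certbot's webroot is not the directory the vhost serves). The local test
server and all function names are this example's own, not certbot API.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PATH = ".well-known/acme-challenge"


def probe_webroot(webroot, base_url, timeout=10):
    """Return (ok, diagnosis). base_url is the site's plain-HTTP origin, e.g.
    "http://saram-nk.org"; urllib follows redirects, as the ACME validator does."""
    token = secrets.token_urlsafe(32)
    content = secrets.token_urlsafe(32).encode()
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "wb") as fh:
        fh.write(content)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read(4096)
        except urllib.error.HTTPError as err:
            return False, (f"HTTP {err.code} for {url}: the webroot certbot writes to is not "
                           "the directory the vhost serves, or a rule rewrote the path")
        except urllib.error.URLError as err:
            return False, f"could not connect to {url}: {err.reason}"
    finally:
        os.remove(token_file)  # never leave stray files under the challenge dir
    if body == content:
        return True, "token served verbatim; http-01 should pass"
    if body.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return False, ("an HTML page came back instead of the token: a RewriteRule or "
                       "front controller is catching /.well-known/ before the file is served")
    return False, f"unexpected body of {len(body)} bytes; check for other handlers on that path"


class _QuietHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging to stderr."""
    def log_message(self, format, *args):
        pass


def serve_dir(directory):
    """Throwaway HTTP server on 127.0.0.1 serving `directory`; returns (server, origin)."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo_local(correct_webroot=True):
    """Run the probe against a local server, either with the served directory as
    webroot or with a different directory (reproducing the thread's 404)."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, origin = serve_dir(served)
        try:
            return probe_webroot(served if correct_webroot else other, origin)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # python3 probe.py /site http://saram-nk.org
        ok, why = probe_webroot(sys.argv[1], sys.argv[2])
    else:                       # no arguments: exercise against a local server
        ok, why = demo_local()
    print(("OK: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```

Run it on the server as `python3 probe.py /site http://saram-nk.org` after editing .htaccess and before `certbot renew`. A redirect from http to https is acceptable, as the validator follows it, provided the final response is the token itself; and the path must be served on port 80 from every vantage point the CA uses, so a firewall rule that only allows your own address will pass this probe and still fail validation.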

Dear _az,

thank you for your help.

In the .htaccess-file, I have replaced

RewriteEngine On
# Do not redirect ACME http-01 challenge requests
RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
# Send www.<host> to https://<host>
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

with


RewriteEngine On
# Pass /.well-known/... through unchanged and stop processing further rules
RewriteRule ^\.well-known - [L]

I’ve then used the command you provided: certbot renew -a apache -d saram-nk.org --dry-run

The output was:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

I’ve accessed /var/log/letsencrypt/letsencrypt.log and it contains the following lines:


2018-06-19 04:25:00,839:DEBUG:certbot.main:certbot version: 0.19.0
2018-06-19 04:25:00,839:DEBUG:certbot.main:Arguments: ['-a', 'apache', '-d', 'saram-nk.org', '--dry-run']
2018-06-19 04:25:00,839:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-19 04:25:00,873:DEBUG:certbot.log:Root logging level set at 20
2018-06-19 04:25:00,873:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-19 04:25:00,874:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 797, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 375, in handle_renewal_request
raise errors.Error("Currently, the renew verb is capable of either "
Error: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

You only need to do one of those things, not both. Nonetheless, you should be able to now just run:

certbot renew

Since the first fix (as far as I can tell) appears to be working.

I apologize for the bad formatting of my posts, but the wysiwyg editor of this board is giving me troubles, to say the least.

I’ve run this command: certbot renew

The resulting output is:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/saram-nk.org.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for saram-nk.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (saram-nk.org) from /etc/letsencrypt/renewal/saram-nk.org.conf produced an unexpected error: Failed authorization procedure. saram-nk.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://saram-nk.org/.well-known/acme-challenge/zkY-A-jZBpaGqf_pSS0_CgqnyyXXHIglO878fZTFq6c: "

404 Not Found

Not Found

<p". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/saram-nk.org/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/saram-nk.org/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

I'm surprised that didn't work. Perhaps the webroot has moved?

Anyway, try this third way. I made a mistake in my second suggested fix, but this should work for you:

certbot --apache -d saram-nk.org --dry-run

if that succeeds, you can try it live (you might get a rate limit error, but it should resolve within an hour):

certbot --apache -d saram-nk.org

The command : certbot --apache -d saram-nk.org --dry-run

led to this output:

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

I tried running “certbot --apache -d saram-nk.org” anyway and it worked!

Thank you so much, _az. If you’re coming to Berlin anytime, please let me know, so that I can buy you a beer.

