Hi,
I have been using Let’s Encrypt for 3 months now on CentOS 7 and Apache. It is time to renew my certs and I have not been able to do so. I spent the night reading other topics with similar issues but I found no solution. It is critical for me to renew and restore my website; it’s been down for 4 hours now. :((
What I have tried so far:
Running the command certbot renew
generates the error:
Cert is due for renewal, auto-renewing...
/usr/lib64/python2.7/site-packages/cffi/model.py:526: UserWarning: 'point_conversion_form_t' has no values explicitly defined; next version will refuse to guess which integer type it is meant to be (unsigned/signed, int/long)
% self._get_c_name())
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.com.br
tls-sni-01 challenge for www.mydomain.com.br
Waiting for verification...
Cleaning up challenges
Error while running apachectl graceful.
Job for httpd.service invalid.
Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.com.br.conf produced an unexpected error: Error while running apachectl graceful.
Job for httpd.service invalid.
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com.br/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com.br
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
883b5ce27275ef075b699399af96855c.75421e9dc4f12985d858d2afbd93fa37.acme.invalid
from 123.12.12.123:443. Received 2 certificate(s), first
certificate had names "mydomain.com.br, www.mydomain.com.br"
Domain: www.mydomain.com.br
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
62709006899fc09be4fae4072edcd408.822483677484878c61c3ced918c4b756.acme.invalid
from 123.12.12.123:443. Received 2 certificate(s), first
certificate had names "mydomain.com.br, www.mydomain.com.br"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I have also tried the following: certbot certonly --expand --webroot --webroot-path /my_path/mydomain.com.br/public_html/
and ultimately got the following error:
Failed authorization procedure. mydomain.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com.br/.well-known/acme-challenge/hqZLYG1Aops-04Jp-0nPCgo-_fqGCHcy9nnng4GJoLU: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http:", www.mydomain.com.br (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.com.br/.well-known/acme-challenge/pweTdryjacukKwLfei1PXdZZz4LQiE_oecQAJ_Bejq0: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http:"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com.br
Type: unauthorized
Detail: Invalid response from
http://mydomain.com.br/.well-known/acme-challenge/hqZLYG1Aops-04Jp-0nPCgo-_fqGCHcy9nnng4GJoLU:
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http:"
Domain: www.mydomain.com.br
Type: unauthorized
Detail: Invalid response from
http://www.mydomain.com.br/.well-known/acme-challenge/pweTdryjacukKwLfei1PXdZZz4LQiE_oecQAJ_Bejq0:
"<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http:"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I checked my DNS A record and it is pointing to my public IP. One thing that puzzled me, however, is that when I checked my snginx.conf file, the server is listening on my inside NAT IP, the private IP, on port 443. I changed it to the same IP that the DNS A record is pointing to, but nginx won’t restart and returns an error; so I am assuming it is supposed to point to my NAT IP (?). Maybe this has nothing to do with it.
Checking the httpd.conf and shttpd.conf files, they are pointing to my public IP and ports 8080 and 8443.
I think there might be a misconfiguration in these files, and then when certbot tries to renew the certificates, apache graceful fails because of this misconfiguration. It is getting to the point that the more I look at it, the more confused I get… I tried all sorts of things… please help!
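The webroot attempt above failed because the fetch of /.well-known/acme-challenge/<token> came back with the site's HTML page rather than the token file, which is exactly what the "Invalid response ... <!DOCTYPE html" detail says. The script below is an added example (not part of the post and not certbot's own code) that reproduces that check before you spend another rate-limited validation: it writes a throwaway token under the same --webroot-path, fetches it over plain HTTP through the public hostname (so the request crosses the nginx proxy and lands on whatever vhost really answers port 80), deletes the probe file, and tells you whether the file was served, an HTML page came back, or the path 404s. The two loopback servers in `demo()` are constructed stand-ins for a correctly served webroot and for a vhost/proxy that answers every URL with the index page; the hostname, webroot path and port 80 are assumptions from the post.

```python
"""Webroot (HTTP-01) pre-flight check: does the server hand back the raw
challenge file, or the site's HTML page? Added example, not certbot code."""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = ".well-known/acme-challenge"


def classify_response(status, body, token):
    """Map what the HTTP fetch returned to a short diagnosis."""
    if status == 200 and body.strip() == token:
        return "ok"            # the ACME server would accept this answer
    if body.lstrip().lower().startswith(("<!doctype", "<html")):
        return "html_page"     # a vhost/proxy served a web page instead of the file
    if status == 404:
        return "not_found"     # the URL never reaches the directory certbot writes to
    return "unexpected"


def check_webroot_challenge(base_url, webroot, timeout=5):
    """Drop a throwaway token under <webroot>/.well-known/acme-challenge/,
    fetch it over HTTP the way the CA would, and classify the answer."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
        request = urllib.request.Request(url, headers={"User-Agent": "webroot-check"})
        try:
            with urllib.request.urlopen(request, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read().decode("utf-8", "replace")
        return classify_response(status, body, token)
    finally:
        os.remove(token_file)  # never leave probe files behind in the webroot


class _QuietFileHandler(SimpleHTTPRequestHandler):
    """Serves the webroot correctly (constructed 'good' server for the demo)."""
    def log_message(self, *args):
        pass


class _IndexOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured vhost/proxy that answers every
    URL with the site's HTML page, the symptom seen in the post."""
    PAGE = b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN">\n<html><body>site</body></html>'

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)

    def log_message(self, *args):
        pass


def start_local_server(handler_factory):
    """Bind a loopback HTTP server on a free port; caller must shutdown()."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against a correctly served webroot and against the
    'always returns the HTML page' misconfiguration; returns both verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        good, port = start_local_server(partial(_QuietFileHandler, directory=webroot))
        try:
            results["served_correctly"] = check_webroot_challenge(f"http://127.0.0.1:{port}", webroot)
        finally:
            good.shutdown()
            good.server_close()
        bad, port = start_local_server(_IndexOnlyHandler)
        try:
            results["html_instead_of_file"] = check_webroot_challenge(f"http://127.0.0.1:{port}", webroot)
        finally:
            bad.shutdown()
            bad.server_close()
    return results


if __name__ == "__main__":
    # Real use (hostname and path assumed from the post):
    # check_webroot_challenge("http://mydomain.com.br", "/my_path/mydomain.com.br/public_html")
    print(demo())
```

A result of "html_page" from the public hostname means the request is being answered by something other than the directory you pass to --webroot-path: with nginx listening on 443 and Apache on 8080/8443, the thing to compare is which vhost nginx proxies port 80 to and which DocumentRoot that vhost uses. Fix the routing until the check returns "ok", then run certbot again; the same check also works for www.mydomain.com.br, which must be served from the same path.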