Certbot (incorrectly?) using "subdomain.mydomain.com.well-known" - which can't be found?

I'm trying to set up auto-renewal of my certs, but I'm getting a weird error when trying to do a test run and renew the certs. I downloaded letsencrypt from GitHub yesterday (2016-11-02) and ran it the first time to generate & install certs. That process went OK, and letsencrypt certs are being served by apache2. Great, but when I try to renew using "certbot-auto certonly", I run into problems.

It seems to be looking for a domain that is not correct:
My server CNAME: subdomain.mydomain.com
Certbot tries to use: subdomain.mydomain.com.well-known

Domain: subdomain.mydomain.com
Type: connection
Detail: Could not connect to subdomain.mydomain.com.well-known

FailedChallenges: Failed authorization procedure. subdomain.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to subdomain.mydomain.com.well-known

I thought it should be using subdomain.mydomain.com/.well-known <-- notice the slash before ".well-known" as compared to what certbot uses to validate the domain??

I verified that if I manually create the /.well-known folder in document root, that it's accessible through apache, but this seems to be looking for the wrong domain (instead of a subfolder) when attempting to validate.

Any ideas what's going on?

Server: Ubuntu 14.04.5 LTS with apache2 running on standard ports

Here's my output log from the attempted dry-run renewal request:

2016-11-03 18:41:12,790:DEBUG:certbot.main:Root logging level set at -10
2016-11-03 18:41:12,791:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-11-03 18:41:12,791:DEBUG:certbot.main:certbot version: 0.9.3
2016-11-03 18:41:12,791:DEBUG:certbot.main:Arguments: ['--debug', '-vvv', '--dry-run', '--webroot', '--webroot-path', '/var/www/html/subdomain', '--email', 'myemailaddress@mydomain.com', '-d', 'subdomain.mydomain.com']
2016-11-03 18:41:12,791:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2016-11-03 18:41:12,792:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2016-11-03 18:41:12,794:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f7615633f90>
Prep: True
2016-11-03 18:41:12,794:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f7615633f90> and installer None
2016-11-03 18:41:12,929:DEBUG:certbot.main:Picked account: <Account(xxx[[REDACTED]]xxx)>
2016-11-03 18:41:12,931:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-11-03 18:41:12,933:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-11-03 18:41:13,068:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 296
2016-11-03 18:41:13,069:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '296', 'Expires': 'Thu, 03 Nov 2016 18:41:59 GMT', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 03 Nov 2016 18:41:59 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}. Content: '{\n  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-11-03 18:41:13,069:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '296', 'Expires': 'Thu, 03 Nov 2016 18:41:59 GMT', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 03 Nov 2016 18:41:59 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}): '{\n  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-11-03 18:41:13,075:INFO:certbot.renewal:Cert not due for renewal, but simulating renewal for dry run
2016-11-03 18:41:13,076:INFO:certbot.main:Renewing an existing certificate
2016-11-03 18:41:13,076:DEBUG:root:Requesting fresh nonce
2016-11-03 18:41:13,076:DEBUG:root:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-11-03 18:41:13,150:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-11-03 18:41:13,150:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Expires': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}. Content: ''
2016-11-03 18:41:13,151:DEBUG:acme.client:Storing nonce: 'xxx[[REDACTED]]xxx'
2016-11-03 18:41:13,151:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, status=None, combinations=None
2016-11-03 18:41:13,151:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "subdomain.mydomain.com"}, "resource": "new-authz"}
2016-11-03 18:41:13,152:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2016-11-03 18:41:13,155:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2016-11-03 18:41:13,155:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "xxx[[REDACTED]]xxx"}}, "protected": "xxx[[REDACTED]]xxx", "payload": "xxx[[REDACTED]]xxx", "signature": "xxx[[REDACTED]]xxx"}'}
2016-11-03 18:41:13,251:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1015
2016-11-03 18:41:13,251:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1015', 'Expires': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/authz/xxx[[REDACTED]]xxx', 'Pragma': 'no-cache', 'Boulder-Requester': '468169', 'Date': 'Thu, 03 Nov 2016 18:42:00 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}. Content: '{\n  "identifier": {\n    "type": "dns",\n    "value": "subdomain.mydomain.com"\n  },\n  "status": "pending",\n  "expires": "2016-11-10T18:42:00.109836644Z",\n  "challenges": [\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475342",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475343",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344",\n      "token": "xxx[[REDACTED]]xxx"\n    }\n  ],\n  "combinations": [\n    [\n      2\n    ],\n    [\n      1\n    ],\n    [\n      0\n    ]\n  ]\n}'
2016-11-03 18:41:13,252:DEBUG:acme.client:Storing nonce: '\xb5\xd6\xe0s\xfd\xbc\xb1\x8e\xce\x98\x97\xecZ\x98+\xa3\xab=\t\xb0\xb7\xfc\xec\x88\x91\x18\xc9\x0c\r\n\x01\xc8'
2016-11-03 18:41:13,252:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1015', 'Expires': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/authz/xxx[[REDACTED]]xxx', 'Pragma': 'no-cache', 'Boulder-Requester': '468169', 'Date': 'Thu, 03 Nov 2016 18:42:00 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}): '{\n  "identifier": {\n    "type": "dns",\n    "value": "subdomain.mydomain.com"\n  },\n  "status": "pending",\n  "expires": "2016-11-10T18:42:00.109836644Z",\n  "challenges": [\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475342",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475343",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344",\n      "token": "xxx[[REDACTED]]xxx"\n    }\n  ],\n  "combinations": [\n    [\n      2\n    ],\n    [\n      1\n    ],\n    [\n      0\n    ]\n  ]\n}'
2016-11-03 18:41:13,253:INFO:certbot.auth_handler:Performing the following challenges:
2016-11-03 18:41:13,253:INFO:certbot.auth_handler:http-01 challenge for subdomain.mydomain.com
2016-11-03 18:41:13,253:INFO:certbot.plugins.webroot:Using the webroot path /var/www/html/subdomain for all unmatched domains.
2016-11-03 18:41:13,254:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/html/subdomain/.well-known/acme-challenge
2016-11-03 18:41:13,257:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/html/subdomain/.well-known/acme-challenge/xxx[[REDACTED]]xxx
2016-11-03 18:41:13,257:INFO:certbot.auth_handler:Waiting for verification...
2016-11-03 18:41:13,258:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "xxx[[REDACTED]]xxx", "type": "http-01", "resource": "challenge"}
2016-11-03 18:41:13,259:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2016-11-03 18:41:13,261:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2016-11-03 18:41:13,261:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "xxx[[REDACTED]]xxx"}}, "protected": "xxx[[REDACTED]]xxx", "payload": "xxx[[REDACTED]]xxx", "signature": "xxx[[REDACTED]]xxx"}'}
2016-11-03 18:41:13,361:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/xxx[[REDACTED]]xxx/16475344 HTTP/1.1" 202 338
2016-11-03 18:41:13,362:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '338', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Expires': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/authz/xxx[[REDACTED]]xxx>;rel="up"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344', 'Pragma': 'no-cache', 'Boulder-Requester': '468169', 'Date': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}. Content: '{\n  "type": "http-01",\n  "status": "pending",\n  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344",\n  "token": "xxx[[REDACTED]]xxx",\n  "keyAuthorization": "xxx[[REDACTED]]xxx"\n}'
2016-11-03 18:41:13,362:DEBUG:acme.client:Storing nonce: ']xxx[[REDACTED]]xxx'
2016-11-03 18:41:13,363:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '338', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Expires': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/authz/xxx[[REDACTED]]xxx>;rel="up"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344', 'Pragma': 'no-cache', 'Boulder-Requester': '468169', 'Date': 'Thu, 03 Nov 2016 18:42:00 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}): '{\n  "type": "http-01",\n  "status": "pending",\n  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344",\n  "token": "xxx[[REDACTED]]xxx",\n  "keyAuthorization": "xxx[[REDACTED]]xxx"\n}'
2016-11-03 18:41:16,366:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/xxx[[REDACTED]]xxx. args: (), kwargs: {}
2016-11-03 18:41:16,440:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/xxx[[REDACTED]]xxx HTTP/1.1" 200 1944
2016-11-03 18:41:16,441:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1944', 'Expires': 'Thu, 03 Nov 2016 18:42:03 GMT', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 03 Nov 2016 18:42:03 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}. Content: '{\n  "identifier": {\n    "type": "dns",\n    "value": "subdomain.mydomain.com"\n  },\n  "status": "invalid",\n  "expires": "2016-11-10T18:42:00Z",\n  "challenges": [\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475342",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475343",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "http-01",\n      "status": "invalid",\n      "error": {\n        "type": "urn:acme:error:connection",\n        "detail": "Could not connect to subdomain.mydomain.com.well-known",\n        "status": 400\n      },\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344",\n      "token": "xxx[[REDACTED]]xxx",\n      "keyAuthorization": "xxx[[REDACTED]]xxx",\n      "validationRecord": [\n        {\n          "url": "http://subdomain.mydomain.com/.well-known/acme-challenge/xxx[[REDACTED]]xxx",\n          "hostname": "subdomain.mydomain.com",\n          "port": "80",\n          "addressesResolved": [\n            "12.34.56.78"\n          ],\n          "addressUsed": "12.34.56.78"\n        },\n        {\n          "url": 
"https://subdomain.mydomain.com.well-known/acme-challenge/xxx[[REDACTED]]xxx",\n          "hostname": "subdomain.mydomain.com.well-known",\n          "port": "443",\n          "addressesResolved": null,\n          "addressUsed": ""\n        }\n      ]\n    }\n  ],\n  "combinations": [\n    [\n      2\n    ],\n    [\n      1\n    ],\n    [\n      0\n    ]\n  ]\n}'
2016-11-03 18:41:16,442:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1944', 'Expires': 'Thu, 03 Nov 2016 18:42:03 GMT', 'Boulder-Request-Id': 'xxx[[REDACTED]]xxx', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 03 Nov 2016 18:42:03 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'xxx[[REDACTED]]xxx'}): '{\n  "identifier": {\n    "type": "dns",\n    "value": "subdomain.mydomain.com"\n  },\n  "status": "invalid",\n  "expires": "2016-11-10T18:42:00Z",\n  "challenges": [\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475342",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475343",\n      "token": "xxx[[REDACTED]]xxx"\n    },\n    {\n      "type": "http-01",\n      "status": "invalid",\n      "error": {\n        "type": "urn:acme:error:connection",\n        "detail": "Could not connect to subdomain.mydomain.com.well-known",\n        "status": 400\n      },\n      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/xxx[[REDACTED]]xxx/16475344",\n      "token": "xxx[[REDACTED]]xxx",\n      "keyAuthorization": "xxx[[REDACTED]]xxx",\n      "validationRecord": [\n        {\n          "url": "http://subdomain.mydomain.com/.well-known/acme-challenge/xxx[[REDACTED]]xxx",\n          "hostname": "subdomain.mydomain.com",\n          "port": "80",\n          "addressesResolved": [\n            "12.34.56.78"\n          ],\n          "addressUsed": "12.34.56.78"\n        },\n        {\n          "url": 
"https://subdomain.mydomain.com.well-known/acme-challenge/xxx[[REDACTED]]xxx",\n          "hostname": "subdomain.mydomain.com.well-known",\n          "port": "443",\n          "addressesResolved": null,\n          "addressUsed": ""\n        }\n      ]\n    }\n  ],\n  "combinations": [\n    [\n      2\n    ],\n    [\n      1\n    ],\n    [\n      0\n    ]\n  ]\n}'
2016-11-03 18:41:16,443:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: subdomain.mydomain.com
Type:   connection
Detail: Could not connect to subdomain.mydomain.com.well-known

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2016-11-03 18:41:16,443:INFO:certbot.auth_handler:Cleaning up challenges
2016-11-03 18:41:16,443:DEBUG:certbot.plugins.webroot:Removing /var/www/html/subdomain/.well-known/acme-challenge/xxx[[REDACTED]]xxx
2016-11-03 18:41:16,444:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/html/subdomain/.well-known/acme-challenge
2016-11-03 18:41:16,444:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/home/ubuntu/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 96, in _auth_from_domains
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 238, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/home/ubuntu/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. subdomain.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to subdomain.mydomain.com.well-known

When this bug has come up before, it’s been a problem with a broken rewrite rule in the Apache configuration (that was rewriting “http://foo.com/” to “https://foo.com” without the slash, or something like that). I’d check your rewrite rules and make sure that if there’s a slash on the input side, it’s matched by a corresponding slash on the output side. I don’t have a forum thread link about other people’s experiences with this, but I think it’s come up elsewhere on this very forum.

@schoen - That was it! Thank you very much!

I had a rewrite rule on port 80 to explicitly redirect users to HTTPS connections:

    <VirtualHost _default_:80>
            Redirect / https://subdomain.mydomain.com
    </VirtualHost>

Which I tweaked to this (by adding the trailing slash at the end):

    <VirtualHost _default_:80>
            Redirect / https://subdomain.mydomain.com/
    </VirtualHost>

Actually, https://subdomain.mydomain.com is an invalid URL. So technically, you didn’t tweak it, you merely corrected it.
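The failure diagnosed in this thread can be checked for before a renewal runs. The following is an added example, not code from the thread or from Certbot: it uses a simplified model of how Apache's `Redirect` appends the unmatched remainder of the request path to the target, and flags directives that send the HTTP-01 path to a different hostname. The function names, the `TOKEN` placeholder and the sample configs (built from the two `VirtualHost` blocks above) are assumptions for illustration.

```python
import shlex
from urllib.parse import urlsplit

# The path the CA requests for http-01; TOKEN is a placeholder.
ACME_PROBE = "/.well-known/acme-challenge/TOKEN"
STATUS_WORDS = {"permanent", "temp", "seeother", "gone"}
DIRECTIVES = {"redirect", "redirectpermanent", "redirecttemp"}


def redirect_location(src_prefix, target, request_path):
    """Simplified model of mod_alias prefix redirects: whatever follows the
    matched prefix in the request path is appended to the target verbatim."""
    if not request_path.startswith(src_prefix):
        return None
    return target + request_path[len(src_prefix):]


def audit_redirects(config_text, probe=ACME_PROBE):
    """Return (line number, resulting hostname, Location) for every Redirect
    that sends the probe path to a hostname other than the target's own."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not something this check parses
        if parts[0].lower() not in DIRECTIVES:
            continue
        args = parts[1:]
        # Optional status argument, e.g. "Redirect permanent / https://..."
        if args and (args[0].lower() in STATUS_WORDS or args[0].isdigit()):
            args = args[1:]
        if len(args) != 2:
            continue
        src, target = args
        location = redirect_location(src, target, probe)
        if location is None:
            continue
        got = urlsplit(location).hostname
        if got != urlsplit(target).hostname:
            findings.append((lineno, got, location))
    return findings


# Constructed sample input: the port-80 vhost before and after the fix.
BEFORE = """<VirtualHost _default_:80>
        Redirect / https://subdomain.mydomain.com
</VirtualHost>"""
AFTER = """<VirtualHost _default_:80>
        Redirect / https://subdomain.mydomain.com/
</VirtualHost>"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_redirects(conf))
```

The hostname reported for the "before" config is the same one that appears in the second `validationRecord` entry of the log.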