Certbot no longer working after upgrade to 0.21.1

Hi,
we are using LetsEncrypt in combination with certbot on Ubuntu 16.04 - so far everything worked fine.

But after upgrading to 0.21.1 it’s no longer possible to get new certs.

I usually use
certbot --apache certonly --cert-name xyz.com

Worked fine so far without any problems, but after the update I only got an error:

Detail: Invalid response from

A look in Apache Logfiles says:
AH01797: client denied by server configuration:
/var/lib/letsencrypt/http_challenges

Is DocumentRoot in the VirtualHost container ignored? /var/lib/letsencrypt is NOT my webroot. Or is it overwritten during authentication?

Nevertheless, I tried to change the permissions for /var/lib/letsencrypt/ in apache2.conf, and this error message vanished, but still no new cert is available. There’s a new error message:

Failed authorization procedure. xyz.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from …

I don’t know what’s going wrong. I changed nothing in the server configuration and everything worked fine until the last update.

Any help would be appreciated. Thank you very much in advance.

UPDATE:
certbot --apache

works - it only fails if running with the certonly parameter - maybe a bug in the new version?

I think I have the same problem.

I’ve noticed that the request from the LE server has a colon at the end of the filename whereas the stored file does not.

I get:
Detail: Invalid response from
http://blah.blah.blah/.well-known/acme-challenge/0i4J9Nz3mxhWT4mOzc62BOcJpiqRkxP_bEitqeU0h2A:

but the file created is /.well-known/acme-challenge/0i4J9Nz3mxhWT4mOzc62BOcJpiqRkxP_bEitqeU0h2A

I’m going to try playing with rewrite rules as a quick workaround but I’m not sure where the bug actually lies.

Hi @djack, the colon there is part of the error output from Certbot, not part of the filename. So that apparent discrepancy isn't the reason for your error.

@joohoi, could you take a look at this? It’s really weird that it would work better with run than with certonly.

I’ve just tried again and it is working now so I wonder if there was something network-wise giving problems.

Can I suggest modifying the certbot error reporting output to make it clear what the actual requested URL was? That colon caused me a great deal of confusion.

Thanks for your help.

@djack, that error was reported (with the colon) from the server side, which I’m not directly involved with, but I’ve reported an issue here:

@joohoi, if you happen to look in on this, I’m afraid we’ve gotten two separate issues mixed up in this thread but I’m still curious about the original issue with certonly --apache failing and the default run --apache succeeding.
