Certbot Renew Certificate Issue


#1

Hi.
We have been using this server for two years and have never had any problems with the renewal of the certificate. Then we updated to version 0.28 to create new certificates with http-01, but now we get the error you see below. The DNS records are pointing correctly, we have reset them and had them propagate again, and everything works by ping. But we can no longer create the certificate. What could this depend on?

My domain is: mydomain.it

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/mydomain.it.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.it
http-01 challenge for www.mydomain.it.it
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (mydomain.it.it) from /etc/letsencrypt/renewal/mydomain.it.conf produced an unexpected error: Failed authorization procedure. www.mydomain.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.it/.well-known/acme-challenge/YukIpqz6twLz9mvw3vf8J82mJ8lVlvXRd9KMO8JPb0o [37.187.171.38]: "\n\n<!--[if IE 9]>\n<html lang="en" class="ie9 no-js">", mydomain.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.it/.well-known/acme-challenge/Ur119PCPNOGZBPhMKVLBptA6XPGSJ8uo4k99R_Po3xo [37.187.171.38]: "\n\n<!--[if IE 9]>\n<html lang="en" class="ie9 no-js">". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.it/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.it/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot/xenial,xenial,now 0.28.0-1+ubuntu16.04.1+certbot+4 all


#2

Hi @tuttositiweb

There are old certificates (2017-10-27, https://crt.sh/?q=live.streamingwebtv24.it ), so perhaps you have used tls-sni-01 validation. This is deprecated, so Certbot switches to http-01 validation.

I see, you have already tested your domain via https://check-your-website.server-daten.de/?q=live.streamingwebtv24.it

Most looks ok:

Domainname (IP): Http-Status -> redirect, Sec., G
http://live.streamingwebtv24.it/ (37.187.171.38): 302 -> http://live.streamingwebtv24.it/login, 0.297 s, D
http://www.live.streamingwebtv24.it/ (37.187.171.38): 302 -> http://www.live.streamingwebtv24.it/login, 0.290 s, D
http://live.streamingwebtv24.it/login: 200, 0.346 s, H
http://www.live.streamingwebtv24.it/login: 200, 0.356 s, H
https://live.streamingwebtv24.it/ (37.187.171.38): 302 -> https://live.streamingwebtv24.it/login, 1.996 s, B
https://www.live.streamingwebtv24.it/ (37.187.171.38): -10, 0.103 s, P
    SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.
https://live.streamingwebtv24.it/login: 200, 1.707 s, B
http://live.streamingwebtv24.it/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (37.187.171.38): 404, 0.227 s, A
    Not Found
http://www.live.streamingwebtv24.it/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (37.187.171.38): 404, 0.260 s, A
    Not Found

live.streamingwebtv24.it is redirected to the login, port 80 is open, and /.well-known/acme-challenge/random-filename isn't redirected. Instead, there is the expected http status 404 - Not Found.

So you already have an exception: /.well-known isn't redirected to your login.

Check your vHost to find your DocumentRoot. Then use it:

certbot run -a webroot -i apache -w yorDocumentRoot -d live.streamingwebtv24.it

PS: You have both domain names, so add

-d www.live.streamingwebtv24.it

#3

Thank you for answer.
Can you explain better what you mean by yorDocumentRoot?
Let me know.
Thank you.


#4

Your port 80 vHost has something like

<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

This

    DocumentRoot "/www/example1"

is your DocumentRoot, so you can use that path directly:

certbot run -a webroot -i apache -w /www/example1 -d live.streamingwebtv24.it -d www.live.streamingwebtv24.it

#5

Hi. I have tried, but nothing:

certbot run -a webroot -i apache -w mydocumentroot -d live.streamingwebtv24.it -d www.live.streamingwebtv24.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for live.streamingwebtv24.it
http-01 challenge for www.live.streamingwebtv24.it
Using the webroot path mydocumentroot for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. live.streamingwebtv24.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://live.streamingwebtv24.it/.well-known/acme-challenge/XzEA-8lcfi_RwJdMY5Fl8hDkfOuGH8GXiMS-g8Tikdg [xx.xxx.xx.xx]: "\n\n<!--[if IE 9]>\n<html lang="en" class="ie9 no-js">", www.live.streamingwebtv24.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.live.streamingwebtv24.it/.well-known/acme-challenge/vzFXWXRdG6JURO2Bml6q1SXxsu3pC1Cq_TRnpYvINYQ [xx.xxx.xx.xx]: "\n\n<!--[if IE 9]>\n<html lang="en" class="ie9 no-js">"

IMPORTANT NOTES:

I have masked the IP here. I have also used the DocumentRoot correctly.


#6

Did you really use mydocumentroot?

If that doesn't work, this isn't your DocumentRoot. Or you have additional location definitions. Or this vHost isn't used; instead another vHost answers, or an application answers.

Where is the redirect to the login defined? Why does / have a redirect, but /.well-known not?


#7

No, I have used this:
certbot run -a webroot -i apache -w /var/www/html -d live.streamingwebtv24.it -d www.live.streamingwebtv24.it


#8

I have the same error:
certbot run -a webroot -i apache -w /var/www/html -d live.streamingwebtv24.it -d www.live.streamingwebtv24.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for live.streamingwebtv24.it
http-01 challenge for www.live.streamingwebtv24.it
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.live.streamingwebtv24.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.live.streamingwebtv24.it/.well-known/acme-challenge/w2MeM4qmN6grZv8Iw_cIgP5I3soVFkaEI2i5qgzpWag [37.187.171.38]: "\n\n<!--[if IE 9]>\n<html lang="en" class="ie9 no-js">", live.streamingwebtv24.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://live.streamingwebtv24.it/.well-known/acme-challenge/yWq63t9XulDFgfML31oBpPYFDIaRtwE0N_siJXKIa9E [37.187.171.38]: "\n\n<!--[if IE 9]>\n<html lang="en" class="ie9 no-js">"

IMPORTANT NOTES:


#9

We use only that vHost.
It's the first time we have had this issue renewing the certificate.
No problem for more than 1 year.
We have updated to certbot version 0.28, and now we have this issue.


#10

Could you put a test file under /var/www/html/.well-known/acme-challenge/? For example:

echo "Testfile" >> /var/www/html/.well-known/acme-challenge/1234
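The two diagnostic steps above (find the port-80 DocumentRoot in the vHost from #4, then stage a test file under .well-known/acme-challenge from #10) as one added script. This is example code written for this thread, not part of Certbot or the original posts; the vhost config text is constructed, the real webroot is never touched (the demo stages into a temporary directory), and fetch_challenge is a hypothetical helper that shows what the CA sees (a 302 to /login or a 404 means the path is still not served from the webroot).

```python
"""Locate the port-80 DocumentRoot for a hostname in Apache config text and stage
a test token under <DocumentRoot>/.well-known/acme-challenge/, as the thread suggests.
Added example; the config text below is constructed, not the poster's real file."""
import os
import re
import tempfile
import urllib.error
import urllib.request

# Constructed vhost config for the demo (not the poster's configuration).
SAMPLE_CONFIG = """
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName live.streamingwebtv24.it
    ServerAlias www.live.streamingwebtv24.it
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/var/www/html"
    ServerName live.streamingwebtv24.it
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def find_document_root(config_text, hostname, port=80):
    """Return the DocumentRoot of the vhost listening on `port` whose ServerName or
    ServerAlias matches `hostname`, or None if no vhost matches. The http-01 check
    always arrives on port 80, so that is the vhost whose webroot matters."""
    for m in VHOST_RE.finditer(config_text):
        addrs, body = m.group(1), m.group(2)
        if not any(a.rsplit(":", 1)[-1] == str(port) for a in addrs.split()):
            continue
        names = set()
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0].lower() in ("servername", "serveralias"):
                names.update(n.lower() for n in parts[1:])
        if hostname.lower() not in names:
            continue
        dr = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', body, re.M | re.I)
        if dr:
            return dr.group(1)
    return None


def stage_test_file(document_root, token="1234", content="Testfile\n"):
    """Create .well-known/acme-challenge under the webroot (certbot removes the empty
    directory after a challenge, which is why the poster did not find it) and write
    a test file. Returns the path of the file written."""
    chal_dir = os.path.join(document_root, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as f:
        f.write(content)
    return path


def fetch_challenge(hostname, token, timeout=10):
    """Hypothetical helper: fetch the test file over plain HTTP the way the CA does,
    without following redirects. Returns (status, start of body). Needs network,
    so it is only called from the demo below, never from the test."""
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 30x instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return r.status, r.read(64).decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(64).decode(errors="replace")


if __name__ == "__main__":
    host = "live.streamingwebtv24.it"
    print("DocumentRoot for", host, "is", find_document_root(SAMPLE_CONFIG, host))
    # Stage into a temporary directory so the demo does not write to a real webroot.
    with tempfile.TemporaryDirectory() as tmp:
        print("wrote", stage_test_file(tmp))
```

On the real server you would pass the DocumentRoot returned by find_document_root to stage_test_file, then request http://<host>/.well-known/acme-challenge/<token> and expect a 200 with the file's content; anything else (302, 404, an HTML page) points at the same redirect or DocumentRoot problem the thread goes on to find.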


#11

Hi. If I go here: /var/www/html/
I find all the files of my website, but the folders .well-known and acme-challenge are not there.
What do I have to do?
I remember that also in the past I didn't have those folders there.
Thank you.


#12

Make those folders.


#13

I remember that also in the past I didn't have those folders there.
Why does it request them now?
Thank you.


#14

They are probably deleted when empty after certbot has used them for the challenge. But now we want to debug your issue, so please make them and put a test file in them.


#15

Hi. I have done that:
echo "Testfile" >> /var/www/html/.well-known/acme-challenge/1234

And it has created a file called 1234.
What do I have to do now?


#16

http://live.streamingwebtv24.it/.well-known/acme-challenge/1234 gives a 404 File not found.

Perhaps there is some content management system preventing your Apache from serving regular files. Or the DocumentRoot is still not correct.


#17

Hi.
We have seen that there is an .htaccess in the root folder with this:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ /public/$1

In fact, if I put a file inside public I can see it.
So what can I do now?

Thank you.


#19

Try adding:

RewriteCond %{REQUEST_URI} !^/.well-known/

under the existing RewriteCond.
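Why the extra RewriteCond fixes the 404, as an added simulation (not part of the thread or of mod_rewrite itself): it replays the poster's .htaccess rule set from #17 against request paths, once as found and once with the /.well-known/ exception added. Only RewriteCond on REQUEST_URI and RewriteRule with $n backreferences are modelled, which is all these two rule sets use; the request paths are constructed.

```python
"""Replay the .htaccess rewrite chain from the thread against request URIs, with and
without the /.well-known/ exception. Added example modelling just enough of
mod_rewrite (REQUEST_URI conditions, $n substitution, per-directory re-run) to
show where the ACME challenge request ends up."""
import re

# Rule sets as (conditions, (pattern, substitution)). Every RewriteCond that precedes
# a RewriteRule must hold for that rule to fire.
ORIGINAL_RULES = [
    # RewriteCond %{REQUEST_URI} !^/public/
    # RewriteRule ^(.*)$ /public/$1
    (["!^/public/"], (r"^(.*)$", "/public/$1")),
]
FIXED_RULES = [
    # Same, plus the condition suggested in the thread. The unescaped dot still
    # matches a literal '.', so the rule behaves as intended; '!^/\.well-known/'
    # would be the stricter spelling.
    (["!^/public/", "!^/.well-known/"], (r"^(.*)$", "/public/$1")),
]


def cond_holds(cond, uri):
    """Evaluate one RewriteCond against the request URI; a leading '!' negates."""
    negate = cond.startswith("!")
    pattern = cond[1:] if negate else cond
    matched = re.search(pattern, uri) is not None
    return matched != negate


def apply_rules(rules, uri):
    """One pass over the rule set. In .htaccess context the RewriteRule pattern sees
    the path relative to the directory (no leading slash); returns the new URI or
    the input unchanged if no rule fired."""
    for conds, (pattern, subst) in rules:
        if not all(cond_holds(c, uri) for c in conds):
            continue
        m = re.search(pattern, uri.lstrip("/"))
        if m:
            out = subst
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return uri


def resolve(rules, uri, max_passes=10):
    """Per-directory rewriting restarts after each rewrite (an internal redirect),
    so iterate until the URI is stable. The '!^/public/' condition is what stops
    the loop on the second pass; without it Apache would report a rewrite loop."""
    for _ in range(max_passes):
        new_uri = apply_rules(rules, uri)
        if new_uri == uri:
            return uri
        uri = new_uri
    raise RuntimeError("rewrite loop detected")


def challenge_served_from_webroot(rules, token):
    """True if a request for the ACME challenge path stays under /.well-known/,
    i.e. Apache will serve the file certbot wrote into the webroot."""
    path = f"/.well-known/acme-challenge/{token}"
    return resolve(rules, path) == path


if __name__ == "__main__":
    token = "1234"  # constructed, stands in for the random challenge token
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for path in (f"/.well-known/acme-challenge/{token}", "/login", "/public/index.php"):
            print(f"{name:8} {path} -> {resolve(rules, path)}")
```

With the original rules the CA's request for /.well-known/acme-challenge/1234 is rewritten to /public/.well-known/acme-challenge/1234, a path under which certbot never wrote the file, so the application answers with its own 404 or login page (the HTML fragment in the error output). With the exception in place the request stays at the path certbot used, while ordinary requests such as /login are still sent to /public/.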


#20

Ok.
And then I use this?

certbot run -a webroot -i apache -w /var/www/html -d live.streamingwebtv24.it -d www.live.streamingwebtv24.it