Certbot Renew Error - 404

I am attempting to manually renew my certs using Certbot and one of the sub-domains is failing with a 404 (‘not found’) error. DNS resolution works perfectly.

My domains are:
agreliantinc.com, agreliantinc.ca

My sub-domains are:
companypolicy.agreliantinc.com
companypolicy.agreliantinc.ca
connectpride.agreliantinc.com
connectpride.agreliantinc.ca

The sub-domain connectpride.agreliantinc.ca is failing.

I ran the command:
sudo certbot renew

It produced the output (sorry I cannot include the complete output but new users here cannot upload files and have a severe size limit):
2019-03-05 11:30:51,426:DEBUG:certbot.main:certbot version: 0.28.0
2019-03-05 13:34:39,984:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/YDCpxz82kmgx9d5KpJpUhqnosEcKmKfCFPY2Psi6c-Y.
2019-03-05 13:34:40,078:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/YDCpxz82kmgx9d5KpJpUhqnosEcKmKfCFPY2Psi6c-Y HTTP/1.1" 200 2071
2019-03-05 13:34:40,079:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Link: https://acme-v02.api.letsencrypt.org/index;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2071
Expires: Tue, 05 Mar 2019 18:34:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 05 Mar 2019 18:34:40 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "connectpride.agreliantinc.ca"
  },
  "status": "invalid",
  "expires": "2019-03-12T18:34:31Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/YDCpxz82kmgx9d5KpJpUhqnosEcKmKfCFPY2Psi6c-Y/13280765572",
      "token": "EYqgUeFvg22Pe7wW72jsV1_OKwLsFjxe20LB5TgIXdk"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/YDCpxz82kmgx9d5KpJpUhqnosEcKmKfCFPY2Psi6c-Y/13280765573",
      "token": "VQnaB8_t8hZ3jV0WG_qtG4Ss-cmzGHJy6gGtnO3xKQE"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/YDCpxz82kmgx9d5KpJpUhqnosEcKmKfCFPY2Psi6c-Y/13280765574",
      "token": "zNpDjsGItlNn9flNtbuUmASE4ukTTq5kBR1Zs-gV66I"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://connectpride.agreliantinc.ca/.well-known/acme-challenge/PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU [216.8.180.146]: \"\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/YDCpxz82kmgx9d5KpJpUhqnosEcKmKfCFPY2Psi6c-Y/13280765575",
      "token": "PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU",
      "validationRecord": [
        {
          "url": "http://connectpride.agreliantinc.ca/.well-known/acme-challenge/PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU",
          "hostname": "connectpride.agreliantinc.ca",
          "port": "80",
          "addressesResolved": [
            "216.8.180.146"
          ],
          "addressUsed": "216.8.180.146"
        }
      ]
    }
  ]
}
2019-03-05 13:34:40,081:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: connectpride.agreliantinc.ca
Type: unauthorized
Detail: Invalid response from http://connectpride.agreliantinc.ca/.well-known/acme-challenge/PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU [216.8.180.146]: "\n\n404 Not Found\n\n

Not Found

\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-03-05 13:34:40,083:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. connectpride.agreliantinc.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://connectpride.agreliantinc.ca/.well-known/acme-challenge/PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU [216.8.180.146]: "\n\n404 Not Found\n\n

Not Found

\n<p"

2019-03-05 13:34:40,083:DEBUG:certbot.error_handler:Calling registered functions
2019-03-05 13:34:40,084:INFO:certbot.auth_handler:Cleaning up challenges
2019-03-05 13:34:40,551:WARNING:certbot.renewal:Attempting to renew cert (agreliantinc.ca) from /etc/letsencrypt/renewal/agreliantinc.ca.conf produced an unexpected error: Failed authorization procedure. connectpride.agreliantinc.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://connectpride.agreliantinc.ca/.well-known/acme-challenge/PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU [216.8.180.146]: "\n\n404 Not Found\n\n

Not Found

\n<p". Skipping.
2019-03-05 13:34:40,554:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1168, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. connectpride.agreliantinc.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://connectpride.agreliantinc.ca/.well-known/acme-challenge/PJvgQ-aMXcjdEJIG6YkY5Fee0y5Cf4AE4GuOHnIukTU [216.8.180.146]: "\n\n404 Not Found\n\n

Not Found

\n<p"

2019-03-05 13:34:40,557:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-03-05 13:34:40,558:ERROR:certbot.renewal: /etc/letsencrypt/live/agreliantinc.ca/fullchain.pem (failure)
2019-03-05 13:34:40,558:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is Apache 2.4.18

My OS is Ubuntu server (not gui) 16.04.6

The server is onsite and I have full control over it. No hosting provider. DNS resolution is provided by Netfirms and I have full control over all the DNS records.

After this failure, I read all the posts I could find without any success.

TIA

Hi,

What method did you use to obtain the certificate initially? (The authenticator?)

Thank you

Hi,

This has been running smoothly for over a year now and I don’t remember which authenticator I used. Is there any way I can tell on the server itself?

There’s a big change underway in how users can prove control over their domains to Let’s Encrypt. In preparation for that, Certbot’s behavior has been changing in recent versions, including in the version 0.28.0 that you’re running.

If you’re using the Certbot apache authenticator (you can check in /etc/letsencrypt/renewal), you may be experiencing a known bug in how this authenticator performs the HTTP-01 challenge on systems that have multiple possibly-relevant Apache virtual hosts. This bug was fixed for most people in Certbot 0.31.0.

So if this is the case, you could try to find a way to upgrade to Certbot 0.31.0 or later, or switch to using the webroot authenticator (with --webroot) if you have a directory from which your Apache server serves static files (as opposed to, for example, proxying everything to a web app).
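The reply above points at /etc/letsencrypt/renewal to find the authenticator and suggests the webroot method. As an added example (not certbot's own tooling and not posted by anyone in this thread), here is a POSIX shell pre-flight that reads the authenticator and webroot path from a lineage's renewal conf and, for webroot lineages, places a probe file under .well-known/acme-challenge/ and fetches it over plain HTTP for each mapped domain, reproducing the CA's request so a 404 like the one in the log shows up before "certbot renew" is run. It assumes the renewal conf layout certbot writes ([renewalparams] with "authenticator =" and "webroot_path =", plus a [[webroot_map]] section of "domain = /path" lines); the probe file name is a constructed value.

```shell
#!/bin/sh
# HTTP-01 renewal pre-flight (added example, not certbot's own tooling).
# Assumes certbot's renewal conf layout: [renewalparams] with "authenticator = ..."
# and "webroot_path = ...", and a [[webroot_map]] section of "domain = /path" lines.

# Print the authenticator named in a renewal conf, e.g. "apache" or "webroot".
lineage_authenticator() {
    sed -n 's/^authenticator *= *\([A-Za-z0-9_-]*\).*/\1/p' "$1" | head -n 1
}

# Print the first webroot_path from a renewal conf (certbot appends a comma).
lineage_webroot() {
    sed -n 's/^webroot_path *= *\([^,]*\).*/\1/p' "$1" | head -n 1
}

# Domains listed in the [[webroot_map]] section (the only keys containing a dot).
lineage_domains() {
    sed -n 's/^\([A-Za-z0-9.-]*\) *= *.*/\1/p' "$1" | grep '\.'
}

# Write a probe file into the challenge directory and print its URL path.
place_probe() {  # $1 = webroot directory
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" && printf 'ok\n' > "$dir/preflight-$$" || return 1
    printf '/.well-known/acme-challenge/preflight-%s\n' "$$"
}

# Fetch the probe over plain HTTP as the CA does; 200 means this vhost serves
# the webroot, a 404 (as in the log above) means the request lands elsewhere.
check_domain() {  # $1 = domain, $2 = URL path
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$1$2")
    printf '%-40s HTTP %s\n' "$1" "$code"
    [ "$code" = "200" ]
}

preflight() {  # $1 = /etc/letsencrypt/renewal/<lineage>.conf
    auth=$(lineage_authenticator "$1")
    echo "authenticator: ${auth:-unknown}"
    [ "$auth" = "webroot" ] || return 0      # only webroot lineages are probed
    root=$(lineage_webroot "$1")
    [ -n "$root" ] || { echo "no webroot_path in $1"; return 1; }
    path=$(place_probe "$root") || return 1
    rc=0
    for d in $(lineage_domains "$1"); do
        check_domain "$d" "$path" || rc=1
    done
    rm -f "$root$path"
    return $rc
}
case "${1:-}" in "") ;; *) preflight "$1" ;; esac
```

Run it as root against the lineage that failed, e.g. `sh preflight.sh /etc/letsencrypt/renewal/agreliantinc.ca.conf`; a non-zero exit names the domain whose vhost does not serve the challenge directory.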