Certbot renew of Multi-Cert failed

Help
1

Trying to renew Multi-Domain Cert with name “www.swiss7cloud.ch” with an existing Sub-Domains www.swiss7cloud.ch and Sub-Domain office.swiss7cloud.ch

Webserver is running in productive mode & is serving data.

My domain is: www.swiss7cloud.ch

The operating system my web server runs on is (include version):

centos-release-7-6.1810.2.el7.centos.x86_64

i can login to a root shell on my machine : yes

I’m using a control panel to manage my site : no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.30.2

Renewal Parameter: (conf-file)

[renewalparams]
authenticator = webroot
account = xxxxxxx
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html/nextcloud,
[[webroot_map]]
office.swiss7cloud.ch = /var/www/html/nextcloud
swiss7cloud.ch = /var/www/html/nextcloud
www.swiss7cloud.ch = /var/www/html/nextcloud

Error msg:

“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from https://office.swiss7cloud.ch/.well-known/acme-challenge/pxBgqx01xsl30EgoQapf1xoSoblh3INQutD8-cPWO7Y [88.151.146.103]: “\u003c!DOCTYPE html\u003e\n\u003chtml lang=\“en\”\u003e\n\u003chead\u003e\n\u003cmeta charset=\“utf-8\”\u003e\n\u003ctitle\u003eError\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n\u003cpre\u003eCannot GET /.well-known/””,
“status”: 403

Additional Infos:

There is an Apache Proxy-Redirect of “Office.swiss7cloud.ch” to a Container (Docker), which provice the Cloud Office Application … it Looks like the ACME Response from that Docker Container cannot be obtained by certbot.

Strange Thing is, that the first CERT creation did work -->

certbot certonly --cert-name www.swiss7cloud.ch --webroot -w /var/www/html/nextcloud -d swiss7cloud.ch,www.swiss7cloud.ch,office.swiss7cloud.ch

Maybe some Environment Parameters did Change since … or there was / is a cerbot Software Change !?

2

Hi @Githopp192

there is a check of your office - subdomain ( https://check-your-website.server-daten.de/?q=office.swiss7cloud.ch ):

With the info

A Info: Different Server-Headers found

And a redirect http -> https:

Domainname Http-Status redirect Sec. G
http://office.swiss7cloud.ch/
88.151.146.103 301 https://office.swiss7cloud.ch/ 0.073 A
https://office.swiss7cloud.ch/
88.151.146.103 302 https://office.swiss7cloud.ch/welcome/ 0.513 A
https://office.swiss7cloud.ch/welcome/ 200 0.380 A
http://office.swiss7cloud.ch/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
88.151.146.103 301 https://office.swiss7cloud.ch/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.076 A
Visible Content: Moved Permanently The document has moved here .
https://office.swiss7cloud.ch/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.396 A
Not Found
Visible Content: Cannot GET /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

But http:

Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.10

Instead https:

Server: nginx

So if you use the webroot parameter, you must use the root of your nginx in your command. Not the DocumentRoot of your Apache.

Perhaps it's easier if you create two different certificates: One with the office subdomain, the other with your domain (non-www and www).

3

The Document-root of the Docker nginx (OnlyOffice Container) on another machine is not reachable on the Cloud-Server through “certbot” unfortunately -->
certbot certonly --dry-run --webroot -w /var/www/html/nextcloud -d swiss7cloud.ch,www.swiss7cloud.ch -w /var/www/onlyoffice/documentserver office.swiss7cloud.ch
/var/www/onlyoffice/documentserver does not exist or is not a directory

Certbot want to have got this Directory onto the Cloud Server (which is correct, it’s an Apache Server).

Yes, it would be easier creating two different certs … but i think it’s not working from the Cloud perspective. OnlyOffice is called from the Cloud URL, when opening an Office Document, and then through Subdomain Redirection the OnlyOffice Container would be contacted. This is happening all inside the Cloud-URL … so both (Cloud & OnlyOffice) would need the same Cert.

Hm … i’m seeing several approaches …

  • Workaround: Through Cloud Maint.Window … interim disabling office.swiss7cloud redirection, retry the renewal
  • Maybe building some additional Apache “Virtual Host” with a ACME Rewrite Rule -->

<VirtualHost :80>
DocumentRoot “/var/www/html/”
ServerName www.example.com
ServerAlias example.com
RewriteEngine On
RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.) https://%{SERVER_NAME}/$1 [R,L]

or … maybe my favorite

  • going the way with DNS-01 Challange -->
    There are some tools on Github, where i could automate those things …

What do you think ?

4

Every domain has it's own certificate. If the office-subdomain uses another webspace, it's difficult to create one certificate with all domain names.

So split it - or use dns-01 validation.

5

Because of Urgency … i decided to proceed with Method 1 (Workaround: Through Cloud Maint.Window … interim disabling office.swiss7cloud redirection, retry the renewal) … and it worked … so … as soon i’m gonna disabling the Redirection to NIGINX … the Webroot Method does work …
Thinking … either using the DNS-01 Method or removing the NGINX Redirection before a renewal in the future …

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.