Solved it!
Had to do some debugging… -vvv flag did it.
The problem was missing access rights for the apache user www-data on
/var/lib/letsencrypt (was: root:root, 750).
For all out there in the wild, here’s a short description of what’s going on with letsencrypt’s http authentication:
- certbot acquires a one-time challenge key from letsencrypt.org
- This key is placed in /var/lib/letsencrypt/http-challenges
- The apache config is temporarily rewritten by certbot to redirect corresponding requests to that dir.
- A graceful restart of apache is performed, so that the rewritten apache config gets activated.
- letsencrypt performs an HTTP GET on .well-known/acme-challenge/ which gets redirected to /var/lib/letsencrypt/http-challenges/. That’s why apache needs read access to that path!
- The authentication gets confirmed, the cert is updated and the original apache config gets restored.
Solution (as root): cd /var/lib; chown -R root:www-data letsencrypt