Certbot Renewal Error

Hi, I'm attempting to renew my certificate; however, I'm running into the same error a lot of folks are when I issue the command certbot auto-renew or certbot certonly.

When I run certbot certonly (or auto-renew), I get the following error message:

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

I am self-hosting my own webserver (Ubuntu 20), and my domain is loxx.myddns.me with OpenLiteSpeed. I use No-ip.com for the dynamic DNS portion, but I've looked through there, and I don't have any options for setting A records that I can see.

Certbot version: 0.40.0
Yes, I have root access and am using root access when I run the commands.
No control panels are being used.

I've used https://letsdebug.net/ and it reports that my certificate is non-operational. I'm also fairly certain that both ports 80 and 443 are open and are forwarding correctly, as verified with https://canyouseeme.org/

I'm also fairly certain that I don't have a /.well-known/acme-challenge directory, as the original instructions I followed to setup the cert in the first place didn't contain any information pertaining to those directories. These are those instructions.

I don't want to run into my rate limit again for debugging this issue, so I'm concerned about reattempting to issue a new cert until I can figure out the source of the issue.

Finally, I've run my site twice through this website, both by IP address and by domain name, and it provides a lot of information which I don't fully understand, but I'm sure there are some clues in there.

So I'd appreciate any advice you could offer.
Thanks!
~Nick

1 Like

Hi,

Based on the tutorial you provided, you are using webroot to obtain a certificate.
Have you tried sudo certbot renew? If so, do you have the same message as the error?

In order to prevent you from running into failed authorization limits, please do the below test with --dry-run or --staging flag. e.g. sudo certbot renew --dry-run or sudo certbot certonly --staging.

First of all, can you try to run sudo certbot renew --dry-run and share the output? (From the point you execute the command through to the failure / error message.) I'm guessing your webroot path might have changed, or you didn't specify it correctly.
Then, please locate your website's root folder (Document Root in the LSWS web panel); you need to use that as your webroot-path.

1 Like

Hi Steven,

Thanks for the help. Here are the results from the dry run.

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for loxx.myddns.me
Using the webroot path /usr/local/lsws/sites for all unmatched domains.
Waiting for verification...
Challenge failed for domain loxx.myddns.me
http-01 challenge for loxx.myddns.me
Cleaning up challenges
Attempting to renew cert (loxx.myddns.me) from /etc/letsencrypt/renewal/loxx.myddns.me.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/loxx.myddns.me/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/loxx.myddns.me/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Perhaps I didn't do this correctly, but when I originally setup the cert, I put it in the root of my webserver sites folder as I have several sites I am running, thinking that one cert would serve the entire server. Maybe this is not correct thinking?

So my path to my sites folder is /usr/local/lsws/sites/
(and in there I have several sub directories for different sites)

In OLS my document root is $VH_ROOT/sites/, so I believe that's correct.

I have also tried running the dry-run command with a webroot listed, but got the same results.
certbot renew --webroot -w /usr/local/lsws/sites --dry-run

Same error as before, so I'm pretty stumped as to what I'm doing wrong.

Thanks Steven for your help on this.

1 Like

What is the complete path?
Is it /usr/local/lsws/sites/xxx/sites/?

You need to use the complete path for webroot path as sudo certbot renew --cert-name loxx.myddns.me --webroot -w /usr/local/lsws/sites/xxx/sites/ --dry-run --renew-hook "sudo service lsws reload"

1 Like

Well originally the complete path to where all the sites where (where I first thought I installed the cert was) is /usr/local/lsws/sites/.

However I am only currently using one site at the moment, and so I also tried your command using that directory just to cover my bases, (I run both of these commands as root btw, sudo -s)

certbot renew --cert-name loxx.myddns.me --webroot -w /usr/local/lsws/sites/resefe/ --dry-run --renew-hook "sudo service lsws reload"

and I received the same error message, so at least it's consistent. ha ha.

This is the bit that confuses me in the error message.
Detail: Invalid response from
http://loxx.myddns.me/.well-known/acme-challenge/Rvp8hKwk_gcvZJ_WKYFDgjYStZYzyKrNP_Q6I1Beks8

Am I supposed to have a directory/sub dir called .well-known/acme-challenge at the root of my server with some sort of file in it?

Also, this is what is in my .conf file, does the webroot in here need to be updated?

renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/loxx.myddns.me
cert = /etc/letsencrypt/live/loxx.myddns.me/cert.pem
privkey = /etc/letsencrypt/live/loxx.myddns.me/privkey.pem
chain = /etc/letsencrypt/live/loxx.myddns.me/chain.pem
fullchain = /etc/letsencrypt/live/loxx.myddns.me/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 7cf369883b8b7ec5bc973b82e6c87653
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /usr/local/lsws/sites,
[[webroot_map]]

Thanks!

1 Like

According to your document root, the path might be /usr/local/lsws/sites/resefe/sites/
Basically, it's the path where all files presented in the directory will be served.

I think the webroot plugin will create it. But just in case, can you try to create a file named test under /usr/local/lsws/sites/resefe/sites/.well-known/acme-challenge/? You can fill in anything for the content, but just make sure the file is there. Then you should be able to see http://loxx.myddns.me/.well-known/acme-challenge/test

1 Like

@stevenzhu

Are you meaning:

--deploy-hook "sudo service lsws reload"

1 Like

Ok, I've added 2 sets of .well-known/acme-challenge directories now and in each one I've put an index.html file,

both are accessible via chrome, https://loxx.myddns.me/.well-known/acme-challenge and https://loxx.myddns.me/resefe/.well-known/acme-challenge

I also tried Griffin's alternate suggestion of changing --renew-hook to --deploy-hook, but I'm still getting the same error. =/

Is it possible that I'm at the stage where I need to uninstall letsencrypt completely and start over from scratch?

1 Like

The first one works fine. Now the question is, what's the complete path for the first link?

Yeah I do mean that, sorry...

No I don't think it's necessary... We just need to figure out what's the correct / complete webroot path...

1 Like

Ok, so it's a webroot issue (potentially).

Let's back up a minute. Perhaps my understanding of how to deploy the cert in the first place was wrong.

To recap, my server structure is as follows:

Full path to root directory of OLS sites
/usr/local/lsws/sites

Under the sites directory, I have several sub dirs for different sites. (resefe, portal, etc etc), which for example for the resefe site (the main one I'm testing) would be
/usr/local/lsws/sites/resefe

So to your question, what's the complete path to the first link, I believe this should be it.
/usr/local/lsws/sites/.well-known/acme-challenge/index.html

Here's a snippet from OLS, to help me try to understand the server pathing.
|Virtual Host Name |loxx.myddns.me|
|Virtual Host Root |$SERVER_ROOT/|
|Config File |$SERVER_ROOT/conf/vhosts/$VH_NAME/vhconf.conf|

So if $vh_root is = to $server_root/
and
$server_root is /usr/local/lsws/
and
Document_root is = to $VH_ROOT/sites/

Then wouldn't the correct directory (full path) be /usr/local/lsws/sites? Because $server_root is /usr/local/lsws and $vh_root is also the same (/usr/local/lsws) and then
$doc_root is /usr/local/lsws/sites
------------------^Server ^VH ^Doc Root

Or do I still not understand the pathing correctly?

I've also re-read the error numerous times, and I'm taking a guess here that it's looking for a file called NWdshgKvADunRlcImzQ3qizgl1v_qzgQ2k27PhFQgis that would live in the above mentioned .well-known/acme-challenge folder, but I can't seem to find this file anywhere on my HD, so can it be regenerated somehow?

2 Likes

In this case, then /usr/local/lsws/sites/ should be your document root, thus your webroot path.
The only thing I can think of now is to increase the debug level and see what certbot made in your local folder.
Try -vv (I already included it) and see if there's any mention of where certbot placed the file.

certbot renew --cert-name loxx.myddns.me --webroot -w /usr/local/lsws/sites/resefe/ --dry-run --deploy-hook "sudo service lsws reload" -vv

There's not a way to regenerate the file, because it's randomly (well, semi-randomly) generated every time you initiate a new request.

P.S. It's really not that good to put your document root right under your lsws host...

2 Likes

I really do appreciate all of your effort Steven to help me get this running, it has been awesome.

Running that command really did provide a lot more info, most of which I don't understand. I am going to copy it all into a file and see if I can attach it to this post; it's far too long to post in the thread. :)

Oh, really? Seemed like a good way to keep things organized, but ideally it should be somewhere else? like the /var/www folder perhaps?

Nuts, won't let me upload an attachment. So I've linked it via my site.
https://loxx.myddns.me/loxx.myddns.me.resefe.txt

I'm going to study this file, but again, it's all Greek to me... =/

2 Likes

Hi,

I checked your log file and see that you are using the /resefe/ path (it's entirely my bad... I wrote the wrong one). But it does seem like it wrote a file under your directory...

Can you run the command again, but without the /resefe/ this time?

@griffin JIC do you have any better suggestions? I'm out of options here...

1 Like

I'm out for a bit, but I'll analyze as soon as I get the chance.

Hi Steven,

I've actually run it both ways (with and without the /resefe/ bit) and I get the same error results each time.

It really may be time to toss in the towel, wipe LE and start over from scratch... shouldn't be this hard to renew a cert yea? So must be something wonky on my end.

:)

2 Likes

...so I attempted to flush and start over today, and no luck.

I deleted my expired certs, uninstalled certbot, reinstalled certbot, and then ran the certbot certonly command and couldn't make it through.
Here's what I did.

root@DrXwebserver:/etc# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): loxx.myddns.me
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for loxx.myddns.me
Input the webroot for loxx.myddns.me: (Enter 'c' to cancel): /usr/local/lsws/sites/resefe
Waiting for verification...
Challenge failed for domain loxx.myddns.me
http-01 challenge for loxx.myddns.me
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

...and I'm stuck. This is a major bummer, as it's ground my webserver to a halt, since I can't (so far) get this resolved. =/

Not sure where to go from here. Any hail mary type of suggestions? Use a standalone server temporarily to get the cert installed perhaps?

Thanks,

1 Like

@stevenzhu was suggesting the following command:

certbot renew --cert-name loxx.myddns.me --webroot -w /usr/local/lsws/sites/resefe/ --dry-run --deploy-hook "sudo service lsws reload" -vv


1 Like

I will try that, but as I flushed / restarted certbot today, I don't think there's any certificate to renew. Thanks for the suggestion though, I'll give it a shot.

1 Like

Hi Everyone,

I want to thank the tireless efforts of Steven and the rest who worked on this to help me get this resolved.

I have finally got it resolved, but it was a pretty strange path to get from A to B, so I'll post it just in case anyone else ever has this issue.

Since I couldn't figure out what was going on from the logs, I decided to use an A Bomb solution and start from scratch.

I nuked openlitespeed and also certbot. I switched from OLS to Nginx.

Once I got nginx setup, I noticed that I was still getting redirected from http to https every time I tried to visit a site on my server, which obviously caused a lot of headscratching as I had nuked OLS and had not setup HTTPS yet on nginx (nginx would 500 error every time I tried to visit certain subdirectories under my domain name).

Turns out, one of my wordpress plugins on my site (Wordfence) was intercepting http requests and redirecting them. Since I didn't have any https setup, it was just erroring out.

So I had to remove the wordfence-waf.php & .user.ini files from my WP directories, and once I cleaned that out, the redirects stopped and I was able to reinstall certbot under nginx again.

So to recap:
If you are running wordpress sites with the wordfence plugin, it might be the cause of your "invalid response" issue when trying to renew your certs. At least it was a contributing factor in my case. One I would have never figured out, had I not decided to wipe the webserver software and start over.

Thanks again everyone.

3 Likes
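As an added example (not certbot's code and not from anyone in this thread), a Python pre-flight check that does what Steven's test-file suggestion and the final Wordfence finding both point at: it writes a throwaway token under <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP the way the validator would, and records any redirect hops, so a wrong webroot or a stray http-to-https redirect shows up before a real, rate-limited attempt. The webroot path and domain are placeholders to fill in, and `fetch` is injectable so the logic can be exercised without a live server.

```python
"""Pre-flight check for an http-01 webroot. Added example, not certbot's
own code; webroot/domain are placeholders supplied by the caller."""
import os
import secrets
import urllib.request
from urllib.error import URLError

CHALLENGE_DIR = ".well-known/acme-challenge"


class _RedirectRecorder(urllib.request.HTTPRedirectHandler):
    """Follow redirects like the ACME validator does, but remember each hop."""
    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def http_fetch(url, recorder):
    """Plain-HTTP GET; returns (status, body) or raises URLError/HTTPError."""
    opener = urllib.request.build_opener(recorder)
    with opener.open(url, timeout=10) as resp:
        return resp.status, resp.read()


def check_webroot(webroot, domain, fetch=http_fetch):
    """Drop a random token file in <webroot>/.well-known/acme-challenge/ and
    verify it comes back unchanged from http://<domain>/.well-known/acme-challenge/<token>.
    Returns a dict with the URL tried, redirect hops seen, and ok/error."""
    token = secrets.token_urlsafe(32)
    target_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    recorder = _RedirectRecorder()
    result = {"url": url, "path": path, "redirects": [], "ok": False, "error": None}
    try:
        status, body = fetch(url, recorder)
        result["ok"] = status == 200 and body.strip() == token.encode()
        if not result["ok"]:
            result["error"] = f"status {status}, body {body[:60]!r}"
    except (URLError, OSError) as exc:  # HTTPError (4xx/5xx) is a URLError
        result["error"] = str(exc)
    finally:
        result["redirects"] = list(recorder.hops)
        os.remove(path)  # never leave stale tokens in the served directory
    return result
```

On the server this would be called as check_webroot('/usr/local/lsws/sites', 'loxx.myddns.me'); a non-empty redirects list together with an error is the pattern an http-to-https redirect like the Wordfence one would produce.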