Certbot renewal error

Hi, Team

I'm trying to renew certificates, but I have gotten errors. The first installation of the certificate was done successfully. The web sites work and I can access them from outside. Please see the following information as well.

My domain is:corp-associe.jp, koshirophotography.com

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/www.corp-associe.jp.conf


Renewing an existing certificate for www.corp-associe.jp and 3 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: blog.koshirophotography.com
Type: unauthorized
Detail: Invalid response from https://blog.koshirophotography.com/.well-known/acme-challenge/kuFVuRhrxhH64wEPGnmPiluKCQwmdY4mlcnDcXk8wBE [203.141.138.215]: "\n\n403 Forbidden\n\nForbidden\n\n<p"

Domain: www.koshirophotography.com
Type: unauthorized
Detail: Invalid response from https://www.koshirophotography.com/.well-known/acme-challenge/ozzoolA4NrMzmz_sc6VCj0i25Te9k2qhC9XFVPnnEOE [203.141.138.215]: "<!doctype html>\n<html lang="ja" >\n\n\t<meta charset="UTF-8" />\n\t<meta name="viewport" content="width=device-width, initial-s"

Domain: nightview.koshirophotography.com
Type: unauthorized
Detail: Invalid response from https://nightview.koshirophotography.com/.well-known/acme-challenge/fASZvCu8GTcIZr-_l0T2uP6N55u4ffW7gFFMN8-ulhI [203.141.138.215]: "\n\n403 Forbidden\n\nForbidden\n\n<p"

Domain: www.corp-associe.jp
Type: unauthorized
Detail: Invalid response from https://www.corp-associe.jp/.well-known/acme-challenge/f1ov3kuJe7kXbNPTghzf-Jnm2u0mH-AHxX1x_BaFprU [203.141.138.215]: "<!doctype html>\n<html lang="ja" >\n\n\t<meta charset="UTF-8" />\n\t<meta name="viewport" content="width=device-width, initial-s"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.corp-associe.jp with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2.4.46

The operating system my web server runs on is (include version): RHEL 8.3

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.17.0

Even visiting your home page, we see this forbidden error:

[image: screenshot of the Forbidden error page]

which would probably also be affecting your Certbot setup, since you're using --webroot.

It might be worth looking into /var/log/httpd/error_log to see whether there are any messages that might give a clue about what the nature of the Forbidden error is.

It would also help to post the contents of /etc/letsencrypt/renewal/www.corp-associe.jp.conf, so we can see how the different domains' webroots are mapped.


Hi,
Thank you for your quick response. Yes, there was some misconfiguration in the httpd.ssl.conf file. I modified it and both subdomains work now. You can access blog.xxxxx.com. However, I still get the error as below.

Here is the log file, which is under /etc/letsencrypt/renewal.

renew_before_expiry = 30 days

version = 1.13.0
archive_dir = /etc/letsencrypt/archive/www.corp-associe.jp
cert = /etc/letsencrypt/live/www.corp-associe.jp/cert.pem
privkey = /etc/letsencrypt/live/www.corp-associe.jp/privkey.pem
chain = /etc/letsencrypt/live/www.corp-associe.jp/chain.pem
fullchain = /etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 3430b538ce67ebb0aae1eaf065766dfd
authenticator = webroot
apache_server_root = /usr/local/apache2
apache_vhost_root = /usr/local/apache2/conf/extra
apache_challenge_location = /usr/local/apache2/conf
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
blog.koshirophotography.com = /data1/virtualdocs/wordpress/blog-koshirophotography
nightview.koshirophotography.com = /data1/virtualdocs/wordpress/nightview-koshirophotography
www.corp-associe.jp = /data1/htdocs/wordpress
www.koshirophotography.com = /data1/virtualdocs/wordpress/koshirophotography

Or will I need to wait for 30 or 45 minutes and try the renewal process after rebooting the Apache service?

Can you show the file (so we may look for other problems/mistakes)?

OK, so just to take this one example, let's try to create a file:

mkdir -p /data1/virtualdocs/wordpress/blog-koshirophotography/.well-known/acme-challenge
echo Hello > /data1/virtualdocs/wordpress/blog-koshirophotography/.well-known/acme-challenge/test.txt

and then we should be able to see it by visiting http://blog.koshirophotography.com/.well-known/acme-challenge/test.txt

That's the basic premise of how --webroot works.

If that's not working, we can start looking into why:

  • Wrong directory?
  • SELinux?
  • something else?

Hello _az

I have created test.txt under the following directory. Does it work?
I don't see the "Hello" text on this page.

[root@web1 acme-challenge]# pwd
/data1/virtualdocs/wordpress/blog-koshirophotography/.well-known/acme-challenge
[root@web1 acme-challenge]# ls
test.txt

No, it redirects to https and goes to this page:

You can test this kind of thing from your own phone using 4G data instead of wifi, that way you are accessing your website externally like Let's Encrypt would.

If the test.txt file works for you but not for external visitors that suggests that on your machine the website address is resolving to a different server (e.g. a test server instead of the production server).

... and if you can't see the text file either, some more helpful things to post would be:

  • The /data1/virtualdocs/wordpress/blog-koshirophotography/.htaccess file, if it exists
  • The Apache .conf file for the blog virtual host
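The two checks suggested above (create a probe file under each webroot from the renewal conf, then fetch it from outside the way the CA would) can be scripted. The following is an added example, not code from the thread or from Certbot; it assumes a renewal conf in the format shown earlier in the thread, that `curl` and `awk` are installed, and that the script is run from a host whose DNS resolves the domains to the production server. Like Let's Encrypt, it starts on plain HTTP and follows redirects, so a redirect into a 403 or a WordPress page (the failure mode in the output above) shows up as a non-200 status or a body that is not the probe text. It only diagnoses; it does not change any Apache or `.htaccess` configuration.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): probe every webroot listed in a Certbot
# renewal conf. Assumed inputs: a renewal conf path and an optional probe file name.

# parse_webroot_map CONF
# Prints "domain<TAB>webroot" for each entry under [[webroot_map]].
parse_webroot_map() {
    awk '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "\t" v
        }' "$1"
}

# place_probe WEBROOT TOKEN
# Creates WEBROOT/.well-known/acme-challenge/TOKEN containing "Hello", prints its path.
# This mirrors what Certbot's webroot authenticator does with the real challenge token.
place_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf 'Hello\n' > "$dir/$2" || return 1
    printf '%s\n' "$dir/$2"
}

# probe_http DOMAIN TOKEN
# Fetches the probe over plain HTTP, following redirects (the CA does the same), and
# prints "<status> <final URL> <body-ok:yes|no>". Anything other than "200 ... yes"
# means the challenge file is not reachable from the internet at that name.
probe_http() {
    url="http://$1/.well-known/acme-challenge/$2"
    tmp=$(mktemp) || return 1
    status=$(curl -sS -L --max-time 15 -o "$tmp" -w '%{http_code} %{url_effective}' "$url")
    rc=$?
    if [ "$rc" -eq 0 ] && [ "$(cat "$tmp")" = "Hello" ]; then ok=yes; else ok=no; fi
    rm -f "$tmp"
    printf '%s %s\n' "$status" "$ok"
}

# check_all CONF TOKEN
# For each webroot_map entry: write the probe, fetch it, report, then clean up.
# On RHEL with SELinux enforcing, a file that is written but still returns 403 is worth
# comparing with `ls -Z` against a file Apache does serve from the same webroot.
check_all() {
    parse_webroot_map "$1" | while IFS="$(printf '\t')" read -r domain webroot; do
        path=$(place_probe "$webroot" "$2") || {
            printf '%s: cannot write probe under %s\n' "$domain" "$webroot"
            continue
        }
        printf '%s -> %s\n' "$domain" "$(probe_http "$domain" "$2")"
        rm -f "$path"
    done
}

# Usage: sh acme-probe.sh /etc/letsencrypt/renewal/www.corp-associe.jp.conf [token]
if [ "$#" -ge 1 ]; then
    check_all "$1" "${2:-probe-$$.txt}"
fi
```

Run it as root on the web server so the probe files can be written, but read the results as an external client would: a line such as `blog.example -> 403 https://blog.example/.well-known/acme-challenge/probe.txt no` tells you the HTTP-to-HTTPS redirect works but the HTTPS vhost (or its `.htaccess`) refuses the file, which is exactly where to look in the vhost config next.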

Hi,
Thanks for your help. The .htaccess file exists. I tried to install a new certificate from scratch. I renamed the current directory, www.corp-associe.jp, to www.corp-associe.jp.old under /etc/letsencrypt/live and archive and tried to get a new one. It was done successfully and the page works now. I also tried to renew the certificates, but I got an error saying that no file exists for www.corp-associe.jp, so I renamed it back to the original file name. And that worked as well. I will go with this setting and see what happens. I think there might be a way to clean up the certificate before getting a new one from scratch...

Sorry for the confusion, but I appreciate your help.
