Certbot renewal failing on LiteSpeed server

My domain is: jpoliveras.com

I ran this command: sudo certbot renew

It produced this output:
--- Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: jpoliveras.com
Type: unauthorized
Detail: 82.180.161.91: Invalid response from http://jpoliveras.com/.well-known/acme-challenge/ZPC6-hd8wk9Y5aajQx4_nW0cLezj0mV0g-eoxZO_QPA: "<!DOCTYPE html>\n<html lang=\"en\">\n <head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, init"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate jpoliveras.com with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/jpoliveras.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


The network console gives me a 200 response with the Vite App, and I read that this should be returning a 404 instead since the text file does not exist.

The config file for Certbot has the authenticator set to webroot and a webroot_maps section added already, so I don't need to specify the webroot.

I do believe the cert was created using a standalone authenticator when I first acquired the VPS and SSH'd into it; I'm not sure if this is causing any renewal issues.

This is my first time trying to renew the cert.

Usually I don't like asking for help and do find a solution via trial and error and using all the available solutions I research, but I need this solved asap so my site doesn't go down and I can focus on some other more important work.

My web server is (include version):
LiteSpeed/1.7.19

The operating system my web server runs on is (include version):
Ubuntu 22.04.4

My hosting provider, if applicable, is:
Hostinger VPS + GoDaddy registrar

I can login to a root shell on my machine (yes or no, or I don't know):
SSH key via Putty

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
LiteSpeed WebAdmin Console 1.7.19

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Some code infrastructure info:

Docker compose yml
Frontend:
Dockerfile
Backend:
Dockerfile
SSL certs mounted as volumes from root letsencrypt directory to specified directory in docker container

Frontend hosts Vue app on port 3000
Backend hosts Django app using Gunicorn wsgi on port 8000

OLS settings:
Listeners:
HTTP 80
HTTPS 443 , secured set to Yes
mapped to my virtual host jpoliveras.com

Virtual host:
jpoliveras.com

document root:
/root/jp_portfolio_site/ 
(I'm learning this isn't best practice, but this is what I set up when I initially got the VPS, using guidance from Hostinger's AI bot)

domain name:
jpoliveras.com

domain alias:
www.jpoliveras.com

2 external apps:
dockerserve
GunicornApp

Context:
/ context points to the dockerserve
/api context points to GunicornApp

I added an additional context for /.well-known/
with location: /root/jp_portfolio_site/.well-known/
and accessible set to Yes

Rewrite:
I did have a rewrite rule for HTTP to HTTPS on all paths, but temporarily deleted it in case that was causing issues with the HTTP-01 challenge.

If any more info is needed, I'll gladly provide it.


Hello @jpoliveras, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please verify that the --webroot-path that was provided to Certbot matches the path from which LiteSpeed serves content.

Here is the Certbot documentation on Webroot.

Also, using curl to simulate the ACME HTTP-01 challenge, the response code is HTTP/1.1 200 OK:

$ curl -Ii http://jpoliveras.com/.well-known/acme-challenge/hVdPmqTIE2fwRJPcAlB6xo23GeKDbp8pa1nLWFWC -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 200 OK
content-disposition: inline; filename="index.html"
accept-ranges: bytes
etag: "b1411cf64880fbf39719b3575f916493e1e5d8e0"
content-type: text/html; charset=utf-8
vary: Accept-Encoding
date: Mon, 02 Dec 2024 04:12:35 GMT
server: LiteSpeed
connection: Keep-Alive

I highly doubt that your server has a file
http://jpoliveras.com/.well-known/acme-challenge/hVdPmqTIE2fwRJPcAlB6xo23GeKDbp8pa1nLWFWC
thus the expected response code is HTTP/1.1 404 Not Found.

There is probably a LiteSpeed configuration issue going on.

The LiteSpeed forum is here: https://www.litespeedtech.com/support/forum/
LiteSpeed support is here: Support - LiteSpeed Technologies

Edit: maybe supplemental information.
Here is a list of issued certificates: crt.sh | jpoliveras.com

Only the Let's Encrypt issued certificates have the single SAN jpoliveras.com;
the others have SANs for both jpoliveras.com and www.jpoliveras.com.

And presently the certificate being served (https://decoder.link/sslchecker/jpoliveras.com/443) matches this certificate, crt.sh | 14483877906, having a validity of:
Not Before: Sep 9 02:59:22 2024 GMT
Not After : Dec 8 02:59:21 2024 GMT


Thanks for the welcome Bruce!

Yeah, I figured it would be something wrong with the LiteSpeed config, but I currently have no clue after trying all solutions.

I can absolutely confirm the webroot_maps is set correctly to the document root path that is set in the LiteSpeed config.

Are you suggesting that I take this topic to the LiteSpeed forum as well?


Since the time I'm replying to my original post, these are the updated settings:

I copied all contents from the original document root to the new document root in case there was a permissions issue happening.

virtual host root:
/var/www/html

document root:
/var/www/html
also tried /var/www/html/jp_portfolio_site/
It doesn't matter if I include the site contents folder or not; it still gets served fine by LiteSpeed.

context type: static
uri: /.well-known
location: /var/www/html/.well-known/
also tried /var/www/html/jp_portfolio_site/.well-known/; it made no difference, same error result

Contents of letsencrypt renewal configuration file for my domain:
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/jpoliveras.com
cert = /etc/letsencrypt/live/jpoliveras.com/cert.pem
privkey = /etc/letsencrypt/live/jpoliveras.com/privkey.pem
chain = /etc/letsencrypt/live/jpoliveras.com/chain.pem
fullchain = /etc/letsencrypt/live/jpoliveras.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 8f31d9537595fa23afb8067fd923d3ff
authenticator = webroot
webroot_path = /var/www/html/jp_portfolio_site/
server = https://acme-v02.api.letsencrypt.org/directory

I omitted the webroot_map section and just went with webroot_path.

This troubleshooting process is in reference to Unable to renew letsencrypt cert on Ghost blog behind litespeed - proxypass needed? | LiteSpeed Support Forums

which I felt was the closest issue to mine, the only difference being that I have 2 external apps instead of just 1.

So now I have really tried everything to my knowledge and do not know what else could be a solution to this problem.

virtual host root:
/var/www/html/

document root:
/var/www/html/

Well, there's your problem :rofl: AI bots are almost never the answer, unless you yourself have at least some form of grasp of the matter. They'll regularly hallucinate the most weird and also incorrect stuff, unless you can guide it thoroughly towards a sensible answer.

In any case, the problem is that LiteSpeed does, despite your efforts, not recognise the /.well-known/acme-challenge/ path as a separate entity: it still responds with the "Vite App", whatever that may be.

Unfortunately I'm not experienced in LiteSpeed, so I don't know if that context type / uri / location stuff is the correct way to do it. But it doesn't look like it's working now. One would expect a "404 file not found" instead of seeing the "Vite App" response.


Yup, I'm not a fan of AI, but to my surprise it was pretty efficient at guiding me through my VPS setup, mounting the SSL certs as volumes and everything to get my site running a couple of months ago. Granted, I had way more grasp of the situation; still, it was my first time using LiteSpeed and it definitely helped me more than anything else could.

But for this, during the process of troubleshooting this problem, it was really shitting the bed big time :rofl:

I wish the logs said more useful information, but unfortunately they don't, and like you said, despite my best efforts LiteSpeed still doesn't recognize the directory the HTTP-01 challenge creates and responds with the Vite App, which I believe is just the index.html file.

With that webroot path Certbot will create the token here:

/var/www/html/jp_portfolio_site/.well-known/acme-challenge/(token)

You can test if LiteSpeed replies from there by creating (and verifying) a test file like:

sudo mkdir -p /var/www/html/jp_portfolio_site/.well-known/acme-challenge/
sudo bash -c 'echo testVal >/var/www/html/jp_portfolio_site/.well-known/acme-challenge/TestToken123'
ls -l /var/www/html/jp_portfolio_site/.well-known/acme-challenge

Best to not use an extension on the token file as some servers might treat those differently and the LE tokens have no extension.

Once that file is created try getting it with

curl -i http://jpoliveras.com/.well-known/acme-challenge/TestToken123

You should see the contents: testVal

If not, review your LiteSpeed access and/or error logs to find the reason. And check any other component that may "see" that HTTP request.

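The same check as a small Python script, added here as an example and not part of Mike's post or of Certbot: it writes the test token where Certbot would and then classifies the reply, distinguishing the failure seen in this thread (HTTP 200 with the site's index.html) from a plain 404. The webroot, domain, token name and value are assumptions for illustration.

```python
"""Check that a webroot serves an HTTP-01 token, not the site's index.html."""
import os
import sys
import urllib.request
from urllib.error import HTTPError

# Constructed sample of the wrong reply seen in this thread: the SPA's
# index.html coming back with HTTP 200 instead of the token contents.
VITE_INDEX_HTML = '<!DOCTYPE html>\n<html lang="en">\n <head>\n <meta charset="UTF-8">\n'
LE_USER_AGENT = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"


def create_test_token(webroot, token, value):
    """Write value to <webroot>/.well-known/acme-challenge/<token>, the path Certbot uses."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(value)
    return path


def classify_response(status, content_type, body, expected):
    """Diagnose an HTTP reply for the token URL:
    'ok'            200 and the body is exactly the token value
    'not_found'     404: the directory is served, the file is just missing
    'served_index'  200 but HTML or a different body: the request was routed
                    to the app (the symptom in this thread), not to the webroot
    'other'         anything else (redirect, 5xx, ...)
    """
    if status == 200 and body.strip() == expected:
        return "ok"
    if status == 404:
        return "not_found"
    if status == 200:
        return "served_index"
    return "other"


def fetch(url):
    """GET url with the validation server's User-Agent; return (status, content-type, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": LE_USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type"), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type"), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # usage: check_webroot.py /var/www/html/jp_portfolio_site jpoliveras.com (assumed values)
    webroot, domain, token, value = sys.argv[1], sys.argv[2], "TestToken123", "testVal"
    create_test_token(webroot, token, value)
    print(classify_response(*fetch(f"http://{domain}/.well-known/acme-challenge/{token}"), value))
```

A 'served_index' verdict means the fix is in the web server's routing (here, the /.well-known context location), not in Certbot.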

Hey Mike, thanks for the reply. I'm not at my PC atm, so I haven't been able to try this yet, but funnily enough I do recall the AI bot making me perform this same test, also with modifications to the ownership of the /.well-known directory to data-www:data-www.

I'll try again at some point today maybe; currently I'm focused on studying for an AWS exam.

But I will leave this with you for now. You mentioned checking any component that would "see" that HTTP request; the only component I can think of besides LiteSpeed is my Vue router index.js file. I do have a 404 pathMatch/catch-all in there so all 404s get redirected to a custom 404 page, but I have already tested removing that path setting and there's no difference in the response.

Would you like me to post the code for the index.js file? That is the only component I can think of that sees the HTTP request, unless potentially some settings in my Django settings.py file; if the code for that would also help solve this, I can also provide that.


Not for my benefit :slight_smile: It is up to you to ensure the routing of HTTP requests is suitable for the purpose.


AI is not ready for prime time.


Ran this test; what was returned was the index.html content.

Went into LiteSpeed, into the contexts.

Opened the /.well-known/ context.

Changed the location from /var/www/html/.well-known/ to /var/www/html/jp_portfolio_site/.well-known/

Ran the curl command again; it returned the value testVal.

Ran sudo certbot renew; certificates renewed successfully :grin:

unbelievable

thanks guys!


I guess the solution was having the directories pre-created and not messing with the ownership this time, instead of letting Certbot create them.

thanks again!


Well, maybe, but I think it more likely that the directory names were not matched up.


I had tried the updated context location previously, when the .well-known directory didn't exist, and it would give a 200 response and not a LiteSpeed 404.

Just glad it works now :smiley:

Hopefully this thread can help someone in the future that also encounters this problem
