Certbot won't renew my cert --> 404

Hello Guys,

My domain is:
vibez-clan.de
www.vibez-clan.de

I ran this command:
certbot --dry-run renew
certbot --apache -d vibez-clan.de

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vibez-clan.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vibez-clan.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 94.16.111.220: Invalid response from https://vibez-clan.de/.well-known/acme-challenge/G3Sy1BPgdULTSpilEAgtMmze4bVr4ttJZSSqLfXBr3k: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: vibez-clan.de
   Type:   unauthorized
   Detail: 94.16.111.220: Invalid response from
   https://vibez-clan.de/.well-known/acme-challenge/G3Sy1BPgdULTSpilEAgtMmze4bVr4ttJZSSqLfXBr3k:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2022-06-23T12:51:37

The operating system my web server runs on is (include version):
Ubuntu 18.04.6 LTS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.27.0

Well, I hope someone can help me out... The procedure was already successful, there are running certs created with certbot. Just the renew process is actually not working, and my certs are expiring in a few days.

Hi @Ikarus_vbz, and welcome to the LE community forum :slight_smile:

Let's start unraveling this by looking at Apache configuration.
Please show:
sudo apachectl -t -D DUMP_VHOSTS

Also, this is not a routable IPv6 address:

Name:      vibez-clan.de
Addresses: fe80::81f:c8ff:fe09:31a5
           94.16.111.220

Name:      www.vibez-clan.de
Addresses: fe80::81f:c8ff:fe09:31a5
           94.16.111.220
3 Likes

Hello @rg305

output:

sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server vibez-clan.com (/etc/apache2/sites-enabled/vibez-clan.com-le-ssl.conf:2)
         port 443 namevhost vibez-clan.com (/etc/apache2/sites-enabled/vibez-clan.com-le-ssl.conf:2)
                 alias www.vibez-clan.com
         port 443 namevhost vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de-le-ssl.conf:2)
                 alias www.vibez-clan.de
*:80                   is a NameVirtualHost
         default server fastdl.combat.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.combat.vibez-clan.de.conf:1)
         port 80 namevhost fastdl.combat.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.combat.vibez-clan.de.conf:1)
                 alias www.fastdl.combat.vibez-clan.de
         port 80 namevhost fastdl.dust.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.dust.vibez-clan.de.conf:1)
                 alias www.fastdl.dust.vibez-clan.de
         port 80 namevhost fastdl.mapping.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.mapping.vibez-clan.de.conf:1)
                 alias www.fastdl.mapping.vibez-clan.de
         port 80 namevhost fastdl.testserver.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.testserver.vibez-clan.de.conf:1)
                 alias www.fastdl.testserver.vibez-clan.de
         port 80 namevhost fastdl.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.vibez-clan.de.conf:1)
                 alias www.fastdl.vibez-clan.de
         port 80 namevhost vibez-clan.com (/etc/apache2/sites-enabled/vibez-clan.com.conf:1)
                 alias www.vibez-clan.com
         port 80 namevhost vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de-le-ssl.conf:23)
                 alias www.vibez-clan.de
         port 80 namevhost vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de-le-ssl.conf:38)
                 alias www.vibez-clan.de
         port 80 namevhost vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de-le-ssl.conf:60)
                 alias www.vibez-clan.de
         port 80 namevhost www.vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de.conf:1)
                 alias vibez-clan.de

ipv6 wrong, okay, is this one better? 2a03:4000:51:ffa:81f:c8ff:fe09:31a5

1 Like

That is a name:port overlap.
Each name:port combination should only appear once in the configuration.

Yes!

3 Likes

Sorry, I'm really a newbie at all of this... how to fix that name:port overlap? I only have 2 config files in sites-enabled named
vibez-clan.de.conf
and
vibez-clan.de-le-ssl.conf

Aight, changed that IPv6 Entry, thank you for this hint

1 Like

Both of these files have HTTP server blocks for names:"vibez-clan.de, www.vibez-clan.de"

The first file has three such HTTP server blocks!
You need to delete the ones you are not using - leaving only one.
[don't delete the entire file if there are other blocks that need to be used]

3 Likes
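
An added example, not part of any post in this thread and not Apache or Certbot code: a shell function that reads `apachectl -t -D DUMP_VHOSTS` output and lists every name:port pair claimed by more than one block, which is the overlap described above. The function names and the example.com sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list each name:port pair claimed by more than one vhost.
# Reads `apachectl -t -D DUMP_VHOSTS` output on stdin; prints nothing when clean.
find_vhost_overlaps() {
    awk '
        function claim(key, where) {
            places[key] = (count[key]++ ? places[key] ", " : "") where
        }
        # Address header such as "*:80 is a NameVirtualHost": forget the old port.
        $1 ~ /:[0-9*]+$/ { port = "" }
        # "port 80 namevhost NAME (FILE:LINE)" opens a vhost entry.
        $1 == "port" && $3 == "namevhost" {
            port = $2; loc = $5
            gsub(/[()]/, "", loc)
            claim($4 ":" port, loc)
            next
        }
        # "alias NAME" belongs to the entry opened just above it.
        $1 == "alias" && port != "" { claim($2 ":" port, loc) }
        END {
            for (key in count)
                if (count[key] > 1)
                    print key " defined " count[key] " times: " places[key]
        }
    ' | sort
}

# Constructed sample input (example.com names, not from a real server).
sample_dump() {
    cat <<'EOF'
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/example.com-le-ssl.conf:2)
         port 443 namevhost example.com (/etc/apache2/sites-enabled/example.com-le-ssl.conf:2)
                 alias www.example.com
*:80                   is a NameVirtualHost
         default server files.example.com (/etc/apache2/sites-enabled/files.example.com.conf:1)
         port 80 namevhost files.example.com (/etc/apache2/sites-enabled/files.example.com.conf:1)
         port 80 namevhost example.com (/etc/apache2/sites-enabled/example.com-le-ssl.conf:18)
                 alias www.example.com
         port 80 namevhost www.example.com (/etc/apache2/sites-enabled/example.com.conf:1)
                 alias example.com
EOF
}

# On a real server: sudo apachectl -t -D DUMP_VHOSTS | find_vhost_overlaps
sample_dump | find_vhost_overlaps
```

Both names on port 80 are reported twice because the server name of one block is the alias of the other; port 443 is clean.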

This is now the entry of vibez-clan.de.conf

<VirtualHost *:80>
    ServerAdmin u@localhost
    ServerName www.vibez-clan.de
    ServerAlias vibez-clan.de
    DocumentRoot /var/www/vibez-clan.de
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =vibez-clan.de [OR]
    RewriteCond %{SERVER_NAME} =www.vibez-clan.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
LogLevel warn

This is now the entry for vibez-clan.de-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin u@localhost
    ServerName vibez-clan.de
    ServerAlias www.vibez-clan.de
    DocumentRoot /var/www/vibez-clan.de
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/vibez-clan.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vibez-clan.de/privkey.pem
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerAdmin u@localhost
    ServerName vibez-clan.de
    ServerAlias www.vibez-clan.de
    DocumentRoot /var/www/vibez-clan.de
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =vibez-clan.de [OR]
    RewriteCond %{SERVER_NAME} =www.vibez-clan.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>

If I do sudo apachectl -t -D DUMP_VHOSTS again, this is now the output:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server vibez-clan.com (/etc/apache2/sites-enabled/vibez-clan.com-le-ssl.conf:2)
         port 443 namevhost vibez-clan.com (/etc/apache2/sites-enabled/vibez-clan.com-le-ssl.conf:2)
                 alias www.vibez-clan.com
         port 443 namevhost vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de-le-ssl.conf:2)
                 alias www.vibez-clan.de
*:80                   is a NameVirtualHost
         default server fastdl.combat.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.combat.vibez-clan.de.conf:1)
         port 80 namevhost fastdl.combat.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.combat.vibez-clan.de.conf:1)
                 alias www.fastdl.combat.vibez-clan.de
         port 80 namevhost fastdl.dust.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.dust.vibez-clan.de.conf:1)
                 alias www.fastdl.dust.vibez-clan.de
         port 80 namevhost fastdl.mapping.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.mapping.vibez-clan.de.conf:1)
                 alias www.fastdl.mapping.vibez-clan.de
         port 80 namevhost fastdl.testserver.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.testserver.vibez-clan.de.conf:1)
                 alias www.fastdl.testserver.vibez-clan.de
         port 80 namevhost fastdl.vibez-clan.de (/etc/apache2/sites-enabled/fastdl.vibez-clan.de.conf:1)
                 alias www.fastdl.vibez-clan.de
         port 80 namevhost vibez-clan.com (/etc/apache2/sites-enabled/vibez-clan.com.conf:1)
                 alias www.vibez-clan.com
         port 80 namevhost vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de-le-ssl.conf:18)
                 alias www.vibez-clan.de
         port 80 namevhost www.vibez-clan.de (/etc/apache2/sites-enabled/vibez-clan.de.conf:1)
                 alias vibez-clan.de

Remove this block from file: vibez-clan.de-le-ssl.conf

3 Likes

YES!! This almost solved the problem :smiley:
Just one problem is left: as I was trying to solve it by myself, I have destroyed the symlink. How can I re-create this?

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/vibez-clan.de/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/vibez-clan.de.conf is broken. Skipping.

Show:
ls -l /etc/letsencrypt/live/vibez-clan.de/

3 Likes

ls -l /etc/letsencrypt/live/vibez-clan.de/
total 8
-rw-r--r-- 1 root root 1866 Jan 19 21:17 cert.pem
lrwxrwxrwx 1 root root   38 Nov 10 13:38 chain.pem -> ../../archive/vibez-clan.de/chain6.pem
lrwxrwxrwx 1 root root   42 Nov 10 13:38 fullchain.pem -> ../../archive/vibez-clan.de/fullchain6.pem
lrwxrwxrwx 1 root root   40 Nov 10 13:38 privkey.pem -> ../../archive/vibez-clan.de/privkey6.pem
-rw-r--r-- 1 root root  682 Aug 24 08:13 README

These three are still symlinks [GOOD]

This one is the file [BAD]

Let's look at:
ls -l /etc/letsencrypt/archive/vibez-clan.de/*6.pem

3 Likes

-rw-r--r-- 1 root root 1866 Nov 10 13:38 /etc/letsencrypt/archive/vibez-clan.de/cert6.pem
-rw-r--r-- 1 root root 3750 Nov 10 13:38 /etc/letsencrypt/archive/vibez-clan.de/chain6.pem
-rw-r--r-- 1 root root 5616 Nov 10 13:38 /etc/letsencrypt/archive/vibez-clan.de/fullchain6.pem
-rw-r--r-- 1 root root 1704 Nov 10 13:38 /etc/letsencrypt/archive/vibez-clan.de/privkey6.pem

Perfect!

Do:

rm /etc/letsencrypt/live/vibez-clan.de/cert.pem
certbot update_symlinks

Then you can renew as usual.

3 Likes

certbot update_symlinks
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Expected /etc/letsencrypt/live/vibez-clan.de/cert.pem to be a symlink


You missed the first step:

3 Likes

rm: cannot remove '/etc/letsencrypt/live/vibez-clan.de/cert.pem': No such file or directory

No :smiley:

hmm...

Show (again):
ls -l /etc/letsencrypt/live/vibez-clan.de/

3 Likes

total 4
lrwxrwxrwx 1 root root  38 Nov 10 13:38 chain.pem -> ../../archive/vibez-clan.de/chain6.pem
lrwxrwxrwx 1 root root  42 Nov 10 13:38 fullchain.pem -> ../../archive/vibez-clan.de/fullchain6.pem
lrwxrwxrwx 1 root root  40 Nov 10 13:38 privkey.pem -> ../../archive/vibez-clan.de/privkey6.pem
-rw-r--r-- 1 root root 682 Aug 24 08:13 README

That must be a very old version of certbot...
Upgrade as soon as possible.

For now... do:
sudo ln -s /etc/letsencrypt/archive/vibez-clan.de/cert6.pem /etc/letsencrypt/live/vibez-clan.de/cert.pem

Then show (again):
ls -l /etc/letsencrypt/live/vibez-clan.de/

3 Likes
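
An added example, not part of any post in this thread and not Certbot's own code: a shell check that the four files in a lineage's live directory are symlinks that resolve, which is the condition behind the "expected ... to be a symlink" error above. The function names and the throwaway example.com tree are constructed; on a real host the argument would be a directory such as /etc/letsencrypt/live/vibez-clan.de.

```shell
#!/bin/sh
# Added example: report the state of the four links Certbot keeps in a
# lineage's live/ directory. Returns non-zero if any of them needs repair.
check_live_links() {
    live_dir=$1
    bad=0
    for name in cert.pem chain.pem fullchain.pem privkey.pem; do
        path="$live_dir/$name"
        if [ -L "$path" ]; then
            if [ -e "$path" ]; then
                echo "OK       $name -> $(readlink "$path")"
            else
                # Symlink exists but its target does not (wrong path in ln -s).
                echo "DANGLING $name -> $(readlink "$path")"; bad=1
            fi
        elif [ -e "$path" ]; then
            # A copy or edit replaced the link with a plain file.
            echo "NOT-LINK $name is a regular file"; bad=1
        else
            echo "MISSING  $name"; bad=1
        fi
    done
    return "$bad"
}

# Constructed throwaway tree with the same layout as the listings in the
# thread: cert.pem is a plain file, the other three are relative symlinks.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    for f in cert chain fullchain privkey; do
        : > "$root/archive/example.com/${f}6.pem"
    done
    : > "$root/live/example.com/cert.pem"
    for f in chain fullchain privkey; do
        ln -s "../../archive/example.com/${f}6.pem" "$root/live/example.com/$f.pem"
    done
    echo "$root"
}

demo=$(make_demo_tree)
check_live_links "$demo/live/example.com" || echo "lineage needs repair"
rm -rf "$demo"
```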