Certificate doesn't get created

Hi!
I'm trying to expand my certificates but every time I try it, it doesn't work properly.
My Domain settings should be correct.

Thanks in advance!

My domains are:
cloud.knocklive.de,dc.labycheck.de,github.knocklive.de,invite.labycheck.de,knocklive.de,labycheck.de,schule.knocklive.de,shop.knocklive.de,status.knocklive.de,vote.labycheck.de

I ran this command:
sudo certbot --apache -d "cloud.knocklive.de,dc.labycheck.de,github.knocklive.de,invite.labycheck.de,knocklive.de,labycheck.de,schule.knocklive.de,shop.knocklive.de,status.knocklive.de,vote.labycheck.de"

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/cloud.knocklive.de.conf)

It contains these names: knocklive.de, cloud.knocklive.de, dc.labycheck.de,
github.knocklive.de, invite.labycheck.de, labycheck.de, schule.knocklive.de,
status.knocklive.de, vote.labycheck.de

You requested these names for the new certificate: cloud.knocklive.de,
dc.labycheck.de, github.knocklive.de, invite.labycheck.de, knocklive.de,
labycheck.de, schule.knocklive.de, shop.knocklive.de, status.knocklive.de,
vote.labycheck.de.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.knocklive.de
http-01 challenge for dc.labycheck.de
http-01 challenge for github.knocklive.de
http-01 challenge for invite.labycheck.de
http-01 challenge for knocklive.de
http-01 challenge for labycheck.de
http-01 challenge for schule.knocklive.de
http-01 challenge for shop.knocklive.de
http-01 challenge for status.knocklive.de
http-01 challenge for vote.labycheck.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. labycheck.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:568b: Invalid response from https://labycheck.de/.well-known/acme-challenge/iv7xi28_eDnUfSJycsTBkhwqXtTajHr9MimhGf-udUY: 404, invite.labycheck.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:568b: Invalid response from https://invite.labycheck.de/.well-known/acme-challenge/DIDEdlTMLgVN-woNlA7_hb26_g0FbG73mz3OqIfyaUg: 404, vote.labycheck.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3032::ac43:dc5c: Invalid response from https://vote.labycheck.de/.well-known/acme-challenge/-HQW88k5muhhrVDNiwsPusU-WyxvwI7KzXDdzFoG86c: 404, github.knocklive.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:5b2e: Invalid response from https://github.knocklive.de/.well-known/acme-challenge/5Y-HYz3_fYFEErRrkim6XSdw_9ewcrxoJcJoL7IM2GY: 404, cloud.knocklive.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::ac43:a6b9: Invalid response from https://cloud.knocklive.de/.well-known/acme-challenge/rKSJM-eSYWYdSk835nVB_7MLHolJPlEOZJ78Ad5dQAQ: 404, status.knocklive.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:5b2e: Invalid response from https://status.knocklive.de/.well-known/acme-challenge/FEZdI7ObrJZ_MNiLCwAmjjpTk-4vvPDqmsWOllYQrAk: 404, dc.labycheck.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:568b: Invalid response from https://dc.labycheck.de/.well-known/acme-challenge/tK__LlnthkYIsoXnN06hnUTFRl9k5Of6M9kLMEjtBcY: 404, schule.knocklive.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::ac43:a6b9: Invalid response from https://schule.knocklive.de/.well-known/acme-challenge/bXFTuqKfalMF7J2zfLUOU3S0o8XL11NZpfOU82Vd8gs: 404, shop.knocklive.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:5b2e: Invalid response from https://shop.knocklive.de/.well-known/acme-challenge/nnLfillmi2rMJR_vAamnMU8HePMRD_UQs1KvJnpDy3M: 404, knocklive.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2606:4700:3035::6815:5b2e: Invalid response from https://knocklive.de/.well-known/acme-challenge/z3UFn8w5ABGr_nK6WePcnEO2o5fEhJnME-arOspA13Q: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: labycheck.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:568b: Invalid response from
   https://labycheck.de/.well-known/acme-challenge/iv7xi28_eDnUfSJycsTBkhwqXtTajHr9MimhGf-udUY:
   404

   Domain: invite.labycheck.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:568b: Invalid response from
   https://invite.labycheck.de/.well-known/acme-challenge/DIDEdlTMLgVN-woNlA7_hb26_g0FbG73mz3OqIfyaUg:
   404

   Domain: vote.labycheck.de
   Type:   unauthorized
   Detail: 2606:4700:3032::ac43:dc5c: Invalid response from
   https://vote.labycheck.de/.well-known/acme-challenge/-HQW88k5muhhrVDNiwsPusU-WyxvwI7KzXDdzFoG86c:
   404

   Domain: github.knocklive.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:5b2e: Invalid response from
   https://github.knocklive.de/.well-known/acme-challenge/5Y-HYz3_fYFEErRrkim6XSdw_9ewcrxoJcJoL7IM2GY:
   404

   Domain: cloud.knocklive.de
   Type:   unauthorized
   Detail: 2606:4700:3035::ac43:a6b9: Invalid response from
   https://cloud.knocklive.de/.well-known/acme-challenge/rKSJM-eSYWYdSk835nVB_7MLHolJPlEOZJ78Ad5dQAQ:
   404

   Domain: status.knocklive.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:5b2e: Invalid response from
   https://status.knocklive.de/.well-known/acme-challenge/FEZdI7ObrJZ_MNiLCwAmjjpTk-4vvPDqmsWOllYQrAk:
   404

   Domain: dc.labycheck.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:568b: Invalid response from
   https://dc.labycheck.de/.well-known/acme-challenge/tK__LlnthkYIsoXnN06hnUTFRl9k5Of6M9kLMEjtBcY:
   404

   Domain: schule.knocklive.de
   Type:   unauthorized
   Detail: 2606:4700:3035::ac43:a6b9: Invalid response from
   https://schule.knocklive.de/.well-known/acme-challenge/bXFTuqKfalMF7J2zfLUOU3S0o8XL11NZpfOU82Vd8gs:
   404

   Domain: shop.knocklive.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:5b2e: Invalid response from
   https://shop.knocklive.de/.well-known/acme-challenge/nnLfillmi2rMJR_vAamnMU8HePMRD_UQs1KvJnpDy3M:
   404

   Domain: knocklive.de
   Type:   unauthorized
   Detail: 2606:4700:3035::6815:5b2e: Invalid response from
   https://knocklive.de/.well-known/acme-challenge/z3UFn8w5ABGr_nK6WePcnEO2o5fEhJnME-arOspA13Q:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.25 (Debian)
Server built:   2022-03-18T12:54:25

The operating system my web server runs on is (include version):
Debian 9

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
certbot 0.28.0
1 Like

Your domains are now behind Cloudflare CDN.
Has that always been the case?

3 Likes

No, I've had it with my normal DNS manager... Can't I use Cloudflare with Let's Encrypt?

Yes, but you may not need to. You are using Cloudflare CDN - not just their DNS service.

Their Edge manages a cert for HTTPS between their Edge and the client (browsers, ...).
There is (usually) another cert in your Origin server for HTTPS between it and the Edge. Cloudflare has an Origin Cert for this which is easier than using Let's Encrypt. See below topics for CDN config and the Origin Cert.
https://developers.cloudflare.com/ssl/get-started/
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

3 Likes

Cloudflare is performing the redirect to https because it's running in Full (Strict) SSL mode, then when your server responds on https it doesn't know the challenge response.

This usually means that only the http version of your config (not https) knows how to respond to ACME challenges (i.e. there may be a rule that forwards all /.well-known/acme-challenge http requests to a particular location - I don't really know how the certbot apache integration configures apache).

Try setting your domain SSL/TLS settings on cloudflare to Full instead of Full (Strict), this will allow http requests to reach your server without redirecting to https.

2 Likes

In their docs the only diff between Full and Full(Strict) is that Full(Strict) will validate the cert when connecting to your Origin server with HTTPS. So, no self-signed certs, no expired certs, and names must match. The Cloudflare Origin CA cert is allowed in Full(Strict).

There are ways to have Cloudflare redirect http to https, but, that is done separately.

Good point though about the redirection. The certbot apache plug-in modifies the port 80 VirtualHost only. And, if Cloudflare is redirecting http->https the Let's Encrypt server would not find the challenge token with https.

The Cloudflare Origin CA Cert avoids needing to maintain certbot and monitor its operation.

3 Likes
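The two replies above describe the same failure mechanism: the port 80 VirtualHost is the only one that knows the challenge token, and when the proxy in front of the origin redirects http to https, the validator ends up asking the https VirtualHost, which answers 404. The script below is an added example (not from the thread, not part of Certbot) that reproduces that probe before you run certbot: it fetches a test file over plain http, follows redirects the way the Let's Encrypt validator does, and classifies the outcome. It assumes curl is installed and that you have placed a hypothetical test file (say /var/www/html/.well-known/acme-challenge/preflight-test, containing a known string) under the Apache webroot; the paths and the token name are placeholders.

```shell
#!/bin/sh
# Pre-flight check for http-01 validation when a CDN or an http->https
# redirect sits in front of the origin. Added example; not from the thread
# and not Certbot's code. Assumed setup (hypothetical): a test file placed at
# /var/www/html/.well-known/acme-challenge/preflight-test with known content,
# and curl available.

# classify_probe STATUS FINAL_URL BODY EXPECTED
# Interprets one fetch the way the ACME validator would, after redirects:
#   ok                    200 and the body matches the file you placed
#   redirect-to-https-404 the request was redirected to https and the https
#                         VirtualHost does not serve the challenge directory
#                         (the failure pattern in this thread)
#   not-found             404 without a redirect: wrong webroot or no alias
#                         on the port 80 VirtualHost
#   wrong-body            200 but other content (another vhost or a cached
#                         page answered instead of the token file)
#   error                 any other status (5xx, 403, or 000 on timeout)
classify_probe() {
  status=$1; final_url=$2; body=$3; expected=$4
  case "$status" in
    200)
      if [ "$body" = "$expected" ]; then echo ok; else echo wrong-body; fi ;;
    404)
      case "$final_url" in
        https://*) echo redirect-to-https-404 ;;
        *)         echo not-found ;;
      esac ;;
    *) echo error ;;
  esac
}

# probe_domain DOMAIN TOKEN EXPECTED
# Fetches over plain http and follows redirects (the validator follows an
# http -> https redirect too), then classifies the final answer.
probe_domain() {
  domain=$1; token=$2; expected=$3
  tmp=$(mktemp)
  # -w prints the final status code and the URL that actually answered
  meta=$(curl -sS -L --max-redirs 10 --max-time 15 -o "$tmp" \
           -w '%{http_code} %{url_effective}' \
           "http://$domain/.well-known/acme-challenge/$token")
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_probe "${meta%% *}" "${meta#* }" "$body" "$expected"
}

# Usage: sh acme-preflight.sh TOKEN EXPECTED_BODY DOMAIN [DOMAIN ...]
# The loop only runs when domains are given, so the functions can be sourced.
if [ $# -ge 3 ]; then
  token=$1; expected=$2; shift 2
  for d in "$@"; do
    printf '%-28s %s\n' "$d" "$(probe_domain "$d" "$token" "$expected")"
  done
fi
```

A `redirect-to-https-404` verdict for a name is exactly the situation described in this thread: the proxy forced https and the https VirtualHost has no challenge handler, so the fix is on the redirect or the https side, not in DNS. A `not-found` verdict without a redirect points at the port 80 configuration or the webroot instead, and `wrong-body` usually means some other VirtualHost or a cached page is answering for that name.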

Yeah, they do offer an origin cert you can use so your TLS is end-to-end, but I like the ability to switch Cloudflare DNS proxying off and have traffic flow directly to the server if need be.

As an aside, by default the cipher suites they present for your proxied site are not compatible with everything, and I actually have to pay $10 monthly for an "Advanced" certificate to get RSA (a bunch of older Windows 2012 etc. machines don't have the cipher suites enabled to work with the default ECC cert).

3 Likes

This was an issue with Certbot's Apache authenticator prior to version 0.31.0 (released 2019-02-07). If OP upgraded, they could keep using Full (Strict).

3 Likes