For the past year I’ve had a cron automatically renew my certificate for me which has been working fine. However, the last time it tried to renew, an error message was written to the logs. I’ve tried to renew manually and received this:
Attempting to renew cert from /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf produced an unexpected error: Failed authorization procedure. buttercupstraining.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://buttercupstraining.co.uk/.well-known/acme-challenge/h81QmFzIs1xuHOHzU8vlGf3eb_xOnTPOT7u-M7bHCW0: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", www.buttercupstraining.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.buttercupstraining.co.uk/.well-known/acme-challenge/HntDFFQSiYIxsNgZ7u_b8gemIudZ9Ju5f0ggx_DkHC8: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/buttercupstraining.co.uk/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: buttercupstraining.co.uk
Type: unauthorized
Detail: Invalid response from
http://buttercupstraining.co.uk/.well-known/acme-challenge/h81QmFzIs1xuHOHzU8vlGf3eb_xOnTPOT7u-M7bHCW0:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"
Domain: www.buttercupstraining.co.uk
Type: unauthorized
Detail: Invalid response from
http://www.buttercupstraining.co.uk/.well-known/acme-challenge/HntDFFQSiYIxsNgZ7u_b8gemIudZ9Ju5f0ggx_DkHC8:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I’m a bit confused as it has been working fine previously and I’m not sure what to do now. I do have a .well-known folder in my htdocs root but it is currently empty.
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://buttercupstraining.co.uk/">here</a>.</p>
</body></html>
Indeed he should show the conf for <VirtualHost *:443> and domain buttercupstraining.co.uk.conf as both domains ( buttercupstraining.co.uk and www.buttercupstraining.co.uk ) are being redirected to https://buttercupstraining.co.uk/ so the DocumentRoot for that virtualhost should match the webroot path that he has in /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf for all the domains covered by that renewal conf.
I should also mention that the only thing I can think that I had changed prior to the certificate not being renewed was in my .htaccess file where I was trying to make the site always redirect to WWW.:
I had uncommented these, however I commented them out again and restarted apache before I manually tried to renew the certificate to see if that would work, which it didn’t.
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  ServerName buttercupstraining.co.uk
  Redirect permanent / https://buttercupstraining.co.uk/
  location /.well-known/acme-challenge {
    allow all;
    root /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
  }
  <Directory "/opt/bitnami/apache2/htdocs">
    Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback
    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>
  # Error Documents
  ErrorDocument 503 /503.html
  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
I then created an ‘acme-challenge’ directory and added a test text file, but got a 403 Forbidden error. When I restarted apache, this error message was displayed:
AH00526: Syntax error on line 12 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
Invalid command 'location', perhaps misspelled or defined by a module not included in the server configuration
apache config test fails, aborting
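The `location { ... }` block in the config above is nginx syntax, which is why Apache rejects it with "Invalid command 'location'". The following is an added example of how the same intent is expressed in Apache's own directives; it is not the poster's file or Bitnami's, and it assumes the paths and domain from this thread (webroot /opt/bitnami/apache2/htdocs, which must also be the webroot path in /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf), that mod_alias, mod_version and mod_rewrite are loaded as in the Bitnami conf, and that the same Alias/Directory pair is made visible to the :443 vhost as well, since Let's Encrypt follows the HTTP-to-HTTPS redirect and then expects the token there. The RedirectMatch with a negative lookahead is an assumption-level alternative to the blanket `Redirect permanent /`; it lets the :80 vhost answer the challenge itself instead of bouncing it to HTTPS.

```apache
# Added example, not from the original thread. Apache equivalent of the
# nginx-style "location /.well-known/acme-challenge" block that Apache
# refused to parse. Paths and domain are taken from the thread; everything
# else is an assumption to adapt to your own layout.

# Map the challenge URL onto the directory certbot writes tokens into.
# Place this (and the <Directory> below) at server scope, or Include it in
# BOTH the :80 and :443 <VirtualHost> blocks: the :80 vhost redirects to
# HTTPS, and the CA follows that redirect into the :443 vhost.
Alias "/.well-known/acme-challenge/" "/opt/bitnami/apache2/htdocs/.well-known/acme-challenge/"

<Directory "/opt/bitnami/apache2/htdocs/.well-known/acme-challenge">
    # Tokens are plain files: no listing, no symlink following, no CGI.
    Options None
    # Do not process any .htaccess that ends up in this directory.
    AllowOverride None
    # Per-directory RewriteRules from a parent .htaccess are not inherited
    # into a child <Directory> unless "RewriteOptions Inherit" is set;
    # turning the engine off here makes that explicit so the site's own
    # rewrite rules cannot turn the token request into a 403 or a redirect.
    <IfModule mod_rewrite.c>
        RewriteEngine Off
    </IfModule>
    # Same 2.2/2.4 access-control split the Bitnami conf already uses.
    <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
        Require all granted
    </IfVersion>
</Directory>

<VirtualHost _default_:80>
    DocumentRoot "/opt/bitnami/apache2/htdocs"
    ServerName buttercupstraining.co.uk
    ServerAlias www.buttercupstraining.co.uk
    # Redirect everything to HTTPS EXCEPT the ACME challenge path. With a
    # plain "Redirect permanent /" the Redirect wins over the Alias (mod_alias
    # applies Redirects before Aliases), so the :443 vhost would have to
    # serve the token instead. This form works either way.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://buttercupstraining.co.uk/$1"
</VirtualHost>
```

After `apachectl configtest` passes, the quickest check is the one the poster already tried: drop a plain text file into the acme-challenge directory and fetch it over both `http://` and `https://` for the bare and the `www.` name; a 200 with the file's contents from all four URLs is what the HTTP-01 validator needs to see.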
Looks like Apache should be able to read files from this directory without any issues. So the restriction must come from some configuration file. I’m out of ideas for now…
@rg305 see my earlier post, nginx syntax/directives won’t work in Apache conf files.
You seem to be using Drupal 7.54… are you aware that Drupal 7.55 was released last week, including a fix to make the supplied default .htaccess compatible with the HTTP-01 challenge?
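Two .htaccess points raised in this thread, written up as an added example rather than as the poster's file or Drupal's shipped .htaccess. First, a 403 on a path under an empty `.well-known` directory is exactly what a "block hidden directories" rewrite rule produces: Drupal 7's default .htaccess forbids any path segment that starts with a dot, and the 7.55 change mentioned above exempts `.well-known/` from that rule. The two rule forms below are quoted from memory of that file, so treat them as an assumption and compare them with the `RewriteRule ... [F]` line in your own .htaccess. Second, the commented-out `www.` redirect from earlier in the thread is fine on its own, but the conventional guard is to exclude the challenge path from any site-wide redirect so that the token is served from whichever hostname the CA asked for.

```apache
# Added example, not from the original thread or from Drupal.
# Lives in the site's .htaccess (here assumed to be /opt/bitnami/apache2/htdocs/.htaccess).
<IfModule mod_rewrite.c>
    RewriteEngine On

    # --- Hidden-directory block -------------------------------------------
    # Old form (Drupal 7 before 7.55, from memory): any segment beginning with
    # "." is forbidden, which also matches ".well-known/acme-challenge/<token>"
    # and answers the validator with the 403 page seen in the certbot output.
    #
    #   RewriteRule "(^|/)\." - [F]
    #
    # Corrected form (Drupal 7.55, from memory): still forbid .git, .svn and
    # friends, but let a leading ".well-known/" through. In per-directory
    # context the tested path is relative to this directory, so
    #   ".well-known/acme-challenge/abc"  -> not matched, served
    #   ".git/config"                     -> matched, 403
    #   "sites/default/.htpasswd"         -> matched, 403
    RewriteRule "/\.|^\.(?!well-known/)" - [F]

    # --- Force the www. hostname, but never for the ACME challenge ---------
    # Same intent as the poster's uncommented rules; the extra RewriteCond is
    # the guard. %{ENV:protossl} is the Drupal convention for "s" when HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{HTTP_HOST} .
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
```

Because mod_rewrite per-directory rules are not inherited into a child `<Directory>` block unless `RewriteOptions Inherit` is set, a dedicated `<Directory>` for the acme-challenge path in the vhost config also sidesteps the old rule; fixing the .htaccess itself is still worth doing so the behaviour does not depend on that merging detail.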