Certificate has stopped renewing

Hi,

For the past year I’ve had a cron automatically renew my certificate for me, which has been working fine. However, the last time it tried to renew, an error message was written to the logs. I’ve tried to renew manually and received this:

Attempting to renew cert from /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf produced an unexpected error: Failed authorization procedure. buttercupstraining.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://buttercupstraining.co.uk/.well-known/acme-challenge/h81QmFzIs1xuHOHzU8vlGf3eb_xOnTPOT7u-M7bHCW0: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", www.buttercupstraining.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.buttercupstraining.co.uk/.well-known/acme-challenge/HntDFFQSiYIxsNgZ7u_b8gemIudZ9Ju5f0ggx_DkHC8: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/buttercupstraining.co.uk/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: buttercupstraining.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://buttercupstraining.co.uk/.well-known/acme-challenge/h81QmFzIs1xuHOHzU8vlGf3eb_xOnTPOT7u-M7bHCW0:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   Domain: www.buttercupstraining.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://www.buttercupstraining.co.uk/.well-known/acme-challenge/HntDFFQSiYIxsNgZ7u_b8gemIudZ9Ju5f0ggx_DkHC8:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I’m a bit confused as it has been working fine previously and I’m not sure what to do now. I do have a .well-known folder in my htdocs root but it is currently empty.

Any help would be appreciated. Thanks

HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Jun 2017 11:29:30 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Location: https://buttercupstraining.co.uk/
Content-Length: 241
Content-Type: text/html; charset=iso-8859-1

<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://buttercupstraining.co.uk/">here</a>.</p>
</body></html>

Connection to host lost.

Show your virtual host config file(s)
the part that covers
listen :80

Indeed, he should show the conf for <VirtualHost *:443> and the domain buttercupstraining.co.uk.conf, as both domains (buttercupstraining.co.uk and www.buttercupstraining.co.uk) are being redirected to https://buttercupstraining.co.uk/, so the DocumentRoot for that virtualhost should match the webroot path that he has in /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf for all the domains covered by that renewal conf.

Thanks, my conf file has this

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  ServerName buttercupstraining.co.uk
  Redirect permanent / https://buttercupstraining.co.uk/
  <Directory "/opt/bitnami/apache2/htdocs">
    Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

and

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/buttercupstraining.co.uk/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/buttercupstraining.co.uk/privkey.pem"
  SSLCertificateChainFile "/etc/letsencrypt/live/buttercupstraining.co.uk/chain.pem"

  <Directory "/opt/bitnami/apache2/htdocs">
    Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

The buttercupstraining.co.uk.conf file includes this…

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/buttercupstraining.co.uk/cert.pem
privkey = /etc/letsencrypt/live/buttercupstraining.co.uk/privkey.pem
chain = /etc/letsencrypt/live/buttercupstraining.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/buttercupstraining.co.uk/fullchain.pem
version = 0.12.0
archive_dir = /etc/letsencrypt/archive/buttercupstraining.co.uk

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 62156727b0bb004a6023c692aef38aaf
[[webroot_map]]
buttercupstraining.co.uk = /opt/bitnami/apache2/htdocs
www.buttercupstraining.co.uk = /opt/bitnami/apache2/htdocs

I should also mention that the only thing I can think of that I had changed prior to the certificate not being renewed was in my .htaccess file, where I was trying to make the site always redirect to www.:
I had uncommented these; however, I commented them out again and restarted Apache before I manually tried to renew the certificate to see if that would work, which it didn’t.

# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

TO:

ADD:
location /.well-known/acme-challenge {
allow all;
root /path/to/where/you/want/challenge/files
}

After which, add a text file like:
http://buttercupstraining.co.uk/.well-known/acme-challenge/test.txt
If that is visible from Internet, try to renew.
If not, vhost file needs more work.

Hi - I added that line so it now reads:

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  ServerName buttercupstraining.co.uk
  Redirect permanent / https://buttercupstraining.co.uk/
  location /.well-known/acme-challenge {
    allow all;
    root /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
  }
  <Directory "/opt/bitnami/apache2/htdocs">
    Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

I then created an ‘acme-challenge’ directory and added a test text file, but get a 403 forbidden error. When I restarted Apache this error message displayed:

AH00526: Syntax error on line 12 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
Invalid command 'location', perhaps misspelled or defined by a module not included in the server configuration
apache config test fails, aborting

This looks like a solution for nginx servers, but OP runs Apache…

@rickhumphries do you by any chance have .htaccess files anywhere else inside /opt/bitnami/apache2/htdocs?

Other than the .htaccess file in the root of /opt/bitnami/apache2/htdocs the only other one I can see is at /opt/bitnami/apache2/htdocs/tmp

This is a Drupal installation so this is something I think has always been there

Can you show the output of this command?

namei -l /opt/bitnami/apache2/htdocs/.well-known/acme-challenge

Sure

f: /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
drwxr-xr-x root    root   /
drwxr-xr-x root    root   opt
drwxr-xr-x root    root   bitnami
drwxr-xr-x root    root   apache2
drwxr-xr-x bitnami daemon htdocs
drwxr-xr-x root    root   .well-known
drwxr-xr-x root    root   acme-challenge

maybe order matters.
try
location /.well-known/acme-challenge {
allow all;
root /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
}
Redirect permanent / https://buttercupstraining.co.uk/

OR maybe

Alias /.well-known/acme-challenge/ /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
Redirect permanent / https://buttercupstraining.co.uk/

Looks like Apache should be able to read files from this directory without any issues. So the restriction must come from some configuration file. Iʼm out of ideas for now…

@rg305 see my earlier post, nginx syntax/directives wonʼt work in Apache conf files.

You seem to be using Drupal 7.54… are you aware that Drupal 7.55 was released last week, including a fix to make the supplied default .htaccess compatible with the HTTP-01 challenge?

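The reachability test suggested earlier in the thread (drop a file under /.well-known/acme-challenge/ and fetch it over plain HTTP, following any redirect as the CA does), written up as an added example that is not from any post here. It runs fully offline against a throwaway local server; the token location mirrors where certbot's webroot authenticator writes, and the dot-path-denying handler is a constructed stand-in for the kind of .htaccess rule the reply above refers to, not Drupal's actual rule.

```python
import os
import secrets
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot):
    """Write a random token file where certbot's webroot authenticator puts them."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    token = secrets.token_urlsafe(32)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token

def check_challenge(base_url, token):
    """Fetch the token as the CA would (redirects are followed) and classify the result."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            return "ok" if body == token else f"wrong body served at {resp.geturl()}"
    except urllib.error.HTTPError as e:
        if e.code == 403:
            return "403 forbidden: reachable but denied (dot-directory rule in .htaccess or <Directory>?)"
        if e.code == 404:
            return "404 not found: does webroot_map match the vhost DocumentRoot?"
        return f"http {e.code}"
    except urllib.error.URLError as e:
        return f"connection failed: {e.reason}"

class DotPathDenyingHandler(SimpleHTTPRequestHandler):
    """Constructed stand-in for a rewrite rule that returns 403 for any dot-path."""
    def do_GET(self):
        if "/." in self.path:
            self.send_error(403)
            return
        super().do_GET()

def serve_dir(directory, deny_dotpaths=False):
    """Start a throwaway local server for offline testing; returns (base_url, server)."""
    cls = DotPathDenyingHandler if deny_dotpaths else SimpleHTTPRequestHandler
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(cls, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv
```

Against a real host, call check_challenge("http://example.invalid", place_token("/opt/bitnami/apache2/htdocs")) with your own hostname and DocumentRoot; a 403 means the request reached the right server but a rule denied it, a 404 points at a webroot mismatch.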

Thank you very much for pointing this out. I’ve just updated Drupal core now and this seems to have fixed the issue :slight_smile:

