Certificate has stopped renewing

rickhumphries · June 12, 2017, 11:23am

Hi,

For the past year I’ve had a cron autmatically renew my certificate for me which has been working fine. However, the last time it tried to renew, an error message was written to the logs. I’ve tried to renew manually and received this:

Attempting to renew cert from /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf produced an unexpected error: Failed authorization procedure. buttercupstraining.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://buttercupstraining.co.uk/.well-known/acme-challenge/h81QmFzIs1xuHOHzU8vlGf3eb_xOnTPOT7u-M7bHCW0: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", www.buttercupstraining.co.uk (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.buttercupstraining.co.uk/.well-known/acme-challenge/HntDFFQSiYIxsNgZ7u_b8gemIudZ9Ju5f0ggx_DkHC8: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/buttercupstraining.co.uk/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: buttercupstraining.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://buttercupstraining.co.uk/.well-known/acme-challenge/h81QmFzIs1xuHOHzU8vlGf3eb_xOnTPOT7u-M7bHCW0:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   Domain: www.buttercupstraining.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://www.buttercupstraining.co.uk/.well-known/acme-challenge/HntDFFQSiYIxsNgZ7u_b8gemIudZ9Ju5f0ggx_DkHC8:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I’m a bit confused as it has been working fine previously and I’m not sure what to do now. I do have a .well-known folder in my htdocs root but it is currently empty.

Any help would be appreciated. Thanks

rg305 · June 12, 2017, 11:30am

HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Jun 2017 11:29:30 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Location: https://buttercupstraining.co.uk/
Content-Length: 241
Content-Type: text/html; charset=iso-8859-1

                                              <html><head>
                                                          <title>301 Moved Permanently</title>
                                                                                              </head><body>
                                                                                                           <h1>Moved Permanently</h1>
     <p>The document has moved <a href="https://buttercupstraining.co.uk/">here</a>.</p>
                                                                                        </body></html>

Connection to host lost.

rg305 · June 12, 2017, 11:31am

Show your virtual host config file(s)
the part that covers
listen :80

sahsanu · June 12, 2017, 11:38am

Indeed he should show the conf for <VirtualHost *:443> and domain buttercupstraining.co.uk.conf as both domains ( buttercupstraining.co.uk and www.buttercupstraining.co.uk ) are being redirected to https://buttercupstraining.co.uk/ so the DocumentRoot for that virtualhost should match the webroot path that he has in /etc/letsencrypt/renewal/buttercupstraining.co.uk.conf for all the domains covered by that renewal conf.

rickhumphries · June 12, 2017, 11:55am

Thanks, my conf file has this

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
	ServerName buttercupstraining.co.uk
	Redirect permanent / https://buttercupstraining.co.uk/
  <Directory "/opt/bitnami/apache2/htdocs">
	Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

and

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
  SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/buttercupstraining.co.uk/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/buttercupstraining.co.uk/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/buttercupstraining.co.uk/chain.pem"
            
  <Directory "/opt/bitnami/apache2/htdocs">
    Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
        
  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

The buttercupstraining.co.uk.conf file includes this…

# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/buttercupstraining.co.uk/cert.pem
privkey = /etc/letsencrypt/live/buttercupstraining.co.uk/privkey.pem
chain = /etc/letsencrypt/live/buttercupstraining.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/buttercupstraining.co.uk/fullchain.pem
version = 0.12.0
archive_dir = /etc/letsencrypt/archive/buttercupstraining.co.uk

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 62156727b0bb004a6023c692aef38aaf
[[webroot_map]]
buttercupstraining.co.uk = /opt/bitnami/apache2/htdocs
www.buttercupstraining.co.uk = /opt/bitnami/apache2/htdocs

rickhumphries · June 12, 2017, 11:59am

I should also mention that the only thing I can think that I had changed prior to the certificate not being renewed was in my .htaccess file where I was trying to make the site always redirect to WWW.:
I had uncommented these, however I commented them out again and restarted apache before I manually tried to renew the certificate to see if that would work, which it didn’t.

# To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} .
  # RewriteCond %{HTTP_HOST} !^www\. [NC]
  # RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

rg305 · June 12, 2017, 12:03pm

TO:

ADD:
location /.well-known/acme-challenge {
allow all;
root /path/to/where/you/want/challenge/files
}

afterwhich, add a text file like:
http://buttercupstraining.co.uk/.well-known/acme-challenge/test.txt
If that is visible from Internet, try to renew.
If not, vhost file needs more work.

rickhumphries · June 12, 2017, 12:27pm

Hi - I added that line so it now reads:

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
	ServerName buttercupstraining.co.uk
	Redirect permanent / https://buttercupstraining.co.uk/
	location /.well-known/acme-challenge {
allow all;
root /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
}
  <Directory "/opt/bitnami/apache2/htdocs">
	Options FollowSymLinks MultiViews
    AddLanguage en en
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny                          
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

I then created an ‘acme-challenge’ directory and added a test text file, but get a 403 forbiddon error. When restarted apache this error message displayed:

AH00526: Syntax error on line 12 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
Invalid command 'location', perhaps misspelled or defined by a module not included in the server configuration
apache config test fails, aborting

Nekit · June 12, 2017, 12:27pm

This looks like a solution for nginx servers, but OP runs Apache…

@rickhumphries do you by any chance have .htaccess files anywhere else inside /opt/bitnami/apache2/htdocs?

rickhumphries · June 12, 2017, 12:49pm

Other than the .htaccess file in the root of /opt/bitnami/apache2/htdocs the only other one I can see is at /opt/bitnami/apache2/htdocs/tmp

This is a Drupal installation so this is something I think has always been there

Nekit · June 12, 2017, 1:07pm

Can you show the output of this command?

namei -l /opt/bitnami/apache2/htdocs/.well-known/acme-challenge

rickhumphries · June 12, 2017, 1:09pm

Sure

f: /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
drwxr-xr-x root    root   /
drwxr-xr-x root    root   opt
drwxr-xr-x root    root   bitnami
drwxr-xr-x root    root   apache2
drwxr-xr-x bitnami daemon htdocs
drwxr-xr-x root    root   .well-known
drwxr-xr-x root    root   acme-challenge

rg305 · June 12, 2017, 1:22pm

maybe order matters.
try
location /.well-known/acme-challenge {
allow all;
root /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
}
Redirect permanent / https://buttercupstraining.co.uk/

OR maybe

Alias /.well-known/acme-challenge/ /opt/bitnami/apache2/htdocs/.well-known/acme-challenge
Redirect permanent / https://buttercupstraining.co.uk/

Nekit · June 12, 2017, 1:24pm

Looks like Apache should be able to read files from this directory without any issues. So the restriction must come from some configuration file. Iʼm out of ideas for now…

@rg305 see my earlier post, nginx syntax/directives wonʼt work in Apache conf files.

jmorahan · June 13, 2017, 1:06pm

You seem to be using Drupal 7.54… are you aware that Drupal 7.55 was released last week, including a fix to make the supplied default .htaccess compatible with the HTTP-01 challenge?

rickhumphries · June 19, 2017, 5:29pm

Thank you very much for pointing this out. I’ve just updated Drupal core now and this seems to have fixed the issue

system · July 19, 2017, 5:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.