Certificate renew issue


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gitlab.moneypolo.zone

I ran this command: certbot renew

It produced this output:

Attempting to renew cert (gitlab.moneypolo.zone) from /etc/letsencrypt/renewal/gitlab.moneypolo.zone.conf produced an unexpected error: Failed authorization procedure. gitlab.moneypolo.zone (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [OYslH0QRomuEc_AB5XR3l0uKkXLzrUsHkh66pPEID-0.-OiumeD6NtXT3DHLsdSDEYi_3b_WIIDu44zi1kXW5SE] != [

Page not found

]. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/gitlab.moneypolo.zone/fullchain.pem (failure)

My web server is (include version): nginx

The operating system my web server runs on is (include version): Centos 7 x64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Please show:

  1. the vhost file for “gitlab.moneypolo.zone” using 80
  2. any special handling for “/.well-known/acme-challenge” (if any)
  3. /var/log/letsencrypt/letsencrypt.log
  4. certbot --version
  5. certbot certificates

#3

Hey Rudy,

add 1:

Here is the vhost .conf file located on the rev proxy - mnps0024 is a webserver running LE + GitLab.

<VirtualHost 192.168.3.253:80>
ServerName moneypolo.zone
ServerAlias www.moneypolo.zone

    AssignUserID www_moneypolo.zone vhosts

    ErrorLog  /var/log/httpd/moneypolo.zone-error.log
    CustomLog /var/log/httpd/moneypolo.zone-access.log combined

    HostnameLookups Off
    UseCanonicalName On
    AllowEncodedSlashes On

    ProxyRequests Off
    ProxyPreserveHost On



    <Location /var/www/public/letsencrypt>
            # Restriction
            # include /etc/httpd/IPrestriction/deny.conf
            # include /etc/httpd/IPrestriction/NAME.conf
            ProxyPass http://moneypolo.zone.mnps0024.mnp.local/
            ProxyPassReverse  http://moneypolo.zone.mnps0024.mnp.local/
    </Location>

add 2. No special handling so far

add 3. Here is a log from last renewal

FailedChallenges: Failed authorization procedure. gitlab.moneypolo.zone (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge [OYslH0QRomuEc_AB5XR3l0uKkXLzrUsHkh66pPEID-0.-OiumeD6NtXT3DHLsdSDEYi_3b_WIIDu44zi1kXW5SE] != [

Page not found

]

2018-04-05 11:16:14,630:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-04-05 11:16:14,630:ERROR:certbot.renewal: /etc/letsencrypt/live/gitlab.moneypolo.zone/fullchain.pem (failure)
2018-04-05 11:16:14,631:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in
    load_entry_point('certbot==0.22.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1179, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

add 4 certbot version is 0.22.0
add 5 only for gitlab.moneypolo.zone

Thanks for any help!
Jiri
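
The failure line quoted above already says what the CA asked for and what it received. The following Python script is an added example, not part of the thread and not certbot's own code: it parses that line, rebuilds the http-01 URL that was fetched, and classifies the response body. The function name and verdict labels are invented for this illustration.

```python
import re

# Failure text copied from the certbot output quoted in this thread.
SAMPLE = (
    "Failed authorization procedure. gitlab.moneypolo.zone (http-01): "
    "urn:acme:error:unauthorized :: The client lacks sufficient authorization :: "
    "The key authorization file from the server did not match this challenge "
    "[OYslH0QRomuEc_AB5XR3l0uKkXLzrUsHkh66pPEID-0"
    ".-OiumeD6NtXT3DHLsdSDEYi_3b_WIIDu44zi1kXW5SE] != [\n\nPage not found\n\n]"
)

FAILURE = re.compile(
    r"(?P<domain>\S+) \(http-01\):.*?did not match this challenge "
    r"\[(?P<expected>[^\]]*)\] != \[(?P<got>.*?)\]",
    re.DOTALL,
)
# Key authorization = token "." base64url(SHA-256 account-key thumbprint);
# a 32-byte digest is 43 base64url characters without padding.
KEY_AUTH = re.compile(r"^(?P<token>[A-Za-z0-9_-]+)\.(?P<thumb>[A-Za-z0-9_-]{43})$")


def diagnose(log_text):
    """Describe the first http-01 mismatch in log_text, or return None."""
    m = FAILURE.search(log_text)
    if not m:
        return None
    domain, got = m.group("domain"), m.group("got").strip()
    want = KEY_AUTH.match(m.group("expected"))
    if not want:
        return {"domain": domain, "verdict": "malformed-expected-value"}
    seen = KEY_AUTH.match(got)
    if seen and seen.group("token") == want.group("token"):
        verdict = "same-token-different-account-key"  # file written by another ACME account
    elif seen:
        verdict = "other-challenge-file"  # stale file or a catch-all rule
    else:
        verdict = "not-a-challenge-response"  # error page, redirect body, app 404
    return {
        "domain": domain,
        # URL the CA fetched for this challenge (ACME http-01 well-known path)
        "url": f"http://{domain}/.well-known/acme-challenge/{want.group('token')}",
        "received": got,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

For the log in this thread the verdict is `not-a-challenge-response`: the body returned for the rebuilt URL was a "Page not found" page rather than any key authorization, which is why the handling of `/.well-known/acme-challenge` on the proxy path is the next thing to inspect.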


#4

add 5

Found the following certs:
Certificate Name: gitlab.moneypolo.zone
Domains: gitlab.moneypolo.zone
Expiry Date: 2018-04-19 12:20:41+00:00 (VALID: 13 days)
Certificate Path: /etc/letsencrypt/live/gitlab.moneypolo.zone/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gitlab.moneypolo.zone/privkey.pem


#5

Where is

without that piece of the puzzle it is impossible to complete…

