Certificate renewal: Failed authorization procedure

eigen-value · June 4, 2020, 12:32pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: angel.cenel.it

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert (angel.cenel.it) from /etc/letsencrypt/renewal/angel.cenel.it.conf produced an unexpected error: Failed authorization procedure. angel.cenel.it (http-01): urn:ietf:params:acme:error:una uthorized :: The client lacks sufficient authorization :: Invalid response from http://angel.cenel.it/.well-known/acme-challenge/d4d-kRS6CYAwBoVpq2iYTfKrx5WAnbyAgOs0w6SsmCE [139.162.185.155]: " tml lang=“en”>HTTP Status 404 \u2013 Not Foundbody {font-family:Tahoma", www.angel.cenel.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.angel.cenel.it/.well-known/acme-challenge/wspEUAELBHu-mvWsWsvcXITYRehPch_LwiQb9BilTkg [139.162.185.155]: “<!doctype html><html lang=“en”><ti tle>HTTP Status 404 \u2013 Not Found<style type=“text/css”>body {font-family:Tahoma”. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/angel.cenel.it/fullchain.pem (failure) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/angel.cenel.it/fullchain.pem (failure) ** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 renew failure(s), 0 parse failure(s) IMPORTANT NOTES: - The following errors were reported by the server: Domain: angel.cenel.it Type: unauthorized Detail: Invalid response from http://angel.cenel.it/.well-known/acme-challenge/d4d-kRS6CYAwBoVpq2iYTfKrx5WAnbyAgOs0w6SsmCE [139.162.185.155]: “<!doctype html><html lang=“en”>HTTP Status 404 – Not Found<style type=“text/css”>body {font-family:Tahoma” Domain: www.angel.cenel.it Type: unauthorized Detail: Invalid response from http://www.angel.cenel.it/.well-known/acme-challenge/wspEUAELBHu-mvWsWsvcXITYRehPch_LwiQb9BilTkg [139.162.185.155]: “<!doctype html><html lang=“en”>HTTP Status 404 – Not Found<style type=“text/css”>body {font-family:Tahoma” To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: aruba.it

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

rg305 · June 4, 2020, 6:02pm

Please show this file:
/etc/letsencrypt/renewal/angel.cenel.it.conf

And also, the output of this command:
apachectl -S

eigen-value · June 4, 2020, 6:11pm

Hi, thanks for the response

/etc/letsencrypt/renewal/angel.cenel.it.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/angel.cenel.it
cert = /etc/letsencrypt/live/angel.cenel.it/cert.pem
privkey = /etc/letsencrypt/live/angel.cenel.it/privkey.pem
chain = /etc/letsencrypt/live/angel.cenel.it/chain.pem
fullchain = /etc/letsencrypt/live/angel.cenel.it/fullchain.pem

Options used in the renewal process

[renewalparams]
installer = apache
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
account = 37b6ea7c2efd2f5257b116ab2e8a45f1

apachectl -S
AH00112: Warning: DocumentRoot [/opt/tomcat/webapps/ROOT] does not exist
AH00526: Syntax error on line 36 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/angel.cenel.it/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

rg305 · June 4, 2020, 6:13pm

Well that is a BIG sign.

Let's have a look at this file:

Also, this may be a key component to this problem:

eigen-value · June 4, 2020, 6:16pm

It is a big sign indeed, but DocumentRoot exists and .conf file is not empty here is the content:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.

        ServerName angel.cenel.it
        ServerAlias www.angel.cenel.it
        DocumentRoot /opt/tomcat/webapps/ROOT
        # DocumentRoot /var/www/html

        JKMount /* ajp13_worker

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/angel.cenel.it/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/angel.cenel.it/privkey.pem

        RewriteEngine on
        RewriteRule ^/$ /app [R]

</VirtualHost>
</IfModule>

rg305 · June 4, 2020, 6:19pm

The post is mostly unreadable.
Please EDIT IT and add lines above and below it as follows:

```
your posted text
```

eigen-value · June 4, 2020, 6:20pm

thanks I was trying to…

rg305 · June 4, 2020, 6:22pm

eigen-value · June 4, 2020, 6:23pm

I did it… now I think it’s readable

rg305 · June 4, 2020, 6:25pm

Let’s have a look at this included file:
/etc/letsencrypt/options-ssl-apache.conf

And let’s be sure these files exist:
SSLCertificateFile /etc/letsencrypt/live/angel.cenel.it/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/angel.cenel.it/privkey.pem
with this:
ls -l /etc/letsencrypt/live/angel.cenel.it/

eigen-value · June 4, 2020, 6:27pm

here it is

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES$
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

rg305 · June 4, 2020, 6:29pm

That looks default/standard.

Show:
ls -l /etc/letsencrypt/live/angel.cenel.it/
certbot certificates

eigen-value · June 4, 2020, 6:29pm

sudo ls -l /etc/letsencrypt/live/angel.cenel.it/
total 4
lrwxrwxrwx 1 root root 38 Jan 24 10:11 cert.pem -> …/…/archive/angel.cenel.it/cert1.pem
lrwxrwxrwx 1 root root 39 Jan 24 10:11 chain.pem -> …/…/archive/angel.cenel.it/chain1.pem
lrwxrwxrwx 1 root root 43 Jan 24 10:11 fullchain.pem -> …/…/archive/angel.cenel.it/fullchain1.pem
lrwxrwxrwx 1 root root 41 Jan 24 10:11 privkey.pem -> …/…/archive/angel.cenel.it/privkey1.pem
-rw-r–r-- 1 root root 692 Jan 24 10:11 README

eigen-value · June 4, 2020, 6:29pm

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/angel.cenel.it/cert.pem is unknown

Found the following certs:
Certificate Name: angel.cenel.it
Domains: angel.cenel.it www.angel.cenel.it
Expiry Date: 2020-04-23 08:11:12+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/angel.cenel.it/fullchain.pem
Private Key Path: /etc/letsencrypt/live/angel.cenel.it/privkey.pem

rg305 · June 4, 2020, 6:30pm

So far, so good(ish).
Let’s see:
certbot certificates

eigen-value · June 4, 2020, 6:30pm

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/angel.cenel.it/cert.pem is unknown

Found the following certs:
Certificate Name: angel.cenel.it
Domains: angel.cenel.it www.angel.cenel.it
Expiry Date: 2020-04-23 08:11:12+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/angel.cenel.it/fullchain.pem
Private Key Path: /etc/letsencrypt/live/angel.cenel.it/privkey.pem

rg305 · June 4, 2020, 6:32pm

OK then only thing that looks somewhat out-of-place is:
RewriteEngine on
RewriteRule ^/$ /app [R]

If you can save that entire file as a backup, replace it with this (as a test):

<VirtualHost *:443>
        ServerName angel.cenel.it
        ServerAlias www.angel.cenel.it
        DocumentRoot /opt/tomcat/webapps/ROOT
        # DocumentRoot /var/www/html

        JKMount /* ajp13_worker

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/angel.cenel.it/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/angel.cenel.it/privkey.pem

        #RewriteEngine on
        #RewriteRule ^/$ /app [R]
</VirtualHost>

rg305 · June 4, 2020, 6:39pm

OR:

<VirtualHost *:443>
        ServerName angel.cenel.it
        ServerAlias www.angel.cenel.it
        DocumentRoot /opt/tomcat/webapps/ROOT
        # DocumentRoot /var/www/html

        JKMount /* ajp13_worker

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/angel.cenel.it/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/angel.cenel.it/privkey.pem

        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
        RewriteRule ^/$ /app [R]
</VirtualHost>

eigen-value · June 4, 2020, 8:14pm

I tried both, then I tried removing all the rwrite rules in the port 80 Vhost as well. Restarted apache and tomcat then tried a dry-run but the output didn’t change…

eigen-value · June 4, 2020, 9:18pm

I solved the problem finally. It was a mod_jk problem.
I removed the JKMount directive and used mod_proxy instead