Certificate renewal fails


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
bulgarische-feinkost.de, liebe-und-ferien.de, pszn.de, uzi77.de, www.bulgarische-feinkost.de, www.liebe-und-ferien.de, www.pszn.de and some more but I’m not allowed to post all (30 in total, but subdomains of the listed ones)

I ran this command:
certbot renew

It produced this output:
Domain: bulgarische-feinkost.de
Type: unauthorized
Detail: Invalid response from
http://bulgarische-feinkost.de/.well-known/acme-challenge/gdv3JiNgvbS4b-vK-7idUZrZmSdz5OV7Ppd3X3q8mAU:
“\n\n403 Forbidden\n\n Forbidden \n<p”

Domain: www.bulgarische-feinkost.de
Type: unauthorized
Detail: Invalid response from
http://www.bulgarische-feinkost.de/.well-known/acme-challenge/JecTUtrnVbncr0PAqDpB443FfZgxKKdDQ6IWJj8Hcow:
“\n\n403 Forbidden\n\n Forbidden \n<p”

… and so on

My web server is (include version):
apache 2.4.37

The operating system my web server runs on is (include version):
Ubuntu 16.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

After upgrading to certbot 0.28.0 the renewal doesn’t work anymore. I have been using this setup since September 2017 without any problems. So I guess the last update broke the operation of the renewal process?


#2

Hi @UZi02

perhaps you have used tls-sni-01 validation. But this method is deprecated, support ends 2019-02-13:

So Certbot uses the apache authenticator and fails.

But I see, you have already tested your domain with my tool - https://check-your-website.server-daten.de/?q=bulgarische-feinkost.de

There is a 404, not a 403.

So webroot should work, webroot as authenticator (-a), apache as installer (-i).


But: You have 30 domain names. So you must define a lot of -w parameters if you want one certificate with 30 domain names.

certbot run -a webroot -i apache -w /var/www/example -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net

Or you split your certificate, so you have one certificate with www.bulgarische-feinkost.de + bulgarische-feinkost.de, the next certificate with the next main domain etc.


#3

With

I get the following error:

Waiting for verification...
Cleaning up challenges
Failed authorization procedure. blog.liebe-und-ferien.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.liebe-und-ferien.de/.well-known/acme-challenge/J0rZWm9eHEHVZjU2nV-PZVl3X6VE2BiLCyQ3PJ7ikKk: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blog.liebe-und-ferien.de
   Type:   unauthorized
   Detail: Invalid response from
   http://blog.liebe-und-ferien.de/.well-known/acme-challenge/J0rZWm9eHEHVZjU2nV-PZVl3X6VE2BiLCyQ3PJ7ikKk:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

So it seems to use http-01 validation instead of tls-sni-01.

What else can I try?


#4

That can’t work. You need all parameters.

This domain has a different setting. Checking /.well-known/acme-challenge, there is a redirect to https, then a connection closed:

https://blog.liebe-und-ferien.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -8 0.323 W
ConnectionClosed - The request was aborted: The connection was closed unexpectedly.

Your first domain has no redirect, /.well-known/acme-challenge/1234 answers with a simple http status 404.


#5

So the dialogue after
certbot run -a webroot -i apache
is not sufficient?

Where does this setting come from? Where do I have to add this and how? Isn’t that done by the certbot program?

Best regards


#6

So the 403 and 404 errors came from insufficient access rights on the folder /var/lib/letsencrypt which could only be accessed by root. After chmod 755 to this folder I get closer. But now I have to wait because I tried too much today and exceeded the rate limit.
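An added example (not from this thread or from certbot) that covers two points raised above: building the per-webroot `-w`/`-d` argument list described in #2, and checking that the challenge directory is actually traversable by the web server, the cause of the 403 found in #6. The domain-to-webroot map and the `/var/www/...` paths are constructed, hypothetical values; GNU `stat` (Linux) is assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Two helpers for certbot webroot mode:
#  1. build_webroot_args: turns a "webroot domain..." map into the -w/-d
#     argument list that -a webroot needs (one -w per document root).
#  2. check_path_traversable: verifies that every directory component from a
#     challenge directory up to a given top is executable by "other", which is
#     what the web server needs in order not to answer 403 as in the thread.
# Assumes GNU stat (Linux). Paths below are constructed, hypothetical values.
set -eu

# Read lines of the form "<webroot> <domain> [<domain> ...]" from stdin and
# print the matching certbot arguments, e.g.
#   -w /var/www/a -d www.a.test -d a.test -w /var/www/b -d b.test
build_webroot_args() {
  local args="" webroot doms d
  while read -r webroot doms; do
    [ -z "$webroot" ] && continue
    args="$args -w $webroot"
    for d in $doms; do
      args="$args -d $d"
    done
  done
  printf '%s\n' "${args# }"
}

# Walk from $1 up to (not including) $2, default "/"; fail on the first
# component whose "other" permission digit lacks the execute bit (1, 3, 5, 7).
check_path_traversable() {
  local d="$1" top="${2:-/}" mode
  [ -d "$d" ] || { echo "MISSING $d"; return 1; }
  while [ "$d" != "$top" ] && [ "$d" != "/" ]; do
    mode=$(stat -c '%a' "$d")
    case "$mode" in
      *[1357]) ;;
      *) echo "FAIL $d has mode $mode (no o+x): web server will answer 403"; return 1 ;;
    esac
    d=$(dirname "$d")
  done
  echo "OK $1 is traversable below $top"
}

# Stand-alone demo with a constructed map; prints the certbot argument list.
printf '/var/www/bulgarische-feinkost www.bulgarische-feinkost.de bulgarische-feinkost.de\n' | build_webroot_args
```

Run `check_path_traversable` against each webroot's `.well-known/acme-challenge` directory (or against the directory the apache plugin uses) before `certbot run`, so a permission problem surfaces locally instead of as a failed authorization that counts against the rate limit.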


#7

You can use the test system. Add --test-cert and certonly, so there is no installation.

The test system has its own (higher) rate limits.


#8

So everything’s fine now. I’ve split the certificates as you suggested in your first post.

But it seems that with certbot 0.28.0 the mentioned folder was set with insufficient access rights.

Many thanks for your patience (I have seen a lot of renewal failure topics here) and help!


#9

Happy to read that. Yep, now

CN=bulgarische-feinkost.de
	11.01.2019
	11.04.2019
	bulgarische-feinkost.de, m2.bulgarische-feinkost.de, www.bulgarische-feinkost.de - 3 entries

it’s better. Too many different domains, too many reasons something may not work.

