Certificate renewal is failing with missing /

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bearclawats.com

I ran this command: certbot renew --dry-run

It produced this output: https://bearclawats.com.well-known/acme-challenge/cDzHn93U7YHOkxj9JW2X76g4JHf_lwGLYq0_UWwN_FI:
Invalid host in redirect target "bearclawats.com.well-known". Check
webserver config for missing '/' in redirect target.

My web server is (include version): Apache 2.4.6-97

The operating system my web server runs on is (include version): Centos 7.9-2009

My hosting provider, if applicable, is: liquidweb

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot-1.11.0

I have 2 more servers with different domains and all servers seem to be affected, but the weird thing is it has been working fine until recently.

I try to fix the missing / issue and I get a new error.

The missing slash is produced during the redirection of the original HTTP request.
Please show the output of:
sudo apachectl -S

Sure thing, here it is:

*:80 bearclawats.com (/etc/httpd/conf/httpd.conf:354)
*:443 is a NameVirtualHost
default server prod.bearclaw.io (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost prod.bearclaw.io (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost bearclawats.com (/etc/httpd/conf/httpd.conf:366)
alias www.bearclawats.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Please show this file:
[we should find the broken redirection there - or in an .htaccess file (if used)]

As an aside:

Is in desperate need of an update!

Here you go.

<VirtualHost *:80>
    ServerName bearclawats.com
    ServerAlias www.bearclawats.com
    Redirect 301 / "https://bearclawats.com"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =bearclaw.io [OR]
    RewriteCond %{SERVER_NAME} =www.bearclaw.io
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    RewriteCond %{SERVER_NAME} =bearclawats.com [OR]
    RewriteCond %{SERVER_NAME} =www.bearclawats.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName bearclawats.com
    ServerAlias www.bearclawats.com
    ErrorLog /var/log/httpd/bearclawats.com-error.log
    LogLevel crit
    CustomLog /var/log/httpd/bearclawats.com-access.log "combined"
    DocumentRoot /var/www/html
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/bearclawats.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bearclawats.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/bearclawats.com/chain.pem
</VirtualHost>

This is broken (missing "/" after .com):

and it precedes (and overrides) this whole section:

I would just delete the first line.

The redirect 301 line?

Yes, you can safely delete it.
Then restart or reload Apache.

OK let me try that and see what happens.

These three lines also serve no purpose here (and would never be used):

Interesting. I believe they were added when I originally ran certbot --apache, if I remember correctly.

There must have been a copy/paste, or copy file to new name, because the names compared don't match the server names used right above it - certbot would never have done that.

Can't ever match:

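To make the two diagnoses above concrete (the Redirect target that is missing its trailing "/", and the RewriteCond lines that can never match), here is an added example in Python that is not part of the thread. It reads a constructed copy of the posted port-80 vhost, simulates how mod_alias's Redirect builds the target for the ACME challenge path (the matched URL-path prefix is replaced by the target and the remainder is appended verbatim, which is exactly how "bearclawats.com" becomes "bearclawats.com.well-known/..."), flags Redirect targets that are an absolute URL with no path, and lists RewriteCond hostnames that the vhost does not serve. The directive parsing is a minimal reading of the lines shown, not Apache's own parser, and the challenge token is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the port-80 vhost posted in the thread (only the directives relevant here).
VHOST_80 = """\
<VirtualHost *:80>
    ServerName bearclawats.com
    ServerAlias www.bearclawats.com
    Redirect 301 / "https://bearclawats.com"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =bearclaw.io [OR]
    RewriteCond %{SERVER_NAME} =www.bearclaw.io
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    RewriteCond %{SERVER_NAME} =bearclawats.com [OR]
    RewriteCond %{SERVER_NAME} =www.bearclawats.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

# Placeholder challenge path; the real token is issued by the ACME server.
ACME_PATH = "/.well-known/acme-challenge/TOKEN"


def parse_vhost(text):
    """Return (served_names, redirects, rewrite_cond_hosts) from one vhost block.

    Minimal parser for the directives used in the thread: ServerName/ServerAlias,
    Redirect [status] URL-path URL, and RewriteCond %{SERVER_NAME} =host.
    """
    names, redirects, cond_hosts = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("servername", "serveralias"):
            names.extend(parts[1:])
        elif directive == "redirect":
            args = [a.strip('"') for a in parts[1:]]
            # Optional status argument (301, permanent, temp, ...).
            if args and (args[0].isdigit() or args[0] in ("permanent", "temp", "seeother", "gone")):
                args = args[1:]
            if len(args) == 2:
                redirects.append((args[0], args[1]))
        elif directive == "rewritecond":
            m = re.match(r"%\{SERVER_NAME\}\s+=(\S+)", " ".join(parts[1:]))
            if m:
                cond_hosts.append(m.group(1))
    return names, redirects, cond_hosts


def apply_redirect(url_path, target, request_path):
    """mod_alias Redirect semantics: replace the matched URL-path prefix with the target
    and append the rest of the request path unchanged. Returns None if the prefix does not match."""
    if not request_path.startswith(url_path):
        return None
    return target + request_path[len(url_path):]


def missing_slash_redirects(redirects):
    """Flag Redirect targets that are an absolute URL with no path while the source ends in '/'.
    Returns (url_path, target, corrected_target) tuples."""
    bad = []
    for url_path, target in redirects:
        u = urlsplit(target)
        if url_path.endswith("/") and u.scheme and u.netloc and not u.path:
            bad.append((url_path, target, target + "/"))
    return bad


def dead_rewrite_conds(names, cond_hosts):
    """RewriteCond %{SERVER_NAME} =host can only be true for a name this vhost serves."""
    served = {n.lower() for n in names}
    return [h for h in cond_hosts if h.lower() not in served]


if __name__ == "__main__":
    names, redirects, conds = parse_vhost(VHOST_80)
    for url_path, target in redirects:
        print("ACME request redirects to:", apply_redirect(url_path, target, ACME_PATH))
    for url_path, target, fixed in missing_slash_redirects(redirects):
        print(f'Broken:  Redirect 301 {url_path} "{target}"')
        print(f'Fixed:   Redirect 301 {url_path} "{fixed}"')
    for host in dead_rewrite_conds(names, conds):
        print("RewriteCond can never match in this vhost:", host)
```

Run against the posted vhost, the redirect simulation reproduces the invalid host "bearclawats.com.well-known" that certbot reported, the checker suggests `"https://bearclawats.com/"` as the corrected target (or deleting the line, as advised above, so the RewriteRule does the job), and the two `bearclaw.io` conditions are reported as unreachable because the vhost only serves `bearclawats.com` and `www.bearclawats.com`.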
Oh, I remember: bearclaw.io and www.bearclaw.io used to live on that server and I moved them.

So what I did was comment out the lines you mentioned and reload httpd, and now I receive the error below. FYI, prod.bearclaw.io is the main hostname, and I run webmin with letsencrypt.

IMPORTANT NOTES:

That is better - the missing "/" has been removed.

But there is no HTTP vhost found for: prod.bearclaw.io

Ok, now I am trying to fix that error, but I am very curious why it broke all of a sudden and on all 3 servers that have a similar config but different domain names.

I don't have prod.bearclaw.io in Apache, because I am just using that hostname for webmin.