Certificate renewal is failing with missing /

No, the only thing on port 443 on that server is bearclawats.com; prod.bearclaw.io is just being used for server management.

It's been working. Originally, when I set it all up, I followed steps I found online, and I had a similar config running when it was located at a different host.

I'll take that as a no (not on port 443).
That simplifies things (a bit).

hmm...


Correct, a no on port 443, as webmin runs on 10000; if anything, I would have pointed that to the main site.

OK, let's re-review the base (catch all) HTTP vhost config file.
Show:

<VirtualHost *:80>
    ServerName bearclawats.com
    ServerAlias www.bearclawats.com
    # Redirect 301 / "https://bearclawats.com/"
    RewriteEngine on
    # RewriteCond %{SERVER_NAME} =bearclaw.io [OR]
    # RewriteCond %{SERVER_NAME} =www.bearclaw.io
    # RewriteCond %{SERVER_NAME} =bearclawats.com [OR]
    # RewriteCond %{SERVER_NAME} =www.bearclawats.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

OK, we need to exclude the challenge requests from being redirected, as not all names will have an HTTPS site to deal with them.
So for that let's replace that section in the config with:

<VirtualHost *:80>
  DocumentRoot /some/unique/path
  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>
</VirtualHost>

Note: You must create that unique path with:
mkdir /whatever/path/you/chose/


DocumentRoot is the main /var/www/html; also, the DocumentRoot is specified in this line:

<VirtualHost *:443>
    ServerName bearclawats.com
    ServerAlias www.bearclawats.com
    ErrorLog /var/log/httpd/bearclawats.com-error.log
    LogLevel crit
    CustomLog /var/log/httpd/bearclawats.com-access.log "combined"
    DocumentRoot /var/www/html
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/bearclawats.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bearclawats.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/bearclawats.com/chain.pem
</VirtualHost>

Please don't use that path - make a new one just to handle any /.well-known/acme-challenge/ requests.
[for security reasons]
Can be:
/var/tmp/useless
/tmp/unused
/new/path/for/challenges


ok, I can do that

The point of this part of the exercise is to have the HTTP vhost config redirect all traffic to HTTPS.
Except the challenge requests, and they will go to wherever the DocumentRoot directs them (but only them).


Once updated, try another --dry-run


I did and ran httpd reload, same error about prod.bearclaw.io.

Please show the error; my mind can only remember so much...
Understand that I'm also working on another ticket and handling several server tasks unrelated to this site.


Sorry about that.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bearclawats.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for bearclawats.com and www.bearclawats.com
Performing the following challenges:
http-01 challenge for bearclawats.com
http-01 challenge for www.bearclawats.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/bearclawats.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prod.bearclaw.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for prod.bearclaw.io
Performing the following challenges:
http-01 challenge for prod.bearclaw.io
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain prod.bearclaw.io
http-01 challenge for prod.bearclaw.io
Cleaning up challenges
Failed to renew certificate prod.bearclaw.io with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/bearclawats.com/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: prod.bearclaw.io
   Type:   unauthorized
   Detail: Invalid response from
   http://prod.bearclaw.io/.well-known/acme-challenge/7lPPuTmbZQp6t0pjpXKkj8W_oh_Xae6Ez_obMg5F7IQ
   [67.227.170.190]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

OK, let's test the DocumentRoot out.

I see that it didn't get redirected (so that's good):

Please place a test file in the expected challenge location.
Which is done with (I hope you understand my syntax):
echo "test file" > {/the/path/you/made}/.well-known/acme-challenge/test-file-1234

Note: You may need to create the two subdirectories.
If so, you can do so with:
mkdir {/the/path/you/made}/.well-known/
mkdir {/the/path/you/made}/.well-known/acme-challenge/

Then we can try accessing that file with:
http://prod.bearclaw.io/.well-known/acme-challenge/test-file-1234

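An added helper (mine, not from the thread) that sets up the dedicated challenge DocumentRoot described above, drops the test token into it, and checks that the httpd user can actually reach the file through every directory on the way; the /var/tmp/useless path and the token name are constructed placeholders from the thread's own suggestions.

```shell
#!/bin/sh
# Added example, not from the thread: build the dedicated challenge
# DocumentRoot recommended above, write a test token into it, and verify
# that every path component is accessible to "other", which is how the
# httpd user sees it. A directory without o+x or a file without o+r is
# one plain cause of the 403 Forbidden seen in the thread.
# The path and token name below are constructed; use your own.

# Create <root>/.well-known/acme-challenge with world-traversable dirs.
make_challenge_root() {
    root=$1
    mkdir -p "$root/.well-known/acme-challenge" || return 1
    chmod 755 "$root" "$root/.well-known" "$root/.well-known/acme-challenge"
}

# Write a world-readable test token, like the echo in the reply above.
write_test_token() {
    root=$1; name=$2
    printf 'test file\n' > "$root/.well-known/acme-challenge/$name" || return 1
    chmod 644 "$root/.well-known/acme-challenge/$name"
}

# Return 0 if "other" can reach the file: each directory on the way needs
# the execute bit (x, or t when sticky) and the file itself the read bit.
# Reads ls -ld rather than using test -r/-x, which always succeed for root.
challenge_path_readable() {
    p=$1
    case "$p" in /*) ;; *) p="$PWD/$p" ;; esac
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        mode=$(ls -ld "$p" | cut -c1-10)   # e.g. drwxr-xr-x
        case "$mode" in
            d*) case "$(printf %s "$mode" | cut -c10)" in
                    x|t) ;;
                    *) echo "not traversable by other: $p ($mode)" >&2; return 1 ;;
                esac ;;
            *)  [ "$(printf %s "$mode" | cut -c8)" = r ] ||
                    { echo "not readable by other: $p ($mode)" >&2; return 1; } ;;
        esac
        p=$(dirname "$p")
    done
    return 0
}

# Usage with a constructed path (one of the thread's suggestions):
#   make_challenge_root /var/tmp/useless
#   write_test_token /var/tmp/useless test-file-1234
#   challenge_path_readable /var/tmp/useless/.well-known/acme-challenge/test-file-1234
```

On a CentOS host like the one in the thread, correct modes are not the whole story: the stock httpd.conf denies access to `/` with `Require all denied`, so a DocumentRoot outside /var/www needs its own `<Directory>` block granting access, and an SELinux label that httpd cannot read (check with `ls -Z`) produces the same 403.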

Ok I have to fix the permissions, give me a sec because I am getting a forbidden.

I'm still getting a forbidden.

That was unexpected:



That's weird.

Yeah a rare occasion.

I'm still seeing 403 forbidden as well.

curl -Iki http://prod.bearclaw.io/.well-known/acme-challenge/test-file-1234
HTTP/1.1 403 Forbidden
Date: Thu, 29 Jul 2021 05:41:57 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.29
Content-Type: text/html; charset=iso-8859-1