Any thoughts?
Way too many...
About this:
Make sure you added a <directory> section that allows everyone access to the newly created path.
Ok the test file works now, but I think I need to redo the certificate for webmin.
Slow and steady progress.
Retry the --dry-run
I did and it still failed with the below error
```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bearclawats.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for bearclawats.com and www.bearclawats.com
Performing the following challenges:
http-01 challenge for bearclawats.com
http-01 challenge for www.bearclawats.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/bearclawats.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prod.bearclaw.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for prod.bearclaw.io
Performing the following challenges:
http-01 challenge for prod.bearclaw.io
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain prod.bearclaw.io
http-01 challenge for prod.bearclaw.io
Cleaning up challenges
Failed to renew certificate prod.bearclaw.io with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
/etc/letsencrypt/live/bearclawats.com/fullchain.pem (success)
The following simulated renewals failed:
/etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: prod.bearclaw.io
Type: unauthorized
Detail: Invalid response from
http://prod.bearclaw.io/.well-known/acme-challenge/7srmlufeGn3ZAwKvBuY6SIs6XbvfWgeLBeHfpg92usI
[]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
Did you use --webroot to obtain the cert?
Please show this file:
/etc/letsencrypt/renewal/prod.bearclaw.io.conf
No, webmin has a menu in the config to obtain the cert.

```ini
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/prod.bearclaw.io
cert = /etc/letsencrypt/live/prod.bearclaw.io/cert.pem
privkey = /etc/letsencrypt/live/prod.bearclaw.io/privkey.pem
chain = /etc/letsencrypt/live/prod.bearclaw.io/chain.pem
fullchain = /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 71a50be4990a0dc15bcc7672118694cd
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
rsa_key_size = 2048
webroot_path = /var/lib/letsencrypt,
[[webroot_map]]
```
Remove the last two lines:
and also remove the line:
and retry the --dry-run
Here is the error I received.

```text
Processing /etc/letsencrypt/renewal/prod.bearclaw.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/prod.bearclaw.io.conf does not specify an authenticator. Skipping.
```
Lovely...
Please show the file:
```ini
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/prod.bearclaw.io
cert = /etc/letsencrypt/live/prod.bearclaw.io/cert.pem
privkey = /etc/letsencrypt/live/prod.bearclaw.io/privkey.pem
chain = /etc/letsencrypt/live/prod.bearclaw.io/chain.pem
fullchain = /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 71a50be4990a0dc15bcc7672118694cd
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
# authenticator = webroot
rsa_key_size = 2048
# webroot_path = /var/lib/letsencrypt,
# [[webroot_map]]
```
That was the prod renewal file.
Please show the other renewal file.
[and when I said remove I meant remove - not rem out - certbot will put back whatever it needs]
Oh sorry, here you go.

```ini
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/bearclawats.com
cert = /etc/letsencrypt/live/bearclawats.com/cert.pem
privkey = /etc/letsencrypt/live/bearclawats.com/privkey.pem
chain = /etc/letsencrypt/live/bearclawats.com/chain.pem
fullchain = /etc/letsencrypt/live/bearclawats.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 71a50be4990a0dc15bcc7672118694cd
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
```
That is what we need in the other file.
Anywhere below "[renewalparams]".
I changed the authenticator that I commented out and it worked.
What worked [exactly]?
OK I see:

```text
curl http://prod.bearclaw.io/.well-known/acme-challenge/test-file-1234
test file
```
Retry the --dry-run
Changing the authenticator from webroot to apache in the prod.bearclaw.io.conf file and then doing an httpd reload.
I had already fixed the forbidden issue by adding the directory entry, but then the other error cleared by changing the authenticator like you suggested.
So did the --dry-run succeed?
Are all your certs up-to-date?
Yes, that is what I meant by "it worked"; sorry for the lack of clarity, it's late where I am.
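To make the two failure modes in this thread checkable before running another --dry-run (the "does not specify an authenticator. Skipping." case, and a webroot lineage that has no path for a domain), here is an added Python checker; it is not certbot's code and not from the thread. The sample renewal file is constructed to mirror the commented-out prod.bearclaw.io.conf above, and the token path/URL layout follows the http-01 URL shown in the log, so the result can be curled the way the test file was.

```python
# Constructed to mirror the thread's prod.bearclaw.io.conf after its lines were commented out.
SKIPPED_CONF = """\
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
# authenticator = webroot
# webroot_path = /var/lib/letsencrypt,
# [[webroot_map]]
"""

def parse_renewal_conf(text):
    """Minimal reader for certbot's configobj-style renewal file; returns
    ([renewalparams] dict, [[webroot_map]] dict). A commented-out key is absent."""
    params, webroot_map, current = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[renewalparams]":
            current = params
        elif line == "[[webroot_map]]":
            current = webroot_map
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return params, webroot_map

def split_list(value):
    """configobj writes a one-element list as 'a,'; drop the empty tail."""
    return [p.strip() for p in value.split(",") if p.strip()]

def lint_renewal_conf(text, domains):
    """Return the problems a renewal of `domains` would hit; [] means none found."""
    params, webroot_map = parse_renewal_conf(text)
    auth = params.get("authenticator")
    if not auth:
        return ["no authenticator in [renewalparams]; certbot skips this lineage"]
    if auth != "webroot":
        return []  # the apache/nginx plugins serve the token themselves
    defaults = split_list(params.get("webroot_path", ""))
    return [f"{d}: webroot authenticator but no webroot path for this domain"
            for d in domains if not (webroot_map.get(d) or defaults)]

def challenge_locations(text, domains, token):
    """Per domain: the file certbot would write and the URL the CA fetches, so a
    test file can be placed and curled (as in the thread) before a --dry-run."""
    params, webroot_map = parse_renewal_conf(text)
    defaults = split_list(params.get("webroot_path", ""))
    return {d: (f"{(webroot_map.get(d) or defaults[0]).rstrip('/')}/.well-known/acme-challenge/{token}",
                f"http://{d}/.well-known/acme-challenge/{token}") for d in domains}
```

Run `lint_renewal_conf` over each file in /etc/letsencrypt/renewal first; only lineages that pass with `authenticator = webroot` need the curl check from `challenge_locations`.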