Certificate renewal is failing with missing /

Any thoughts?

Way too many...

About this:
Make sure you added a <directory> section that allows everyone access to the newly created path.


OK, the test file works now, but I think I need to redo the certificate for webmin.

Slow and steady progress.

Retry the --dry-run


I did and it still failed with the below error

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bearclawats.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for bearclawats.com and www.bearclawats.com
Performing the following challenges:
http-01 challenge for bearclawats.com
http-01 challenge for www.bearclawats.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/bearclawats.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/prod.bearclaw.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating renewal of an existing certificate for prod.bearclaw.io
Performing the following challenges:
http-01 challenge for prod.bearclaw.io
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain prod.bearclaw.io
http-01 challenge for prod.bearclaw.io
Cleaning up challenges
Failed to renew certificate prod.bearclaw.io with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/bearclawats.com/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: prod.bearclaw.io
   Type:   unauthorized
   Detail: Invalid response from
   http://prod.bearclaw.io/.well-known/acme-challenge/7srmlufeGn3ZAwKvBuY6SIs6XbvfWgeLBeHfpg92usI
   []: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

Did you use --webroot to obtain the cert?

Please show this file:
/etc/letsencrypt/renewal/prod.bearclaw.io.conf


No, Webmin has a menu in the config to obtain the cert.

```
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/prod.bearclaw.io
cert = /etc/letsencrypt/live/prod.bearclaw.io/cert.pem
privkey = /etc/letsencrypt/live/prod.bearclaw.io/privkey.pem
chain = /etc/letsencrypt/live/prod.bearclaw.io/chain.pem
fullchain = /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 71a50be4990a0dc15bcc7672118694cd
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
rsa_key_size = 2048
webroot_path = /var/lib/letsencrypt,
[[webroot_map]]
```

Remove the last two lines:

and also remove the line:

and retry the --dry-run


Here is the error I received.

```
Processing /etc/letsencrypt/renewal/prod.bearclaw.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/prod.bearclaw.io.conf does not specify an authenticator. Skipping.
```

Lovely...
Please show the file:

```
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/prod.bearclaw.io
cert = /etc/letsencrypt/live/prod.bearclaw.io/cert.pem
privkey = /etc/letsencrypt/live/prod.bearclaw.io/privkey.pem
chain = /etc/letsencrypt/live/prod.bearclaw.io/chain.pem
fullchain = /etc/letsencrypt/live/prod.bearclaw.io/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 71a50be4990a0dc15bcc7672118694cd
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
# authenticator = webroot
rsa_key_size = 2048
# webroot_path = /var/lib/letsencrypt,
# [[webroot_map]]
```

That was the prod renewal file.
Please show the other renewal file.

[and when I said remove I meant remove - not rem out - certbot will put back whatever it needs]

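The two problems the replies above point at (a webroot lineage whose `[[webroot_map]]` is empty and whose `webroot_path` carries a trailing comma, and an authenticator that was commented out rather than removed, which certbot reads as "no authenticator" and skips) can be caught before running `--dry-run`. The following is an added example, not code from certbot or from anyone in this thread; it parses the renewal file with a minimal hand-written reader of certbot's configobj-style layout, and the sample contents are constructed from the prod.bearclaw.io.conf shown above with the account id replaced by a placeholder.

```python
"""Lint a certbot renewal config for the failure modes seen in this thread:
no authenticator under [renewalparams] (certbot skips the lineage), a webroot_path
written with a trailing comma, and an empty [[webroot_map]] for a webroot
authenticator. Sample input is constructed from the thread's prod conf."""

CONF_AS_POSTED = """\
version = 1.11.0
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = webroot
rsa_key_size = 2048
webroot_path = /var/lib/letsencrypt,
[[webroot_map]]
"""
# What the thread's poster did next: commenting out is not removing.
CONF_COMMENTED_OUT = CONF_AS_POSTED.replace("authenticator = webroot", "# authenticator = webroot")
# The working state from the thread: apache authenticator, no webroot keys left behind.
CONF_FIXED = "version = 1.11.0\n[renewalparams]\nauthenticator = apache\ninstaller = apache\n"

def parse_renewal_conf(text):
    """Split a configobj-style file into (top-level, renewalparams, webroot_map) dicts."""
    top, params, wmap = {}, {}, {}
    target = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: certbot never sees it
        if line.startswith("[["):
            target = wmap if line.strip("[] ") == "webroot_map" else {}
        elif line.startswith("["):
            target = params if line.strip("[] ") == "renewalparams" else {}
        else:
            key, _, value = line.partition("=")
            target[key.strip()] = value.strip()
    return top, params, wmap

def lint_renewal_conf(text):
    """Return a list of findings; an empty list means the file looks renewable."""
    _top, params, wmap = parse_renewal_conf(text)
    findings = []
    auth = params.get("authenticator")
    if auth is None:
        findings.append("no authenticator in [renewalparams]: certbot will skip this lineage")
    elif auth == "webroot":
        path = params.get("webroot_path", "")
        if path.endswith(","):
            findings.append(f"webroot_path has a trailing comma: {path!r}")
        if not wmap:
            findings.append("[[webroot_map]] is empty: no domain is mapped to a webroot directory")
    return findings
```

Run `lint_renewal_conf` over each file in `/etc/letsencrypt/renewal/` and fix every finding before the real renewal window, since `certbot renew` only reports the skip, it does not fail on it.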

Oh sorry, here you go.

```
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/bearclawats.com
cert = /etc/letsencrypt/live/bearclawats.com/cert.pem
privkey = /etc/letsencrypt/live/bearclawats.com/privkey.pem
chain = /etc/letsencrypt/live/bearclawats.com/chain.pem
fullchain = /etc/letsencrypt/live/bearclawats.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 71a50be4990a0dc15bcc7672118694cd
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
```

That is what we need in the other file.
Anywhere below "[renewalparams]"


I changed the authenticator that I commented out and it worked.


What worked [exactly]?

OK I see:

```
curl http://prod.bearclaw.io/.well-known/acme-challenge/test-file-1234
test file
```

Retry the --dry-run


Changing the authenticator from webroot to apache in the prod.bearclaw.io.conf file and then doing an httpd reload.

I had already fixed the forbidden issue by adding the directory entry, but then the other error cleared by changing the authenticator like you suggested.

So did the --dry-run succeed?
Are all your certs up-to-date?


Yes, that is what I meant by "it worked". Sorry for the lack of clarity; it's late where I am.