Challenge file not created during update

Yeah... but maybe you don't need all that many old ciphers :wink: Mozilla SSL Configuration Generator

1 Like

right now, I’d try a

certbot --staging --manual --preferred-challenges=http

if it works, remove --staging and run again.

at the very least it should tell you where the problem is

…/.well-known/acme-challenge$ touch webroot_check
Yeah, that checks out just fine.

Right on 6peppe! New command:

certbot-auto certonly --staging --manual --preferred-challenges=http --break-my-cert

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): hork.com www.hork.com
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hork.com
http-01 challenge for www.hork.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Create a file containing just this data:

H32iOYOzjyJZp0dvDp-ahSIpI6yJpy3A4dvy0SZZQW4.RBWym4r_JIAUsFWjcGCZPwjWQbTNRGUZ8eZkUc85iHg

And make it available on your web server at this URL:

http://hork.com/.well-known/acme-challenge/H32iOYOzjyJZp0dvDp-ahSIpI6yJpy3A4dvy0SZZQW4


Press Enter to Continue


Create a file containing just this data:

xr6iu2MBATznK84EavK7RueNiyS4RwNyZi0sDCoz3Sk.RBWym4r_JIAUsFWjcGCZPwjWQbTNRGUZ8eZkUc85iHg

And make it available on your web server at this URL:

http://www.hork.com/.well-known/acme-challenge/xr6iu2MBATznK84EavK7RueNiyS4RwNyZi0sDCoz3Sk

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)


Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/hork.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/hork.com/privkey.pem
    Your cert will expire on 2020-05-29. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"

and what's more, I now have new certs :slight_smile:
-rw------- 1 root root 1704 Feb 29 17:57 privkey2.pem
-rw-r--r-- 1 root root 3549 Feb 29 17:57 fullchain2.pem
-rw-r--r-- 1 root root 1679 Feb 29 17:57 chain2.pem
-rw-r--r-- 1 root root 1870 Feb 29 17:57 cert2.pem

Just in time for dinner. Thanks guys!

Congratulations, now you have a non-functional staging certificate. You literally used the option --break-my-cert which should have given you a hint.

Although I don't understand why the staging server would succeed and the live server wouldn't, you could try to run the same command, but now without the --staging and --break-my-cert options.

1 Like

Please remember this:

1 Like

Well rats! That does /not/ work, despite my 3 attempts at it. :frowning:
New command:

certbot-auto certonly --manual --preferred-challenges=http

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): hork.com www.hork.com
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/hork.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hork.com
http-01 challenge for www.hork.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Create a file containing just this data:

lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ.2uIOTW8ZMoWC4qwu3smFmSSg-bY69H6WN8hRHGTveNw

And make it available on your web server at this URL:

http://hork.com/.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ


Press Enter to Continue


Create a file containing just this data:

PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ.2uIOTW8ZMoWC4qwu3smFmSSg-bY69H6WN8hRHGTveNw

And make it available on your web server at this URL:

http://www.hork.com/.well-known/acme-challenge/PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ

(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet.)


Press Enter to Continue
Waiting for verification...
Challenge failed for domain hork.com
Challenge failed for domain www.hork.com
http-01 challenge for hork.com
http-01 challenge for www.hork.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

and to remove any doubts about those two files:
.well-known/acme-challenge$ ls -l
-rw-r----- 1 webmastr apache 88 Feb 29 18:50 lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ
-rw-r----- 1 webmastr apache 88 Feb 29 18:51 PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ

hork10:.well-known/acme-challenge$ more *
::::::::::::::
lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ
::::::::::::::
lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ.2uIOTW8ZMoWC4qwu3smFmSSg-bY69H6WN8hRHGTveNw
::::::::::::::
PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ
::::::::::::::
PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ.2uIOTW8ZMoWC4qwu3smFmSSg-bY69H6WN8hRHGTveNw

and they /are/ visible/readable from here:
http://www.hork.com/.well-known/acme-challenge/

access_log shows all these attempts to read them:
66.133.109.36 - - [29/Feb/2020:18:52:06 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [29/Feb/2020:18:52:06 -0500] "GET /.well-known/acme-challenge/PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.28.236.88 - - [29/Feb/2020:18:52:06 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.28.236.88 - - [29/Feb/2020:18:52:06 -0500] "GET /.well-known/acme-challenge/PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
65.19.128.70 - - [29/Feb/2020:18:53:53 -0500] "HEAD /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:53:53 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "-" "Discourse Forum Onebox v2.5.0.beta1"
65.19.128.70 - - [29/Feb/2020:18:53:53 -0500] "HEAD /.well-known/acme-challenge/PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:53:53 -0500] "GET /.well-known/acme-challenge/PCeBPh7I7y33wPbm5FY7FAS4ahVeCvrM5MoYLumH2QQ HTTP/1.1" 200 88 "-" "Discourse Forum Onebox v2.5.0.beta1"
105.242.128.41 - - [29/Feb/2020:18:54:45 -0500] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 400 226 "-" "-"
192.168.1.1 - - [29/Feb/2020:18:54:51 -0500] "GET /.well-known/acme-challenge/ HTTP/1.1" 200 492 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
192.168.1.1 - - [29/Feb/2020:18:54:57 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "http://www.hork.com/.well-known/acme-challenge/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
65.19.128.70 - - [29/Feb/2020:18:55:25 -0500] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:25 -0500] "GET / HTTP/1.1" 200 1237 "-" "Discourse Forum Onebox v2.5.0.beta1"
65.19.128.70 - - [29/Feb/2020:18:55:28 -0500] "HEAD /.wel HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:28 -0500] "HEAD /.well HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:29 -0500] "HEAD /.well-k HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:29 -0500] "HEAD /.well-kno HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:30 -0500] "HEAD /.well-know HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:30 -0500] "HEAD /.well-known HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:30 -0500] "HEAD /.well-known/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:30 -0500] "GET /.well-known/ HTTP/1.1" 200 282 "-" "Discourse Forum Onebox v2.5.0.beta1"
65.19.128.70 - - [29/Feb/2020:18:55:32 -0500] "HEAD /.well-known/ac HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:32 -0500] "HEAD /.well-known/acm HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:33 -0500] "HEAD /.well-known/acme- HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:33 -0500] "HEAD /.well-known/acme-ch HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:34 -0500] "HEAD /.well-known/acme-chal HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:34 -0500] "HEAD /.well-known/acme-chall HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:34 -0500] "HEAD /.well-known/acme-challe HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:35 -0500] "HEAD /.well-known/acme-challen HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:35 -0500] "HEAD /.well-known/acme-challeng HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:36 -0500] "HEAD /.well-known/acme-challenge HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:36 -0500] "HEAD /.well-known/acme-challenge/ HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [29/Feb/2020:18:55:36 -0500] "GET /.well-known/acme-challenge/ HTTP/1.1" 200 492 "-" "Discourse Forum Onebox v2.5.0.beta1"

Please read my answer. You are blocking some ip addresses, so the secondary validation doesn't work.

1 Like

Thanks for hanging in there with me Juergen. Yes, I am blocking IP addresses. Over 50 million of them. Most of China, Russia, Ukraine, Iran, and selected ranges elsewhere. These were blocked in the last 20 minutes. Please let me know which need to be given access.
Feb 29 18:52:06 hork10 kernel: web_blcklst SRC=52.15.254.228
Feb 29 18:52:06 hork10 kernel: web_blcklst SRC=34.222.229.130
Feb 29 18:53:17 hork10 kernel: web_blcklst SRC=178.128.75.244
Feb 29 19:08:17 hork10 kernel: web_blcklst SRC=106.120.173.139
Feb 29 19:08:19 hork10 kernel: web_blcklst SRC=111.202.100.82
Feb 29 19:08:19 hork10 kernel: web_blcklst SRC=58.250.125.185
Feb 29 19:14:21 hork10 kernel: web_blcklst SRC=111.206.198.223
Feb 29 19:14:21 hork10 kernel: web_blcklst SRC=111.206.222.193
Feb 29 19:14:24 hork10 kernel: web_blcklst SRC=111.206.198.36
Feb 29 19:14:31 hork10 kernel: web_blcklst SRC=111.206.198.44
Feb 29 19:16:02 hork10 kernel: web_blcklst SRC=118.101.51.95
Feb 29 19:28:18 hork10 kernel: web_blcklst SRC=106.120.173.139
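
To turn the two logs in this exchange into a repeatable check, here is an added example (not from the thread, certbot or Let's Encrypt): it picks the validator fetches of the challenge path out of access_log and lists the source IPs the firewall dropped within a minute of them. Those IPs are candidates for the secondary validation perspectives the replies mention, not proof, since the validator addresses are not published; the function names are mine and the sample lines are constructed from the entries quoted above.

```python
"""Added example (not from the thread): correlate Apache access_log lines
with iptables LOG drops to see which Let's Encrypt validation fetches were
served and which source IPs were dropped during the http-01 window."""
import re
from datetime import datetime, timedelta

CHALLENGE_DIR = "/.well-known/acme-challenge/"
LE_UA = "Let's Encrypt validation server"
# Apache "combined" format; the -0500 offset is ignored so timestamps compare with the kernel log (also local time).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\S+) [+-]\d{4}\] "\S+ (?P<path>\S+) '
                       r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# iptables LOG line carrying the "web_blcklst" prefix; syslog omits the year.
DROP_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: '
                     r'web_blcklst SRC=(?P<ip>\S+)')

def parse_access(line):
    """Parse one access_log line, or return None if it is not a request under the challenge directory."""
    m = ACCESS_RE.match(line)
    if not m or not m["path"].startswith(CHALLENGE_DIR):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m["ip"], "ts": ts, "status": int(m["status"]), "ua": m["ua"]}

def parse_drop(line, year=2020):
    """Parse one firewall LOG line; the year is assumed (constructed data)."""
    m = DROP_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}

def validation_report(access_lines, kernel_lines, window=timedelta(seconds=60)):
    """Return (served, dropped): validator IPs answered with a 2xx, and the
    source IPs the firewall dropped within `window` of those fetches."""
    served = [h for h in map(parse_access, access_lines)
              if h and LE_UA in h["ua"] and 200 <= h["status"] < 300]
    if not served:
        return [], []
    lo = min(h["ts"] for h in served) - window
    hi = max(h["ts"] for h in served) + window
    dropped = sorted({d["ip"] for d in map(parse_drop, kernel_lines) if d and lo <= d["ts"] <= hi})
    return [h["ip"] for h in served], dropped

# Constructed sample, modelled on the thread's access_log and kernel log.
ACCESS_SAMPLE = [
    '66.133.109.36 - - [29/Feb/2020:18:52:06 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '52.28.236.88 - - [29/Feb/2020:18:52:06 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '192.168.1.1 - - [29/Feb/2020:18:54:57 -0500] "GET /.well-known/acme-challenge/lr8P-m0zUck1NgE9EXVHNEnRJv-u7w1rHcpV82DZ1lQ HTTP/1.1" 200 88 "http://www.hork.com/.well-known/acme-challenge/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"',
]
KERNEL_SAMPLE = [
    "Feb 29 18:52:06 hork10 kernel: web_blcklst SRC=52.15.254.228",
    "Feb 29 18:52:06 hork10 kernel: web_blcklst SRC=34.222.229.130",
    "Feb 29 19:08:17 hork10 kernel: web_blcklst SRC=106.120.173.139",
]
```

validation_report(ACCESS_SAMPLE, KERNEL_SAMPLE) returns the two validator IPs that were served and the two drops that coincide with them; the 19:08 drop falls outside the window and is left out.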

We don't know. Read the blog post which was linked twice above already about multi-perspective validation.

1 Like

Thanks Osiris. Much better this way!
% date
Sun Mar 1 10:15:42 EST 2020
% systemctl stop seamus (that’s my dog)
% systemctl stop iptables
% certbot-auto certonly --manual --preferred-challenges=http
(all that jazz) Congratulations!
% systemctl start iptables
% systemctl start seamus
% date
Sun Mar 1 10:17:41 EST 2020

And that is how I will be renewing my letsencrypt certificate from here on out. :slight_smile:
Maybe I could have figured this out for myself if the Error message had been something like this:
Your secondary validation failed. This feature was newly added for version 1.2, because single point validation is susceptible to man-in-the-middle network attackers that may hijack or redirect the traffic along the validation path. Multi-Perspective validation uses a number of cloud based servers to independently validate your server. Because these cloud services (e.g. Amazon, DigitalOcean) are only semi-reputable themselves and seldom if ever produce real web traffic, you may have blocked them at your firewall, in which case the validation will fail. See if you can’t live with your firewall (partially) switched off for the two minutes it takes to renew your certificate. Also make sure you call of your (watch)dog if he is particularly vicious, as he may wake up the cat and you really don’t want that automatic reporting to the offending network provider to kick in.
With Love,
The outstanding letsencrypt team.

1 Like

You can use --pre-hook and --post-hook to run scripts before and after the renewal attempt. Might be an idea for your firewall.

2 Likes
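
As an added example (not from the thread or from certbot's own files): this is how the hooks suggested above look once stored in the renewal file certbot printed earlier, /etc/letsencrypt/renewal/hork.com.conf, with values that mirror the stop/start steps the poster ran by hand; the other keys in that file are omitted here.

```ini
# /etc/letsencrypt/renewal/hork.com.conf (excerpt; added example, other keys omitted)
# Passing --pre-hook/--post-hook once on the certbot command line records
# them here, so a later "certbot-auto renew" reuses them.
[renewalparams]
authenticator = manual
pre_hook = systemctl stop iptables
post_hook = systemctl start iptables
```

post_hook runs after the attempt whether or not validation succeeded, so the firewall comes back even when a challenge fails. The whole firewall is open for that window, since, as the replies say, the validator addresses are not known.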

You can also probably remove --manual and --preferred-challenges=http

1 Like

I like the --manual option. I know it is a goal of letsencrypt to make the cert renewal an automated process, but I'd rather spend 2 minutes every 12th Sunday manually renewing the cert than have an automated process restart httpd on an active user of my web portal. I also understand that there are many options to modify certbot to everyone’s liking. I only need a single version that works for me. You guys have made installing a cert as easy as doing a self-signed certificate, with the added bonus that browsers will actually accept it, without screaming bloody murder. That’s good enough for me. Cheers. Crashulater out.

Ok.

Restart and reload are very different, though. (You can also choose the time, make it run at 3AM, etc…)

1 Like

Thanks, you’ve been great. Not only do I now have a valid cert again, the site also gets an ‘A’ from SSL labs. I didn’t know that just defining the CipherSuite in conf.d/ssl.conf wasn’t good enough. Apparently it must also be defined for each <VirtualHost: *:443>. Now it is. But that’s a different topic for a different board. :wink:
Cheers mate.

2 Likes

For A+ you need hsts, but be careful: activating hsts literally means most people won’t be able to see your site unencrypted.

1 Like

That fact alone isn't such a problem: it's the reason why HSTS exists in the first place! Perhaps you meant in the scenario when the encrypted site isn't functioning properly? :wink:

1 Like

You have to watch where you're placing those config lines inside ssl.conf. SSLCipherSuite & SSLProtocol tend to be placed inside the default VirtualHost block, which limits them to be used only when the 443 traffic doesn't match any other vhost. If you set them outside the block, they will be set globally.

1 Like
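
The placement point above, as an added example (not the poster's actual ssl.conf): the first fragment shows the settings scoped to the default vhost, the second moves them to the main server context so every <VirtualHost *:443> inherits them unless it overrides them; the cipher list is a short illustrative one, not a recommendation from the thread.

```apache
# Scoped form: these lines apply only to 443 traffic that matches no other
# vhost. Other <VirtualHost *:443> blocks keep mod_ssl's compiled-in defaults.
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
</VirtualHost>

# Global form: outside any <VirtualHost>, so every SSL vhost inherits them.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off

<VirtualHost *:443>
    ServerName hork.com
    ServerAlias www.hork.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/hork.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hork.com/privkey.pem
</VirtualHost>
```

To confirm which form is live, an `openssl s_client -connect www.hork.com:443 -servername www.hork.com -tls1_1` handshake should fail against the named vhost once the global settings apply; SSL Labs, as used above, checks the same thing.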

That certainly explains that ZataRevan. My interpretation of default was always that those declarations would apply unless overridden by declarations made in the specific VirtualHost definition. You know, the inheritance principle. I guess, too much JavaScript can do that to a man. :wink:

1 Like