Difficulty with renew

dougwo · February 12, 2017, 5:45pm

I run codeigniter sites. I run them https only. I use a vhosts file to configure them. I also restrict access to some of them via IP address limiting.

I have never been able to get certbot running without webroot. I got cerbot to run by making a dummy site that allows access (no framework) and using webroot. So I have valid certs. But I need to get auto-renew running.

The problems with webroot are:

the code does http only so if I always force https, I get an error
Frameworks mess with the URLS. I can open up /.well-known as a non-framework directory, but it still doesn’t work for some reason.

What I really need is for certbot to work without webroot.

my domain is www.carespan.help
It is set as an A record to point to my IP (the site works)
My apache config is as follows:

ServerName www.carespan.help
DocumentRoot /home/httpd/sites/carespanhelp/doc-root/
<Directory ‘/home/httpd/sites/carespanhelp/doc-root’>
Require all granted
AllowOverride All
Options -Indexes

ServerName www.carespan.help
DocumentRoot /home/httpd/sites/carespanhelp/doc-root/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.carespan.help/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.carespan.help/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.carespan.help/chain.pem
<Directory ‘/home/httpd/sites/carespanhelp/doc-root’>
Require all granted
AllowOverride All
Options -Indexes

Does ‘renew’ always use webroot? I get this error when running certbot renew --dry-run

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.carespan.help
Type: unauthorized
Detail: Invalid response from
http://www.carespan.help/.well-known/acme-challenge/gTCmaHYjMa-pkfOtwAxKH1MriGYHWOILTVmuXuUVQ1c:
"
403 Forbidden
Forbidden
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

serverco · February 12, 2017, 5:53pm

“renew” should try and renew using whatever method you used to generate the certificate in the first place. If you created it with webroot, then “renew” will use webroot.

Would the DNS challenge be better for you ? that just requires a TXT record added to your DNS with the token in it. If you have a reasonable API into your DNS, then that might be a lot easier for you.

dougwo · February 12, 2017, 6:00pm

I’ll try that. I got renew to work by opening ip .well-known, but I still cannot restrict IPs or certbot will never find it. I’ll try the TXT method. That should work. Thanks!

dougwo · February 24, 2017, 12:11am

I spoke before looking. There is a ton of old reference to pre-implementation of DNS challenge. I cannot seem to find a simple how-to anywhere. Any help links?

ahaw021 · February 24, 2017, 9:55am

hi doug

it’s as simple as adding a TXT record to your DNS

that’s probably why most people don’t go in to depth

Andrei

system · March 26, 2017, 9:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to automatically renew certificate without stopping server Help	7	5829	January 2, 2020
Renewal procedure with standalone server (disabling apache2) Help	21	5889	December 17, 2020
How to auto renew certs that have created with domain control validation Help	8	2201	August 18, 2018
Understanding certbot renew Server	7	10322	June 3, 2017
Certbot renewal and webroot folders Help	4	7613	November 3, 2016

Difficulty with renew

Forbidden

Related Topics