Error renewing SSL certificate

Hi, for some reason I can't renew my certificate. I recently moved, and with my new ISP came a new IPv6 address. For that reason I got a server with an IPv4 address that redirects traffic to my Raspberry Pi at home. So the domain resolves to the IPv4 of the external server, which redirects traffic to the IPv6 address of my Raspberry, which runs the webserver.

My domain is: lulanius.de

I ran this command: certbot renew

It produced this output: Failed authorization procedure. lulanius.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lulanius.de/.well-known/acme-challenge/C9W2M9j0KzqmSjsxLxcLFJoLI9p5ergW7zDOV9gNkv4 [217.160.174.115]: "\n\n404 Not Found\n\nNot Found\n<p"

IMPORTANT NOTES:

My web server is (include version): Server version: Apache/2.4.38

The operating system my web server runs on is (include version): Raspbian Buster/Debian

My hosting provider, if applicable, is: The IPv4 Server is hosted by Ionos

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

On which server are you running certbot?

What are the contents of this file?

/etc/letsencrypt/renewal/lulanius.de.conf

Thanks, happy to be here :slight_smile:

Certbot is running on my Raspberry, content of the file is:

cat /etc/letsencrypt/renewal/lulanius.de.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/lulanius.de
cert = /etc/letsencrypt/live/lulanius.de/cert.pem
privkey = /etc/letsencrypt/live/lulanius.de/privkey.pem
chain = /etc/letsencrypt/live/lulanius.de/chain.pem
fullchain = /etc/letsencrypt/live/lulanius.de/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = b6aa12901e15fe65c67bd4c290a36c1a
authenticator = webroot
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
lulanius.de = /var/www/nextcloud

I've already copied the /var/www/nextcloud directory to my external server, but it didn't help. I also installed an apache2 webserver on this server, because before I would get an error like "connection refused". Do I have to run certbot on my external server?

1 Like

In order to use any of certbot's http-01 challenge authenticators (e.g. manual, webroot, apache, nginx), certbot needs to be able to write the challenge file(s) to the webserver that actually serves the content. With the apache and nginx authenticators, sometimes it's possible to run certbot on a load balancer (or some type of proxy) since those authenticators create an exception in the webserver configuration thus typically bypassing the balancing/proxying behavior.

Sorry for the late answer. I used chmod to change the permissions on the webroot path on both servers, and I also used the certbot --apache command on the Raspberry. Sadly I still get the same error:

Failed authorization procedure. lulanius.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lulanius.de/.well-known/acme-challenge/4neBAHnjocNttpDCxbWo3Jh7qZIiQ96zbNhpzURBIzw [217.160.174.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Any idea on how to fix this?

1 Like

As much as it might look that way, that error (usually) has nothing to do with file permissions. It's telling you that the Let's Encrypt server was unable to retrieve the challenge files. This is typically either due to certbot having the wrong webroot folder (check this: /var/www/nextcloud) or being run on the wrong server (when using the webroot authenticator, certbot must be run on the server actually serving/containing the content).

I'm using the right webroot directory and run certbot on my Raspberry, which serves the content, but I'm still getting that error message...

Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. lulanius.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lulanius.de/.well-known/acme-challenge/XVRw2IDvBwuvOqpipm4GiOX3aDBQDjgh1lmMfGj-VIg [217.160.174.115]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

1 Like

Please check your Apache error and/or access log: it should contain the physical location where Apache tried to locate the file.

Also @griffin when using the --apache authenticator, the regular DocumentRoot isn't used. When --apache fails, it is mostly due to a non-standard Apache virtualhost configuration.

1 Like

My Apache access.log is empty and my error.log contains just the following:

[Sun Jun 06 23:04:50.297305 2021] [mpm_event:notice] [pid 754:tid 3069850128] AH00493: SIGUSR1 received.  Doing graceful restart
[Sun Jun 06 23:04:50.327957 2021] [ssl:warn] [pid 754:tid 3069850128] AH01909: localhost:4443:0 server certificate does NOT include an ID which matches the server name
[Sun Jun 06 23:04:50.329298 2021] [mpm_event:notice] [pid 754:tid 3069850128] AH00489: Apache/2.4.38 (Raspbian) OpenSSL/1.1.1d configured -- resuming normal operations
[Sun Jun 06 23:04:50.329337 2021] [core:notice] [pid 754:tid 3069850128] AH00094: Command line: '/usr/sbin/apache2'

However, I also have nc-access and nc-error log files (which should be the access and error log files for my Nextcloud). The nc-error.log is empty as well, and the nc-access log file gives me a bunch of lines like this one: [06/Jun/2021:23:07:33 +0200] "GET /.well-known/acme-challenge/test HTTP/2.0" 302 1025 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537, but no line with /var/www/nextcloud

1 Like

Well, currently your website is severely broken: your homepage shows the owncloud index.php source code which probably isn't what you want at all.

Next, I think the configuration files of your frontend webserver and backend webserver are required.

1 Like

Yeah, noticed that too. It occurred after I changed the apache root directory on my external server to /var/www/nextcloud. Changed it back, should be working again now.

My config files are pretty much the standard nextcloud config files. And they were the same 3 months ago when i created the old certificate, so not sure if the problem lies within these files.

IMHO certbot has a problem with my external server, as it is the only thing that really changed in my setup. Also I don't understand why I have to run another webserver on my external server, as its only purpose is to redirect traffic to my Pi. So as far as I know, certbot should start the challenge and the data should go from my domain to my external server and then to my Pi. But it looks like the data doesn't reach my Pi. But why? Is certbot using a special port? I thought certbot is using port 80...

1 Like

On your Pi, run this (with the correct webroot folder specified, of course):

sudo certbot certonly --webroot -w /var/www/nextcloud -d "lulanius.de,www.lulanius.de" --dry-run --debug-challenges

This will cause certbot to pause after creating the http-01 challenge files. You should be able to see where they're being created (and access them from your web browser).

I'm confused. :woozy_face:

Correct me if I'm wrong here, but your external webserver is acting as a reverse proxy for lulanius.de by receiving requests from visitors, making requests to your Pi on their behalf, and relaying the responses from your Pi back to your visitors, right? There isn't a third webserver in there somewhere, I hope.

Sorry for the wait. No, there isn't a third webserver. The A-Record of my domain points to the external webserver, on which all traffic from port 80 and 443 is rerouted through 6tunnel to my Pi.

I tried your command, and on my Pi I can find the challenge file.

But when I try to access the file from my web browser the file isn't there.

Am I using the wrong URL?
As far as I can see, the reason why I cannot access the challenge file is because somehow the traffic isn't rerouted to my Pi. Any idea why this is?

1 Like

I've run some diagnostics on lulanius.de and haven't found evidence of any immediate reason. My advice is to place a file named test containing 1234 inside of the acme-challenge directory. Once you can access that file with your web browser, the acme challenge should work.

What webserver software (e.g. apache, nginx) are you running on your Pi?
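The test-file check suggested above, scripted as an added example (this is not code from the thread or from certbot): it writes a throwaway token into the webroot's .well-known/acme-challenge/ directory, fetches it over plain HTTP through the public hostname without following redirects, the way the ACME server's first request would arrive, and maps the answer to the failure modes that appear in this thread (the frontend's Apache 404 page, the 302 seen in nc-access.log). The domain and webroot are command-line arguments; the 1234 file content and the EXPLANATION texts are assumptions drawn from the discussion, not certbot output.

```python
"""Pre-flight check for the http-01 challenge path.

Writes a throwaway token file under <webroot>/.well-known/acme-challenge/,
fetches it through the public hostname the way the ACME server would
(plain HTTP on port 80, no redirects followed), and classifies the answer.
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Diagnosis -> what it usually means for a proxied/forwarded setup.
# These texts are assumptions based on the thread, not certbot messages.
EXPLANATION = {
    "ok": "The host answering for the domain serves this webroot; "
          "certbot --webroot run on this machine should succeed.",
    "not-found": "The host that answered does not have the file: either the "
                 "webroot path is wrong, or the request was answered by a "
                 "different server (for example a web server on the proxy "
                 "host that took over port 80 instead of the forwarder).",
    "redirected": "Something rewrote the request before it reached the file, "
                  "e.g. an application rewrite rule or an HTTP->HTTPS "
                  "redirect; exempt /.well-known/acme-challenge/ from it.",
    "wrong-content": "Another site answered 200 with different content; the "
                     "request reached a host or vhost other than the one "
                     "holding the file.",
    "unreachable": "Nothing answered on port 80 for this hostname; check DNS, "
                   "the firewall and which process is listening on :80.",
    "other": "Unexpected HTTP status; inspect the access log of the host "
             "that answered.",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so a redirect shows up as a status."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body, expected, location=None):
    """Map an HTTP status/body pair to one of the EXPLANATION keys.

    status 0 means no HTTP answer at all (connection refused, timeout, DNS).
    """
    if status == 0:
        return "unreachable"
    if status == 200:
        return "ok" if body.strip() == expected else "wrong-content"
    if status in (301, 302, 303, 307, 308):
        return "redirected"
    if status == 404:
        return "not-found"
    return "other"


def fetch(url, timeout=10):
    """GET url without following redirects; return (status, body, location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), None
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx surface here because redirects are not followed.
        body = err.read().decode("utf-8", "replace")
        return err.code, body, err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return 0, "", None


def preflight(domain, webroot):
    """Write a token into the webroot, fetch it via the public name, clean up.

    Returns (diagnosis, http_status, url, redirect_location).
    """
    token = "preflight-" + secrets.token_urlsafe(16)
    expected = "1234"  # same idea as the 'test' file suggested in the thread
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    try:
        with open(path, "w") as fh:
            fh.write(expected + "\n")
        status, body, location = fetch(url)
    finally:
        # Never leave challenge-like files lying around after the check.
        if os.path.exists(path):
            os.remove(path)
    return classify(status, body, expected, location), status, url, location


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: acme_preflight.py <domain> <webroot>")
    diag, status, url, loc = preflight(sys.argv[1], sys.argv[2])
    extra = " (Location: %s)" % loc if loc else ""
    print("GET %s -> HTTP %s%s" % (url, status, extra))
    print("%s: %s" % (diag, EXPLANATION[diag]))
```

Run it on the machine where certbot is going to run, with the same webroot certbot uses (here /var/www/nextcloud): a "not-found" answer from a machine that demonstrably has the file, as in this thread, means the request was answered by a different host, so the next thing to look at is what is actually listening on port 80 on the box the A record points to.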

I think I may have found the error... as far as I can see, after installing the apache server on my external server, port 80 was used by apache and not 6tunnel, which means that traffic wasn't getting rerouted to my Pi. Also the IP address of my Pi has changed, so I stopped apache on my external server and made a new 6tunnel config. Now certbot is running fine and I have a new certificate. Thank you very much griffin, you were a great help.

Small problem remains: when I check my page it still gives me the warning about an invalid certificate... how long does it take for the new certificate to be used?

1 Like

First, you need to use this command to actually acquire the certificate on your Pi:

sudo certbot certonly --webroot -w /var/www/nextcloud -d "lulanius.de,www.lulanius.de"

Secondly, you need to install the certificate and its private key (most likely on your external webserver and not on your Pi). You would honestly probably be better off just acquiring the certificate on your external webserver since that's where it will be installed. I'm assuming the route between your external webserver and your Pi is private anyhow (and thus communications between your external webserver and Pi would not need to be encrypted).

Try this certbot command on your external webserver:

sudo certbot certonly --apache -d "lulanius.de,www.lulanius.de" --dry-run

If that works, run this one to actually acquire your certificate:

sudo certbot --apache -d "lulanius.de,www.lulanius.de"