Expired Certificate Not Trusted


#1

I’m not sure if the two issues are related or not. I renewed the certs on Feb 9-10. Yesterday the cert was not there when I went to the web page. I then tried to renew the cert and it failed below. I can see the website (without the secure) and can also see a file in the .well-known/acme-challenge directory. I tried setting the directory to 777 briefly and it still did not work. Any ideas?

Please fill out the fields below so we can help you better.

My domain is:


I ran this command:
./certbot-auto certonly --webroot

It produced this output:
./certbot-auto certonly --webroot
Requesting root privileges to run certbot…
/home/username/.local/share/letsencrypt/bin/letsencrypt certonly --webroot
[sudo] password for username:
Use of --agree-dev-preview is deprecated.
Use of --agree-dev-preview is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.example.com
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.onlinedegreedatabase.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.com/.well-known/acme-challenge/qaNjuGPAOeoDttaGABdsf3gSEHq98UrpQxYf557-vx8: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

My operating system is (include version):
ubuntu 14.04
My web server is (include version):
apache2
My hosting provider, if applicable, is:
n/a
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no


#2

@douglas

Certificates do not expire prematurely unless you revoke them.

Looks like you have a binding problem and you actually have two certificates issued https://crt.sh/?q=www.onlinedegreedatabase.com

I can see you are serving up the older certificate which expired on 20/04/2017

Either renew the existing certificate or update your web server to use the newer certificate which expires May 20.

Andrei


#3

Also, your challenge is not passing due to the fact that the challenge file is not found.

Before submitting the challenge I recommend you browse to the challenge location to confirm a file is served up.

Andrei


#4

Thank you for responding. So is the problem with renewing that I have two certificates in the pipeline and if I do another I would get a Too many authorizations error? If so, what is the solution that you recommend?


#5

hi @douglas

Absolutely not.

Renew the certificate you currently have and just make sure that you pass the challenge (it should be the same challenge as these are valid for some time)

Andrei


#6

Alas, I am still getting the unauthorized error. I have cleared all .htaccess files and I am at a loss. This worked fine the last time and I have made no major changes to anything.


#7

And a new error: When I change the permissions back to 777 and run manually, I get: Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.


#8

Hi @douglas,

As @ahaw021 mentioned, it looks like you do have a newer certificate which you aren’t using. If you can figure out how that happened, it might help.

Related to your current renewal failures: Do you know if you originally obtained the certificate using the webroot method? Do you have a record or a recollection of what command you used when you originally got your certificate? If you used a different method before and are trying to renew with webroot without specifying the appropriate parameters, it might account for the failures you’re seeing.


#9

Everything has been with webroot as I have a Virtual Host.


#10

OK, could you tell me the results of the following commands? (with sudo if necessary)

cat /etc/letsencrypt/cli.ini

ls -l /etc/letsencrypt/live/www.onlinedegreedatabase.com

cat /etc/letsencrypt/renewal/www.onlinedegreedatabase.com.conf

If you make a file /var/www/test.txt, can you then see that same file on the web at http://www.onlinedegreedatabase.com/test.txt?
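The check suggested in #3 and #10 (drop a file into the challenge directory and confirm it is served back over plain HTTP before asking the CA to validate) as a small added script; this is not certbot's own code. It assumes the `.well-known/acme-challenge` layout the log above shows and that port 80 for the domain reaches the server being tested. Running it first avoids burning the limited number of failed authorizations mentioned in #7.

```python
#!/usr/bin/env python3
"""Pre-flight check for `certbot --webroot`.

Writes a random token file under <webroot>/.well-known/acme-challenge/,
fetches it at http://<domain>/.well-known/acme-challenge/<name>, and
reports whether the same bytes came back. The file is always removed.
Added example, not part of certbot; the layout and the HTTP-on-port-80
assumption match what the ACME http-01 challenge itself relies on."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def probe_webroot(domain, webroot, port=80, timeout=10):
    """Return (ok, detail). ok is True only if the exact token body is
    served for the domain, i.e. the vhost's DocumentRoot really is webroot."""
    name = secrets.token_urlsafe(16)      # random, like an ACME token
    body = secrets.token_urlsafe(32)      # random, so a cached page cannot pass
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    url = "http://%s:%d/.well-known/acme-challenge/%s" % (domain, port, name)
    try:
        with open(path, "w") as fh:
            fh.write(body)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                got = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            # A 404 here is exactly what the CA saw in the log above.
            return False, "HTTP %d for %s" % (exc.code, url)
        except (urllib.error.URLError, OSError) as exc:
            return False, "cannot reach %s: %s" % (url, exc)
        if got != body:
            return False, "different content served (wrong vhost or DocumentRoot?)"
        return True, "webroot %s is served for %s" % (webroot, domain)
    finally:
        try:
            os.remove(path)           # never leave test files in the webroot
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    import sys
    ok, detail = probe_webroot(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Usage: `sudo ./probe_webroot.py www.example.com /var/www`; a FAIL with HTTP 404 means the directory is not the DocumentRoot of the vhost answering for that name, which is the case to fix before retrying certbot.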


#11

cat /etc/letsencrypt/cli.ini

authenticator = webroot
webroot-path = /var/www/
server = https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-dev-preview
agree-tos
email = d.f.stoll@gmail.com

ls -l /etc/letsencrypt/live/www.onlinedegreedatabase.com

total 0
lrwxrwxrwx 1 root root 52 Feb 7 18:56 cert.pem -> ../../archive/www.onlinedegreedatabase.com/cert4.pem
lrwxrwxrwx 1 root root 53 Feb 7 18:56 chain.pem -> ../../archive/www.onlinedegreedatabase.com/chain4.pem
lrwxrwxrwx 1 root root 57 Feb 7 18:56 fullchain.pem -> ../../archive/www.onlinedegreedatabase.com/fullchain4.pem
lrwxrwxrwx 1 root root 55 Feb 7 18:56 privkey.pem -> ../../archive/www.onlinedegreedatabase.com/privkey4.pem

cat /etc/letsencrypt/renewal/www.onlinedegreedatabase.com.conf

# renew_before_expiry = 30 days
version = 0.11.1
cert = /etc/letsencrypt/live/www.onlinedegreedatabase.com/cert.pem
privkey = /etc/letsencrypt/live/www.onlinedegreedatabase.com/privkey.pem
chain = /etc/letsencrypt/live/www.onlinedegreedatabase.com/chain.pem
fullchain = /etc/letsencrypt/live/www.onlinedegreedatabase.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/www.onlinedegreedatabase.com

cat /etc/letsencrypt/renewal/www.onlinedegreedatabase.com.conf

# Options used in the renewal process
[renewalparams]
account = ffa2f7a60f96555d16a864c6be44cc86
server = https://acme-v01.api.letsencrypt.org/directory
authenticator = webroot
installer = None
webroot_path = /var/www,
[[webroot_map]]
www.onlinedegreedatabase.com = /var/www

No, but http://www.onlinedegreedatabase.com/.well-known/acme-challenge/test.txt is visible.


#12

Do you mean that if you put test.txt in /var/www, it becomes visible at http://www.onlinedegreedatabase.com/.well-known/acme-challenge/test.txt? Or did you mean that it becomes visible there if you put it in /var/www/.well-known/acme-challenge?


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.