Fail to add domain to certificate


#1

This same thing has worked before. Suddenly I can’t add a domain.

My domain is:

grendel.no

I ran this command:

certbot --apache certonly -w ~vds/www/blog.grendel.no -d grendel.no -d blog.grendel.no -d r.grendel.no -d www.grendel.no -d ptsd-boken.grendel.no  -d diaspora.grendel.no

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/grendel.no-0005.conf)

It contains these names: grendel.no, blog.grendel.no, ptsd-boken.grendel.no,
r.grendel.no, www.grendel.no

You requested these names for the new certificate: grendel.no, blog.grendel.no,
r.grendel.no, www.grendel.no, ptsd-boken.grendel.no, diaspora.grendel.no.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for grendel.no
http-01 challenge for blog.grendel.no
http-01 challenge for r.grendel.no
http-01 challenge for www.grendel.no
http-01 challenge for ptsd-boken.grendel.no
http-01 challenge for diaspora.grendel.no
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. diaspora.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://diaspora.grendel.no/.well-known/acme-challenge/mCn0jlm7uDui78cQygeupysDif4tdPA35kgLK12n_4Q: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: diaspora.grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://diaspora.grendel.no/.well-known/acme-challenge/mCn0jlm7uDui78cQygeupysDif4tdPA35kgLK12n_4Q:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:

www.webhuset.no

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No


#2

Hi @rolfmblindgren,

Any url used with your diaspora.grendel.no domain is being redirected to the same url https://grendel.no/wp-signup.php?new=diaspora:

$ curl -IkL diaspora.grendel.no/.well-known/acme-challenge/test
HTTP/1.1 302 Found
Date: Sun, 08 Apr 2018 11:16:41 GMT
Server: Apache/2.4.18 (Ubuntu) mod_R/1.2.8 R/3.2.3 OpenSSL/1.0.2g mod_apreq2-20090110/2.8.0
Content-Security-Policy: upgrade-insecure-requests;
Location: http://grendel.no/wp-signup.php?new=diaspora
Cache-Control: max-age=300, must-revalidate
Expires: Sun, 08 Apr 2018 11:21:41 GMT
Vary: Accept-Encoding,Cookie
Content-Type: text/html; charset=UTF-8

HTTP/1.1 301 Moved Permanently
Date: Sun, 08 Apr 2018 11:16:41 GMT
Server: Apache/2.4.18 (Ubuntu) mod_R/1.2.8 R/3.2.3 OpenSSL/1.0.2g mod_apreq2-20090110/2.8.0
Content-Security-Policy: upgrade-insecure-requests;
Location: https://grendel.no/wp-signup.php?new=diaspora
Cache-Control: max-age=300, must-revalidate
Expires: Sun, 08 Apr 2018 11:21:41 GMT
Vary: Accept-Encoding,Cookie
Content-Type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Date: Sun, 08 Apr 2018 11:16:42 GMT
Server: Apache/2.4.18 (Ubuntu) mod_R/1.2.8 R/3.2.3 OpenSSL/1.0.2g mod_apreq2-20090110/2.8.0
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests;
Cache-Control: max-age=300, must-revalidate
Expires: Sun, 08 Apr 2018 11:21:42 GMT
Vary: Accept-Encoding,Cookie
Content-Type: text/html; charset=UTF-8

So, seems Let’s Encrypt won’t reach the token during the validation process. Before try again, you must be sure the token can be reached from internet so create a test file in the right path for the document root used by diaspora.grendel.no and try to reach it.

mkdir -p /path/to/diaspora.grendel.com-DocumentRoot/.well-known/acme-challenge/
echo -n "this is a test for diaspora subdomain" > /path/to/diaspora.grendel.com-DocumentRoot/.well-known/acme-challenge/test

And once done, try to reach it with your browser:

http://diaspora.grendel.no/.well-known/acme-challenge/test

or using command line

curl -ikL http://diaspora.grendel.no/.well-known/acme-challenge/test

If you see the text “this is a test for diaspora subdomain” then you can try again but if you don’t, you need to review the redirections used for your diaspora subdomain.

Good luck,
sahsanu


#3

Thanks, the redirect problem is solved now, but essentially the same thing happens:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/grendel.no-0005.conf)

It contains these names: grendel.no, blog.grendel.no, ptsd-boken.grendel.no,
r.grendel.no, www.grendel.no

You requested these names for the new certificate: grendel.no, blog.grendel.no,
r.grendel.no, www.grendel.no, ptsd-boken.grendel.no, diaspora.grendel.no.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for grendel.no
http-01 challenge for blog.grendel.no
http-01 challenge for r.grendel.no
http-01 challenge for www.grendel.no
http-01 challenge for ptsd-boken.grendel.no
http-01 challenge for diaspora.grendel.no
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. diaspora.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://diaspora.grendel.no/.well-known/acme-challenge/d4NVsFC3PX51eQzJCQVQX-J5Z8WvUzIsgkUXNHmHH5g: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: diaspora.grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://diaspora.grendel.no/.well-known/acme-challenge/d4NVsFC3PX51eQzJCQVQX-J5Z8WvUzIsgkUXNHmHH5g:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#4

Hi @rolfmblindgren,

Could you please issue the same certbot command but adding --debug parameter?. Once finished, upload the log file /var/log/letsencrypt/letsencrypt.log to some service like pastebin.com

Thank you.

Cheers,
sahsanu


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.