Failed Authentication on renew


#1

I have been using letsencrypt for a while, but renew fails now. I switched to the certbot system, installed as per the instructions, and failure.

My domain is: www.valters.net

I ran this command: certbot renew --apache --dryrun

It produced this output:

My web server is (include version): Apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


#2

Could you please provide all your Apache configuration files? If your server is directly connected to the internet (i.e., without any reverse proxy between the server and the internet), this should work.

Perhaps you have some kind of Apache configuration which is interfering with the temporary Apache configuration file used by certbot for the authentication.


#3

main config has some folder restrictions

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

I used to have this all in one file, but thought that may be the issue, so have 2 sites enabled across 2 confs

<VirtualHost *:80>

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName valters.net
ServerAlias www.valters.net

RewriteEngine on
RewriteCond %{SERVER_NAME} =valters.net [OR]
RewriteCond %{SERVER_NAME} =www.valters.net
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ServerName valters.net
    ServerAlias www.valters.net
    SSLCertificateFile /etc/letsencrypt/live/valters.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/valters.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/valters.net/chain.pem
  </VirtualHost>
</IfModule>

#4

Hi @wvalters

I see, you have already tested your domain via https://check-your-website.server-daten.de/?q=valters.net

There

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://valters.net/ 192.241.191.165 | 200 | | 0.213 | H |
| http://www.valters.net/ 192.241.191.165 | 200 | | 0.210 | H |
| https://valters.net/ 192.241.191.165 | 200 | | 1.980 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.valters.net/ 192.241.191.165 | 200 | | 1.983 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| http://valters.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 192.241.191.165 | 404 | | 0.214 | A |
| Not Found | | | | |
| http://www.valters.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 192.241.191.165 | 404 | | 0.210 | A |
| Not Found | | | | |

is a 404 reported, not a 403. The 404 is good, port 80 answers.

So try to find your “DocumentRoot” in your VirtualHost, then use it.

certbot certonly -a webroot -w /var/www/html -d valters.net -d www.valters.net --dry-run

Your certificate is already expired, so you need a new one.

certbot run -a webroot -i apache -w /var/www/html -d valters.net -d www.valters.net
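
The advice in post #4 (find the DocumentRoot of your VirtualHost, then pass it to the webroot authenticator), as an added Python example that is not part of the original thread: it parses Apache vhost text, picks the port-80 vhost that serves each name, and builds the dry-run command. The sample config is constructed from the vhosts quoted in post #3, and the function names are hypothetical.

```python
import re

# Constructed sample based on the two vhosts quoted in post #3.
SAMPLE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName valters.net
    ServerAlias www.valters.net
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName valters.net
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|ServerAlias|DocumentRoot)[ \t]+(.+?)\s*$", re.I | re.M)

def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: addresses, names, DocumentRoot."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf_text):
        vh = {"addrs": addrs.split(), "names": [], "docroot": None}
        for key, val in DIRECTIVE_RE.findall(body):  # commented-out lines never match
            if key.lower() == "documentroot":
                vh["docroot"] = val.strip('"')
            else:
                vh["names"] += val.lower().split()
        vhosts.append(vh)
    return vhosts

def webroot_for(conf_text, domain, port="80"):
    """DocumentRoot of the vhost serving `domain` on the HTTP-01 port, else None."""
    for vh in parse_vhosts(conf_text):
        on_port = any(a.rsplit(":", 1)[-1] in (port, "*") for a in vh["addrs"])
        if on_port and domain.lower() in vh["names"]:
            return vh["docroot"]
    return None

def certbot_dry_run(conf_text, domains):
    """Build the webroot dry-run command from the thread; fail if a name has no webroot."""
    cmd, last = ["certbot", "certonly", "-a", "webroot"], None
    for d in domains:
        root = webroot_for(conf_text, d)
        if root is None:
            raise LookupError("no port-80 vhost with a DocumentRoot for " + d)
        if root != last:  # certbot applies each -w to the -d flags after it
            cmd, last = cmd + ["-w", root], root
        cmd += ["-d", d]
    return cmd + ["--dry-run"]
```
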

#5

that was it… so, use the same when doing the certbot-auto?


#6

You said you have “regular” certbot 0.28.0. There’s no specific need to use certbot-auto.


#7

Happy to see now you have a new certificate:

CN=valters.net
	03.02.2019
	04.05.2019
	valters.net, www.valters.net - 2 entries

Yes, certbot-auto should run with the same command. Later “renew” should be enough.


#8

sorry. meant “automating” via crontab. Thanks for the quick help!

