Failed renewal


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: go4go.net

I ran this command:

The following command is run from a daily cron job for automatic renewal. It had been working properly until very recently.
/usr/bin/certbot renew --renew-hook "systemctl restart httpd"

It produced this output:
2019-01-14 02:31:47,497:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: go4go.net
Type: unauthorized
Detail: Invalid response from http://go4go.net/.well-known/acme-challenge/evmGDn62iNZN31xuo5SSE0-MrRjYFZWLyKGkpwP-P8A: "\n\n404 Not Found\n\n\n\nNot Found\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-01-14 02:31:47,500:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. go4go.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://go4go.net/.well-known/acme-challenge/evmGDn62iNZN31xuo5SSE0-MrRjYFZWLyKGkpwP-P8A: "\n\n404 Not Found\n\n\n\nNot Found</h1>\n<p"

2019-01-14 02:31:47,500:DEBUG:certbot.error_handler:Calling registered functions
2019-01-14 02:31:47,500:INFO:certbot.auth_handler:Cleaning up challenges
2019-01-14 02:31:47,801:WARNING:certbot.renewal:Attempting to renew cert (go4go.net-0001) from /etc/letsencrypt/renewal/go4go.net-0001.conf produced an unexpected error: Failed authorization procedure. go4go.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://go4go.net/.well-known/acme-challenge/evmGDn62iNZN31xuo5SSE0-MrRjYFZWLyKGkpwP-P8A: "\n\n404 Not Found\n\n\n\nNot Found\n<p". Skipping.
2019-01-14 02:31:47,804:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 432, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1170, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 118, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 307, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. go4go.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://go4go.net/.well-known/acme-challenge/evmGDn62iNZN31xuo5SSE0-MrRjYFZWLyKGkpwP-P8A: "\n\n404 Not Found\n\n\n\nNot Found\n<p"

2019-01-14 02:31:47,805:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-01-14 02:31:47,805:ERROR:certbot.renewal: /etc/letsencrypt/live/go4go.net-0001/fullchain.pem (failure)
2019-01-14 02:31:47,808:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.29.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1259, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 457, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

I think we’ll need to first identify which Certbot authenticator you are trying to use.

What are the contents of:

/etc/letsencrypt/renewal/go4go.net-0001.conf

#3

cat /etc/letsencrypt/renewal/go4go.net-0001.conf

renew_before_expiry = 30 days

version = 0.27.1
archive_dir = /etc/letsencrypt/archive/go4go.net-0001
cert = /etc/letsencrypt/live/go4go.net-0001/cert.pem
privkey = /etc/letsencrypt/live/go4go.net-0001/privkey.pem
chain = /etc/letsencrypt/live/go4go.net-0001/chain.pem
fullchain = /etc/letsencrypt/live/go4go.net-0001/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = 814517e6077cd2108b30d3b9b375a6a8
renew_hook = systemctl restart httpd
server = https://acme-v02.api.letsencrypt.org/directory

The last successful renewal was on 2018-11-15.

From my system log I can see certbot was updated to 0.29.1 on 2018-12-15. The renewal was OK for quite a long time.


#4

Could you please show me the output of the following:

apachectl -t -D DUMP_VHOSTS

This issue sometimes occurs when there are duplicate port 80 virtualhosts for one or more names, and I’d like to exclude that first.


#5

apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80 is a NameVirtualHost
default server go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net.conf:1)
port 80 namevhost go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net.conf:1)
alias breakfast.go4go.net
port 80 namevhost www.go4go.net (/etc/httpd/conf.d/site_go4go.conf:4)
alias go4go.net
port 80 namevhost breakfast.go4go.net (/etc/httpd/conf.d/site_go4go.conf:14)
port 80 namevhost www.2decomp.org (/etc/httpd/conf.d/site_go4go.conf:23)
alias 2decomp.org
*:443 is a NameVirtualHost
default server go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net-le-ssl.conf:2)
port 443 namevhost go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net-le-ssl.conf:2)
alias breakfast.go4go.net
port 443 namevhost www.go4go.net (/etc/httpd/conf.d/ssl.conf:56)


#6

plus

is a conflict. Apache can only actually use one or the other VirtualHost for go4go.net, and Certbot gets confused when it tries to identify which VirtualHost it needs to change when performing domain validation for go4go.net.

The simple solution is probably to comment out le-redirect-go4go.net, but this depends on your goals and understanding of your own setup.
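As an added diagnostic (not code from the thread, from Certbot, or from Apache), the following Python script parses `apachectl -t -D DUMP_VHOSTS` output and reports every hostname that more than one VirtualHost claims on the same port, counting `alias` lines as claims. Run against the dump from post #5 (embedded below as a constructed sample, with the apachectl warning preamble omitted) it flags go4go.net and breakfast.go4go.net as doubly claimed on port 80, which is exactly the conflict that leaves Certbot unable to pick the VirtualHost to modify for the http-01 challenge. The regexes assume the stock `port N namevhost NAME (file:line)` / `alias NAME` line shapes shown in the thread.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the DUMP_VHOSTS output posted in this thread (post #5),
# minus the "Passing arguments to httpd ..." preamble printed by apachectl.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:80 is a NameVirtualHost
default server go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net.conf:1)
port 80 namevhost go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net.conf:1)
alias breakfast.go4go.net
port 80 namevhost www.go4go.net (/etc/httpd/conf.d/site_go4go.conf:4)
alias go4go.net
port 80 namevhost breakfast.go4go.net (/etc/httpd/conf.d/site_go4go.conf:14)
port 80 namevhost www.2decomp.org (/etc/httpd/conf.d/site_go4go.conf:23)
alias 2decomp.org
*:443 is a NameVirtualHost
default server go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net-le-ssl.conf:2)
port 443 namevhost go4go.net (/etc/httpd/conf.d/le-redirect-go4go.net-le-ssl.conf:2)
alias breakfast.go4go.net
port 443 namevhost www.go4go.net (/etc/httpd/conf.d/ssl.conf:56)
"""

# Assumed line shapes (leading whitespace tolerated, since real apachectl
# output indents these lines).
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+)\)$")
ALIAS_RE = re.compile(r"^\s*alias (\S+)$")


def parse_vhosts(dump):
    """Return [(port, server_name, [aliases], 'file:line'), ...] in dump order.

    'default server' and '* is a NameVirtualHost' lines are deliberately skipped:
    the port and file:line are repeated on the following 'namevhost' line.
    """
    vhosts = []
    for line in dump.splitlines():
        m = VHOST_RE.match(line)
        if m:
            vhosts.append((int(m.group(1)), m.group(2).lower(), [], m.group(3)))
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            # An alias belongs to the most recently seen namevhost.
            vhosts[-1][2].append(m.group(1).lower())
    return vhosts


def find_conflicts(vhosts):
    """Map (port, hostname) -> [file:line, ...] for every hostname that two or
    more VirtualHosts on the same port claim, via ServerName or ServerAlias."""
    claims = defaultdict(list)
    for port, name, aliases, location in vhosts:
        for hostname in [name] + aliases:
            claims[(port, hostname)].append(location)
    return {key: locs for key, locs in claims.items() if len(locs) > 1}


def report(dump):
    """Human-readable summary; returns the number of conflicting (port, name) pairs."""
    conflicts = find_conflicts(parse_vhosts(dump))
    for (port, hostname), locations in sorted(conflicts.items()):
        print("port %d: %s is claimed by %d VirtualHosts:" % (port, hostname, len(locations)))
        for loc in locations:
            print("    " + loc)
    if not conflicts:
        print("no duplicate hostnames per port")
    return len(conflicts)


if __name__ == "__main__":
    # Usage: apachectl -t -D DUMP_VHOSTS 2>&1 | python vhost_conflicts.py
    # With no piped input the embedded sample from the thread is analysed.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    sys.exit(1 if report(text) else 0)
```

The script exits non-zero when it finds a conflict, so it can sit in front of `certbot renew` in the same cron job and stop a renewal attempt that is going to fail anyway; the fix itself is still the one described above (remove or merge the duplicate port-80 VirtualHost), which the script does not attempt.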


#7

Thank you very much!

I moved /etc/httpd/conf.d/le-redirect-go4go.net.conf elsewhere and restarted Apache. Then 'certbot renew --dry-run' confirmed that the renewal would be successful.

May I ask what the rewrite rule in le-redirect-go4go.net.conf does? Should I try to incorporate that in my own .conf file?


#8

It was probably the HTTP->HTTPS redirect that Certbot created for you.

I am actually not sure how your Apache configuration got in this state. Usually Certbot does it in a safe and correct way, and doesn’t stuff up your virtual hosting. Somehow, things went wrong with you.

You could try copying the redirect rule to your "real" port 80 virtualhost. No guarantees about it working or not, though.


#9

Thanks again. I must say this support forum is wonderful. I did not expect to get help so quickly.

