Failed to renew cert

My domain is:
zabbix.ucheba.mcdir.ru
I ran this command:
sudo certbot renew --dry-run
It produced this output:
Domain: zabbix.ucheba.mcdir.ru
Type: unauthorized
Detail: Invalid response from http://zabbix.ucheba.mcdir.ru/login [host_ip]: "\n<html lang=“en”>\n \n \n \n !(function() {\n if ('PerformanceLongTaskTiming' in wi"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu 18.04

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):
certbot 0.31.0

Domain: zabbix.ucheba.mcdir.ru
Type: unauthorized
Detail: Invalid response from http://zabbix.ucheba.mcdir.ru/login [host_ip]: "\n\n \n \n \n !(function() {\n if $

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

2020-07-05 09:35:03,889:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. zabbix.ucheba.mcdir.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: I$

From that it would seem that the challenge requests are being forced to a login page.


How could it happen? Because I got the first cert and everything worked fine. What should I do?


There are many reasons this can happen.
Mainly because something “changed”.
Please show the vhost config file for that domain name.


DocumentRoot /usr/share/zabbix
DirectoryIndex index.php

<VirtualHost *:80>
        ServerName zabbix.ucheba.mcdir.ru
        ServerAlias www.zabbix.ucheba.mcdir.ru
        ServerAdmin email
        Redirect permanent / https://zabbix.ucheba.mcdir.ru
        #DocumentRoot /usr/share/zabbix
        #DirectoryIndex index.php
        <Directory /usr/share/zabbix>
                DirectoryIndex index.php
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName zabbix.ucheba.mcdir.ru
                ServerAdmin email
                DirectoryIndex index.php
                #DocumentRoot /usr/share/zabbix
                # Use HTTP Strict Transport Security to force client to use secure connections only.
                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
                Header always set Referrer-Policy "no-referrer"


                SSLCertificateFile         /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/fullchain.pem
                SSLCertificateKeyFile    /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/privkey.pem



                SSLEngine on
                SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCompression off
                SSLOptions +StrictRequire
                SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-A$


        </VirtualHost>
</IfModule>

There is no exclusion for the challenge requests, so it just goes to whatever you are doing for https.

You can replace:

With:

  #set the site document root
  #here you use a dedicated path for challenge files only
  DocumentRoot /some-fake-document-root
  #allow the HTTP users access to the site document root
  <Directory /some-fake-document-root>
    AllowOverride None
    Require all granted
  </Directory>
  #set the default action for non challenge requests
  <LocationMatch "^/(?!\.well-known)">
    #send requests that don't have ".well-known" to HTTPS
    RedirectMatch ^/(.*)$ https://zabbix.ucheba.mcdir.ru/$1
  </LocationMatch>

Note: You may have to create the “/some-fake-document-root” folder.
And chmod it with 777 so that “everyone” can access it.


I changed everything as you said, but I receive the same error.

Please show the config as it is now.
And the output of:
sudo apachectl -S


I’m still seeing 302 redirects (to /login) for challenge type requests:

curl -Iki http://zabbix.ucheba.mcdir.ru/.well-known/acme-challenge/test-file
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F.well-known%2Facme-challenge%2Ftest-file; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sat, 11 Jul 2020 22:18:27 GMT
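To separate the failing state shown above (a 302 to /login that throws the challenge path away) from the states an http-01 validator can live with (a 404 for a missing test file, or a redirect to HTTPS that keeps the same path), here is an added Python checker that is not from the thread; it parses `curl -I` style headers, and the sample headers are either copied from the post above or constructed, as labelled in the code.

```python
import re
from urllib.parse import urlsplit
CHALLENGE_PATH = "/.well-known/acme-challenge/test-file"

def parse_head(raw: str):
    """Parse a 'curl -I' style dump into (status_code, {lowercased header: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("missing HTTP status line")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def classify(status: int, headers: dict, host: str, path: str) -> str:
    """Say whether an ACME http-01 validator could reach PATH on HOST over port 80."""
    if status == 200:
        return "served"              # a token file there would be returned directly
    if status == 404:
        return "not-found"           # handled by this vhost, not redirected away
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and target.netloc == host and target.path == path:
            return "redirect-https"  # acceptable: validators follow same-path HTTPS redirects
        return "hijacked-redirect"   # e.g. Location: /login discards the challenge path
    return "unexpected"

def diagnose(raw: str, host: str, path: str = CHALLENGE_PATH) -> str:
    status, headers = parse_head(raw)
    return classify(status, headers, host, path)

# Response headers copied from the thread's external probe of the challenge path.
EXTERNAL_PROBE = """HTTP/1.1 302 Found
Cache-Control: no-cache
Location: /login
Set-Cookie: redirect_to=%2F.well-known%2Facme-challenge%2Ftest-file; Path=/; HttpOnly; SameSite=Lax
"""

# Constructed: what the .well-known exclusion should produce for a missing test file.
EXPECTED_AFTER_FIX = """HTTP/1.1 404 Not Found
Server: Apache
"""

if __name__ == "__main__":
    for label, raw in (("external", EXTERNAL_PROBE), ("after-fix", EXPECTED_AFTER_FIX)):
        print(label, diagnose(raw, "zabbix.ucheba.mcdir.ru"))
```

Run the probe from a host outside your own network as well as from the server itself; if the two results differ, something between the Internet and Apache is answering the request.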
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         port 80 namevhost zabbix.ucheba.mcdir.ru (/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf:4)
                 alias www.zabbix.ucheba.mcdir.ru
*:443                  is a NameVirtualHost
         port 443 namevhost zabbix.ucheba.mcdir.ru (/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf:33)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/usr/share/zabbix"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Please show this file:
/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf

Be sure to add lines (to your post here) above and below the file with three backticks, as follows:

```
YOUR POST
```


I posted it before, but I can do it again.

DocumentRoot /usr/share/zabbix
DirectoryIndex index.php

<VirtualHost *:80>
        ServerName zabbix.ucheba.mcdir.ru
        ServerAlias www.zabbix.ucheba.mcdir.ru
        ServerAdmin myemail
        #Redirect permanent / https://zabbix.ucheba.mcdir.ru
        #DocumentRoot /usr/share/zabbix
        #DirectoryIndex index.php
        #<Directory /usr/share/zabbix>
        #       DirectoryIndex index.php
        #       Options FollowSymLinks
        #       AllowOverride None
        #       Require all granted
        #</Directory>
        #set the site document root
        #here you use a dedicated path for challenge files only
        DocumentRoot  /usr/share/fake_root_doc
        #allow the HTTP users access to the site document root
        <Directory  /usr/share/fake_root_doc>
        AllowOverride None
        Require all granted
        </Directory>
        #set the default action for non challenge requests
        <LocationMatch "^/(?!\.well-known)">
        #send requests that don't have ".well-known" to HTTPS
        RedirectMatch ^/(.*)$ https://zabbix.ucheba.mcdir.ru/$1
        </LocationMatch>
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName zabbix.ucheba.mcdir.ru
                ServerAdmin myemail
                DirectoryIndex index.php
                #DocumentRoot /usr/share/zabbix
                # Use HTTP Strict Transport Security to force client to use secure connections only.
                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
                Header always set Referrer-Policy "no-referrer"


                SSLCertificateFile         /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/fullchain.pem
                SSLCertificateKeyFile    /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/privkey.pem



                SSLEngine on
                SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCompression off
                SSLOptions +StrictRequire
                SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256


        </VirtualHost>
</IfModule>

The redirection is NOT coming from that code.
Do you have an .htaccess file?
[or any other method to redirect requests to /login]

curl -Iki http://zabbix.ucheba.mcdir.ru/
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sun, 12 Jul 2020 22:57:36 GMT


I don't have an .htaccess file, and curl works differently for me.

curl -Iki http://zabbix.ucheba.mcdir.ru/
HTTP/1.1 302 Found
Date: Mon, 13 Jul 2020 10:28:11 GMT
Server: Apache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: https://zabbix.ucheba.mcdir.ru/
Content-Type: text/html; charset=iso-8859-1

Try that same thing from the Internet.

I have the same result as yours from the Internet, but I don't know where the problem is.

Then you need to learn how your network “works”.
There is an obvious difference between what you see from the inside and what is seen from the outside.
Is there an IPS or some other type of inline device that might be handling HTTP connections?

I don't use any kind of IPS or WAF, except ufw of course.

And yet the difference exists…
[and continues to go unexplained]