Failed to renew cert

Jihadist · July 9, 2020, 6:15pm

My domain is:
zabbix.ucheba.mcdir.ru
I ran this command:
sudo certbot renew --dry-run
It produced this output:
Domain: zabbix.ucheba.mcdir.ru
Type: unauthorized
Detail: Invalid response from http://zabbix.ucheba.mcdir.ru/login
[host_ip]: "\n<html lang=“en”>\n \n

\n \n !(function() {\n if ('PerformanceLongTaskTiming' in wi" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. My web server is (include version): Server version: Apache/2.4.29 (Ubuntu) The operating system my web server runs on is (include version): ubuntu 18.04 I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 0.31.0 Domain: zabbix.ucheba.mcdir.ru Type: unauthorized Detail: Invalid response from http://zabbix.ucheba.mcdir.ru/login [host_ip]: "\n\n \n \n \n !(function() {\n if $ To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. 2020-07-05 09:35:03,889:DEBUG:certbot.error_handler:Encountered exception: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations self._respond(aauthzrs, resp, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond self._poll_challenges(aauthzrs, chall_update, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges raise errors.FailedChallenges(all_failed_achalls) certbot.errors.FailedChallenges: Failed authorization procedure. zabbix.ucheba.mcdir.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: I$

rg305 · July 9, 2020, 7:06pm

From that it would seem that the challenge requests are being forced to a login page.

Jihadist · July 9, 2020, 7:25pm

How could it happen? Because i took first cert and everything worked fine. Who should i do?

rg305 · July 9, 2020, 8:42pm

There are many reasons this can happen.
Mainly because something "changed".
Please show the vhost config file for that domain name.

Jihadist · July 9, 2020, 9:51pm

DocumentRoot /usr/share/zabbix`
DirectoryIndex index.php

<VirtualHost *:80>
        ServerName zabbix.ucheba.mcdir.ru
        ServerAlias www.zabbix.ucheba.mcdir.ru
        ServerAdmin email
        Redirect permanent / https://zabbix.ucheba.mcdir.ru
        #DocumentRoot /usr/share/zabbix
        #DirectoryIndex index.php
        <Directory /usr/share/zabbix>
                DirectoryIndex index.php
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName zabbix.ucheba.mcdir.ru
                ServerAdmin email
                DirectoryIndex index.php
                #DocumentRoot /usr/share/zabbix
                # Use HTTP Strict Transport Security to force client to use secure connections only.
                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
                Header always set Referrer-Policy "no-referrer"


                SSLCertificateFile         /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/fullchain.pem
                SSLCertificateKeyFile    /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/privkey.pem



                SSLEngine on
                SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCompression off
                SSLOptions +StrictRequire
                SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-A$


        </VirtualHost>
</IfModule>

rg305 · July 9, 2020, 11:43pm

There is no exclusion for the challenge requests, so it just goes to whatever you are doing for https.

You can replace:

Jihadist:

        Redirect permanent / https://zabbix.ucheba.mcdir.ru
        #DocumentRoot /usr/share/zabbix
        #DirectoryIndex index.php
        <Directory /usr/share/zabbix>
                DirectoryIndex index.php
                Options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>

With:

  #set the site document root
  #here you use a dedicated path for challenge files only
  DocumentRoot /some-fake-document-root
  #allow the HTTP users access to the site document root
  <Directory /some-fake-document-root>
    AllowOverride None
    Require all granted
  </Directory>
  #set the default action for non challenge requests
  <LocationMatch "^/(?!\.well-known)">
    #send requests that don't have ".well-known" to HTTPS
    RedirectMatch ^/(.*)$ https://zabbix.ucheba.mcdir.ru/$1
  </LocationMatch>

rg305 · July 9, 2020, 11:45pm

Note: You may have to create the “/some-fake-document-root” folder.
And chmod it with 777 so that “everyone” can access it.

Jihadist · July 11, 2020, 2:16pm

I changed everything as you said but i receive the same error

rg305 · July 11, 2020, 10:19pm

Please show the config as it is now.
And the output of:
sudo apachectl -S

rg305 · July 11, 2020, 10:20pm

I’m still seeing 302 redirects (to /login) for challenge type requests:

curl -Iki http://zabbix.ucheba.mcdir.ru/.well-known/acme-challenge/test-file
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F.well-known%2Facme-challenge%2Ftest-file; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sat, 11 Jul 2020 22:18:27 GMT

Jihadist · July 12, 2020, 10:25am

AH00558: apache2: Could not reliably determine the server's fully qualified domain     name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         port 80 namevhost zabbix.ucheba.mcdir.ru (/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf:4)
                 alias www.zabbix.ucheba.mcdir.ru
*:443                  is a NameVirtualHost
         port 443 namevhost zabbix.ucheba.mcdir.ru (/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf:33)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/usr/share/zabbix"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

rg305 · July 12, 2020, 12:42pm

Please show this file:
/etc/apache2/sites-enabled/zabbix.ucheba.mcdir.ru.conf

be sure to add lines (to your post here) above and below the file with three back ticks; as follows:

```
YOUR POST
```

Jihadist · July 12, 2020, 1:07pm

I posted it before but i can do it again

DocumentRoot /usr/share/zabbix
DirectoryIndex index.php

<VirtualHost *:80>
        ServerName zabbix.ucheba.mcdir.ru
        ServerAlias www.zabbix.ucheba.mcdir.ru
        ServerAdmin myemail
        #Redirect permanent / https://zabbix.ucheba.mcdir.ru
        #DocumentRoot /usr/share/zabbix
        #DirectoryIndex index.php
        #<Directory /usr/share/zabbix>
        #       DirectoryIndex index.php
        #       Options FollowSymLinks
        #       AllowOverride None
        #       Require all granted
        #</Directory>
        #set the site document root
        #here you use a dedicated path for challenge files only
        DocumentRoot  /usr/share/fake_root_doc
        #allow the HTTP users access to the site document root
        <Directory  /usr/share/fake_root_doc>
        AllowOverride None
        Require all granted
        </Directory>
        #set the default action for non challenge requests
        <LocationMatch "^/(?!\.well-known)">
        #send requests that don't have ".well-known" to HTTPS
        RedirectMatch ^/(.*)$ https://zabbix.ucheba.mcdir.ru/$1
        </LocationMatch>
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerName zabbix.ucheba.mcdir.ru
                ServerAdmin myemail
                DirectoryIndex index.php
                #DocumentRoot /usr/share/zabbix
                # Use HTTP Strict Transport Security to force client to use secure connections only.
                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
                Header always set Referrer-Policy "no-referrer"


                SSLCertificateFile         /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/fullchain.pem
                SSLCertificateKeyFile    /etc/letsencrypt/live/zabbix.ucheba.mcdir.ru/privkey.pem



                SSLEngine on
                SSLProtocol all -TLSv1 -TLSv1.1 -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCompression off
                SSLOptions +StrictRequire
                SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256


        </VirtualHost>
</IfModule>

rg305 · July 12, 2020, 11:00pm

The redirection is NOT coming from that code.
Do you have an .htaccess file?
[or any other method to redirect requests to /login]

curl -Iki http://zabbix.ucheba.mcdir.ru/
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
X-Frame-Options: deny
Date: Sun, 12 Jul 2020 22:57:36 GMT

Jihadist · July 13, 2020, 10:33am

I dont have htaccess and curl works for me another way

curl -Iki http://zabbix.ucheba.mcdir.ru/
HTTP/1.1 302 Found
Date: Mon, 13 Jul 2020 10:28:11 GMT
Server: Apache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Location: https://zabbix.ucheba.mcdir.ru/
Content-Type: text/html; charset=iso-8859-1

rg305 · July 13, 2020, 1:55pm

Try that same thing from the Internet.

Jihadist · July 13, 2020, 2:35pm

I have the same as yours from the Internet but i dont know where is the problem

rg305 · July 13, 2020, 3:15pm

Then you need to learn how your network “works”.
There is an obvious difference between what you see from the inside and what is seen form the outside.
Is there an IPS or some other type of inline device that might be handling HTTP connections?

Jihadist · July 13, 2020, 3:53pm

I dont use any kind of ips or waf except ufw of course

rg305 · July 13, 2020, 4:17pm

And yet the difference exists…
[and continues to go unexplained]