Failing renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Hurricanepub.com

I ran this command: sudo certbot renew --dry-run -v

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/aquaprographix.com.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for aquaprographix.com and 9 more domains
Performing the following challenges:
http-01 challenge for hurricanepub.com
http-01 challenge for www.hurricanepub.com
http-01 challenge for aquaprographix.com
http-01 challenge for colasprint.com
http-01 challenge for speed-stream.com
http-01 challenge for tricountycamaroswfl.com
http-01 challenge for www.aquaprographix.com
http-01 challenge for www.colasprint.com
http-01 challenge for www.speed-stream.com
http-01 challenge for www.tricountycamaroswfl.com
Waiting for verification...
Challenge failed for domain hurricanepub.com
Challenge failed for domain www.hurricanepub.com
http-01 challenge for hurricanepub.com
http-01 challenge for www.hurricanepub.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: hurricanepub.com
Type: unauthorized
Detail: 50.192.28.25: Invalid response from http://hurricanepub.com/.well-known/acme-challenge/5wDlkyJl5YymmsncaPXpdvtLo7wXZafqFDzrVkUD4D0: 404

Domain: www.hurricanepub.com
Type: unauthorized
Detail: 50.192.28.25: Invalid response from http://www.hurricanepub.com/.well-known/acme-challenge/t2aP5bV-ut-Y5K1ibsVTuosf7d5Oct_TgFQ1Da8eyFQ: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate aquaprographix.com with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/aquaprographix.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
```

My web server is (include version): Apache/2.4.55 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Ports are all open, I can access the sites, and all DNS records are current.
When I installed a couple of months ago it went through without an issue; then I got a notification from the Let's Encrypt bot that it could not renew.

1 Like

Welcome to the community @spd2612

The errors are just for the hurricanepub domains. So, I guess that's partly good news.

That site just returns an empty page with a small template of HTML `<head>` info. Is that what I should expect?

We should start with you showing us the output of this:

```
sudo apachectl -t -D DUMP_VHOSTS
```
3 Likes

```
sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server aquaprographix.com (/etc/apache2/sites-enabled/aquaprographix.com-le-ssl.conf:2)
         port 443 namevhost aquaprographix.com (/etc/apache2/sites-enabled/aquaprographix.com-le-ssl.conf:2)
                 alias www.aquaprographix.com
         port 443 namevhost colasprint.com (/etc/apache2/sites-enabled/colasprint.com-le-ssl.conf:2)
                 alias www.colasprint.com
         port 443 namevhost hurricanepub.com (/etc/apache2/sites-enabled/hurricanepub-le-ssl.conf:2)
                 alias www.hurricanepub.com
         port 443 namevhost speed-stream.com (/etc/apache2/sites-enabled/speed-stream.com-le-ssl.conf:2)
                 alias www.speed-stream.com
         port 443 namevhost tricountycamaroswfl.com (/etc/apache2/sites-enabled/tricountycamaroswfl.com-le-ssl.conf:2)
                 alias www.tricountycamaroswfl.com
*:80                   is a NameVirtualHost
         default server 192.168.4.13 (/etc/apache2/sites-enabled/000-local.conf:1)
         port 80 namevhost 192.168.4.13 (/etc/apache2/sites-enabled/000-local.conf:1)
                 alias 192.168.4.13
                 wild alias 192.168.4.*
         port 80 namevhost aquaprographix.com (/etc/apache2/sites-enabled/aquaprographix.com.conf:1)
                 alias www.aquaprographix.com
         port 80 namevhost colasprint.com (/etc/apache2/sites-enabled/colasprint.com.conf:1)
                 alias www.colasprint.com
         port 80 namevhost hurricanepub.com (/etc/apache2/sites-enabled/hurricanepub.conf:1)
                 alias www.hurricanepub.com
         port 80 namevhost speed-stream.com (/etc/apache2/sites-enabled/speed-stream.com.conf:1)
                 alias www.speed-stream.com
         port 80 namevhost tricountycamaroswfl.com (/etc/apache2/sites-enabled/tricountycamaroswfl.com.conf:1)
                 alias www.tricountycamaroswfl.com
```

No, you should see a weather page. The root of that site has a URL redirect up to a different folder, which takes it to HurricanePub Weather.
Not sure why it's not loading on your end; it loads fine for me and on an alternate IP?

Can you show contents of that file? Please put 3 backticks before and after to retain the tags like this
```
contents of file
```

As for website, I was using curl, not a browser, but there was no code that indicated a redirect.

From a browser I see your site fine. Do you return different info based on the user-agent or something?

3 Likes

No user agent. I have to run that site that way or it messes up my images; it has to run from the template folder.
I am guessing this is what you want:

```
<VirtualHost *:80>
    ServerName hurricanepub.com
    ServerAlias www.hurricanepub.com
    ServerAdmin xyz@localhost
    DocumentRoot /var/www/hurricanepub
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine off
RewriteCond %{SERVER_NAME} =hurricanepub.com [OR]
RewriteCond %{SERVER_NAME} =www.hurricanepub.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Yes, but backticks rather than single quotes would be nice :slight_smile:

You can just edit your post from the menu bar

3 Likes

Your other domain names return expected results to my curl requests. That is, the HTTP site redirects to HTTPS and the HTTPS returns the html coding for a normal web page.

Your hurricanepub does not redirect, but probably because you have rewrite off. Is that intentional? It won't prevent a cert renewal; it is just good practice. It would also help debug what's happening if it was enabled.

Is there any reason the hurricanepub should respond differently to requests from curl compared to all your other sites?

EDIT: And the 3 backticks should be on their own line. Your earlier post got cropped.

3 Likes

Yes, it's intentional. That site retrieves data electronically from outside and can only pass it on port 80.

```
<VirtualHost *:80>
    ServerName hurricanepub.com
    ServerAlias www.hurricanepub.com
    ServerAdmin xyz@localhost
    DocumentRoot /var/www/hurricanepub
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine off
RewriteCond %{SERVER_NAME} =hurricanepub.com [OR]
RewriteCond %{SERVER_NAME} =www.hurricanepub.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Does that mean the page display using HTTPS will fail? Like with mixed-content error or similar? If so, why do you need a cert?

In any case, we'll need to see your certbot log. It will be very long. Ideally copy it to a .txt file and use the upload menu button.

EDIT: Oh, you can redact your email address in the VirtualHost (make it example@ or something)

4 Likes

It will fail to update the weather data; it has no provision to send HTTPS.
Here is what's in the root:

```html
<html>
	<head>
	<meta http-equiv="refresh" content="0; url=template/index.php" />
	<title>Meteotemplate</title>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<meta name="description" content="Meteotemplate - free website template for weather enthusiasts." />
	<meta name="keywords" content="meteotemplate, weather, climate, station, template, website" />
	<meta name="robots" content="index,follow" />
	<link rel="icon" href="favicon.ico" type="image/x-icon">
	</head>
</html>
```

I could turn it on and test if you think that's it.
I used to run all this in Windows but could not keep hackers out of IIS, so I ventured to Linux, which has been a learning experience.
HTTPS is on every link in there, so when you click anything you will then be on 443; also the template is configured in HTTPS.

I think this is what you need. Thanks for your help here.

lets encrypt.txt (64.9 KB)

2 Likes

I only find two errors in that log:

```
certbot.errors.ConfigurationError: Requested name 192.168.4.13 is an IP address. The Let's Encrypt certificate authority will not issue certificates for a bare IP address.
certbot.errors.ConfigurationError: 192.168.4.* contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.
```

Both seem unrelated to the 404 errors shown previously.

Please show the renewal.conf file for the HurricanePub.com domain.

3 Likes

The log file is truncated. This is the last line I see, but there should be much more.

```
2023-02-14 18:53:36,154:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/2035
```

Agree with Rudy, though I did not see anything wrong up until that point except as he noted.

3 Likes

I am sorry, I don't know where to find the renewal.conf file? And 192.168.4.13 is the local address of the web server; I don't know how it's getting in there. I am not that good with Linux; I am learning it as I go.
I did just get another notification from the Cron Daemon telling me it failed, so the cron must still be running.
Where do I go from here?

If this is the file you're wanting, it is the Aquaprographix one, but that is the domain all the other ones are attached to:

```
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/aquaprographix.com
cert = /etc/letsencrypt/live/aquaprographix.com/cert.pem
privkey = /etc/letsencrypt/live/aquaprographix.com/privkey.pem
chain = /etc/letsencrypt/live/aquaprographix.com/chain.pem
fullchain = /etc/letsencrypt/live/aquaprographix.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 67185136b68978347549343251b5b63d
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
```

OK, this makes no sense to me. I turned on the rewrite engine for hurricanepub, restarted apache2 and ran a dry-run; it tested good, so I tried

```
sudo certbot renew
```

Can you think of any reason this should fail because of the rewrite engine being off?
In Windows I worked around it as I could send it to the LAN IP address, but I have not figured out a way to do this in Linux.

I don't see the rewrite occurring. It should be a 301 or 302, not 200 OK:

```
curl -i http://hurricanepub.com
HTTP/1.1 200 OK
Server: Apache/2.4.55 (Ubuntu)
```

If the --dry-run succeeded did the actual renew work then? I couldn't tell from your post.

3 Likes

Yes, with Rewrite ON it renewed all the domains. I had to turn it back OFF though afterwards.
It is data that the module updates; if you go to the page you will see it says online. If I turn rewrite on it breaks that.
That data then gets stored in my SQL database.
I just don't understand why it won't update the cert with it off.

1 Like

I don't quite follow why you need rewrite off and then have rewrite statements. Could you remove those rewrite statements altogether and remove rewrite off too? That should probably work for certbot renew anyway.

I think the problem is because the --apache plug-in inserts temp code into your Apache config and removes it after. It sets rewrite on but the conflicting statements must be causing a problem. (see below for this temp code which is also in the letsencrypt.log).

You could also switch to --webroot authentication but some care required with all your domains. That method does not make temp changes to Apache config.

--apache plug-in temp code:

```
2023-02-14 18:53:32,020:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2023-02-14 18:53:32,021:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
```
3 Likes
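The conflict described in the answer above can be caught before a renewal run. The following is an added example, not code from the thread or from Certbot: a small POSIX shell lint that flags a vhost file carrying `RewriteEngine off` next to `RewriteRule`/`RewriteCond` directives, and emits a cleaned copy with the rewrite statements removed, as the answer suggests. The vhost it checks is a constructed sample for example.com with the same shape as the one posted.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an Apache vhost file for the
# pattern discussed above (RewriteEngine off next to RewriteRule/RewriteCond).
# Certbot's --apache authenticator injects a temporary "RewriteEngine on" plus a
# RewriteRule for /.well-known/acme-challenge/; a vhost that ends with
# "RewriteEngine off" conflicts with that and the CA gets a 404.

# Prints a one-word verdict for the vhost file given as $1:
#   ok         - RewriteEngine is not off
#   conflict   - RewriteEngine off AND Rewrite* directives present
#   engine_off - RewriteEngine off, no rewrite directives
lint_vhost() {
    engine=$(grep -i '^[[:space:]]*RewriteEngine' "$1" | tail -n 1 | awk '{print tolower($2)}')
    rules=$(grep -ciE '^[[:space:]]*Rewrite(Rule|Cond)' "$1" || true)
    if [ "$engine" = "off" ]; then
        if [ "$rules" -gt 0 ]; then echo conflict; else echo engine_off; fi
    else
        echo ok
    fi
}

# Emits a copy of the vhost with every Rewrite* directive removed, i.e. the
# "remove those rewrite statements altogether" suggestion above.
strip_rewrites() {
    grep -viE '^[[:space:]]*Rewrite(Engine|Rule|Cond)' "$1"
}

# Constructed sample vhost (example.com) with the same shape as the posted one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example
RewriteEngine off
RewriteCond %{SERVER_NAME} =example.com [OR]
RewriteCond %{SERVER_NAME} =www.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
EOF

fixed=$(mktemp)
strip_rewrites "$sample" > "$fixed"
echo "before: $(lint_vhost "$sample")"   # conflict
echo "after:  $(lint_vhost "$fixed")"    # ok
```

Run it against each file in /etc/apache2/sites-enabled before `certbot renew --dry-run`; a `conflict` verdict is the configuration this thread traced the 404 to.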