Failure to renew certificate

Hi all,

I am self-hosting a subdomain of my website. That subdomain is powered by a Raspberry Pi running Raspbian, the cgit frontend and lighttpd. This is hosted on my home connection behind my router, but I'm pretty confident that this is not part of the problem. I initially set up this system using a huge number of webpages and I'm pretty much unable to pin them all down, but I can provide all relevant configuration.

A few days ago, I started getting emails stating that my certificate was due for renewal. I initially set up a cron job to renew the certificate, but it is failing with the error below.

Thanks for any and all help that you guys can provide.

My domain is:
git.abak.io

I ran this command:
./certbot-auto -q renew

It produced this output:

Requesting to rerun ./certbot-auto with root privileges...
[sudo] password for adrien:
Attempting to renew cert (git.abak.io) from /etc/letsencrypt/renewal/git.abak.io.conf produced an unexpected error: Failed authorization procedure. git.abak.io (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://git.abak.io/.well-known/acme-challenge/vZLuuedpLNjaETff3FUurHaiY5Fxy-qTCslx_dfv2cQ: "<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/git.abak.io/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
lighttpd/1.4.35 (ssl)

The operating system my web server runs on is (include version):
debian 8.0 (raspbian)

My hosting provider, if applicable, is:
Not really applicable, my hosting provider is my ISP.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Let’s Encrypt is trying to request the challenge file from the URL noted, but your server is replying with an XML document instead. You need to be able to serve text files as they exist from .well-known/acme-challenge on your server. Perhaps place a test.txt file there and see if you can load it. You probably have some web server configuration preventing files from being served from this directory as they need to be.

Thanks for your answer!

I tried to put a test file in <document-root>/.well-known/acme-challenge/test.html, and I can access it (although it is not rendered, but downloaded).

What else do you think I can try out?

Where is Certbot configured to put the file? It’s specified in /etc/letsencrypt/renewal/git.abak.io.conf, and should be recorded in /var/log/letsencrypt/letsencrypt.log.

Where’s Lighttpd configured to serve files from?

@mnordhoff, I think you got me on the right track. letsencrypt was set up with /var/www/html as its root, and my webserver was set up with /var/www/html/cgit as its root.

I modified the Let’s Encrypt config and it looks like the problem is fixed. Running certbot-auto -q renew no longer fails, and appears to succeed.

How can I make sure that everything is working correctly?
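The root mismatch found in this exchange can be spotted by reading both configs side by side. The script below is an added example (not from the thread or from certbot/lighttpd): it takes the webroot certbot records in its renewal file, takes lighttpd's server.document-root, shows where a token would be written versus where the same URL would be resolved, and classifies a validation reply the way the XML body in the original error should be read. The two config fragments are constructed samples using the thread's paths.

```python
import re
# Constructed certbot renewal file for the thread's domain (real files use this
# INI-like layout with a [[webroot_map]] subsection).
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
git.abak.io = /var/www/html
"""
# Constructed lighttpd.conf line; server.document-root is lighttpd's real directive.
LIGHTTPD_CONF = 'server.document-root = "/var/www/html/cgit"\n'

def certbot_webroot(conf_text, domain):
    """Directory certbot writes http-01 tokens into ([[webroot_map]] wins over webroot_path)."""
    in_map, fallback = False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # section header
            in_map = line == "[[webroot_map]]"
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if in_map and key == domain:
                return value
            if key == "webroot_path":
                fallback = value.split(",")[0].strip()
    return fallback

def lighttpd_document_root(conf_text):
    """Value of server.document-root with the quotes stripped."""
    m = re.search(r'^\s*server\.document-root\s*=\s*"([^"]*)"', conf_text, re.M)
    return m.group(1) if m else None

def challenge_check(domain, webroot, docroot, token):
    """Where certbot writes a token vs. where lighttpd resolves the same URL."""
    rel = ".well-known/acme-challenge/" + token
    return {
        "url": f"http://{domain}/{rel}",
        "written_to": f"{webroot.rstrip('/')}/{rel}",
        "served_from": f"{docroot.rstrip('/')}/{rel}",
        "roots_match": webroot.rstrip("/") == docroot.rstrip("/"),
    }

def classify_response(body, expected):
    """Token text is a pass; markup means the URL hit an error/index page, not the file."""
    if body.strip() == expected:
        return "ok"
    if body.lstrip().startswith(("<?xml", "<!DOCTYPE", "<html")):
        return "markup instead of token: URL not served from certbot's webroot"
    return "unexpected body"
```

Run `challenge_check("git.abak.io", certbot_webroot(RENEWAL_CONF, "git.abak.io"), lighttpd_document_root(LIGHTTPD_CONF), "TOKEN")` to see the two paths diverge; after fixing the renewal file, `roots_match` becomes True.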

You could visit your website in a browser, click the lock icon, open the certificate details, and confirm you have a new certificate. Or you could plug in your website into ssllabs.com and review that output.

Doing this I can see that your new certificate is not showing up. Perhaps you need to systemctl reload lighttpd so it loads the new certificate.

Ok, so I restarted my webserver and went back to check ssllabs, which seems to indicate that there are 2 certificates active on my website. I disregarded that, as the second certificate seems to be valid until 2021.

I then re-ran the renewal command without the -q flag (which I assumed stands for quiet); the results are as follows:

Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/git.abak.io.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/git.abak.io/fullchain.pem (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------

So I guess this means I’m good to go, and that I just need to adjust my cron job to run the renewal more regularly than once every 90 days.

When is a certificate due for renewal? Only strictly after its expiration?

@Patches: for the record (and in case someone ends up here) I believe the command you meant was systemctl restart lighttpd, as reload reloads the unit file, but maybe I’m wrong.

certbot renew examines the expiration date of your certificate(s) and only renews them when they are 30 days or less from expiration. It's safe to run as often as you like. The certbot team recommends running it twice daily so you get plenty of chances to renew in the event of a temporary failure.

systemctl reload restarts a service such that it does not stop running/taking requests. systemctl restart fully stops and then starts a service and it will be unavailable for a brief moment while doing this.

The command you are thinking of that reloads unit files is systemctl daemon-reload.
