Failure to renew - or certonly


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: imagesvanuatu.com

I ran this command: sudo certbot certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): imagesvanuatu.com,www.imagesvanuatu.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for imagesvanuatu.com
http-01 challenge for www.imagesvanuatu.com
Input the webroot for imagesvanuatu.com: (Enter ‘c’ to cancel): /opt/bitnami/apache2/htdocs/imagesvanuatu.com

Select the webroot for www.imagesvanuatu.com:


1: Enter a new webroot
2: /opt/bitnami/apache2/htdocs/imagesvanuatu.com


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. imagesvanuatu.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://imagesvanuatu.com.well-known/acme-challenge/aIkHcO8573I21WUSvU-K3G00GHS2M-86wPG2ietRD6M: Error getting validation data, www.imagesvanuatu.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://imagesvanuatu.com.well-known/acme-challenge/oWhlrb85zQmPkeJHlHLg6TUWYBgd0OqIVK61xBcfcQU: Error getting validation data

IMPORTANT NOTES:

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-1060-aws x86_64)

My hosting provider, if applicable, is: Amazon LightSail

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

In addition:
My keys are stored in /etc/letsencrypt/keys
/etc/letsencrypt/renewal/imagesvanuatu.com.conf has:

renew_before_expiry = 30 days

version = 0.26.1
archive_dir = /etc/letsencrypt/archive/imagesvanuatu.com
cert = /etc/letsencrypt/live/imagesvanuatu.com/cert.pem
privkey = /etc/letsencrypt/live/imagesvanuatu.com/privkey.pem
chain = /etc/letsencrypt/live/imagesvanuatu.com/chain.pem
fullchain = /etc/letsencrypt/live/imagesvanuatu.com/fullchain.pem

Options used in the renewal process

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
account = 87aa472feb5ceb9c1e8485a988ccece4
authenticator = webroot
[[webroot_map]]
www.imagesvanuatu.com = /opt/bitnami/apache2/htdocs/imagesvanuatu.com
imagesvanuatu.com = /opt/bitnami/apache2/htdocs/imagesvanuatu.com

When I try to renew I get an error because it is challenging the .well-known folder in the website folder - and there is no .well-known folder in the imagesvanuatu.com folder.

When I use sudo certbot certonly I expected to see an option to keep the existing certificate for now or renew and replace the certificate - but certbot just started the renew process (and failed). I wanted to try to replace the certificate to try to fix whatever the problem is.

I’m having this problem on all my lightsail hosted websites. The certificates installed fine when I set it up but they are not auto-renewing and the certificates will expire next week.


#3

You have a dodgy redirect - https://letsdebug.net/www.imagesvanuatu.com/11916

You’re going to want to look for something that looks like:

Redirect permanent https://imagesvanuatu.com

and change it to:

Redirect permanent https://imagesvanuatu.com/

(trailing slash).


#4

YES!!! Thank you _az, that was exactly the problem. I fixed it and the certificates renewed successfully.

Richard


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.