Ok, updates for me:
-
# sudo ./certbot-auto --os-packages-only
All seems ok, two warning lines:
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-max
W: Ignoring Provides line with DepCompareOp for package python-cffi-backend-api-min
which looks benign.
-
# export VENV_ARGS="--python $(command -v python2 || command -v python 2.7)"
No output, ok.
-
# tools/_venv_common.sh -e acme -e . -e certbot-apache -e certbot-nginx
Some warnings, but finished ok:
++ /home/ca/certbot/tools/merge_requirements.py /home/ca/certbot/tools/dev_constraints.txt /tmp/tmp.1AVj9Qv3rM
/home/ca/certbot/venv/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning. SNIMissingWarning
/home/ca/certbot/venv/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning
/home/ca/certbot/venv/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning
then final message
Please run the following command to activate developer environment:
source venv/bin/activate
-
# venv/bin/certbot --apache --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
1: [redacted].ro
2: airtime.[redacted].ro
3: fb.[redacted].ro
4: listen.[redacted].ro
5: www.[redacted].ro
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4,5
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/airtime.[redacted].ro.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [redacted].ro
http-01 challenge for airtime.[redacted].ro
http-01 challenge for fb.[redacted].ro
http-01 challenge for listen.[redacted].ro
http-01 challenge for www.[redacted].ro
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. fb.[redacted].ro (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://fb.[redacted].ro/.well-known/acme-challenge/nKsabs49FVQQgPheCTm4vEghYcNhGo9GNJ2I4XgRE6w: "
<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><meta name="referrer" content="defaul", listen.[redacted].ro (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://listen.[redacted].ro/.well-known/acme-challenge/1yiF4phYb-KDZbPZ4whjYxI6Wtac-nLClyD3wbb6LlE [xxx.xxx.xxx.xxx]: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: fb.[redacted].ro
Type: unauthorized
Detail: Invalid response from
http://fb.[redacted].ro/.well-known/acme-challenge/nKsabs49FVQQgPheCTm4vEghYcNhGo9GNJ2I4XgRE6w:
"<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><meta name="referrer"
content="defaul"
Domain: listen.[redacted].ro
Type: unauthorized
Detail: Invalid response from
http://listen.[redacted].ro/.well-known/acme-challenge/1yiF4phYb-KDZbPZ4whjYxI6Wtac-nLClyD3wbb6LlE
[xxx.xxx.xxx.xxx]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
For the fb.[redacted].ro and listen.[redacted].ro subdomains it might be normal to fail.
- fb.[redacted].ro is a redirect to a Facebook application page
- listen.[redacted].ro is an internal redirect to an internal Icecast stream (via Airtime)
Below are the Apache conf files for those two subdomains failing (http and https):
fb.[redacted].ro.conf
<VirtualHost *:80>
ServerName fb.[redacted].ro
ProxyPreserveHost On
Redirect permanent / https://www.facebook.com/[redacted]/
RewriteEngine On
RewriteCond %{SERVER_NAME} =airtime.[redacted].ro
RewriteRule ^ https://www.facebook.com/[redacted]/%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{SERVER_NAME} =fb.[redacted].ro
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
fb.[redacted].ro-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName fb.[redacted].ro
ProxyPreserveHost On
Redirect permanent / https://www.facebook.com/[redacted]/
RewriteEngine On
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
SSLCertificateFile /etc/letsencrypt/live/airtime.[redacted].ro/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/airtime.[redacted].ro/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/airtime.[redacted].ro/chain.pem
</VirtualHost>
</IfModule>
listen.[redacted].ro.conf
<VirtualHost *:80>
ServerName listen.[redacted].ro
ProxyPreserveHost On
ProxyPass / http://localhost:8000/airtime_128
ProxyPassReverse / http://localhost:8000/airtime_128
RewriteEngine on
RewriteCond %{SERVER_NAME} =listen.[redacted].ro
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
listen.[redacted].ro-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName listen.[redacted].ro
ProxyPreserveHost On
ProxyPass / http://localhost:8000/airtime_128
ProxyPassReverse / http://localhost:8000/airtime_128
SSLCertificateFile /etc/letsencrypt/live/airtime.[redacted].ro/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/airtime.[redacted].ro/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/airtime.[redacted].ro/chain.pem
</VirtualHost>
</IfModule>
I cannot upload the log file (Sorry, new users cannot upload attachments), but here are the logged things for fb. and listen. subdomains:
Domain: fb.[redacted].ro
Type: unauthorized
Detail: Invalid response from http://fb.[redacted].ro/.well-known/acme-challenge/nKsabs49FVQQgPheCTm4vEghYcNhGo9GNJ2I4XgRE6w: "<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><meta name="referrer" content="defaul"
Domain: listen.[redacted].ro
Type: unauthorized
Detail: Invalid response from http://listen.[redacted].ro/.well-known/acme-challenge/1yiF4phYb-KDZbPZ4whjYxI6Wtac-nLClyD3wbb6LlE [xxx.xxx.xxx.xxx]: 404
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-01-15 07:11:41,985:INFO:certbot.auth_handler:Cleaning up challenges
2018-01-15 07:11:43,481:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "venv/bin/certbot", line 9, in <module>
load_entry_point('certbot', 'console_scripts', 'certbot')()
File "/home/ca/certbot/certbot/main.py", line 1240, in main
return config.func(config, plugins)
File "/home/ca/certbot/certbot/main.py", line 994, in run
certname, lineage)
File "/home/ca/certbot/certbot/main.py", line 113, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/home/ca/certbot/certbot/renewal.py", line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/home/ca/certbot/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/home/ca/certbot/certbot/auth_handler.py", line 81, in get_authorizations
self._respond(resp, best_effort)
File "/home/ca/certbot/certbot/auth_handler.py", line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File "/home/ca/certbot/certbot/auth_handler.py", line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. fb.[redacted].ro (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://fb.[redacted].ro/.well-known/acme-challenge/nKsabs49FVQQgPheCTm4vEghYcNhGo9GNJ2I4XgRE6w: "<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><meta name="referrer" content="defaul", listen.[redacted].ro (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://listen.[redacted].ro/.well-known/acme-challenge/1yiF4phYb-KDZbPZ4whjYxI6Wtac-nLClyD3wbb6LlE [xxx.xxx.xxx.xxx]: 404
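An added example, not part of the original post and not certbot code: a small checker that flags vhosts whose root-level `Redirect` or `ProxyPass` also covers `/.well-known/acme-challenge/`, the pattern shared by the two failing subdomains above. The hostnames and sample config are constructed, and it assumes such a directive is what answered the challenge request in place of the token.

```python
ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample modelled on the port-80 vhosts in the post; hostnames are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:80>
ServerName fb.example.test
Redirect permanent / https://www.facebook.com/placeholder/
</VirtualHost>
<VirtualHost *:80>
ServerName listen.example.test
ProxyPass / http://localhost:8000/airtime_128
</VirtualHost>
<VirtualHost *:80>
ServerName ok.example.test
ProxyPass /.well-known/acme-challenge/ !
ProxyPass / http://localhost:8000/airtime_128
</VirtualHost>
"""

def shadowing_directives(conf_text):
    """Map ServerName -> directives whose URL prefix also covers the ACME path."""
    findings, name, excluded, hits = {}, None, False, []
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key.startswith("<virtualhost"):
            name, excluded, hits = "(unnamed)", False, []
        elif key == "servername" and len(words) > 1:
            name = words[1]
        elif key == "proxypass" and len(words) >= 3:
            covers = ACME_PREFIX.startswith(words[1])
            if covers and words[2] == "!":
                excluded = True  # ProxyPass rules are checked in order; "!" opts the path out
            elif covers and not excluded:
                hits.append(" ".join(words))
        elif key == "redirect":
            # Syntax: Redirect [status] URL-path URL; take the first argument starting with "/".
            path = next((w for w in words[1:] if w.startswith("/")), None)
            if path and ACME_PREFIX.startswith(path):
                hits.append(" ".join(words))
        elif key.startswith("</virtualhost") and hits:
            findings.setdefault(name, []).extend(hits)
    return findings

if __name__ == "__main__":
    for host, lines in shadowing_directives(SAMPLE_CONF).items():
        print(host, "->", lines)
```

Run against a real vhost file by passing its contents to `shadowing_directives()`; a flagged host is one to test with a plain HTTP request for a file under the challenge path before requesting a certificate.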