Help with auto renewal through squid

I have set up a Let's Encrypt cert for Apache, but I actually use the certificate in squid, so when it’s time to renew the certificate, the authority doesn’t find the challenge since it reads from squid. I would love to make a bypass in squid for the verification, but I don’t know what to bypass. Or is there another solution? Can anyone help me? Thank you very much!

domain: carta.ro
command: (as root) /usr/share/certbot/certbot-auto renew --no-self-upgrade
output: (selection)

Domain: carta.ro
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9f6ccc8415741607d62a0efbaf2f9bef.3e5317909a0f99f6981d86aec44adb31.acme.invalid
from 37.251.160.116:443. Received 2 certificate(s), first
certificate had names “beta.carta.ro, carta.ro, de.carta.ro,
en.carta.ro, es.carta.ro, fr.carta.ro, hu.carta.ro, it.carta.ro,
mail.carta.ro, ro.carta.ro, www.carta.ro

os: debian Linux 7

If you want to bypass requests to challenge files, you have to use http-01 authorization instead of tls-sni-01. Then you have to make sure that URLs starting with /.well-known/acme-challenge/ are delivered locally.

Thank you for your answer! Let me see if I got that right: I have to make sure that I can access https://carta.ro/.well-known/acme-challenge/ from a browser and then I change the command in order for certbot to use the http-01 authorization instead of tls-sni-01?

Yes, this should be it. You actually have to figure out where http://carta.ro/.well-known/acme-challenge/ points to (which directory). Then, to test, put a file test.txt there and try to access it via http://carta.ro/.well-known/acme-challenge/test.txt. If this works, you can happily use the http-01 authorization via the webroot plugin.

NOTE: I had to edit this; these must be http URLs, not https.

Thank you again for your reply!

Now I can access http://carta.ro/.well-known/acme-challenge/ (no https).
As I understand (please let me know if I’m wrong), I tell certbot-auto to use the http-01 authorization by adding “--preferred-challenges=http” to the command, so the final command is: “/usr/share/certbot/certbot-auto renew --no-self-upgrade --preferred-challenges=http”, run as root. But now I get this error:

Attempting to renew cert (carta.ro) from /etc/letsencrypt/renewal/carta.ro.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.

Thank you again for continuing to help…

Try the webroot-plugin:

certbot-auto --webroot -d domain.tld,www.domain.tld -w /path

The path should be the directory which contains the directory .well-known

Can that be used to renew an existing certificate? It is also asking me to use the “certonly” command:

With the webroot plugin, you probably want to use the “certonly” command

You are right, have a look into the documentation:

Beautiful! I want to thank you and also to share this answer so that it may help others:

This is the command that renewed the certificate (with http://carta.ro/.well-known/acme-challenge/ made available to any browser, as explained above):

/usr/share/certbot/certbot-auto certonly -n -d carta.ro -d beta.carta.ro -d de.carta.ro -d en.carta.ro -d es.carta.ro -d fr.carta.ro -d hu.carta.ro -d it.carta.ro -d mail.carta.ro -d ro.carta.ro -d www.carta.ro --webroot -w /var/www/carta/

A short explanation that I got from https://certbot.eff.org/docs/using.html#renewing-certificates: if the domains are all listed as in the certificate, then a renewal is attempted. If one domain is missing, the command will issue a new certificate. I didn’t want that, so I listed every domain with “-d” in front of it. The “--webroot” option means that validation of the domain happens by placing a file in “.well-known/acme-challenge/”, which is found in the folder specified after the “-w” option.

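The two things the thread turns on, checking that the challenge directory really is served over plain HTTP and listing every name the certificate already has so certbot treats the run as a renewal, can be scripted. This is an added example, not a command from the thread or from certbot; it parses a constructed excerpt of `openssl x509 -text` output, and the webroot and certbot-auto paths are the ones quoted above, assumed to fit your install.

```shell
#!/bin/sh
# Constructed sample: the SAN line as printed by `openssl x509 -in cert.pem -noout -text`.
# On a live system pipe that command's output into build_renew_cmd instead.
SAMPLE_X509_TEXT='            X509v3 Subject Alternative Name:
                DNS:beta.carta.ro, DNS:carta.ro, DNS:de.carta.ro, DNS:www.carta.ro'

# Print one DNS name per line from the Subject Alternative Name extension on stdin.
san_names() {
    grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Build the certbot certonly command: the primary name first, every other SAN after it,
# so the existing lineage is renewed rather than a new certificate being issued.
# Usage: openssl x509 -in cert.pem -noout -text | build_renew_cmd carta.ro /var/www/carta/
build_renew_cmd() {
    primary=$1; webroot=$2; certbot=${3:-/usr/share/certbot/certbot-auto}
    names=$(san_names)
    if ! printf '%s\n' "$names" | grep -qxF "$primary"; then
        echo "primary name $primary is not in the certificate" >&2
        return 1
    fi
    cmd="$certbot certonly -n -d $primary"
    for n in $names; do
        [ "$n" = "$primary" ] && continue
        cmd="$cmd -d $n"
    done
    printf '%s\n' "$cmd --webroot -w $webroot"
}

# The test described in the thread, automated: drop a token file into the challenge
# directory under the webroot, fetch it over plain HTTP, and compare. Returns non-zero
# if the proxy (squid) does not hand that path to the local web server.
check_challenge_path() {
    webroot=$1; domain=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token"
    got=$(curl -fsS "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}
```

Run check_challenge_path before the renewal; if it fails, the squid bypass for /.well-known/acme-challenge/ is what needs fixing, not the certbot command.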
