I have a problem renewing my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: academiaeficacia.com

I ran this command: Le_HTTPPort=77777 acme.sh --test --debug --renew -d academiaeficacia.com -d www.academiaeficacia.com --standalone --webroot /home/integro/webapps/eficacia

It produced this output:
[mar jul 24 15:19:39 UTC 2018] Le_Listen_V4
[mar jul 24 15:19:39 UTC 2018] Le_Listen_V6
[mar jul 24 15:19:39 UTC 2018] _NC=‘socat TCP-LISTEN:77777,crlf,reuseaddr,fork’
[mar jul 24 15:19:40 UTC 2018] serverproc=‘39946’
[mar jul 24 15:19:40 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930’
[mar jul 24 15:19:40 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:19:41 UTC 2018] POST
[mar jul 24 15:19:41 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930’
[mar jul 24 15:19:41 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:41 UTC 2018] _ret=‘0’
[mar jul 24 15:19:41 UTC 2018] code=‘202’
[mar jul 24 15:19:41 UTC 2018] sleep 2 secs to verify
[mar jul 24 15:19:43 UTC 2018] checking
[mar jul 24 15:19:43 UTC 2018] GET
[mar jul 24 15:19:43 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930’
[mar jul 24 15:19:43 UTC 2018] timeout=
[mar jul 24 15:19:43 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:43 UTC 2018] ret=‘0’
[mar jul 24 15:19:43 UTC 2018] academiaeficacia.com:Verify error:Invalid response from http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4:
[mar jul 24 15:19:43 UTC 2018] Debug: get token url.
[mar jul 24 15:19:43 UTC 2018] GET
[mar jul 24 15:19:43 UTC 2018] url=‘http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4’
[mar jul 24 15:19:43 UTC 2018] timeout=1
[mar jul 24 15:19:43 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g --connect-timeout 1’
[mar jul 24 15:19:44 UTC 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[mar jul 24 15:19:44 UTC 2018] ret=‘60’
[mar jul 24 15:19:44 UTC 2018] Skip for removelevel:
[mar jul 24 15:19:44 UTC 2018] pid=‘39946’
[mar jul 24 15:19:44 UTC 2018] No need to restore nginx, skip.
[mar jul 24 15:19:44 UTC 2018] _clearupdns
[mar jul 24 15:19:44 UTC 2018] skip dns.
[mar jul 24 15:19:44 UTC 2018] _on_issue_err
[mar jul 24 15:19:44 UTC 2018] Please check log file for more details: /home/integro/.acme.sh/acme.sh.log
[mar jul 24 15:19:44 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930’
[mar jul 24 15:19:44 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:19:44 UTC 2018] POST
[mar jul 24 15:19:44 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930’
[mar jul 24 15:19:44 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:44 UTC 2018] _ret=‘0’
[mar jul 24 15:19:44 UTC 2018] code=‘400’
[mar jul 24 15:19:45 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/ld6M9iOJY3WMnzSwk1j1L55ILQZl1dCfHc_4AI6GC0Q/152290935’
[mar jul 24 15:19:45 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “XQP1tl3OUyik0PxA7RYjJIyVSE6wnLPU6PN6u8JyD7A.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:19:45 UTC 2018] POST
[mar jul 24 15:19:45 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/ld6M9iOJY3WMnzSwk1j1L55ILQZl1dCfHc_4AI6GC0Q/152290935’
[mar jul 24 15:19:45 UTC 2018] _CURL='curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:45 UTC 2018] _ret=‘0’
[mar jul 24 15:19:45 UTC 2018] code=‘202’
[mar jul 24 15:19:45 UTC 2018] Diagnosis versions

My web server is (include version):

The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804

My hosting provider, if applicable, is: Webfaction Hosting

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’m not familiar with acme.sh myself, but if it’s at all akin to the Certbot setup, you shouldn’t be using --standalone and --webroot together. The former says “I don’t have a webserver running, spin up a temporary one to reply to the challenge” and the latter says “I have a web server running and serving files from this directory, please place challenge files appropriately and my webserver will take it from there.”

Thanks @jared.m, I can use 1 option and the result will be the same.

I checked that my webserver working using http://academiaeficacia.com/.well-known/acme-challenge/test.txt with http and this is working well.

I think problem is that acme.sh apparentlly can’t create the file in .well-known/acme-challenge/NNNNNNN.

Hi @jmadrigal-integro

your file

https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930

says:

Letsencrypt want to load

http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4

But calling this file:

D:\download http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4 -h
Transfer-Encoding: chunked
Connection: keep-alive
Link: https://academiaeficacia.com/wp-json/; rel="https://api.w.org/"
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Jul 2018 15:38:03 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Location: https://academiaeficacia.com/login/
Server: nginx

Status: 302 Redirect

your webserver doesn't send the content of your file, instead there is a redirect to your login-page.

So you should change your redirect rules, so that /.well-known/acme-challenge/ is excluded.

PS: Interesting:

http://academiaeficacia.com/.well-known/acme-challenge/test.txt

works, but test it with a filename 123456789 without extension.

Thanks,

I have removed the redirection only for the directory .well-known and now the error is:

[mar jul 24 15:52:48 UTC 2018] sleep 2 secs to verify
[mar jul 24 15:52:50 UTC 2018] checking
[mar jul 24 15:52:50 UTC 2018] GET
[mar jul 24 15:52:50 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/pwljr2v_UlHupcfGeqaMk8JlmyZVgB9PIkyN8mVDJng/152297220’
[mar jul 24 15:52:50 UTC 2018] timeout=
[mar jul 24 15:52:50 UTC 2018] _WGET=‘wget -q --content-on-error ’
[mar jul 24 15:52:50 UTC 2018] ret=‘0’
[mar jul 24 15:52:50 UTC 2018] academiaeficacia.com:Verify error:The key authorization file from the server did not match this challenge [iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA] != []
[mar jul 24 15:52:50 UTC 2018] Debug: get token url.
[mar jul 24 15:52:50 UTC 2018] GET
[mar jul 24 15:52:50 UTC 2018] url=‘http://academiaeficacia.com/.well-known/acme-challenge/iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY’
[mar jul 24 15:52:50 UTC 2018] timeout=1
[mar jul 24 15:52:50 UTC 2018] _WGET=‘wget -q --content-on-error --timeout=1’
[mar jul 24 15:52:50 UTC 2018] ret=‘0’
[mar jul 24 15:52:50 UTC 2018] Skip for removelevel:
[mar jul 24 15:52:50 UTC 2018] pid=‘24670’
[mar jul 24 15:52:50 UTC 2018] No need to restore nginx, skip.
[mar jul 24 15:52:50 UTC 2018] _clearupdns
[mar jul 24 15:52:50 UTC 2018] skip dns.
[mar jul 24 15:52:50 UTC 2018] _on_issue_err
[mar jul 24 15:52:50 UTC 2018] Please check log file for more details: /home/integro/.acme.sh/acme.sh.log
[mar jul 24 15:52:50 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/pwljr2v_UlHupcfGeqaMk8JlmyZVgB9PIkyN8mVDJng/152297220’
[mar jul 24 15:52:50 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:52:50 UTC 2018] POST
[mar jul 24 15:52:50 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/pwljr2v_UlHupcfGeqaMk8JlmyZVgB9PIkyN8mVDJng/152297220’
[mar jul 24 15:52:50 UTC 2018] _WGET='wget -q --content-on-error ’
[mar jul 24 15:52:51 UTC 2018] wget returns 8, the server returns a ‘Bad request’ response, lets process the response later.
[mar jul 24 15:52:51 UTC 2018] Using sed -i
[mar jul 24 15:52:51 UTC 2018] _ret=‘0’
[mar jul 24 15:52:51 UTC 2018] code=‘400’

Looks like your webserver sends wrong data:

The key authorization file from the server did not match this challenge [iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA] !=

Your webserver accepts the url

http://academiaeficacia.com/.well-known/acme-challenge/iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY

but the content of the file is empty. Has to be

iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA

(next challenge the filename and the content will change).

And: Calling the "wrong url"

http://academiaeficacia.com/.well-known/acme-challenge/abcd

I get a http-status 200, I should get a 404.

I think that acme.sh have an error on the webfaction servers, I had to use an external service to renew the certificate.

It is the great option to renew this certificates.

Thank you so much.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.