I have a problem renewing my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: academiaeficacia.com

I ran this command: Le_HTTPPort=77777 acme.sh --test --debug --renew -d academiaeficacia.com -d www.academiaeficacia.com --standalone --webroot /home/integro/webapps/eficacia

It produced this output:
[mar jul 24 15:19:39 UTC 2018] Le_Listen_V4
[mar jul 24 15:19:39 UTC 2018] Le_Listen_V6
[mar jul 24 15:19:39 UTC 2018] _NC=‘socat TCP-LISTEN:77777,crlf,reuseaddr,fork’
[mar jul 24 15:19:40 UTC 2018] serverproc=‘39946’
[mar jul 24 15:19:40 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930
[mar jul 24 15:19:40 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:19:41 UTC 2018] POST
[mar jul 24 15:19:41 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930
[mar jul 24 15:19:41 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:41 UTC 2018] _ret=‘0’
[mar jul 24 15:19:41 UTC 2018] code=‘202’
[mar jul 24 15:19:41 UTC 2018] sleep 2 secs to verify
[mar jul 24 15:19:43 UTC 2018] checking
[mar jul 24 15:19:43 UTC 2018] GET
[mar jul 24 15:19:43 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930
[mar jul 24 15:19:43 UTC 2018] timeout=
[mar jul 24 15:19:43 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:43 UTC 2018] ret=‘0’
[mar jul 24 15:19:43 UTC 2018] academiaeficacia.com:Verify error:Invalid response from http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4:
[mar jul 24 15:19:43 UTC 2018] Debug: get token url.
[mar jul 24 15:19:43 UTC 2018] GET
[mar jul 24 15:19:43 UTC 2018] url=‘http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4
[mar jul 24 15:19:43 UTC 2018] timeout=1
[mar jul 24 15:19:43 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g --connect-timeout 1’
[mar jul 24 15:19:44 UTC 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[mar jul 24 15:19:44 UTC 2018] ret=‘60’
[mar jul 24 15:19:44 UTC 2018] Skip for removelevel:
[mar jul 24 15:19:44 UTC 2018] pid=‘39946’
[mar jul 24 15:19:44 UTC 2018] No need to restore nginx, skip.
[mar jul 24 15:19:44 UTC 2018] _clearupdns
[mar jul 24 15:19:44 UTC 2018] skip dns.
[mar jul 24 15:19:44 UTC 2018] _on_issue_err
[mar jul 24 15:19:44 UTC 2018] Please check log file for more details: /home/integro/.acme.sh/acme.sh.log
[mar jul 24 15:19:44 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930
[mar jul 24 15:19:44 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:19:44 UTC 2018] POST
[mar jul 24 15:19:44 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930
[mar jul 24 15:19:44 UTC 2018] _CURL=‘curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:44 UTC 2018] _ret=‘0’
[mar jul 24 15:19:44 UTC 2018] code=‘400’
[mar jul 24 15:19:45 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/ld6M9iOJY3WMnzSwk1j1L55ILQZl1dCfHc_4AI6GC0Q/152290935
[mar jul 24 15:19:45 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “XQP1tl3OUyik0PxA7RYjJIyVSE6wnLPU6PN6u8JyD7A.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:19:45 UTC 2018] POST
[mar jul 24 15:19:45 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/ld6M9iOJY3WMnzSwk1j1L55ILQZl1dCfHc_4AI6GC0Q/152290935
[mar jul 24 15:19:45 UTC 2018] _CURL='curl -L --silent --dump-header /home/integro/.acme.sh/http.header -g ’
[mar jul 24 15:19:45 UTC 2018] _ret=‘0’
[mar jul 24 15:19:45 UTC 2018] code=‘202’
[mar jul 24 15:19:45 UTC 2018] Diagnosis versions

My web server is (include version):

The operating system my web server runs on is (include version): CentOS Linux release 7.5.1804

My hosting provider, if applicable, is: Webfaction Hosting

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’m not familiar with acme.sh myself, but if it’s at all akin to the Certbot setup, you shouldn’t be using --standalone and --webroot together. The former says “I don’t have a webserver running, spin up a temporary one to reply to the challenge” and the latter says “I have a web server running and serving files from this directory, please place challenge files appropriately and my webserver will take it from there.”

Thanks @jared.m, I can use 1 option and the result will be the same.

I checked that my webserver is working using http://academiaeficacia.com/.well-known/acme-challenge/test.txt over HTTP, and this is working well.

I think the problem is that acme.sh apparently can’t create the file in .well-known/acme-challenge/NNNNNNN.

Hi @jmadrigal-integro

your file

https://acme-staging.api.letsencrypt.org/acme/challenge/X-kQD1uaHjiAgrBlK8rciMiEMXCbeIgFKP6z--xH97M/152290930

says:

Let's Encrypt wants to load

http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4

But calling this file:

D:\download http://academiaeficacia.com/.well-known/acme-challenge/9XxbaDSR1MFOqgHxkw72-ypyBGq2h-HmqQHW8hEh_V4 -h
Transfer-Encoding: chunked
Connection: keep-alive
Link: https://academiaeficacia.com/wp-json/; rel="https://api.w.org/"
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Jul 2018 15:38:03 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Location: https://academiaeficacia.com/login/
Server: nginx

Status: 302 Redirect

your webserver doesn't send the content of your file; instead, there is a redirect to your login page.

So you should change your redirect rules, so that /.well-known/acme-challenge/ is excluded.

PS: Interesting:

http://academiaeficacia.com/.well-known/acme-challenge/test.txt

works, but test it with a filename 123456789 without extension.

Thanks,

I have removed the redirection only for the directory .well-known and now the error is:

[mar jul 24 15:52:48 UTC 2018] sleep 2 secs to verify
[mar jul 24 15:52:50 UTC 2018] checking
[mar jul 24 15:52:50 UTC 2018] GET
[mar jul 24 15:52:50 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/pwljr2v_UlHupcfGeqaMk8JlmyZVgB9PIkyN8mVDJng/152297220
[mar jul 24 15:52:50 UTC 2018] timeout=
[mar jul 24 15:52:50 UTC 2018] _WGET=‘wget -q --content-on-error ’
[mar jul 24 15:52:50 UTC 2018] ret=‘0’
[mar jul 24 15:52:50 UTC 2018] academiaeficacia.com:Verify error:The key authorization file from the server did not match this challenge [iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA] != []
[mar jul 24 15:52:50 UTC 2018] Debug: get token url.
[mar jul 24 15:52:50 UTC 2018] GET
[mar jul 24 15:52:50 UTC 2018] url=‘http://academiaeficacia.com/.well-known/acme-challenge/iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY
[mar jul 24 15:52:50 UTC 2018] timeout=1
[mar jul 24 15:52:50 UTC 2018] _WGET=‘wget -q --content-on-error --timeout=1’
[mar jul 24 15:52:50 UTC 2018] ret=‘0’
[mar jul 24 15:52:50 UTC 2018] Skip for removelevel:
[mar jul 24 15:52:50 UTC 2018] pid=‘24670’
[mar jul 24 15:52:50 UTC 2018] No need to restore nginx, skip.
[mar jul 24 15:52:50 UTC 2018] _clearupdns
[mar jul 24 15:52:50 UTC 2018] skip dns.
[mar jul 24 15:52:50 UTC 2018] _on_issue_err
[mar jul 24 15:52:50 UTC 2018] Please check log file for more details: /home/integro/.acme.sh/acme.sh.log
[mar jul 24 15:52:50 UTC 2018] url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/pwljr2v_UlHupcfGeqaMk8JlmyZVgB9PIkyN8mVDJng/152297220
[mar jul 24 15:52:50 UTC 2018] payload=’{“resource”: “challenge”, “keyAuthorization”: “iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA”}’
[mar jul 24 15:52:50 UTC 2018] POST
[mar jul 24 15:52:50 UTC 2018] _post_url=‘https://acme-staging.api.letsencrypt.org/acme/challenge/pwljr2v_UlHupcfGeqaMk8JlmyZVgB9PIkyN8mVDJng/152297220
[mar jul 24 15:52:50 UTC 2018] _WGET='wget -q --content-on-error ’
[mar jul 24 15:52:51 UTC 2018] wget returns 8, the server returns a ‘Bad request’ response, lets process the response later.
[mar jul 24 15:52:51 UTC 2018] Using sed -i
[mar jul 24 15:52:51 UTC 2018] _ret=‘0’
[mar jul 24 15:52:51 UTC 2018] code=‘400’

Looks like your webserver sends wrong data:

The key authorization file from the server did not match this challenge [iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA] !=

Your webserver accepts the url

http://academiaeficacia.com/.well-known/acme-challenge/iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY

but the content of the file is empty. It has to be

iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY.OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA

(With the next challenge, the filename and the content will change.)

And: Calling the "wrong url"

http://academiaeficacia.com/.well-known/acme-challenge/abcd

I get an HTTP status 200; I should get a 404.
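The three checks made by hand in the replies above (no redirect on the token URL, a body equal to the key authorization, a 404 for a name that was never written) can be combined into one pre-flight test. This is an added example, not part of any post in this thread and not acme.sh code; `check_http01`, `http_fetch` and `fake_site` are hypothetical names, and the `fake_site` responses are constructed to mirror the two failures shown in the logs.

```python
import secrets
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"
# Token and key authorization as printed in the log above.
TOKEN = "iAZoIHVWQDkdtHN_mr22JSRTnarYDykthV1T46COhjY"
KEY_AUTH = TOKEN + ".OHOCENYOWUdLzzMS9BG8bKozAFMd4vIeOZOeUuRgUBA"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx instead of following it

def http_fetch(url, timeout=5):
    """Return (status, Location header, body) for a plain HTTP GET."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""

def check_http01(domain, token, key_auth, fetch=http_fetch):
    """Return a list of problems in how `domain` serves one http-01 token."""
    base = "http://" + domain + CHALLENGE_PATH
    problems = []
    status, location, body = fetch(base + token)
    if 300 <= status < 400:
        problems.append(f"token URL redirects to {location}")
    elif status != 200:
        problems.append(f"token URL returned HTTP {status}")
    elif body.strip() != key_auth:
        problems.append(f"body {body.strip()!r} is not the key authorization")
    # A random, extensionless name that was never written must not be served.
    probe = "probe" + secrets.token_hex(8)
    if fetch(base + probe)[0] == 200:
        problems.append("unknown token name returned HTTP 200, expected 404")
    return problems

def fake_site(token_response, unknown_status):
    """Constructed stand-in for a web server, so the check runs offline."""
    def fetch(url, timeout=5):
        return token_response if url.endswith("/" + TOKEN) else (unknown_status, None, "")
    return fetch

if __name__ == "__main__":
    login = (302, "https://academiaeficacia.com/login/", "")
    for site in (fake_site(login, 302), fake_site((200, None, ""), 200)):
        print(check_http01("academiaeficacia.com", TOKEN, KEY_AUTH, fetch=site))
```

Called without the `fetch` argument, `check_http01` performs real HTTP requests against the domain; an empty list means the webroot serves the challenge file as written.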

I think that acme.sh has an error on the Webfaction servers; I had to use an external service to renew the certificate.

It is a great option to renew these certificates.

Thank you so much.
