Invalid response from domain when renewing certificate


#1

My domain is:
https://pro01.co.uk

I ran this command:
./letsencrypt-auto --text --agree-tos --email dan@myaddress.com certonly --renew-by-default --webroot --webroot-path /var/www/html -d pro01.co.uk

It produced this output:
IMPORTANT NOTES:

My operating system is (include version):
MacOS 10.12.3

My web server is (include version):
CentOS version 2017.03

My hosting provider, if applicable, is:
Amazon AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Additional:
These are the steps I usually take to update my certificate:

  1. sudo -i
  2. pip install pip --upgrade
  3. pip install virtualenv --upgrade
  4. cd letsencrypt
  5. ./letsencrypt-auto --text --agree-tos --email dan@myaddress.com certonly --renew-by-default --webroot --webroot-path /var/www/html -d pro01.co.uk

However last time I did this (in Feb) I upgraded pip from 6.1.1 to 8.1.2.

Today while doing the same above steps I got some errors, e.g. when I ran:
pip install pip --upgrade I got the error “DistributionNotFound”.
I ran “easy_install pip” to see if it would fix the issue and now when I run pip install pip --upgrade I get the notice:

Requirement already up-to-date: pip in /usr/lib/python2.7/dist-packages.

Not sure if this is related so thought I would mention it.


#2

Hi @dan382,

This error is probably not related to the dependencies/pip problems, because it’s a very familiar kind of error.

When using --webroot, you need to specify somewhere where Certbot can create files which are then visible to the public on your web site. However, when the certificate authority checked, it did not actually find these files at the expected location, but rather an error message from your web server.

If you create a file test.txt in /var/www/html, can you see it at http://pro01.co.uk/test.txt?

If so, if you create a file test2.txt in /var/www/html/.well-known/acme-challenge, can you see it at http://pro01.co.uk/.well-known/acme-challenge/test2.txt?


#3

Hi Schoen,

Thanks for your reply, I really do appreciate the help!

The server has its virtualhost set up with this document root:
/var/www/html/pro01.co.uk

So to answer your first question, no, I can’t reach the test file by adding it to “/var/www/html” but I can if I add it to “/var/www/html/pro01.co.uk”.

The test2.txt file is a bit trickier, as it’s located at “/var/www/html/.well-known” not within the live document root which I guess would be /var/www/html/pro01.co.uk/.well-known, so although I can add files I’m not sure how I would see them from the website.

I’ve enclosed a picture of my directory structure to help clear things up.

I guess my question would be: is the .well-known folder simply being created in the wrong place, and if so, how was it working up till now?

My vhost.conf is enclosed just in case it helps shed any more light on the issue:

<VirtualHost *:80>
    ServerName pro01.co.uk
    DocumentRoot /var/www/html/pro01.co.uk
</VirtualHost>

<VirtualHost *:443>
    ServerName pro01.co.uk
    DocumentRoot /var/www/html/pro01.co.uk

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/pro01.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pro01.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/pro01.co.uk/chain.pem
</VirtualHost>

#4

In this case, you should specify --webroot-path /var/www/html/pro01.co.uk instead of --webroot-path /var/www/html. It’s about 85% likely that this will immediately solve your problem. :)
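
The mismatch diagnosed in this thread can be checked before running the client. The following is an added example, not part of the original posts or of Certbot: it reads the DocumentRoot Apache serves for a host name and compares it with the intended --webroot-path, and includes the live probe described in reply #2. The function names are hypothetical, and the parser assumes one address per VirtualHost with ServerName and DocumentRoot written directly in the file.

```shell
# Added example; function names are hypothetical, sample config is the thread's vhost.conf.
# Print the DocumentRoot of the <VirtualHost ...:PORT> block in CONF whose
# ServerName is NAME (default port 80, where the webroot check is fetched).
vhost_docroot() {  # usage: vhost_docroot CONF NAME [PORT]
  awk -v name="$2" -v port="${3:-80}" '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); key = tolower($1) }
    key == "<virtualhost"   { inblock = ($0 ~ (":" port ">$")); hit = 0; root = ""; next }
    key == "</virtualhost>" { if (inblock && hit && root != "") { print root; exit }
                              inblock = 0; next }
    !inblock                { next }
    key == "servername"     { if (tolower($2) == tolower(name)) hit = 1 }
    key == "documentroot"   { root = $2; gsub(/"/, "", root) }
  ' "$1"
}

# Exit 0 only if WEBROOT is the directory Apache serves for NAME on port 80.
webroot_matches() {  # usage: webroot_matches CONF NAME WEBROOT
  served=$(vhost_docroot "$1" "$2" 80)
  [ -n "$served" ] && [ "${served%/}" = "${3%/}" ]
}

# Live check from reply #2: place a probe file where the challenge would be
# written and fetch it over plain HTTP. Needs network access and write access.
probe_webroot() {  # usage: probe_webroot NAME WEBROOT
  dir="$2/.well-known/acme-challenge"; token="probe-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

# Sample input: the vhost.conf from the thread, written to a temporary file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName pro01.co.uk
    DocumentRoot /var/www/html/pro01.co.uk
</VirtualHost>
<VirtualHost *:443>
    ServerName pro01.co.uk
    DocumentRoot /var/www/html/pro01.co.uk
</VirtualHost>
EOF

for path in /var/www/html /var/www/html/pro01.co.uk; do
  webroot_matches "$SAMPLE_CONF" pro01.co.uk "$path" && s=OK || s=MISMATCH
  echo "$s: --webroot-path $path"
done
```

Run `probe_webroot pro01.co.uk /var/www/html/pro01.co.uk` on the server itself to confirm the path is reachable from outside; the config comparison alone does not catch rewrites or redirects.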


#5

You star, it was that simple. Certificate’s been generated.

Any idea how I’ve managed to get the certificate without the right directory being specified up till now? I’ve literally been using “var/www/html” for about a year!


#6

Nope! Maybe you were using a different authentication method before?


#7

Nope, not as far as I’m aware. Very odd. In any case this issue is resolved, thanks again for your input.

