Please fill out the fields below so we can help you better.
My domain is: xx.xx
I ran this command: ./letsencrypt-auto certonly --webroot -d xx.xx
It produced this output: Success
I ran this command: ./letsencrypt-auto --dry-run renew
It produced this output: Failure
My operating system is (include version): Ubuntu 16.04
My web server is (include version): apache2 (latest)
My hosting provider, if applicable, is: local
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Output:
1: $$$$$ FIRST COMMAND $$$$$ Issuing works just fine
su@host:/usr/local/letsencrypt# ./letsencrypt-auto certonly --webroot -d xx.xx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/xx.xx.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xx.xx
Select the webroot for xx.xx:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): /var/www/xx.xx
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for xx.xx: (Enter 'c' to cancel):/var/www/xx.xx
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xx.xx/fullchain.pem. Your cert will
expire on 2017-07-09. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
2: $$$$$ SECOND COMMAND $$$$$ Renewal does not work
su@host:/usr/local/letsencrypt# ./letsencrypt-auto --dry-run renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/xx.xx.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xx.xx
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/xx.xx.conf produced an unexpected error: Failed authorization procedure. xx.xx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xx.xx/.well-known/acme-challenge/vAshSjnqR3b24lwWiemy_IeVBX2wvlDztxchKAKcMVI: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML
4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
". Skipping.<TITLE>Not Found</TITLE>
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yy.yy.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for yy.yy
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits), not saving to file
Creating CSR: not saving to file
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/yy.yy/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/yy.yy/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/xx.xx/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: xx.xx
Type: unauthorized
Detail: Invalid response from
http://xx.xx/.well-known/acme-challenge/vAshSjnqR3b24lwWiemy_IeVBX2wvlDztxchKAKcMVI:
"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML
4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
su@host:/usr/local/letsencrypt#
- No .htaccess
- Same configuration between yy.yy and xx.xx - Please take a look at yy.yy/.well-known as well - same behavior
- Forced 443; however, the .well-known folders are available on both 443 and 80, which redirects to 443
- 0755 on .well-known
- issue occurs with both root and www-data as owners
No idea how to debug this further. Here is the output of the log: ~removed~
Any help would be greatly appreciated!
Thank you very much for your time.
Cheers,
IonutZ
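A local check for the situation reported above, added here as an example and not part of the original post or of certbot: it reads the webroot that `renew` will reuse from the `[[webroot_map]]` section of the renewal file and tests the mode bits along the challenge path. The renewal file contents, the temp directory and the `probe-test` file name are constructed; it assumes GNU `stat` and a web server user that is neither owner nor group of the files.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch, not from the original post. Sample data is constructed.

# Print the webroot `renew` will reuse for a domain, taken from the
# [[webroot_map]] section of a certbot renewal file.
webroot_for() {  # usage: webroot_for <renewal.conf> <domain>
  awk -v d="$2" '
    /^[ \t]*\[/ { inmap = ($0 ~ /^[ \t]*\[\[webroot_map\]\]/); next }
    inmap && index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t,]+$/, "", val)
      if (key == d) { print val; exit }
    }' "$1"
}

# Return 0 if mode bits let an unrelated user (assumption: the web server is
# neither owner nor group) traverse the challenge directories and read the file.
challenge_readable() {  # usage: challenge_readable <webroot> <token-file-name>
  local p mode
  for p in "$1" "$1/.well-known" "$1/.well-known/acme-challenge"; do
    mode=$(stat -c '%a' "$p" 2>/dev/null) || { echo "missing: $p" >&2; return 1; }
    [ $(( 0$mode & 1 )) -ne 0 ] || { echo "no o+x ($mode): $p" >&2; return 1; }
  done
  p="$1/.well-known/acme-challenge/$2"
  mode=$(stat -c '%a' "$p" 2>/dev/null) || { echo "missing: $p" >&2; return 1; }
  [ $(( 0$mode & 4 )) -ne 0 ] || { echo "no o+r ($mode): $p" >&2; return 1; }
}

# Fetch the probe the way the validation server would (needs network access).
http_status() {  # usage: http_status <domain> <token-file-name>
  curl -sL -o /dev/null -w '%{http_code}' "http://$1/.well-known/acme-challenge/$2"
}

# Build a constructed renewal file and webroot under a temp dir; print the dir.
make_sample() {
  local t; t=$(mktemp -d) || return 1
  mkdir -p "$t/www/.well-known/acme-challenge"
  chmod 755 "$t/www" "$t/www/.well-known" "$t/www/.well-known/acme-challenge"
  echo probe > "$t/www/.well-known/acme-challenge/probe-test"
  chmod 644 "$t/www/.well-known/acme-challenge/probe-test"
  printf '%s\n' 'cert = /etc/letsencrypt/live/xx.xx/cert.pem' '[renewalparams]' \
    'authenticator = webroot' "webroot_path = $t/www," '[[webroot_map]]' \
    "xx.xx = $t/www" > "$t/xx.xx.conf"
  echo "$t"
}

sample=$(make_sample)
root=$(webroot_for "$sample/xx.xx.conf" xx.xx)
challenge_readable "$root" probe-test && echo "renew will use $root; probe is readable"
```

On the real host, point `webroot_for` at `/etc/letsencrypt/renewal/xx.xx.conf` and compare its output with the directory Apache serves for that name; `http_status xx.xx probe-test` should then return 200 once a probe file is in place.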