Issues renewing an SSL certificate - certbot


#1

Hello,

This is my first topic here, but a few days ago something happened that I can’t explain. I’ve been using Certbot on multiple domains/servers for almost half a year now - maybe even more. And yesterday my web app didn’t renew the certificate, so it was unreachable. I have now restored the DigitalOcean droplet to 3 days back, so I have a bit more time to find the issue.

This happens if I want to renew the certificate:

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: app.instalgic.com
       Type:   unauthorized
       Detail: Invalid response from
       http://app.instalgic.com/.well-known/acme-challenge/RsWB5-XmCT6WK8CYRkrAZxWI1PfQZSsBF3VctyTzKOw:
       "<!DOCTYPE html>\n<html>\n    <head>\n        <meta
       charset=\"utf-8\">\n        <meta http-equiv=\"X-UA-Compatible\"
       content=\"IE=edge\">\n "

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
    You have new mail in /var/mail/root

Could someone try to help me out? I did everything I could, but I have no idea why suddenly I can’t renew.


#2

Hi @askejlacen

Perhaps you have used tls-sni-01 validation. This is deprecated, support ends 2019-02-13, so your certbot switches to http-01 validation.

That means: Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks this file.

But checking your domain I see a different error than Letsencrypt ( https://check-your-website.server-daten.de/?q=app.instalgic.com ):

You have redirects http -> https, this is ok, Letsencrypt follows, the wrong certificate is ignored.

But then the unknown file https://app.instalgic.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de is redirected to your login page. Your login page doesn’t have the content Letsencrypt wants to check.

So remove that redirect.

PS: In #help there is a list of questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#3

Hey @JuergenAuer, thanks for the fast reply.

I’m running my main domain on another server and there the SSL successfully renewed. My main domain is Instalgic.com.

The subdomain in question is: app.instalgic.com
I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/app.instalgic.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for app.instalgic.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (app.instalgic.com) from /etc/letsencrypt/renewal/app.instalgic.com.conf produced an unexpected error: Failed authorization procedure. app.instalgic.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.instalgic.com/.well-known/acme-challenge/YFLUEWpTcqMTUGC_28RywFriAGQeOuG3u9fHnjQAATE: "<!DOCTYPE html>\n<html>\n    <head>\n        <meta charset=\"utf-8\">\n        <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/app.instalgic.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/app.instalgic.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: app.instalgic.com
   Type:   unauthorized
   Detail: Invalid response from
   http://app.instalgic.com/.well-known/acme-challenge/YFLUEWpTcqMTUGC_28RywFriAGQeOuG3u9fHnjQAATE:
   "<!DOCTYPE html>\n<html>\n    <head>\n        <meta
   charset=\"utf-8\">\n        <meta http-equiv=\"X-UA-Compatible\"
   content=\"IE=edge\">\n "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My web server is (include version):
Apache / 2.4.18 (Ubuntu)

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

Certbot version:
certbot 0.26.1

This is also some content from letsencrypt.log

2019-02-02 14:16:31,793:DEBUG:certbot.error_handler:Calling registered functions
2019-02-02 14:16:31,793:INFO:certbot.auth_handler:Cleaning up challenges
2019-02-02 14:16:32,110:WARNING:certbot.renewal:Attempting to renew cert (app.instalgic.com) from /etc/letsencrypt/renewal/app.instalgic.com.conf produced an unexpected error: Failed authorization procedure. app.instalgic.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.instalgic.com/.well-known/acme-challenge/YFLUEWpTcqMTUGC_28RywFriAGQeOuG3u9fHnjQAATE: "<!DOCTYPE html>\n<html>\n    <head>\n        <meta charset=\"utf-8\">\n        <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n ". Skipping.
2019-02-02 14:16:32,114:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1197, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. app.instalgic.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.instalgic.com/.well-known/acme-challenge/YFLUEWpTcqMTUGC_28RywFriAGQeOuG3u9fHnjQAATE: "<!DOCTYPE html>\n<html>\n    <head>\n        <meta charset=\"utf-8\">\n        <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n "

2019-02-02 14:16:32,116:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-02-02 14:16:32,117:ERROR:certbot.renewal:  /etc/letsencrypt/live/app.instalgic.com/fullchain.pem (failure)
2019-02-02 14:16:32,117:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

#4

This is really not related to this server and cert request.
So we will ignore that and focus on this server and cert.

This config:

directs certbot to use:

It would seem that those are now unable to properly determine the location of the challenge response.
Using -vv (or greater) may show exactly where certbot is placing that challenge response.
But that may not fix the problem.

The bigger problem is what is in the config that “confuses” certbot into placing it there (in an inaccessible location).
We could spend time on that…
Or just force it to go to the correct location (or a specific location) and be done with this.

To check where it should be going based on the config, we would need to see the current config.
And then use --webroot to ensure it uses that location.

To force it to a specific location, you can use an Alias directive to map the /.well-known/acme-challenge/ requests to a folder of your choosing.
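The two fixes suggested in this thread (#2: keep the challenge path out of the redirect to the login page; #4: use an Alias directive plus --webroot so certbot always writes the challenge file to a known directory) fit together in one Apache configuration. The following is an added example, not configuration from the original poster or from Certbot; the directory /var/www/acme-challenge and the vhost layout are assumptions, and the application's own rewrite rules are only indicated by a comment.

```apache
# Added example: serve ACME http-01 challenges from a fixed directory and
# exempt /.well-known/acme-challenge/ from every redirect the app performs.
# Assumed webroot for certbot: /var/www/acme-challenge (certbot's webroot
# plugin writes to <webroot>/.well-known/acme-challenge/<token>).

<VirtualHost *:80>
    ServerName app.instalgic.com

    # 1. Map challenge requests to a plain directory that certbot can write to.
    Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/
    <Directory "/var/www/acme-challenge/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        Require all granted
    </Directory>

    # 2. Redirect everything else to HTTPS. A mod_rewrite condition is used
    #    instead of "Redirect / https://..." because a mod_alias Redirect
    #    takes precedence over Alias regardless of ordering.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName app.instalgic.com
    # SSLEngine / SSLCertificateFile / SSLCertificateKeyFile lines go here.

    # Let's Encrypt follows the http -> https redirect, so the challenge path
    # must be served as a static file on this vhost too, before any rule that
    # sends unauthenticated visitors to the login page.
    Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/
    <Directory "/var/www/acme-challenge/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        Require all granted
    </Directory>

    RewriteEngine On
    # Stop rewrite processing for challenge requests (the "-" target leaves
    # the URL unchanged; [L] prevents later rules from touching it).
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [L]

    # The application's own rewrite rules / login redirect follow here.
</VirtualHost>
```

With this in place the renewal can be switched from the apache authenticator to the webroot authenticator once, for example `sudo certbot certonly --webroot -w /var/www/acme-challenge -d app.instalgic.com`, which updates /etc/letsencrypt/renewal/app.instalgic.com.conf so that later `certbot renew` runs use the same location. A quick self-check before renewing is to place a small text file in /var/www/acme-challenge/.well-known/acme-challenge/ and fetch it over both http:// and https:// from outside the server: the response should be that file's content with status 200, not an HTML login page, which is exactly the symptom in the error above. Note that the challenge directory is world-readable by design; it should contain nothing but the short-lived challenge files.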


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.