Web server: Apache/2.4.29 (Ubuntu)
O/S: Ubuntu 18.04.6 LTS
Control panel: Webmin / Virtualmin + root access
Certbot version: certbot 0.27.0
Greetings:
I am having trouble renewing my Let's Encrypt certificate on an Ubuntu server running apache2.
The certificate was first installed three months ago and the website has been running fine. But autorenew today failed. I read somewhere that WSGI, which the website uses, does not work well with Let's Encrypt. So I disabled WSGI and restarted apache2 with a very simple config.
The key authorization file from the server did not match this challenge "FrQHNG5lZQSdsYYJi0siJIy9Acfz5V7gE23xwu2TxeQ.dR2g1kFtm2-3gDYi3sRFEFtf3Nhi2GpS62UpayyLBp0" != "<html>\n\t<head>\n\t</head>\n\t<body>\n\t</body>\n</html>"
I am guessing there must be something straightforward that a beginner such as I have overlooked. Please help.
Thanks.
[This issue has been resolved with help from @MikeMcQ. Please see reply below for the steps.]
Can you show us the contents of the renewal conf file for this cert in this folder:
/etc/letsencrypt/renewal
It looks like there was a config change to your server since you last renewed your cert. Your server is responding to the ACME challenge URL with a "200 OK" response and just a few HTML tags. I can reproduce that but now we need to see why that is.
To experiment, I replaced all instances of /home/DOMAIN/public_html by /var/www/html in the renewal conf file, restarted Apache, and reran letsencrypt, but to no avail:
The key authorization file from the server did not match this challenge "4v0HxkKCosEhJKltM6y6Wid7CXJlWwho6EDobm0ADbw.dR2g1kFtm2-3gDYi3sRFEFtf3Nhi2GpS62UpayyLBp0" != "<html>\n\t<head>\n\t</head>\n\t<body>\n\t</body>\n</html>
My test HTTP Challenge URL gets redirected to your index.html file which is just an empty stub page. I'm not sure why that is but check redirects in your VirtualHost and maybe even .htaccess file.
The only thing I'm not sure of is whether you redirect every page request or are just using a 302 redirect instead of a 404 Not Found. You shouldn't do a 302 for 404 but sometimes people do. In any case, you should really fix this faulty redirect first.
curl -i babblingbabel.com/.well-known/acme-challenge/Test123
HTTP/1.1 302 Found
Server: Apache
Location: http://babblingbabel.com/index.html
Here's another example unrelated to the HTTP Challenge that should get 404:
curl -i babblingbabel.com/RandomFile
HTTP/1.1 302 Found
Server: Apache
Location: http://babblingbabel.com/index.html
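The check described in the reply above, as an added example that is not part of the original thread: it writes a random probe file under the configured webroot and requests it once without following redirects, so a catch-all 302 like the one in the curl output is reported as such. The names probe_http01, CatchAllRedirect and serve are made up for this example, and the two localhost servers are constructed stand-ins for a correctly configured site and for the redirecting one.

```python
import http.client, os, secrets, tempfile, threading
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"

def probe_http01(host, port, webroot):
    """Write a random probe file under webroot, request it once, classify the answer."""
    token, body = "probe-" + secrets.token_hex(8), secrets.token_hex(16)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    try:
        # http.client does not follow redirects, so a catch-all 302 stays visible.
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}")
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        got = resp.read().decode(errors="replace").strip()
        conn.close()
    finally:
        os.remove(path)  # never leave probe files behind in the webroot
    if status == 200 and got == body:
        return "ok", "webroot is the directory the server serves"
    if status in (301, 302, 303, 307, 308):
        return "redirect", f"{status} to {location}: probe file not served from {webroot}"
    if status == 404:
        return "not-served", f"server does not read {webroot}"
    return "mismatch", f"{status} with unexpected body {got[:40]!r}"

class CatchAllRedirect(BaseHTTPRequestHandler):
    """Constructed stand-in for the thread's server: every request answers 302 to /index.html."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/index.html")
        self.end_headers()

def serve(handler):
    """Start a throwaway server on a free localhost port and return that port."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

if __name__ == "__main__":
    webroot = tempfile.mkdtemp()  # stands in for webroot_path in the renewal conf
    for handler in (partial(SimpleHTTPRequestHandler, directory=webroot), CatchAllRedirect):
        print(probe_http01("127.0.0.1", serve(handler), webroot))
```

Against a real site, pass the site's host name, port 80 and the webroot_path value from the renewal conf; anything other than "ok" means the directory Certbot writes to is not the one Apache answers from.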
Thanks very much for your help, @MikeMcQ. The steps I have taken are outlined as follows (some may be superfluous):
Let's Encrypt renewal for Apache with WSGI on Ubuntu VPS
running Webmin/Virtualmin: [this statement is incorrect, please see @MikeMcQ's reply below]
The key ideas are (A) disable WSGI and (B) ensure that the
Apache DocumentRoot is consistent with Let's Encrypt's renewal
webroot_path configuration.
(1) WSGI is incompatible with Let's Encrypt: disable WSGI
and restart Apache with some simple site:
% sudo a2disconf wsgi
% sudo a2dissite website-ssl
% sudo a2ensite 000-default
% sudo systemctl restart apache2
where 000-default.conf has the following setting
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
Note: some internet support groups suggest that commenting
out WSGIScriptAlias, WSGIDaemonProcess, and
WSGIProcessGroup in wsgi.conf will do without having to
enable another site. I have not tried it.
(2) Edit /etc/letsencrypt/renewal/DOMAIN.conf, replacing the
value of webroot_path with the value of DocumentRoot
above. There may be multiple places in the file that
need replacement.
Note: the DOMAIN.conf file changes after certificate
renewal, which means the file needs to be edited again
before the next renewal.
It may be possible to set DocumentRoot in step (1) to
the value of webroot_path in DOMAIN.conf to obviate this
current step. I have tried cursorily to no avail.
(3) Make a backup of the /etc/letsencrypt directory in case
something goes wrong during the renewal process.
(4) Renew
% sudo letsencrypt renew
(5) Request Let's Encrypt renewal certificate in
Webmin/Virtualmin's server configuration web interface.
Note: This may be superfluous.
I knew WSGI was not compatible with the --apache plug-in of Certbot.
But, I thought webroot should work OK with it involved. At worst you would need a location for /.well-known/acme-challenge maybe but I don't have a WSGI setup to test if you even need that.
And, I don't have a VirtualMin setup either so your settings may be specific to your particular hosting config.
Just for clarity, it is one Certbot option, not Let's Encrypt, that is incompatible with WSGI. And, that is because it doesn't parse the Apache config with non-standard Apache settings. Let's Encrypt is the ACME Server and issues the certs. It may not be clear about this in the VirtualMin panels but this is what is actually happening.