Let's Encrypt renewal


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: windglass.dyndns.org

I ran this command: certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/windglass.dyndns.org.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for windglass.dyndns.org
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (windglass.dyndns.org) from /usr/local/etc/letsencrypt/renewal/windglass.dyndns.org.conf produced an unexpected error: Failed authorization procedure. windglass.dyndns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://windglass.dyndns.org/.well-known/acme-challenge/bqMKfH4ie3NvJNRlCbU9pPQwwEWknB-_6cA6UIPBUgQ: q%!(EXTRA string=

404 Not Found

Not Found

<p). Skipping. All renewal attempts failed. The following certs could not be renewed: /usr/local/etc/letsencrypt/live/windglass.dyndns.org/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/windglass.dyndns.org/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Your webserver has a redirect in place, from HTTP to HTTPS. But, it also redirects to another directory, as shown below:

osiris@erazer ~ $ curl -Lv http://windglass.dyndns.org/.well-known/acme-challenge/bqMKfH4ie3NvJNRlCbU9pPQwwEWknB-_6cA6UIPBUgQ
*   Trying 112.205.253.250...
(...)
* Connected to windglass.dyndns.org (112.205.253.250) port 80 (#0)
> GET /.well-known/acme-challenge/bqMKfH4ie3NvJNRlCbU9pPQwwEWknB-_6cA6UIPBUgQ HTTP/1.1
> Host: windglass.dyndns.org
(...)
 
< HTTP/1.1 301 Moved Permanently
(...)
< Location: https://windglass.dyndns.org/inventory/.well-known/acme-challenge/bqMKfH4ie3NvJNRlCbU9pPQwwEWknB-_6cA6UIPBUgQ
(...)
< 
* Ignoring the response-body
* Connection #0 to host windglass.dyndns.org left intact
* Issue another request to this URL: 'https://windglass.dyndns.org/inventory/.well-known/acme-challenge/bqMKfH4ie3NvJNRlCbU9pPQwwEWknB-_6cA6UIPBUgQ'
(...)
> GET /inventory/.well-known/acme-challenge/bqMKfH4ie3NvJNRlCbU9pPQwwEWknB-_6cA6UIPBUgQ HTTP/1.1
> Host: windglass.dyndns.org
(...)
> 
< HTTP/1.1 404 Not Found
(...)
osiris@erazer ~ $ 

As you can see, the redirect from HTTP with the URL /.well-known/acme-challenge/ goes to HTTPS with the URL /inventory/.well-known/acme-challenge/, while the URL should stay /.well-known/acme-challenge/, without the /inventory/ part.

This is probably due to the CMS of your site.

You should disable redirects to HTTPS for the path /.well-known/acme-challenge/. It isn’t necessary nor does it make the challenge any safer.
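The curl session above shows the whole failure: the redirect chain moves the challenge URL under /inventory/, so the validation server ends up at a 404. The script below is an added example, not code from the original thread or from certbot; it walks that redirect chain by hand (standard library only, no redirects followed automatically) and reports whether every hop keeps the /.well-known/acme-challenge/ prefix, which is the check to run before the next renewal. The function names, the simulated_fetch stand-in and the placeholder token TOKEN are assumptions of this example.

```python
"""Pre-renewal check for the HTTP-01 challenge path (added example).

Follows redirects from http://<domain>/.well-known/acme-challenge/<token>
one hop at a time and reports whether the path survives the chain.
"""
import http.client
import urllib.parse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def live_fetch(url):
    """Fetch one URL without following redirects; return (status, Location).

    Assumed helper for this example; it is not certbot's own code.
    """
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path,
                 headers={"Host": parts.netloc, "User-Agent": "acme-path-check"})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    resp.read()
    conn.close()
    return resp.status, location


def check_challenge_path(domain, token, fetch=live_fetch):
    """Walk the redirect chain for the challenge URL.

    Returns a dict with the chain of URLs visited, the final status and
    'path_ok', which is True only if every hop kept the
    /.well-known/acme-challenge/ prefix (so the token file stays reachable).
    """
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    chain = [url]
    status = None
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            break
        # Resolve relative Location headers against the current URL.
        url = urllib.parse.urljoin(url, location)
        chain.append(url)
    else:
        status = "too-many-redirects"
    path_ok = all(urllib.parse.urlsplit(u).path.startswith(CHALLENGE_PREFIX)
                  for u in chain)
    return {"chain": chain, "final_status": status, "path_ok": path_ok}


def simulated_fetch(url):
    """Constructed stand-in reproducing the exchange from this thread offline:
    HTTP answers 301 to /inventory/..., and that HTTPS URL answers 404."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme == "http":
        return 301, f"https://{parts.netloc}/inventory{parts.path}"
    return 404, None


if __name__ == "__main__":
    # Offline demonstration; drop fetch= to probe a real host with live_fetch.
    result = check_challenge_path("windglass.dyndns.org", "TOKEN",
                                  fetch=simulated_fetch)
    for hop in result["chain"]:
        print("->", hop)
    print("final status:", result["final_status"],
          "| challenge path preserved:", result["path_ok"])
```

A result with path_ok False means the redirect rule (in the web server or the CMS, as in this thread) needs an exception for /.well-known/acme-challenge/ before renewal can succeed; a plain HTTP-to-HTTPS redirect that keeps the path is accepted by the validation server, so path_ok True with a final 200 on the HTTPS URL is fine.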


#3

Thank you. Really appreciate your prompt reply


#4

Problem solved! :slight_smile: Thank you


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.