Migrated servers; cannot renew

Greetings,
Due to unforeseen circumstances, I migrated apache to another server. The site(s) are working fine, with my existing certificates. However, I tried to do a dry-run for renewal and that was unable to succeed.

My domain is:
There are a few. Two of them are geemusic.pendulus.org and omicron.pendulus.org

I ran this command:
certbot renew --dry-run

It produced this output:

Attempting to renew cert (geemusic.pendulus.org) from /etc/letsencrypt/renewal/geemusic.pendulus.org.conf produced an unexpected error: Failed authorization procedure. omicron.pendulus.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://omicron.pendulus.org/.well-known/acme-challenge/968rFubW1fBGjOlzZzyIW1x-ksYQO7wPOAAcGxtXbwo [66.152.179.48]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/geemusic.pendulus.org/fullchain.pem (failure)

My web server is (include version):
New: apache 2.4.38
Old: apache 2.2.22

The operating system my web server runs on is (include version):
New: Debian 10
Old: Debian 7

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
New: 0.31.0
Old: 0.30.0

The URL it tries to access above does not exist. It never has, even on my old server.
So, I have no idea what the difference is, or what changed.

I’ve messed around with it for awhile, and not sure what’s going on.

1 Like

Which authenticator are you using? Could you post the contents of /etc/letsencrypt/renewal/geemusic.pendulus.org.conf?

1 Like

Sure! It’s using apache as the authenticator.

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/geemusic.pendulus.org
cert = /etc/letsencrypt/live/geemusic.pendulus.org/cert.pem
privkey = /etc/letsencrypt/live/geemusic.pendulus.org/privkey.pem
chain = /etc/letsencrypt/live/geemusic.pendulus.org/chain.pem
fullchain = /etc/letsencrypt/live/geemusic.pendulus.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 74fdc4f4fee94276e82b42511e1bca32
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
1 Like

I think this is the important part of the error.

It would suggest that there is some kind of rule that is blocking access to the challenge response resource that Certbot’s Apache authenticator temporarily creates on your system.

Maybe the Apache major version upgrade from 2.2 to 2.4 caused some of your configuration to have a different effect - mod_authz* stuff changed a lot in particular.

If you want to inspect Certbot/Apache while the challenge URL still exists on your system, what you can try is run Certbot with --debug-challenges.

This will pause Certbot after it has prepared the challenge response resource. You can then have a look at how it modified your Apache config and investigate why you’re getting a 403.

Alternatively if you wanna zip up your entire Apache directory and post that, I could try reproduce your issue.

2 Likes

For what it’s worth, I did not let certbot change my apache config. I simply made the changes myself through the years.

One thing I wondered - maybe I could undo the whole SSL stack and let certbot just do everything for me. It’s trusting, and I’m not that big into trusting tools :slight_smile:

I took a look at the debug output, but it didn’t do much until I added -v. Then it was just a wall of text that was a lot.

Unfortunately, I cannot upload a zip file. So I went ahead and tried to upload just the letencrypt log, but I cannot because I’m too new, ha!

It does ultimately say the same thing though. I’m not too married to these certs.
I almost feel like just starting fresh would be easier; I’m just not sure how to put my apache config in a place that certbot would like it.

Preferably, I could leave some of the SSL config in place?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.