Mis-configured apache.conf blocking `certbow renew`

#1

I updated certbot after receiving an email telling me I needed to update my client and that TLS-SNI-01 validation is reaching end-of-life. So I followed the instructions here, but unfortunately when I ran the command sudo certbot renew --dry-run I recieved a lot of output telling me things didn’t go well. I’ve been racking my brain and google trying to remove any redirects from port 80, but either I end up with a 403 Forbidden, or a redirect which certbot doesn’t like. I’m at a loss.

apache.conf
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 150
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
	Options None
   Order deny,allow
   Deny from all
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options -Indexes +FollowSymLinks -MultiViews
        Options -Includes -ExecCGI
	FileETag -INode
	AllowOverride All
        Allow from all
	Require all granted
        LimitRequestBody 5120000
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
FileEtag -INode +MTime +Size
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#Hide the Server information
ServerSignature Off
ServerTokens Prod
SecServerSignature LCARS 
ServerName kipp.garyluck.co.uk
UseCanonicalName On
#Setting some custom headers
<IfModule mod_headers.c>
     Header always set Content-Security-Policy "default-src 'self';script-src 'self' https: data: ;style-src 'self' 'unsafe-inline'; img-src 'self' *.gravatar.com; font-src 'self' data: ;"
    <If "%{HTTPS} eq 'on'">
    Header always set Strict-Transport-Security "max-age=31536000;"
    </If>
# includeSubDomains"
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-Xss-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
   Header unset X-Powered-By
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"	
</IfModule>
<Directory /var/www/*/public_html>
   AllowOverride All
   Order allow,deny
   Allow from All

   RewriteEngine On
   RewriteOptions InheritBefore
   RewriteCond %{REQUEST_URI} ^/\.test
   RewriteRule . - [L,PT]

   #Prevent files being executed by the web client.
   RewriteRule ^wp-admin/includes/ - [F,L]
   RewriteRule !^wp-includes/ - [S=3]
   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
   RewriteRule ^wp-includes/theme-compat/ - [F,L]
   #Prevent user lookup using /?author=1
   RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
   RewriteCond %{QUERY_STRING} author=\d [or]
   RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users
   RewriteRule ^ /? [L,R=301]
   FileETag None 
</Directory>
<Directory /var/www/*/public_html/.well-known/acme-challenge>
   Options +Indexes
</Directory>
<Directory /var/www/*/public_html/wp-content/uploads>
   <Files ~ "\.ph(?:p[345]?|t|tml)$">
      deny from all
   </Files>
</Directory>
<Files wp-config.php>
   order allow,deny
   deny from all
</Files>
#Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
   order allow,deny
   deny from all
</Files>
<Location "/wp-content/">
   <If "%{QUERY_STRING} =~ /wp-config.php/">
     Deny from all
   </If>
</Location>
<IfModule mod_ssl.c>
   #Some SSL stuff
    SSLEngine off
    #Although the SSLEngine is off here, it's enabled in each VHosts config file. Means I can set global stuff here, and just need to switch it on per VHost.
    SSLProtocol all -SSLv3 -SSLv2
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
       SSLOptions +StdEnvVars
    </Directory>
</IfModule>
garyluck.vhost.conf
<VirtualHost *:80>
       DocumentRoot /var/www/garyluck/public_html
       ServerName garyluck.co.uk
       ServerAlias www.garyluck.co.uk
       <If "%{REQUEST_URI} !~ /\.well\-known/">
              Redirect / https://garyluck.co.uk
       </If>
</VirtualHost>

<VirtualHost _default_ *:443>
        ServerAdmin webmaster@localhost 
        ServerName garyluck.co.uk
        DocumentRoot /var/www/garyluck/public_html
        <IfModule mod_headers.c>
          Header always set Content-Security-Policy "default-src https: data: ; style-src 'self' 'unsafe-inline' https: maxcdn.bootstrapcdn.com; script-src https: 'self';"
        </IfModule>
        <Directory "/var/www/owncloud">
          Options +FollowSymLinks
          AllowOverride All

          <IfModule mod_dav.c>
                Dav off
          </IfModule>
        </Directory>
	<IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/garyluck.co.uk/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/garyluck.co.uk/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/garyluck.co.uk/fullchain.pem

        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/garyluck.co.uk/error.log
        CustomLog ${APACHE_LOG_DIR}/garyluck.co.uk/access.log combined
</VirtualHost>

My domain is: https://garyluck.co.uk

I ran this command: sudo certbot renew --dry-run

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/garyluck.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for garyluck.co.uk
http-01 challenge for www.garyluck.co.uk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (garyluck.co.uk) from /etc/letsencrypt/renewal/garyluck.co.uk.conf produced an unexpected error: Failed authorization procedure. garyluck.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://garyluck.co.uk/.well-known/acme-challenge/T1cLVMp-l5NNMcDUq5If5hoZvpZf5eaxkg-nr-s75xY [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p", www.garyluck.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.garyluck.co.uk/.well-known/acme-challenge/5QUDu7M2iVbiNXJZdTITi34-2yxTHfCju0LiI3rk9M4 [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p". Skipping.

And

 - The following errors were reported by the server:

   Domain: garyluck.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://garyluck.co.uk/.well-known/acme-challenge/T1cLVMp-l5NNMcDUq5If5hoZvpZf5eaxkg-nr-s75xY
   [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: www.garyluck.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://www.garyluck.co.uk/.well-known/acme-challenge/5QUDu7M2iVbiNXJZdTITi34-2yxTHfCju0LiI3rk9M4
   [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is: Ubuntu 14.04.5

I can login to a root shell on my machine: Yep

I’m using a control panel to manage my site: No

The version of my client is: certbot 0.28.0

#2

Hi @koloqial

checked your domain via https://check-your-website.server-daten.de/?q=garyluck.co.uk that looks good:

Domainname Http-Status redirect Sec. G
http://garyluck.co.uk/
178.62.79.84 302 https://garyluck.co.uk 0.043 A
http://www.garyluck.co.uk/
178.62.79.84 302 https://garyluck.co.uk 0.040 E
https://garyluck.co.uk 200 1.233 A
https://garyluck.co.uk/
178.62.79.84 200 1.260 A
https://www.garyluck.co.uk/
178.62.79.84 200 1.264 A
http://garyluck.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
178.62.79.84 404 0.043 A
Not Found
http://www.garyluck.co.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
178.62.79.84 404 0.043 A
Not Found

Port 80 is open, /.well-known/acme-challenge/unknown-file answers with a http status 404, Not Found.

So use your webroot:

certbot -a webroot -w  /var/www/garyluck/public_html -d garyluck.co.uk -d www.garyluck.co.uk --dry-run

to check that domain.

Your other domain - the same, a good http status 404, port 80 is open.

#3

Hi! @JuergenAuer, thanks for your response!

I tried

certbot certonly -a webroot -w /var/www/garyluck/public_html -d garyluck.co.uk -d www.garyluck.co.uk --dry-run

but got

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

So I did

sudo certbot certonly -a webroot -w /var/www/garyluck/public_html -d garyluck.co.uk -d www.garyluck.co.uk --dry-run

and got

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for garyluck.co.uk
http-01 challenge for www.garyluck.co.uk
Using the webroot path /var/www/garyluck/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

I don’t understand why that works, yet the original command fails. :confounded:

1 Like
#4

Happy to read that.

Sometimes the Apache-plugin has problems to understand the configuration. Or you have changed something.

But if there is a webroot, webroot should always work.

1 Like
#5

For more context, the Certbot Apache plugin tries to modify your Apache configuration temporarily in order to pass the challenge, whereas the webroot plugin tries to create a file in the specified location. It is indeed possible that the Apache plugin could fail to understand your Apache configuration sufficiently well in order to make the temporary changes correctly. Hopefully this is fixed in a newer version of Certbot, or will be.

#6

We’re seeing a lot of these lately.

I’m not sure if it’s really a “misunderstanding” of the configuration. I think it’s more of a difference in Apache configurations which are working and which are not working with the temporary Apache conf generated by certbot.

I haven’t seen any user with this problem posting its Apache configuration and/or Apache access logs unfortunately.

#7

Oh, I actually thought they were doing the same thing (placing a file in root, etc). My mistake. Though, up until I got this email, my configuration hadn’t changed.

#8

My config and vhost config is in my OP. I shall add logs.

#9

Ah, sorry, didn’t see them, they are “hidden” behind a clickable thingy.

That would be great! I’m mostly interested in when certbot renew failed, where Apache expected to find the token file when it generated the 404 File not found-error.

1 Like
#10

Yes, that’s a good way to put it. @joohoi has made a recent fix that should improve this situation in many cases, so I’d like to know exactly what Certbot versions people are using when they run into problems.

#11

Access.log generated when certbot renew --dry-run was running. Though, I should add that the response is a 403, not a 404 (according to certbot results below).

certbot renew --dryrun results
 - The following errors were reported by the server:

   Domain: www.garyluck.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://www.garyluck.co.uk/.well-known/acme-challenge/Qcjbi-uwvj1JJYX6pk8mMUiC                                                     N5eaAcbrhWHEg1DlKOM
   [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: garyluck.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://garyluck.co.uk/.well-known/acme-challenge/CssqpyfpYQ19dLERJNOaDROSOV7L                                                     3NfwTEc7DZNT7t0
   [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:03 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:03 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:03 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:03 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:05 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:05 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:05 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 ::1 - - [21/Feb/2019:15:28:05 -0500] "OPTIONS * HTTP/1.0" 200 109 "-" "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS (internal dummy connection)"
garyluck.co.uk:80 52.29.173.72 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/CssqpyfpYQ19dLERJNOaDROSOV7L3NfwTEc7DZNT7t0 HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 52.29.173.72 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/Qcjbi-uwvj1JJYX6pk8mMUiCN5eaAcbrhWHEg1DlKOM HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 66.133.109.36 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/CssqpyfpYQ19dLERJNOaDROSOV7L3NfwTEc7DZNT7t0 HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 13.58.30.69 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/CssqpyfpYQ19dLERJNOaDROSOV7L3NfwTEc7DZNT7t0 HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 13.58.30.69 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/Qcjbi-uwvj1JJYX6pk8mMUiCN5eaAcbrhWHEg1DlKOM HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 34.213.106.112 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/CssqpyfpYQ19dLERJNOaDROSOV7L3NfwTEc7DZNT7t0 HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 66.133.109.36 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/Qcjbi-uwvj1JJYX6pk8mMUiCN5eaAcbrhWHEg1DlKOM HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
garyluck.co.uk:80 34.213.106.112 - - [21/Feb/2019:15:28:08 -0500] "GET /.well-known/acme-challenge/Qcjbi-uwvj1JJYX6pk8mMUiCN5eaAcbrhWHEg1DlKOM HTTP/1.1" 403 951 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

error.log

[Thu Feb 21 15:32:41.846585 2019] [mpm_prefork:notice] [pid 17292] AH00171: Graceful restart requested, doing restart
[Thu Feb 21 15:32:41.959321 2019] [ssl:warn] [pid 17292] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Feb 21 15:32:42.000226 2019] [mpm_prefork:notice] [pid 17292] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS configured -- resuming normal operations
[Thu Feb 21 15:32:42.000260 2019] [core:notice] [pid 17292] AH00094: Command line: '/usr/sbin/apache2'
[Thu Feb 21 15:32:44.260085 2019] [mpm_prefork:notice] [pid 17292] AH00171: Graceful restart requested, doing restart
[Thu Feb 21 15:32:44.334084 2019] [ssl:warn] [pid 17292] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Feb 21 15:32:45.000933 2019] [mpm_prefork:notice] [pid 17292] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.26 OpenSSL/1.0.1f LCARS configured -- resuming normal operations
[Thu Feb 21 15:32:45.002371 2019] [core:notice] [pid 17292] AH00094: Command line: '/usr/sbin/apache2'
[Thu Feb 21 15:32:47.263753 2019] [access_compat:error] [pid 18636] [client 120.52.120.5:54192] AH01797: client denied by server configuration: /var/www/garyluck/public_html/xmlrpc.php
[Thu Feb 21 15:32:47.499723 2019] [access_compat:error] [pid 18635] [client 52.29.173.72:50720] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/2WKTHZKTM-Q6oVtvXyx6nKsdj92wtcfJr3JtNkEt2O0
[Thu Feb 21 15:32:47.698459 2019] [access_compat:error] [pid 18637] [client 52.29.173.72:50722] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/k5Nj0iNeR7HZT1lltnfhv6_Fzygb5s4XvKPYmBhat3I
[Thu Feb 21 15:32:47.945920 2019] [access_compat:error] [pid 18635] [client 13.58.30.69:40725] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/2WKTHZKTM-Q6oVtvXyx6nKsdj92wtcfJr3JtNkEt2O0
[Thu Feb 21 15:32:47.947907 2019] [access_compat:error] [pid 18637] [client 13.58.30.69:40724] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/k5Nj0iNeR7HZT1lltnfhv6_Fzygb5s4XvKPYmBhat3I
[Thu Feb 21 15:32:47.962098 2019] [access_compat:error] [pid 18636] [client 66.133.109.36:45822] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/2WKTHZKTM-Q6oVtvXyx6nKsdj92wtcfJr3JtNkEt2O0
[Thu Feb 21 15:32:48.035987 2019] [access_compat:error] [pid 18638] [client 34.213.106.112:44582] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/2WKTHZKTM-Q6oVtvXyx6nKsdj92wtcfJr3JtNkEt2O0
[Thu Feb 21 15:32:48.088137 2019] [access_compat:error] [pid 18635] [client 66.133.109.36:53832] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/k5Nj0iNeR7HZT1lltnfhv6_Fzygb5s4XvKPYmBhat3I
[Thu Feb 21 15:32:48.137760 2019] [access_compat:error] [pid 18637] [client 34.213.106.112:44584] AH01797: client denied by server configuration: /var/lib/letsencrypt/http_challenges/k5Nj0iNeR7HZT1lltnfhv6_Fzygb5s4XvKPYmBhat3I
#12

@koloqial Is that your access log? Do you also have an error log for the HTTP virtualhost on port 80? There isn’t a specific ErrorLog directive (only for your HTTPS virtualhost), but perhaps your Apache logs those errors in a central error log file.

For example, my ErrorLog files will log such a line when a file isn’t found on the disk:

[Thu Feb 21 21:38:22.033007 2019] [core:info] [pid 22255:tid 140359833204480] [client 2001:980:xxxx] AH00128: File does not exist: /var/www/vhosts/example.com/htdocs/non-existing-test-file
#13

Access log, and I updated with error.log. I’m having a look around now for other logs just in case.

#14

Hm, your error logs suggest there’s some Apache setting denying access to the temporary directory /var/lib/letsencrypt/, even when certbot adds a temporary <Directory> and <Location> section to the virtualhost to grant all access.

I can’t reproduce your errors, but it might be this is already fixed as @schoen mentioned.

#15

RIght, so I need to hunt down the offending config? I think that’ll have to be a tomorrow job. I guess I’ll revert the config back to basics, and apply each line of config back one at a time :expressionless:

#16

Well… You’ve got it working currently…

Although I would very much like to know the culprit in the Apache configuration, I’m not sure if you should fix a working setup :wink:

#17

That sounds like wise advice :slightly_smiling_face:.

But I don’t know if I consider this working, am I right in saying that when the time rolls around for the automated renewal to happen, it will fail?

I really liked the automated renewal.

#18

Hm, right, I saw the “Dry run was successful”, but that wasn’t a plain certbot renew command.

As you’ve used the apache plugin earlier, I don’t think you’d want a certonly mode of certbot. I would suggest using the apache plugin as installer (through -i apache) and the webroot plugin as authenticator (with -a webroot and the -w like you did before).

In my test just now, I saw certbot doesn’t remember the new settings when using --dry-run. So you might want to choose to get a brand new (working) certificate just once with:

sudo certbot certonly --cert-name garyluck.co.uk -i apache -a webroot -w /var/www/garyluck/public_html -d garyluck.co.uk -d www.garyluck.co.uk

I’ve added the --cert-name garyluck.co.uk because sometimes certbot adds a whole new set of certificates, archives and renewal configurations besides the original ones. This should prevent that from happening.

Afterwards, you should be able to run certbot renew --dry-run without a hitch and just renew the certificate in 60 days.

It should also be mentioned that you can edit the renewal configuration file manually, so you don’t necessary have to retrieve a new certificate if you don’t actually need it.

The configuration files are pretty straight forward, but it also uses some sort of “webroot map” to map the webroots to the right hostnames. For your system, adding the following to the bottom of the renewal configuration file should work:

[[webroot_map]]
garyluck.co.uk = /var/www/garyluck/public_html
www.garyluck.co.uk = /var/www/garyluck/public_html

Obviously, you should also change the authenticator variable which is now set to apache to webroot.

All the other things should be left untouched.

closed #19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.