I need help, I can't renew my certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: imap.municipiolarioja.gob.ar

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/imap.municipiolarioja.gob.ar.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for imap.municipiolarioja.gob.ar
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (imap.municipiolarioja.gob.ar) from /etc/letsencrypt/renewal/imap.municipiolarioja.gob.ar.conf produced an unexpected error: Failed authorization procedure. imap.municipiolarioja.gob.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 181.10.138.84: Invalid response from http://imap.municipiolarioja.gob.ar/.well-known/acme-challenge/pzhwyHa-UgBJOD6uf2Lo0ELlgCuC3nGwXnoXNp_Pgkc: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/imap.municipiolarioja.gob.ar/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/imap.municipiolarioja.gob.ar/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: my own (self-hosted)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Hi @alfrdgarcia, and welcome to the LE community forum :)

Please excuse my English.

Please show the output of:
apachectl -t -D DUMP_VHOSTS


AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 imap.municipiolarioja.gob.ar (/etc/apache2/sites-enabled/imap.municipiolarioja.gob.ar-le-ssl.conf:2)
*:80 imap.municipiolarioja.gob.ar (/etc/apache2/sites-enabled/imap.municipiolarioja.gob.ar.conf:1)

If those are the only lines shown, please show the file:
/etc/apache2/sites-enabled/imap.municipiolarioja.gob.ar.conf

If there are more lines, please show them all.


imap.municipiolarioja.gob.ar.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName imap.municipiolarioja.gob.ar
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/moodle
        Redirect  / https://imap.municipiolarioja.gob.ar
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error_moodle.log
        CustomLog ${APACHE_LOG_DIR}/access_moodle.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =imap.municipiolarioja.gob.ar
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{REQUEST_URI} !^\.well-known/(.*)$
#RewriteRule https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]




</VirtualHost>

imap.municipiolarioja.gob.ar-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName imap.municipiolarioja.gob.ar

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/moodle
        #Redirect / https://imap.municipiolarioja.gob.ar
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error_moodle.log
        CustomLog ${APACHE_LOG_DIR}/access_moodle.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/imap.municipiolarioja.gob.ar/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/imap.municipiolarioja.gob.ar/privkey.pem
</VirtualHost>
</IfModule>
        Redirect  / https://imap.municipiolarioja.gob.ar

The above should supersede the below:

RewriteEngine on
RewriteCond %{SERVER_NAME} =imap.municipiolarioja.gob.ar
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{REQUEST_URI} !^\.well-known/(.*)$
#RewriteRule https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

[which is very dysfunctional/broken]

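For reference, here is a port-80 virtual host that redirects everything to HTTPS except the ACME challenge path. This is an added example, not the poster's configuration or anything certbot wrote; it keeps only the ServerName, DocumentRoot and log names shown in the thread and assumes mod_rewrite is enabled (a2enmod rewrite). Two things are different from the posted file: the RewriteCond is placed before the RewriteRule it guards (a RewriteCond only applies to the RewriteRule that immediately follows it, so a condition after the rule qualifies nothing), and the pattern starts with a slash because %{REQUEST_URI} always does. The mod_alias "Redirect /" line is dropped, because it fires independently of the rewrite rules and would redirect the challenge path as well. Note that later in this thread the HTTP 404 turns out to come from an nginx in front of the server, so this only fixes the Apache side of the problem.

```apache
<VirtualHost *:80>
    ServerName imap.municipiolarioja.gob.ar
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/moodle

    # Deliberately no mod_alias "Redirect / https://..." here: mod_alias
    # evaluates it regardless of the RewriteCond below, so it would also
    # bounce /.well-known/acme-challenge/* to HTTPS.

    RewriteEngine on
    # Condition first, then the rule it guards. REQUEST_URI begins with "/",
    # so the pattern must too. Everything except the ACME path goes to HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    ErrorLog ${APACHE_LOG_DIR}/error_moodle.log
    CustomLog ${APACHE_LOG_DIR}/access_moodle.log combined
</VirtualHost>
```

After editing, run apachectl -t (or apachectl configtest) and reload; a request for http://imap.municipiolarioja.gob.ar/.well-known/acme-challenge/test.txt should then return 200 from Apache rather than a 301, while any other path on port 80 still redirects.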

Thanks, I will try deleting the one below and verify the operation.

I modified the lines that were wrong and the problem still persists. I don't have much experience managing services of this type. Could you give me more information to solve the problem? Thanks in advance.

Please show the file now:
imap.municipiolarioja.gob.ar.conf


Hello, sorry for the delay. Below I will show you how the configuration looks; I tried taking out the line that corresponds to .well-known and got the same error.

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName imap.municipiolarioja.gob.ar
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/moodle
        Redirect  / https://imap.municipiolarioja.gob.ar
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error_moodle.log
        CustomLog ${APACHE_LOG_DIR}/access_moodle.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

RewriteCond %{REQUEST_URI} !^\.well-known/(.*)$

</VirtualHost>

This line is NOT doing anything.

I'm unable to reach your IP, so my troubleshooting is severely limited [to only my crystal ball].
And I think your system is NOT the one terminating the initial HTTP requests.
So...
Is there a proxy type system in front of your imap server?
Do the HTTP requests reach your imap server?


Thank you for your patience. It does not work with a proxy, but with a private DNS server from the same institution to which I have access; both servers connect to the internet through a MikroTik which has ports 80 and 443 open so that they can have access. If you need any other information, please let me know. To test access to the .well-known folder, I created a file at the following address: https://imap.municipiolarioja.gob.ar/.well-known/acme-challenge/test.txt

How can I test whether HTTP requests reach the server?


HTTPS to that test.txt file works.
HTTP to that test.txt file fails.


Interestingly, the HTTPS request is answered by Apache, but the HTTP request by nginx.

curl -Ik https://imap.municipiolarioja.gob.ar/.well-known/acme-challenge/test.txt
HTTP/1.1 200 OK
Date: Sun, 12 Jun 2022 02:14:08 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 10 Jun 2022 12:02:03 GMT
ETag: "2-5e116b4d5e4c0"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/plain

curl -I http://imap.municipiolarioja.gob.ar/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 12 Jun 2022 02:14:13 GMT
Content-Type: text/html;charset=iso-8859-1
Content-Length: 275
Connection: keep-alive
Cache-Control: must-revalidate,no-cache,no-store
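The check in the reply above (compare the Server header and status code for the same challenge path over port 80 and port 443) is the quickest way to tell whether plain HTTP is even reaching the Apache host. The script below is an added example, not something posted in the thread: it parses the two header blocks, reports whether different software answers on the two ports, and in --live mode fetches them with curl. The embedded sample headers are constructed copies of the curl -I output shown above; test.txt is the file name used in the thread, and -k is passed because the certificate being renewed may already have expired. Run the live probe from a host outside the LAN, since Let's Encrypt validates from the public internet and a NAT hairpin from inside may behave differently.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): compare which server and
# status answer the ACME http-01 path over plain HTTP and over HTTPS.
# Assumes curl and POSIX sed/tr; the path /.well-known/acme-challenge/test.txt
# matches the test file the poster created.

# Constructed sample header blocks, modelled on the curl -I output in the thread.
SAMPLE_HTTPS='HTTP/1.1 200 OK
Date: Sun, 12 Jun 2022 02:14:08 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/plain'
SAMPLE_HTTP='HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 12 Jun 2022 02:14:13 GMT
Content-Type: text/html;charset=iso-8859-1'

# status_of HEADERS: three-digit status code from the status line
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# server_of HEADERS: first token of the Server header, or "unknown" if absent
server_of() {
    s=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver: *\([^ ]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${s:-unknown}"
}

# diagnose HTTP_HEADERS HTTPS_HEADERS: one-line verdict on whether port 80
# reaches the same host as port 443 and whether the challenge path is served.
diagnose() {
    http_srv=$(server_of "$1");  https_srv=$(server_of "$2")
    http_st=$(status_of "$1");   https_st=$(status_of "$2")
    if [ "$http_srv" != "$https_srv" ]; then
        printf 'MISMATCH: HTTP answered by %s (%s) but HTTPS by %s (%s); port 80 does not reach the host serving port 443\n' \
            "$http_srv" "$http_st" "$https_srv" "$https_st"
    else
        case "$http_st" in
            2??) printf 'OK: %s serves the challenge path over HTTP (%s)\n' "$http_srv" "$http_st" ;;
            3??) printf 'REDIRECT: %s redirects the challenge path (%s); the redirect target must serve the token\n' "$http_srv" "$http_st" ;;
            *)   printf 'BLOCKED: %s answers both ports but returns %s for the challenge path over HTTP\n' "$http_srv" "$http_st" ;;
        esac
    fi
}

# probe URL: headers only, ignore certificate errors (the cert may have expired)
probe() { curl -sIk --max-time 10 "$1"; }

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    p="/.well-known/acme-challenge/test.txt"
    diagnose "$(probe "http://$2$p")" "$(probe "https://$2$p")"
else
    # Offline demo on the constructed samples from the thread
    diagnose "$SAMPLE_HTTP" "$SAMPLE_HTTPS"
fi
```

Usage: `sh acme-probe.sh` runs the offline demo on the sample headers and reports a MISMATCH (nginx on 80, Apache on 443), which is exactly the situation in this thread; `sh acme-probe.sh --live imap.municipiolarioja.gob.ar` performs the real probe. A MISMATCH points at the path the packets take (port forwarding, a front proxy, or a second host answering port 80) rather than at the Apache configuration.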

I have several virtualized servers, some with nginx, but on this particular one I don't have nginx installed. I checked the DNS server, and the server for which I need to renew the certificate is the only one on a specific IP; the others point to other IPs.

Then why does that HTTP request get responded to by Server: nginx ?

Do you have any port or protocol forwarding that might be different for HTTP and HTTPS for that server? (since https is replied to by Apache)


Follow the packet.
Is there any NAT device involved?


There is a MikroTik that redirects the LAN IP to the public IP through which the DNS server goes out.

Only specific IP ports are redirected through the MikroTik.

Outbound is NOT the problem.
Which ports are being allowed in?
And to which IP do they go?
