New Certificate and renewal error - DEBUG:certbot.error_handler:Encountered exception

Hi

I have been using Certbot to issue certificates successfully for a few years now, and all of a sudden it started to error…I am not really a fan of stuff that works and just breaks without touching it.

A section of the log is pasted below. I will appreciate anyone who can provide a clue to a solution.

-------------------------------------------------------------log-----------------------------------

challenge/bCtcdpALjuPNoi7xEIttE1J7sh-BwmefXbq7wE7sLLE [xx.xx.xx.xx]: "\n\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"\u003e\n\u003chtml xmlns=\"http"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/68442879/_FkDDA",
"token": "bCtcdpALjuPNoi7xEIttE1J7sh-BwmefXbq7wE7sLLE",
"validationRecord": [
{
"url": "http://otas.ctechn.com/.well-known/acme-challenge/bCtcdpALjuPNoi7xEIttE1J7sh-BwmefXbq7wE7sLLE",
"hostname": "otas.xxxxxx.com",
"port": "80",
"addressesResolved": [
"xx.xx.xx.xx"
],
"addressUsed": "xx.xx.xx.xx"
}
]
}
]
}
2020-06-24 22:29:19,676:DEBUG:acme.client:Storing nonce: 0002nUmrSSjtyt23dxYxIUFJG0GCGtHkJdF0ipnPSamEKNc
2020-06-24 22:29:19,677:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: otas.xxxxx.com
Type: unauthorized
Detail: Invalid response from http://otas.ctechn.com/.well-known/acme-challenge/bCtcdpALjuPNoi7xEIttE1J7sh-BwmefXbq7wE7sLLE [xx.xx.xx.xx]: "\n\n<html xmlns="http"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-06-24 22:29:19,678:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. otas.xxxxx.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://otas.xxxxx.com/.well-known/acme-challenge/bCtcdpALjuPNoi7xEIttE1J7sh-BwmefXbq7wE7sLLE [xx.xx.xx.xx]: "\n\n<html xmlns="http"

2020-06-24 22:29:19,678:DEBUG:certbot.error_handler:Calling registered functions
2020-06-24 22:29:19,678:INFO:certbot.auth_handler:Cleaning up challenges
2020-06-24 22:29:20,755:DEBUG:certbot_nginx.parser:Could not parse file: /etc/nginx/sites-enabled/load-balancer.conf due to Expected {Group:({[] "#" rest of line})

regards

1 Like

Hi @chaosnature

Looks like you have touched it.

A buggy, changed configuration: --nginx may not work anymore.

3 Likes

Waow!

Lightning speed reply…lol
I thought I might have to just post and forget this issue for days or weeks…thanks a lot for your reply.

I say I have not touched it because I have another packed web server which used to work, and now I went back and tried it: same error.
I reverted back to earlier snapshots: same error.

What do you mean it might never work again…we can't fix this?

Update: I have fixed all errors on the Webmin platform; nginx test passes, Apache 2 test passes.

Certbot can renew but not create new certificates…
even reinstalled Certbot…

What could be the issue?

Anyone?


You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=divineactivation.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/xxxxxxxxx.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/xxxxxxx.com/privkey.pem
    Your cert will expire on 2020-09-22. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@webmin2:/etc/apache2#

1 Like

And I take it back lol…I am a fan of Let's Encrypt…so please help solve this problem and let's encrypt. :slight_smile:

OK, another update…Certbot refused to start the service after reboot.
And one weird thing discovered…the IP displayed is not my IP; have I been hacked?


-- Unit certbot.service has failed.

-- The result is RESULT.
Jun 25 01:11:53 webmin2 sshd[20772]: Failed password for root from 112.85.42.232 port 62203 ssh2
Jun 25 01:11:54 webmin2 sshd[20772]: Received disconnect from 112.85.42.232 port 62203:11: [preauth]
Jun 25 01:11:54 webmin2 sshd[20772]: Disconnected from authenticating user root 112.85.42.232 port 62203 [preauth]
Jun 25 01:11:54 webmin2 sshd[20772]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1
Jun 25 01:12:00 webmin2 sshd[20797]: Invalid user arkserver from 62.234.164.238 port 54464
Jun 25 01:12:00 webmin2 sshd[20797]: pam_unix(sshd:auth): check pass; user unknown
Jun 25 01:12:00 webmin2 sshd[20797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser
Jun 25 01:12:02 webmin2 sshd[20797]: Failed password for invalid user arkserver from 62.234.164.238 port 54464 ssh2
Jun 25 01:12:02 webmin2 sshd[20797]: Received disconnect from 62.234.164.238 port 54464:11: Bye Bye [preauth]
Jun 25 01:12:02 webmin2 sshd[20797]: Disconnected from invalid user arkserver 62.234.164.238 port 54464 [preauth]

I am sure someone has seen this before…something tells me I am close to solving this…

I have just added:

adduser ark
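For the "have I been hacked?" question, the journal lines above only show failed attempts; what a defender needs to check is whether any Accepted line appears in the same window. The following is an added example, not from the post or from Certbot: it summarises sshd authentication lines per source address and reports a verdict. SAMPLE_LOG holds the lines quoted in the post; the Accepted line format and the verdict() threshold are assumptions of this example.

```python
# Added example (not Certbot code): summarise sshd auth lines so the question
# "have I been hacked?" is answered from evidence rather than from the noise of
# failed attempts. SAMPLE_LOG repeats the lines pasted in the post above.
import re
from collections import defaultdict

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4)
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from " + IPV4)
# Assumed format of a successful login line (standard OpenSSH wording).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from " + IPV4)
# PAM coalesces repeated failures into one "N more" line; only counted if rhost is a full IPv4.
PAM_MORE = re.compile(r"PAM (?P<n>\d+) more authentication failures;.*rhost=" + IPV4)

SAMPLE_LOG = """\
Jun 25 01:11:53 webmin2 sshd[20772]: Failed password for root from 112.85.42.232 port 62203 ssh2
Jun 25 01:11:54 webmin2 sshd[20772]: Received disconnect from 112.85.42.232 port 62203:11: [preauth]
Jun 25 01:11:54 webmin2 sshd[20772]: Disconnected from authenticating user root 112.85.42.232 port 62203 [preauth]
Jun 25 01:11:54 webmin2 sshd[20772]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=1
Jun 25 01:12:00 webmin2 sshd[20797]: Invalid user arkserver from 62.234.164.238 port 54464
Jun 25 01:12:00 webmin2 sshd[20797]: pam_unix(sshd:auth): check pass; user unknown
Jun 25 01:12:00 webmin2 sshd[20797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser
Jun 25 01:12:02 webmin2 sshd[20797]: Failed password for invalid user arkserver from 62.234.164.238 port 54464 ssh2
Jun 25 01:12:02 webmin2 sshd[20797]: Received disconnect from 62.234.164.238 port 54464:11: Bye Bye [preauth]
Jun 25 01:12:02 webmin2 sshd[20797]: Disconnected from invalid user arkserver 62.234.164.238 port 54464 [preauth]
""".splitlines()


def summarize_sshd(lines):
    """Per-source failure counts, usernames tried, invalid usernames, and successful logins."""
    failures = defaultdict(int)
    users = defaultdict(set)
    invalid_users = set()
    accepted = []
    for line in lines:
        if m := FAILED.search(line):
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
        elif m := PAM_MORE.search(line):
            failures[m["ip"]] += int(m["n"])
        elif m := INVALID.search(line):
            invalid_users.add(m["user"])
        elif m := ACCEPTED.search(line):
            accepted.append((m["user"], m["ip"], m["method"]))
    return {
        "failures": dict(failures),
        "users": {ip: sorted(u) for ip, u in users.items()},
        "invalid_users": sorted(invalid_users),
        "accepted": accepted,
    }


def verdict(summary, threshold=5):
    """Failed attempts from the Internet are background noise; an Accepted line is what matters."""
    if summary["accepted"]:
        return "ALERT: successful logins recorded; verify each is yours: " + ", ".join(
            f"{u}@{ip} ({m})" for u, ip, m in summary["accepted"])
    if summary["failures"]:
        noisy = [ip for ip, n in summary["failures"].items() if n >= threshold]
        return (f"failed attempts only from {len(summary['failures'])} source(s)"
                + (f", {len(noisy)} above {threshold} attempts" if noisy else "")
                + "; no successful login in this window")
    return "no authentication events"


if __name__ == "__main__":
    result = summarize_sshd(SAMPLE_LOG)
    print(result)
    print(verdict(result))
```

Run it against the real journal with `journalctl -u ssh --since today --no-pager` piped into `summarize_sshd`; the sample above yields one failure per source, the invalid username arkserver, and no Accepted line, so the verdict is that nothing in this window shows a successful login.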

There

https://divineactivation.com/

is a valid certificate, see https://check-your-website.server-daten.de/?q=divineactivation.com

CN=divineactivation.com
	25.06.2020
	23.09.2020
expires in 90 days	divineactivation.com - 1 entry

The www domain name is missing, so your www version isn’t secure.

Curious: my browser had a cached redirect to port 8444, where there is a self-signed certificate. If you use non-standard ports, you have to find other solutions to install the certificate; Certbot can't do that.

Second try, now the redirect is gone, I see :443/.

1 Like

8444 does not go to my (Nginx/Apache) load balancer and I have long disabled port forwarding to 8444, but it still keeps appearing in other 443 configurations now and then.

divineactivation.com is an existing site I have already given a certificate; I deliberately did that for some domain names (no cert for www). However, my issue now is to create new certificates, and this is not currently working…I am about to remove and reinstall Certbot to see if it resolves the service issue…because without that we are at the very beginning.

Thanks for responding…

Can you tell me where you found the 8444?

Update…
Instead of re-installing, I rebooted and this time I didn't get any errors on the certbot service.

I did :slight_smile:

root@webmin2:~# systemctl status certbot
● certbot.service - Certbot
Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
Active: inactive (dead)
Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
https://letsencrypt.readthedocs.io/en/latest/

What does this mean?
Is it good?

regards

Just tested this and still getting:

Attempting to parse the version 1.5.0 renewal configuration file found at /etc/letsencrypt/renewal/chatafrika.com.conf with version 0.31.0 of Certbot. This might not work.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cheapestdeals.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cheapestdeals.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cheapestdeals.org/.well-known/acme-challenge/ivNPkoOaTaGIqScE1IsgpWetAVElBDLmCrZ86-hvbAs [82.26.12.78]: "\n\n<html xmlns="http"

IMPORTANT NOTES:
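The failure in the opening post and in the retry above is the same thing: the ACME server fetched /.well-known/acme-challenge/<token> over port 80 and got a 403 XHTML page back instead of the key authorization string, so the request never reached the challenge file Certbot wrote. The following is an added example, not Certbot or Let's Encrypt code: it computes the key authorization the CA expects (token + "." + RFC 7638 thumbprint of the account key, per RFC 8555) and classifies a fetched response the way the log's detail field suggests. The account JWK, the 403 body and the probe() helper are constructed for this example; only the token is taken from the first post.

```python
# Added example (not Certbot or Let's Encrypt code): reproduce the HTTP-01 check
# the ACME server performs and classify the answer. The account key, the 403
# body and probe() are constructed for illustration; the token is from the post.
import base64
import hashlib
import json
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)): the value ACME binds each challenge to."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the file /.well-known/acme-challenge/<token> must serve."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def looks_like_html(text: str) -> bool:
    return text.lstrip().lower().startswith(("<!doctype", "<html"))


def diagnose(status: int, body: str, token: str, jwk: dict) -> str:
    """Classify one fetched challenge response: 'ok' or a short reason for failure."""
    text = body.strip()  # the CA tolerates surrounding whitespace
    if status != 200:
        what = "an HTML page" if looks_like_html(text) else "a body"
        return (f"HTTP {status} with {what} instead of the key authorization: "
                "the request did not reach the challenge file (wrong vhost, "
                "redirect, firewall/WAF, or another server answering for this IP)")
    if looks_like_html(text):
        return ("HTTP 200 but an HTML page was served: the site is catching "
                "/.well-known/acme-challenge/ before the challenge directory")
    if text == key_authorization(token, jwk):
        return "ok"
    if text.startswith(token + "."):
        return ("token matches but the thumbprint does not: the file was written "
                "for a different ACME account key")
    return "unexpected body: no challenge file for this token was served"


def probe(domain: str, token: str, jwk: dict, timeout: float = 10.0) -> str:
    """Fetch the challenge URL over plain HTTP, as the CA does, and diagnose it."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.read(4096).decode("utf-8", "replace"), token, jwk)
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.read(4096).decode("utf-8", "replace"), token, jwk)


# Constructed account key (not a real key); the token is the one from the log.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "bCtcdpALjuPNoi7xEIttE1J7sh-BwmefXbq7wE7sLLE"

# Constructed 403 body shaped like the XHTML error page quoted in the log.
SAMPLE_403_BODY = ('\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
                   '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
                   '<html xmlns="http://www.w3.org/1999/xhtml"><body>Forbidden</body></html>')

if __name__ == "__main__":
    good = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("expected file content:", good)
    print("answer seen in the log:", diagnose(403, SAMPLE_403_BODY, SAMPLE_TOKEN, SAMPLE_JWK))
    print("correct answer:", diagnose(200, good + "\n", SAMPLE_TOKEN, SAMPLE_JWK))
```

On a live host, create the challenge file Certbot would write (or run `certbot certonly --manual` and leave it in place), then call `probe("your.domain", token, account_jwk)` from a machine outside your network; the 403 HTML classification is exactly what the log above shows, and the answer has to come back as `ok` before a real order can succeed.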

Why is my post ignored???

Me neither, can't create a new cert because ACME fails on the verification.

I am working on it; when I find a solution I will post it here for others to use…

Hi all,

This might or might not work for you…I have a replica PoC environment I used to try this out; not tried it in my PROD environment yet.

Follow the steps below…

Install Certbot - Latest

In this section, we will install the most recent version of Certbot using the official repository. You may uninstall the previous installation of Certbot using the commands as shown below.

Uninstall Certbot

sudo apt remove python-certbot-nginx
sudo apt remove certbot
sudo apt purge certbot
sudo apt-get autoclean

Make sure to use purge

sudo apt-get autoremove

OR

sudo apt-get --purge autoremove

Now we will add the official repository to the system repositories. It can be done using the commands as shown below.

Add Certbot repository

sudo add-apt-repository ppa:certbot/certbot

Press Enter to confirm

This is the PPA for packages prepared by Debian Let’s Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or Ctrl-c to cancel adding it.

Now refresh the packages index using the command as shown below.

Refresh packages index

sudo apt-get update

We can install Certbot using the same command as we did in the previous section.

Install Let’s Encrypt

sudo apt-get install python-certbot-nginx

Installation results



Setting up python3-certbot (0.31.0-1+ubuntu18.04.1+certbot+1) …
Setting up certbot (0.31.0-1+ubuntu18.04.1+certbot+1) …
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
certbot.service is a disabled or a static unit, not starting it.
Setting up python3-certbot-nginx (0.31.0-1+ubuntu18.04.1+certbot+1) …
Setting up python-certbot-nginx (0.31.0-1+ubuntu18.04.1+certbot+1) …
Processing triggers for man-db (2.8.3-2ubuntu0.1) …

We can confirm the installation by checking the Certbot version as shown below.

Check Certbot version

certbot --version

Output

certbot 0.31.0

Next, it complained about a few directories in sites-enabled not existing when I ran Certbot, which I removed (rm).

Next I ran certbot --nginx again.
It asked for my email; first I used the usual email, it failed; tried a different one, failed again.

Then I connected via VPN and ran Certbot again with a new email…voilà…it worked…

Try it and let me know.

I will update on PROD actions…

regards

1 Like

Update
What I did next:

Was just: copy over the letsencrypt folder from my PoC environment to my PROD environment.

Now it is all working…

Root cause: don't ask me, ask the Let's Encrypt guys…

My job here is done!

1 Like