Not able to stop using TLS-SNI-01

Following the instructions in the pinned article How to stop using TLS-SNI-01 with Certbot has not worked. When it tries to renew, it still uses TLS-SNI-01.

My domain is: complete-concrete-concise.com

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/complete-concrete-concise.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for complete-concrete-concise.com
http-01 challenge for faqbite.com
http-01 challenge for www.complete-concrete-concise.com
http-01 challenge for www.faqbite.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (complete-concrete-concise.com) from /etc/letsencrypt/renewal/complete-concrete-concise.com.conf produced an unexpected error: Failed authorization procedure. faqbite.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://faqbite.com/.well-known/acme-challenge/VrbRmiuLEokpPxeo0EhT6SikR4xXSmURobKapmEXXSM [2600:3c03::f03c:91ff:fe37:dac2]: "\n<html lang=“en”>\n \n \n\n \n <meta charset=“UTF-8”>\n <meta name=“viewpor”, complete-concrete-concise.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://complete-concrete-concise.com/.well-known/acme-challenge/t7HMURPx4gQcv254aahEfb3nbc2_CZ4FLAAwoJDY9N4 [2606:4700:30::681c:196f]: "\n\n\n<html lang=“en-US”>\n\n<meta name=“google-site-verification” content=“M6dlOwdAGrtkkzWpMabe6CDvxIm4TBbv4pRP”, www.complete-concrete-concise.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://complete-concrete-concise.com/.well-known/acme-challenge/2jTfLUh_q_NUb8kW_8vzJZp58j261ciQji5ZBx2I8t4 [2606:4700:30::681c:196f]: "\n\n\n<html lang=“en-US”>\n\n<meta name=“google-site-verification” content=“M6dlOwdAGrtkkzWpMabe6CDvxIm4TBbv4pRP”, www.faqbite.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://faqbite.com/.well-known/acme-challenge/PfatuRF8RjWKqr_hAgunR7M7P1PY-hd8bHG_MdtL72c [2600:3c03::f03c:91ff:fe37:dac2]: "\n<html lang=“en”>\n \n \n\n \n <meta charset=“UTF-8”>\n <meta name=“viewpor”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/complete-concrete-concise.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/complete-concrete-concise.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-10-10T18:59:25

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

My renewal config file contents are:

# renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/complete-concrete-concise.com
cert = /etc/letsencrypt/live/complete-concrete-concise.com/cert.pem
privkey = /etc/letsencrypt/live/complete-concrete-concise.com/privkey.pem
chain = /etc/letsencrypt/live/complete-concrete-concise.com/chain.pem
fullchain = /etc/letsencrypt/live/complete-concrete-concise.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = fd262b6b4be9e611e9797eb2cdf5674a
authenticator = webroot
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/complete-concrete-concise.com/public_html,
[[webroot_map]]
faqbite.com = /var/www/complete-concrete-concise.com/public_html
www.faqbite.com = /var/www/complete-concrete-concise.com/public_html
complete-concrete-concise.com = /var/www/complete-concrete-concise.com/public_html
www.complete-concrete-concise.com = /var/www/complete-concrete-concise.com/public_html

Why do you think so? From your output, it is using HTTP-01:

More likely is that your webroots are not working.

You might give the Apache authenticator a chance, it might instantly solve your problems:

certbot renew -a apache --dry-run

Hi @richardsplanet

Checked that domain and the www version:

You have 4 IP addresses, but all look good. In the end, every request to http + /.well-known/acme-challenge/unknown-filename is redirected to https + non-www + /.well-known/acme-challenge/unknown-filename, which is good (checked with complete-concrete-concise.com - Make your website better - DNS, redirects, mixed content, certificates - but the output is very long).

The last row is ok:

So your webroot must be wrong or there are additional definitions.

Create the two subdirectories

/var/www/complete-concrete-concise.com/public_html/.well-known/acme-challenge

put a file there (file name 1234) and try to load this file via

http://complete-concrete-concise.com/.well-known/acme-challenge/1234

and via your other domains.

Trying

results in the same output.

Probably because I am not well versed in everything letsencrypt and certbot are doing, I assumed that HTTP-01 was related to TLS-SNI-01 and was expecting to see HTTP-02.

That was interesting, I get a 404 error. I know this worked the last time I had a problem and was asked to create this file.

I think it might also be due to Cloudflare.

If Cloudflare is talking to your server over HTTPS, then the Apache authenticator might not work.

To confirm this, you can temporarily disable Cloudflare (disable the "orange cloud" in the DNS manager) on your domains and try again.

Alternatively, you will need to figure out how to properly set up your webroots to the correct directories so that it succeeds:

For each of your domains, you should be able to create /var/www/{domain}/public_html/.well-known/acme-challenge/test.txt and be able to access them in the browser at http://{domain}/.well-known/acme-challenge/test.txt.

In the above they seem to all point to the same directory, which doesn't seem correct.


Then your webroot may be wrong.

Or you have additional definitions (location), that moves /.well-known/acme-challenge to another internal directory.

So check your VirtualHost - definitions or share these files.

Disabling Cloudflare and running

certbot renew -a apache --dry-run

produces the expected output.

As for the [[webroot_map]], that was set up by certbot or letsencrypt. The only change I made was - almost 3 months ago - to change the authenticator to webroot (that was done under instruction in a previous help request).

I have no problem scrapping and regenerating the file (if that is possible).

You can directly modify this file to set the correct webroot for each respective domain. It might take some trial and error (and could depend on your .htaccess file as well).

You need to be able to reach files created in $WEBROOT/.well-known/acme-challenge/ from your browser.

It's worth solving - having to disable Cloudflare just to do renewal is not a good state of affairs.


I'm going to need a bit of hand holding on this or a pointer to the relevant documentation.

I just had a look in my apache error.log and noticed the following (this was 3 hours before I asked my question):

[Thu Feb 21 06:37:48.284803 2019] [core:crit] [pid 12439:tid 139978671609600] (13)Permission denied: [client 172.68.34.77:49632] AH00529: /var/www/complete-concrete-concise.com/public_html/.well-known/acme-challenge/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/var/www/complete-concrete-concise.com/public_html/.well-known/acme-challenge/' is executable, referer: http://complete-concrete-concise.com/.well-known/acme-challenge/PMqWmd-KdA7VZ8JCpFdDuGWR6KD0LTmzYW6pgMUmIUE

I locked down access to .htaccess with the rule:

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>

so this might be causing the problem or part of the problem.
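The webroot check suggested above, scripted as an added example that is not from this thread: it reads the [[webroot_map]] section of a renewal conf (SAMPLE_CONF is constructed in the layout shown above), reports whether every directory down to .well-known/acme-challenge is traversable by the web server (the condition behind the AH00529 error in the log above), places a token file, and can fetch it back over plain HTTP. The constant and function names are mine, not certbot's.

```python
import os
import urllib.request

SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /var/www/complete-concrete-concise.com/public_html,
[[webroot_map]]
faqbite.com = /var/www/complete-concrete-concise.com/public_html
www.faqbite.com = /var/www/complete-concrete-concise.com/public_html
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section of a renewal conf."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[[webroot_map]]"):
            in_map = True
        elif line.startswith("["):  # any other section header ends the map
            in_map = False
        elif in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            mapping[domain] = path.rstrip(",")  # certbot lists end with a trailing comma
    return mapping

def local_problems(webroot):
    """List what would stop Apache serving a file from webroot/.well-known/acme-challenge."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    problems = []
    for path in (webroot, os.path.dirname(challenge_dir), challenge_dir):
        if not os.path.isdir(path):
            return problems + [f"missing directory: {path}"]
        if not os.stat(path).st_mode & 0o001:  # no o+x: the AH00529 condition above
            problems.append(f"not traversable by others (needs o+x): {path}")
    return problems

def place_token(webroot):
    """Drop a random token file as certbot's webroot plugin would; return (name, body, path)."""
    name = os.urandom(16).hex()
    body = name + ".constructed-key-authorization"
    path = os.path.join(webroot, ".well-known", "acme-challenge", name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)  # the web server user must be able to read it
    return name, body, path

def fetch_matches(domain, name, body):
    """Fetch over plain HTTP (redirects to https/non-www are followed) and compare the body."""
    url = f"http://{domain}/.well-known/acme-challenge/{name}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode().strip() == body
```

Run local_problems and place_token on each webroot from parse_webroot_map, then fetch_matches for each domain; a 404 with no local problem points at Apache (a Location or .htaccess rule) or Cloudflare rather than the filesystem.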

It turns out that this problem you experience with Cloudflare + the Apache authenticator (-a apache) is actually fixed since Certbot 0.31.

Unfortunately the Ubuntu 18.04 PPA doesn’t have an updated version yet, but it should do by the time your next renewal comes around. At that point you should be able to do:

 certbot renew -a apache

and from then on, it will remember your choice and work automatically.

You can also use certbot-auto to always run the latest version, but in your case I would suggest just sticking with the Ubuntu PPA and upgrading once it becomes available.


Thanks for letting me know.

