Only 1 of 12 Certificate Fails to Renew


#1

I have a new problem with LetsEncrypt renewals. One of my domains is not renewing with the error output below. 12 others on the same server work find. The *.conf files are identical with of course the exception of the domain related names being changed. I’m down to <14 days before it dies.

I thought about removing the LetsEncrypt keys and putting new ones in, but am concerned that I may not be able to install new keys depending on what the root cause is.

Seems like others have had similar, but slightly different issues. I use cloudflare but I turned that off and nothing changed. Right now I’m out of “challenges” for some period of time so I can’t even test new attempts at a fix until I’m given more challenge attempts.

Ideas? When does the lock out of too many challenge attempts get released?

Thanks in advance…Ken

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ideatogrowth.com

I ran this command:
sudo certbot renew --preferred-challenges http

It produced this output:
Processing /etc/letsencrypt/renewal/ideatogrowth.com.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for ideatogrowth.com

http-01 challenge for www.ideatogrowth.com

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (ideatogrowth.com) from /etc/letsencrypt/renewal/ideatogrowth.com.conf produced an unexpected error: Failed authorization procedure. www.ideatogrowth.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.ideatogrowth.com/.well-known/acme-challenge/AaRQmz7NF74zjZtlgNC2lBRK946eHEaMKGRMYPIAhXs: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p”, ideatogrowth.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ideatogrowth.com/.well-known/acme-challenge/8SgjXBoXjlotJYiGZwCdCjPEP4xHSb1JlBpQlwfQfAU: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p”. Skipping.

My web server is (include version):
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No


#2

Hi @kennetheyoung,

What version of Certbot are you using? You might have found a Certbot bug here (where Certbot can’t understand your Apache configuration correctly).

Separately, did you realize that this site is proxied by Cloudflare? While that doesn’t explain this particular problem, it does mean that your Let’s Encrypt cert isn’t seen by the public at all; instead, Cloudflare obtains an additional certificate which it uses when serving your site to the public. The Let’s Encrypt cert is only shown by your site to Cloudflare.

If you intend to keep this site behind Cloudflare, you could also consider using their origin CA

This is at least as secure as a Let’s Encrypt certificate in this configuration and doesn’t require regular renewal the way Let’s Encrypt certificates do.


#3

The domain redirects HTTP to HTTPS… I think it has Cloudflare’s “Always Use HTTPS” feature on. If Certbot is modifying the HTTP virtual host, that would be a problem.


#4

Hi Seth,

Thank you for the quick reply.

  1. What version of certbot, it might be a bug.

apt-cache policy certbot | grep -i Installed

Installed : 0.28.0-1+ubuntu18.04.1+certbot+4

Why would this only fail on one of 12 sites I’m running on the same server?

I disabled CloudFlare and got the same results. I did have a typo in my .conf file which I fixed which changed the error output, which is interesting, but not sure what it tells me. (see output at the end)

  1. Proxied by CloudFlare.

Yes I do you CloudFlare for this and other sites.

No, I did not know that they did not “use” my LetsEncrypt SSL. I don’t see that fact documented anywhere. Can you point me to this fact? My customers see a green lock when they access my sites and I’m not paying CloudFlare for any certs, so they appear to pass my SSL cert from LetsEncrypt out to the world. If you think this is not true, I’ll research and find out what really happening…

I would still likely keep LetsEncrypt running as I disable CloudFlare at times for development work. I use my cron file to keep LetsEncrypt updated so it’s not really any extra work.

RESULTS BELOW:

ken_young@venus : /etc/apache2/sites-available $ sudo certbot renew --preferred-challenges http

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/corks4acause.org.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/headsandtailssports.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/ideatogrowth.com.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for ideatogrowth.com

http-01 challenge for www.ideatogrowth.com

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (ideatogrowth.com) from /etc/letsencrypt/renewal/ideatogrowth.com.conf produced an unexpected error: Failed authorization procedure. www.ideatogrowth.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.ideatogrowth.com/.well-known/acme-challenge/s2bhpyD1mXY2z4FXyBT9bqp-D6RdvmQfA8pF94vxanI: “<!DOCTYPE html><html class=“html” lang=“en-US” prefix=“og: [http://ogp.me/ns#](http://ogp.me/ns#\)” itemscope itemtype=”[http://schema.org/Article](http://schema.org/Article\)"><he", ideatogrowth.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ideatogrowth.com/.well-known/acme-challenge/KY4mxq3OyZXMZDqQMZCfXjEgSIII8vBUgw3nKwfXxmY: “<!DOCTYPE html><html class=“html” lang=“en-US” prefix=“og: [http://ogp.me/ns#](http://ogp.me/ns#\)” itemscope itemtype=”[http://schema.org/Article](http://schema.org/Article\)"><he". Skipping.


Processing /etc/letsencrypt/renewal/investorreadinessprogram.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/shemisweetcakes.net.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/dragonflypiecards.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/networkexecwomen.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/wpsiterepair.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/wpquicksite.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/casajimenezwine.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/wpsiteteam.com.conf


Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/ideatogrowth.com/fullchain.pem (failure)


The following certs are not due for renewal yet:

/etc/letsencrypt/live/corks4acause.org/fullchain.pem expires on 2019-02-06 (skipped)

/etc/letsencrypt/live/headsandtailssports.com/fullchain.pem expires on 2019-03-29 (skipped)

/etc/letsencrypt/live/investorreadinessprogram.com/fullchain.pem expires on 2019-03-04 (skipped)

/etc/letsencrypt/live/shemisweetcakes.net/fullchain.pem expires on 2019-03-04 (skipped)

/etc/letsencrypt/live/dragonflypiecards.com/fullchain.pem expires on 2019-03-04 (skipped)

/etc/letsencrypt/live/networkexecwomen.com/fullchain.pem expires on 2019-02-06 (skipped)

/etc/letsencrypt/live/wpsiterepair.com/fullchain.pem expires on 2019-03-04 (skipped)

/etc/letsencrypt/live/wpquicksite.com/fullchain.pem expires on 2019-03-04 (skipped)

/etc/letsencrypt/live/casajimenezwine.com/fullchain.pem expires on 2019-03-04 (skipped)

/etc/letsencrypt/live/wpsiteteam.com/fullchain.pem expires on 2019-03-04 (skipped)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/ideatogrowth.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.ideatogrowth.com

Type: unauthorized

Detail: Invalid response from

http://www.ideatogrowth.com/.well-known/acme-challenge/s2bhpyD1mXY2z4FXyBT9bqp-D6RdvmQfA8pF94vxanI:

"<!DOCTYPE html><html class=“html” lang=“en-US” prefix="og:

[http://ogp.me/ns#](http://ogp.me/ns#\)" itemscope

itemtype="[http://schema.org/Article](http://schema.org/Article\)"><he"

Domain: ideatogrowth.com

Type: unauthorized

Detail: Invalid response from

http://ideatogrowth.com/.well-known/acme-challenge/KY4mxq3OyZXMZDqQMZCfXjEgSIII8vBUgw3nKwfXxmY:

"<!DOCTYPE html><html class=“html” lang=“en-US” prefix="og:

[http://ogp.me/ns#](http://ogp.me/ns#\)" itemscope

itemtype="[http://schema.org/Article](http://schema.org/Article\)"><he"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

Kenneth Ervin Young

IDEA TO GROWTH LLC

Chief Executive Officer

Ken@IdeaToGrowth.com

KennethErvinYoung@gmail.com

Mobile/Text: +1 (813) 407-8240

Business Mail:

3690 W Gandy Blvd

Suite #183

Tampa, FL 33611-3300

United States

Website Email Facebook Twitte r LinkedIn LinkedIn-IdeaToGrowthLLC


#5

I disabled CloudFlare before I did the original post, flushed all cached. Same problem.
All the other 11 sites also use CloudFlare and have HTTPS enabled and they don’t have an issue, or at least haven’t in the past. They’ve been updating regularly automatically with a cron file command.

Again, this only happens on 1 of 12 sites.

See my update to Seth as I did have a typo in my *.conf file so the error output did change. Perhaps that gives a better clue.


#6

Cloudflare’s proxy features necessitate having a certificate for your domain installed on their servers.

Your Let’s Encrypt certificate protects connections between your origin and Cloudflare. (Assuming you set “Full (strict)” SSL in Cloudflare’s dashboard, anyway.) You could replace it with a Cloudflare Origin CA certificate.

A different certificate protects connections between Cloudflare and people visiting your website, unless you use the Business or Enterprise plans and upload your Let’s Encrypt certificate to Cloudflare.

If you open one of your websites and look in your browser’s certificate info, or search Certificate Transparency logs, you’ll see Cloudflare’s certificates.

https://crt.sh/?q=ideatogrowth.com

https://crt.sh/?q=ideatogrowth.com&dir=^&sort=1&group=icaid

Cloudflare currently primarily buys certificates from Sectigo (formerly known as Comodo), with some from DigiCert, and maybe GlobalSign, and they’re also working on Let’s Encrypt integration. (That’s all subject to change, of course.)

Sounds good. :slightly_smiling_face: You don’t have to use the Cloudflare Origin CA, it’s just an option.


#7

What was the typo?

What’s the output of: sudo apachectl -S ?


closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.