Passing arguments to httpd


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:www.bickel.be

I ran this command:certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.bickel.be.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.bickel.be
Error while running apachectl restart httpd.
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.

Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

Unable to restart apache using [‘apachectl’, ‘restart’, ‘httpd’]
Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

Cleaning up challenges
Attempting to renew cert (www.bickel.be) from /etc/letsencrypt/renewal/www.bickel.be.conf produced an unexpected error: Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.bickel.be/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.bickel.be/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:not applicable

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.29.1


#2

Could you show us the contents of this file?

This error shouldn’t be happening in Certbot 0.29.


#3

Yes, this is it:
cat /etc/letsencrypt/renewal/www.bickel.be.conf

renew_before_expiry = 30 days

version = 0.26.1
archive_dir = /etc/letsencrypt/archive/www.bickel.be
cert = /etc/letsencrypt/live/www.bickel.be/cert.pem
privkey = /etc/letsencrypt/live/www.bickel.be/privkey.pem
chain = /etc/letsencrypt/live/www.bickel.be/chain.pem
fullchain = /etc/letsencrypt/live/www.bickel.be/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account =
server = https://acme-v02.api.letsencrypt.org/directory


#4

and any output from this?

find /etc/letsencrypt/renewal-hooks

#5

find /etc/letsencrypt/renewal-hooks
/etc/letsencrypt/renewal-hooks
/etc/letsencrypt/renewal-hooks/pre
/etc/letsencrypt/renewal-hooks/deploy
/etc/letsencrypt/renewal-hooks/post


#6

Alright. So we know that you don’t have anything stopping or restarting Apache during Certbot’s execution. That’s good.

Are there any issues with your Apache configuration?

apachectl -t

It’s possible that your Apache configuration was in an invalid state when Certbot went to modify it to perform certificate authentication, and when it tried to reload the server, that may have caused it to bail out.


#7

apachectl -t
Syntax OK

Yes that is possible, i read some other forum articles about this issue, changed the apache startup scripts and at some moment i have seen such an error, but then later i read that this issue should be resolved with my certbot version and than i revert all changes and reinstalled certbot according to the manual and then got stuck with the current situation.


#8

One of the things you’ll likely need to do is to open up port 80 on your firewall, as your domain currently times out on port 80, but it is required for the Apache authenticator to succeed. From How to stop using TLS-SNI-01 with Certbot :

tls-sni-01 used port 443, but http-01 uses port 80. Ideally your web server should allow both ports. Of that’s not possible, for instance because your ISP blocks port 80, you’ll need to switch to the dns-01 challenge, or use an ACME client that supports tls-sni-01.

With your present issue,

:\

You might need to go diving into the systemd logs to see what actually happened during the failure, since it doesn’t seem to occur without Certbot running:

journalctl -u httpd -l

or

/var/log/httpd/error_log

#9

Thanks, that makes sense, i closed port 80 recently, didn’t know it was needed, but i enabled it back as before.

It now goes wrong with this error:
Cleaning up challenges
Attempting to renew cert (www.bickel.be) from /etc/letsencrypt/renewal/www.bickel.be.conf produced an unexpected error: Failed authorization procedure. www.bickel.be (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.bickel.be/.well-known/acme-challenge/48_A7ZGYz_K5zRPeWygIBL5j0O3ChM5W1BEr_WNmZsI: “\n\n403 Forbidden\n\n

Forbidden

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.bickel.be/fullchain.pem (failure)

In the apachelog i see this:
client denied by server configuration: /var/lib/letsencrypt/http_challenges/Bxnn12G7lCarS5ychQYgTuz6Q1Dvz0pFay3867HPUeA

There is a redirect in my webconfig, redirecting all http traffic to the site to https, but that config was always there…could that be the issue?
I cannot find how it get’s a relation to the file in ‘/var/lib/letsencrypt/http_challenges’ from my webservers documentroot…


#10

The Apache authenticator temporarily injects that into your virtualhost config when you try to issue or renew a certificate.

If you run Certbot with --debug-challenges, it will pause after modifying your Apache config, so you can see what is going on in your virtual host. That’s probably what you’ll need to do to figure out that “client denied by server configuration”.

The alternative is to use the webroot authenticator instead of the Apache one. That may look something like:

certbot renew --cert-name www.bickel.be -a webroot -w /var/www/your-webroot

#11

I finally got a new certificate.
I ran this command:
sudo certbot renew --dry-run --debug-challenges -v
It did not pause after modifying the config, but it did show me exactly the code that was injected in the httpd.conf.

The code injected was:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

<Directory /var/lib/letsencrypt/http_challenges>
Require all granted

<Location /.well-known/acme-challenge>
Require all granted

I did some testing with manually putting this code in my config and tried to open a file on the challenge location and got also permission errors.
Then i changed both lines:
Require all granted
In
Order allow,deny
Allow from all

And after that ran the certbot command again and then it worked all fine with dry-run and then run for real and got a new certificate.

What could be the cause of the injected code not working or is their incorrect code being injected?


#12

Although leaving your code in would stop certbot from adding anything related to that.

I think upgrading apache may also solve this problem.
[for others that may not be so bold]


#13

We’ll i’ll try that when i have some time for it.
thanks all for your help, at least i have a workarond now and a working certificate!