Problem renewing an existing certificate, Raspberry Pi 3B Stretch

OK, it was all working fine, until the mail I received that tells me to renew the SSL certs. I was surprised because I made an automated procedure in a cron job for this renewal process. The log file gives me the answer: some errors. So I thought, let's do it by hand. Below is the result; I googled a lot but did not find a good solution. I did disable IPv6 on my Raspberry Pi so this could not be a problem in this case. Hope someone can present the solution. Be very welcome!
=>>
root@raspberry3b:/etc# certbot certonly -d teamtalk.nl-web.net --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for teamtalk.nl-web.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. teamtalk.nl-web.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://teamtalk.nl-web.net/.well-known/acme-challenge/RIFYu7TTyUSQ0eIozEl3MSblyxxtb3dlASZMdJylZLY [84.85.123.108]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:


Hi @robnoordt

if that doesn’t work, Certbot doesn’t understand your Apache config.

What says

apachectl -S

Thanks for your reply!
OK, below is the output of apachectl -S. In this I see:
Main DocumentRoot: "/var/www/html"

But my documentroot is in /media/(external HD) and I do not know how this command can find it in /var/www/html.
Also, it was a good working system until now. What could have happened and made changes? Where should I find this wrong route and give it the right route?

root@raspberry3b:~# apachectl -S
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1. Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.buurenvan.nl-web.net (/etc/apache2/sites-enabled/buurenvan.nl-web.net-le-ssl.conf:2)
port 443 namevhost www.buurenvan.nl-web.net (/etc/apache2/sites-enabled/buurenvan.nl-web.net-le-ssl.conf:2)
alias buurenvan.nl-web.net
port 443 namevhost www.pe1meh.nl-web.net (/etc/apache2/sites-enabled/pe1meh.nl-web.net-le-ssl.conf:2)
alias pe1meh.nl-web.net
port 443 namevhost www.radiorenzo.nl-web.net (/etc/apache2/sites-enabled/radiorenzo.nl-web.net-le-ssl.conf:2)
alias radiorenzo.nl-web.net
port 443 namevhost www.sunshine-hoogeveen.nl-web.net (/etc/apache2/sites-enabled/sunshine-hoogeveen.nl-web.net-le-ssl.conf:2)
alias sunshine-hoogeveen.nl-web.net
port 443 namevhost www.teamtalk.nl-web.net (/etc/apache2/sites-enabled/teamtalk.nl-web.net-le-ssl.conf:2)
alias teamtalk.nl-web.net
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost www.buurenvan.nl-web.net (/etc/apache2/sites-enabled/buurenvan.nl-web.net.conf:1)
alias buurenvan.nl-web.net
port 80 namevhost www.pe1meh.nl-web.net (/etc/apache2/sites-enabled/pe1meh.nl-web.net.conf:1)
alias pe1meh.nl-web.net
port 80 namevhost www.radiorenzo.nl-web.net (/etc/apache2/sites-enabled/radiorenzo.nl-web.net.conf:1)
alias radiorenzo.nl-web.net
port 80 namevhost www.sunshine-hoogeveen.nl-web.net (/etc/apache2/sites-enabled/sunshine-hoogeveen.nl-web.net.conf:1)
alias sunshine-hoogeveen.nl-web.net
port 80 namevhost www.teamtalk.nl-web.net (/etc/apache2/sites-enabled/teamtalk.nl-web.net.conf:1)
alias teamtalk.nl-web.net
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
root@raspberry3b:~#


If you have that vHost

there is no matching vHost only with the non-www domain name.

Create one certificate with both domain names, so Certbot can find the matching vHost.


OK, thanks.
So I have the file /etc/apache2/sites-available/teamtalk.nl-web.net.conf and in that file:
ServerName www.teamtalk.nl-web.net
ServerAlias teamtalk.nl-web.net
And I understand there must be a second file where the difference is:
ServerName teamtalk.nl-web.net
ServerAlias teamtalk.nl-web.net
The first one is already there: teamtalk.nl-web.net.conf
Should I name the second file: teamtalk.nl-web.net.conf:1
Or:
rename the first to: teamtalk.nl-web.net.conf:1
and the new one
teamtalk.nl-web.net.conf:2
And, are both files the same, with the only difference as shown above?


No, you have already your vHost configuration. But you have to use it.


OK Jurgen, is this what you mean?
certbot certonly --webroot -w /media/path/to/webdir -d teamtalk.nl-web.net -d www.teamtalk.nl-web.net


Hi Jurgen,
I tried as I suggested above. No good result. Can you give me a more specific step-by-step instruction what to do? Below is the output of my last action.
=>>
root@raspberry3b:~# certbot certonly --webroot -w /media/www/teamtalk.nl-web.net -d teamtalk.nl-web.net -d www.teamtalk.nl-web.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/teamtalk.nl-web.net.conf)

It contains these names: teamtalk.nl-web.net

You requested these names for the new certificate: teamtalk.nl-web.net,
www.teamtalk.nl-web.net.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for teamtalk.nl-web.net
http-01 challenge for www.teamtalk.nl-web.net
Using the webroot path /media/www/teamtalk.nl-web.net for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. teamtalk.nl-web.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://teamtalk.nl-web.net/.well-known/acme-challenge/vP17e8e1sr_-Xp5WPrdhzUGwYXml0_Efr6UyAufF-Ck [84.85.123.108]: “\n\n404 Not Found\n\n

Not Found

\n<p”, www.teamtalk.nl-web.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.teamtalk.nl-web.net/.well-known/acme-challenge/qmvrhEyQ0dmcTh5voPbHGBtVkCB2PwqiiAMGJ7ef8i0 [84.85.123.108]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

If you use webroot and if that doesn't work, your webroot is wrong. Or you have additional location definitions or something else, so that webroot isn't your real webroot.

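Added example, not from the thread: a small POSIX shell self-check that does what certbot's http-01 validation does, placing a throwaway token under the webroot and fetching it over plain HTTP from the domain. DOMAIN, WEBROOT and the function names are assumptions. If the public URL returns something other than the file you just wrote, whatever is answering on port 80 for that name is not serving this webroot (a different vhost, a Location/Alias override, or, as it turned out in this thread, another machine behind the router's port-80 forward).

```shell
#!/bin/sh
# http-01 self-check: mimic certbot --webroot without contacting Let's Encrypt.
# Assumed usage: probe_domain teamtalk.nl-web.net /media/www/teamtalk.nl-web.net

# Write a unique token file where certbot would put its challenge response.
# Prints the token so the caller can fetch and compare it.
place_probe() {
    webroot=$1
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$token"
}

# Classify the HTTP answer the outside world got for the probe URL.
# 0: body matches what we placed (this webroot is the one being served)
# 1: 200 but a different body (some other server or document root answered)
# 2: non-200 (the 404 seen in the thread: path not served from this webroot)
judge_response() {
    expected=$1
    http_code=$2
    body=$3
    if [ "$http_code" != "200" ]; then
        return 2
    fi
    [ "$body" = "$expected" ]
}

# Place the probe, fetch it via the public hostname, clean up, report.
probe_domain() {
    domain=$1
    webroot=$2
    token=$(place_probe "$webroot")
    tmp=$(mktemp)
    # -w prints only the status code; the body lands in $tmp.
    code=$(curl -s -o "$tmp" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    body=$(cat "$tmp")
    rm -f "$tmp" "$webroot/.well-known/acme-challenge/$token"
    if judge_response "$token" "$code" "$body"; then
        echo "OK: $domain serves $webroot"
        return 0
    else
        rc=$?
        echo "MISMATCH ($rc): HTTP $code, body: $body" >&2
        return $rc
    fi
}
```

Run it once per name on the certificate (apex and www); a code 1 result with the stock "It works!" page as the body is the signature of a different Apache instance answering for your domain.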

Hi Jurgen,
Thanks for your quick response! I do not understand how this could be? The webroot is definitely the right one. Could it be something else? Suggestions what to try?

The certbot command looks in the /etc/apache2/sites-available/*.conf files. These conf files all route to the right webroot location. Also the apache2.conf file has this webroot location. The webroot in the given command is definitely right. Are there other ways the certbot certonly looks at other locations where maybe a wrong webroot is given?

Any suggestions where to find additional location definitions?

Is it possible to remove (apt purge certbot) and start it all from the start, a brand new installation and configuration? Would this lead to a solution?

Jurgen, today I received mail from Let's Encrypt Expiry Bot: "Let's Encrypt certificate expiration notice for domain "teamtalk.nl-web.net"". In 10 days expiration! I hope to fix the problem for renewal before this expiration. Is the option of removing certbot a good one? I know, maybe a hard one, but if it solves the problem, that will be fine! How strange it is: it has been working for a while and out of nothing this problem appeared. The webroot has not been changed, so I do not understand how this problem can be there at once. For now I hope you have a solution. In case of a re-install (after remove or purge certbot), keeping the apache installation and the basic configuration on the Raspberry, what procedure do you advise?

Hi Jurgen,

Tried the command certbot -auto renew. This gives a missing plugin. Can that missing plugin be the reason for my problem?

root@raspberry3b:/etc# certbot -auto renew

Processing /etc/letsencrypt/renewal/teamtalk.nl-web.net.conf


Cert is due for renewal, auto-renewing…

Could not choose appropriate plugin: The requested uto plugin does not appear to be installed

Attempting to renew cert (teamtalk.nl-web.net) from /etc/letsencrypt/renewal/teamtalk.nl-web.net.conf produced an unexpected error: The requested uto plugin does not appear to be installed. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/teamtalk.nl-web.net/fullchain.pem (failure)

Indeed there appears to be a wrong root dir reference somewhere. On the site http://www.teamtalk (unsecured) I arrive at the standard apache "it works" page. https://www.teamtalk is available. Still, because it expires on July 10. The default "it works" page does not come from /var/www/html/index.html. Likewise not from /usr/share/apache2/default-site/index.html. But I can't find out where this index is. Likewise, I don't find where this reference is assigned. The site is a Virtual Host and when I disconnect it (a2dissite teamtalk.nl-web.net) it remains accessible via https://teamtalk.nl-web.net. Who oh who, where should I look for it?

Okay, it was left there for a while. Sometimes that's good, to get it clear for yourself. Today, 1 day before the certificate expired, I got an idea. And often, and that is a pity, you encounter a problem on the internet in various forums that does not provide a solution. And because I often find it frustrating, I want to share with you the solution I found for this problem. And just like often, it is kind of simple in the end, but yeah, come on. Well, I have several Raspberries running. A while ago I wanted to realize a secured stream via another Raspberry. Unfortunately that did not work and after much experimentation I let it rest for the time being. I did not remember that I also installed Apache on that Raspberry and opened port 80 in my router for it. It could be that simple: this port 80 was apparently in the way of port 80 of the Raspberry where I have the websites running. I first removed all apache installations from the other Raspberries. This did not yield much more than just removing the "apache, iT works" page. Long story short, I then went to check the configuration of my router. And there I saw that port 80 was open for another Raspberry. Bingo, removed it there and the problem is solved. Thanks to everyone who contributed!