Problem unauthorized in renew

Hi. Suddenly certbot stopped renewing one of my sites. When I try to renew manually it gives this error. How can I fix it?

My domain is: masatermica.com

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/masatermica.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for masatermica.com
http-01 challenge for www.masatermica.com
Waiting for verification...
Challenge failed for domain masatermica.com
Challenge failed for domain www.masatermica.com
http-01 challenge for masatermica.com
http-01 challenge for www.masatermica.com
Cleaning up challenges
Attempting to renew cert (masatermica.com) from /etc/letsencrypt/renewal/masatermica.com.conf produced an unexpected error: Some challenges have failed.. Skipping.


Processing /etc/letsencrypt/renewal/masatermica.online.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for masatermica.online
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/masatermica.online/fullchain.pem


The following certs could not be renewed:
/etc/letsencrypt/live/masatermica.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/masatermica.online/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/masatermica.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.5

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site: No

The version of my client is: certbot 0.40.0

Different websites are accessible over IPv4 than over IPv6. I suggest you verify that the IP addresses in DNS point to the same host where you intend to run the website.

4 Likes

Thanks for your response. I have these records:

A @ 0 45.82.72.84 14400
AAAA @ 0 2a02:4780:1:1::1:9f4d 14400

But the problem persists. Is something wrong or missing?

You should check that those are your correct IP addresses. The results of the commands below are your IPv4 and IPv6 addresses. They should match your DNS.

curl -4 https://ifconfig.io
curl -6 https://ifconfig.io

Because, as bruncsak pointed out, requests using IPv4 get a different response from requests using IPv6. This often means a server config problem or an incorrect IP address.

Also see Let's Debug test site for details (link here)

3 Likes

Your Apache is severely misconfigured with regard to IPv6. While IPv4 performs an HTTP to HTTPS redirect, IPv6 does not. Furthermore, when using IPv6, your server responds with HTTP on port 443!

Please fix your Apache configuration with regard to IPv6 and try again.

3 Likes

root@masatermica:/home/carl# curl -4 https://ifconfig.io
45.82.72.84
root@masatermica:/home/carl# curl -6 https://ifconfig.io
2a02:4780:1:1::1:9f4d
root@masatermica:/home/carl#

The IPs seem to be ok, but when I follow the debugger:

MultipleIPAddressDiscrepancy

Warning

www.masatermica.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.

[Address=2a02:4780:1:1::1:9f4d,Address Type=IPv6,Server=Apache,HTTP Status=404] vs [Address=45.82.72.84,Address Type=IPv4,Server=Apache,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404]

Yes, the IP addresses look correct. The AAAA address is different than shown in the error in your first post so I assume you changed it recently.

Still, Osiris pointed out a server config problem. And, here are some more. Your apex and www domains don't respond the same, and neither do IPv4 and IPv6. These should all respond the same but don't (see below).

(IPv4 to www gets a 301)
curl -I4 www.masatermica.com
HTTP/1.1 301 Moved Permanently
Location: https://www.masatermica.com/

(IPv6 to www gets 200 OK)
curl -I6 www.masatermica.com
HTTP/1.1 200 OK

(IPv4 to apex domain gets 301 but to /blog)
curl -I4  masatermica.com
HTTP/1.1 301 Moved Permanently
Location: https://masatermica.com/blog/

(IPv6 to apex gets 200 OK)
curl -I6  masatermica.com
HTTP/1.1 200 OK

Show the result of this

apachectl -t -D DUMP_VHOSTS
3 Likes
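The Let's Debug warning and the curl comparison above boil down to one check: every A and AAAA record of the name must answer an http-01 style request the same way, because the CA may validate over any of them. The script below is an added example for this thread (it is not certbot, Let's Debug or Apache code): it resolves all addresses of a host, sends the challenge request to each address with the Host header set, does not follow redirects, and reports hosts whose addresses disagree. The token in ACME_PATH is a placeholder, and SAMPLE_PROBES is constructed from the statuses quoted in this thread, not captured traffic.

```python
"""
Probe every A/AAAA address of a hostname the way an ACME http-01 validator
would, and report addresses that answer differently.

Added example for this thread; not certbot, Let's Debug or Apache code.
ACME_PATH carries a placeholder token; SAMPLE_PROBES is constructed from the
statuses quoted in the thread, not from live traffic.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder token: a real validator fetches the token it issued for the order.
ACME_PATH = "/.well-known/acme-challenge/probe-token"


@dataclass(frozen=True)
class Probe:
    host: str
    address: str
    family: str             # "IPv4" or "IPv6"
    status: Optional[int]   # None when the TCP connection failed
    location: Optional[str]


def resolve_all(host: str) -> List[Tuple[str, str]]:
    """Every (family, address) in DNS: a CA may validate over any one of them."""
    found = set()
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        found.add(("IPv6" if fam == socket.AF_INET6 else "IPv4", sockaddr[0]))
    return sorted(found)


def probe(host: str, address: str, family: str, path: str = ACME_PATH,
          timeout: float = 5.0) -> Probe:
    """One plain-HTTP request to a specific address with Host set to the name.

    Redirects are deliberately not followed: the first hop is where a
    per-address misconfiguration (like an IPv4-only VirtualHost) shows up.
    """
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-probe/0"})
        resp = conn.getresponse()
        resp.read()
        return Probe(host, address, family, resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return Probe(host, address, family, None, None)
    finally:
        conn.close()


def discrepancies(probes: List[Probe]) -> Dict[str, List[Probe]]:
    """Hosts whose addresses did not all return the same status and Location."""
    by_host: Dict[str, List[Probe]] = {}
    for p in probes:
        by_host.setdefault(p.host, []).append(p)
    report = {}
    for host, plist in by_host.items():
        if len({(p.status, p.location) for p in plist}) > 1:
            report[host] = sorted(plist, key=lambda p: (p.family, p.address))
    return report


def check(hosts: List[str]) -> Dict[str, List[Probe]]:
    """Live check: resolve, probe each address, and summarise the mismatches."""
    return discrepancies([probe(h, a, f) for h in hosts for f, a in resolve_all(h)])


def format_report(report: Dict[str, List[Probe]]) -> List[str]:
    lines = []
    for host, plist in report.items():
        lines.append(f"{host}: addresses disagree on {ACME_PATH}")
        for p in plist:
            where = f" -> {p.location}" if p.location else ""
            lines.append(f"  {p.family} {p.address}: {p.status}{where}")
    return lines


# Constructed from the statuses quoted in the thread (not captured traffic).
SAMPLE_PROBES = [
    Probe("masatermica.com", "45.82.72.84", "IPv4", 301,
          "https://masatermica.com/blog" + ACME_PATH),
    Probe("masatermica.com", "2a02:4780:1:1::1:9f4d", "IPv6", 404, None),
    Probe("masatermica.online", "45.82.72.84", "IPv4", 404, None),
]

if __name__ == "__main__":
    import sys
    result = check(sys.argv[1:]) if len(sys.argv) > 1 else discrepancies(SAMPLE_PROBES)
    print("\n".join(format_report(result)) or "all addresses agree")
```

Run it as `python3 acme_probe.py masatermica.com www.masatermica.com` against the live host; with no arguments it evaluates the constructed sample, where only masatermica.com is reported because its IPv4 address redirects while its IPv6 address serves a 404 directly.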

root@masatermica:/home/adminblog# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
45.82.72.84:80 is a NameVirtualHost
default server masatermica.com (/etc/apache2/sites-enabled/masatermica.com.conf:1)
port 80 namevhost masatermica.com (/etc/apache2/sites-enabled/masatermica.com.conf:1)
alias www.masatermica.com
alias mail.masatermica.com
alias webmail.masatermica.com
alias admin.masatermica.com
port 80 namevhost masatermica.online (/etc/apache2/sites-enabled/masatermica.online.conf:1)
alias www.masatermica.online
alias mail.masatermica.online
alias webmail.masatermica.online
alias admin.masatermica.online
45.82.72.84:443 is a NameVirtualHost
default server masatermica.com (/etc/apache2/sites-enabled/masatermica.com-le-ssl.conf:2)
port 443 namevhost masatermica.com (/etc/apache2/sites-enabled/masatermica.com-le-ssl.conf:2)
alias www.masatermica.com
alias mail.masatermica.com
alias webmail.masatermica.com
alias admin.masatermica.com
port 443 namevhost masatermica.online (/etc/apache2/sites-enabled/masatermica.online.conf:43)
alias www.masatermica.online
alias mail.masatermica.online
alias webmail.masatermica.online
alias admin.masatermica.online
*:80 masatermica.com/matomo/ (/etc/apache2/sites-enabled/matomo.conf:1)

Please show the contents of the following files:

/etc/apache2/sites-enabled/masatermica.com.conf
/etc/apache2/sites-enabled/masatermica.online.conf
/etc/apache2/sites-enabled/masatermica.com-le-ssl.conf

It seems you've forced your virtualhosts to IPv4, which makes IPv6 problematic.

2 Likes

root@masatermica:/home/adminblog# cat /etc/apache2/sites-enabled/masatermica.com.conf
<VirtualHost 45.82.72.84:80>
SuexecUserGroup "#1004" "#1003"
ServerName masatermica.com
ServerAlias www.masatermica.com
ServerAlias mail.masatermica.com
ServerAlias webmail.masatermica.com
ServerAlias admin.masatermica.com
DocumentRoot /home/adminblog/public_html
ErrorLog /var/log/virtualmin/masatermica.com_error_log
CustomLog /var/log/virtualmin/masatermica.com_access_log combined
ScriptAlias /cgi-bin/ /home/adminblog/cgi-bin/
ScriptAlias /awstats/ /home/adminblog/cgi-bin/
DirectoryIndex index.php index.php4 index.php5 index.htm index.html
<Directory /home/adminblog/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.4
FCGIWrapper /home/adminblog/fcgi-bin/php7.4.fcgi .php
FCGIWrapper /home/adminblog/fcgi-bin/php7.4.fcgi .php7.4
</Directory>

<Directory /home/adminblog/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>

RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.masatermica.com
RewriteRule ^(?!/.well-known)(.*) https://masatermica.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.masatermica.com
RewriteRule ^(?!/.well-known)(.*) https://masatermica.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.4
FcgidMaxRequestLen 1073741824

AuthName "masatermica.com statistics"
AuthType Basic
AuthUserFile /home/adminblog/.awstats-htpasswd
require valid-user

Alias /dav /home/adminblog/public_html
<Location /dav>
DAV on
AuthType Basic
AuthName "masatermica.com"
AuthUserFile /home/adminblog/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php7.4
RewriteEngine off
</Location>

RewriteCond %{SERVER_NAME} =webmail.masatermica.com [OR]
RewriteCond %{SERVER_NAME} =mail.masatermica.com [OR]
#RewriteCond %{SERVER_NAME} =masatermica.com [OR]
RewriteCond %{SERVER_NAME} =www.masatermica.com [OR]
RewriteCond %{SERVER_NAME} =admin.masatermica.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{SERVER_NAME} =masatermica.com
RewriteRule ^ https://%{SERVER_NAME}/blog%{REQUEST_URI} [END,NE,R=permanent]
IPCCommTimeout 301
</VirtualHost>


root@masatermica:/home/adminblog# cat /etc/apache2/sites-enabled/masatermica.online.conf
<VirtualHost 45.82.72.84:80>
SuexecUserGroup "#1000" "#1000"
ServerName masatermica.online
ServerAlias www.masatermica.online
ServerAlias mail.masatermica.online
ServerAlias webmail.masatermica.online
ServerAlias admin.masatermica.online
DocumentRoot /home/masatermica/public_html
ErrorLog /var/log/virtualmin/masatermica.online_error_log
CustomLog /var/log/virtualmin/masatermica.online_access_log combined
ScriptAlias /cgi-bin/ /home/masatermica/cgi-bin/
ScriptAlias /awstats/ /home/masatermica/cgi-bin/
DirectoryIndex index.php index.php4 index.php5 index.htm index.html
<Directory /home/masatermica/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
</Directory>

<Directory /home/masatermica/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>

RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.masatermica.online
RewriteRule ^(?!/.well-known)(.*) https://masatermica.online:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.masatermica.online
RewriteRule ^(?!/.well-known)(.*) https://masatermica.online:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.4

AuthName "masatermica.online statistics"
AuthType Basic
AuthUserFile /home/masatermica/.awstats-htpasswd
require valid-user

<FilesMatch .php$>
SetHandler proxy:fcgi://localhost:8000
</FilesMatch>
</VirtualHost>

<VirtualHost 45.82.72.84:443>
SuexecUserGroup "#1000" "#1000"
ServerName masatermica.online
ServerAlias www.masatermica.online
ServerAlias mail.masatermica.online
ServerAlias webmail.masatermica.online
ServerAlias admin.masatermica.online
DocumentRoot /home/masatermica/public_html
ErrorLog /var/log/virtualmin/masatermica.online_error_log
CustomLog /var/log/virtualmin/masatermica.online_access_log combined
ScriptAlias /cgi-bin/ /home/masatermica/cgi-bin/
ScriptAlias /awstats/ /home/masatermica/cgi-bin/
DirectoryIndex index.php index.php4 index.php5 index.htm index.html
<Directory /home/masatermica/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
</Directory>

<Directory /home/masatermica/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>

RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.masatermica.online
RewriteRule ^(?!/.well-known)(.*) https://masatermica.online:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.masatermica.online
RewriteRule ^(?!/.well-known)(.*) https://masatermica.online:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.4
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

AuthName "masatermica.online statistics"
AuthType Basic
AuthUserFile /home/masatermica/.awstats-htpasswd
require valid-user

<FilesMatch .php$>
SetHandler proxy:fcgi://localhost:8000
</FilesMatch>

#SSLCACertificateFile /home/masatermica/sslComodo/SectigoRSADomainValidationSecureServerCA.crt
#X-Frame-Options: "ALLOWALL"
SSLCertificateFile /etc/letsencrypt/live/masatermica.online/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/masatermica.online/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>


root@masatermica:/home/adminblog# cat /etc/apache2/sites-enabled/masatermica.com-le-ssl.conf

<VirtualHost 45.82.72.84:443>
SuexecUserGroup "#1004" "#1003"
ServerName masatermica.com
ServerAlias www.masatermica.com
ServerAlias mail.masatermica.com
ServerAlias webmail.masatermica.com
ServerAlias admin.masatermica.com
DocumentRoot /home/adminblog/public_html
ErrorLog /var/log/virtualmin/masatermica.com_error_log
CustomLog /var/log/virtualmin/masatermica.com_access_log combined
ScriptAlias /cgi-bin/ /home/adminblog/cgi-bin/
ScriptAlias /awstats/ /home/adminblog/cgi-bin/
DirectoryIndex index.php index.php4 index.php5 index.htm index.html
<Directory /home/adminblog/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.4
FCGIWrapper /home/adminblog/fcgi-bin/php7.4.fcgi .php
FCGIWrapper /home/adminblog/fcgi-bin/php7.4.fcgi .php7.4
</Directory>

<Directory /home/adminblog/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>

RewriteEngine on

# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{HTTP_HOST} =webmail.masatermica.com
# RewriteRule ^(?!/.well-known)(.*) https://masatermica.com:20000/ [R]
# RewriteCond %{HTTP_HOST} =admin.masatermica.com
# RewriteRule ^(?!/.well-known)(.*) https://masatermica.com:10000/ [R]

RemoveHandler .php
RemoveHandler .php7.4
FcgidMaxRequestLen 1073741824

AuthName "masatermica.com statistics"
AuthType Basic
AuthUserFile /home/adminblog/.awstats-htpasswd
require valid-user

Alias /dav /home/adminblog/public_html
<Location /dav>
DAV on
AuthType Basic
AuthName "masatermica.com"
AuthUserFile /home/adminblog/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php7.4
RewriteEngine off
</Location>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/masatermica.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/masatermica.com/privkey.pem
</VirtualHost>

If you want IPv6 to work you need to remove the IPv4 address from VirtualHost. Try this instead <VirtualHost *:80>

Same for HTTPS VHost. If you want IPv6 to work you need to remove the IPv4 address from VirtualHost. Try this instead <VirtualHost *:443>

Your domain ending on .online only has an IPv4 address in the DNS so this change is not required for those VHosts. But, you could probably do that for those too.

Now we know why the redirect for your apex domain goes to /blog but the www domain does not. You set those different above (note the commented out line). That's up to you but is very unusual. And, you do not have similar redirects in your HTTPS VHost so I don't think this does what you think it does. Configuring redirects for different purposes is beyond scope of this forum although it's possible a different volunteer here will help anyway.

5 Likes
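The DUMP_VHOSTS output posted earlier already contains both findings from this post: every VirtualHost for the .com and .online domains is bound to the literal address 45.82.72.84, so nothing answers on the AAAA address, and one entry has a ServerName with a path in it. The script below is an added example for this thread (not Apache's or Virtualmin's own tooling) that parses `apachectl -t -D DUMP_VHOSTS` output and reports both problems together with the `<VirtualHost *:PORT>` replacement suggested above. SAMPLE_DUMP is trimmed from the output posted in the thread.

```python
"""
Read `apachectl -t -D DUMP_VHOSTS` output and flag the two problems seen in
this thread: VirtualHosts bound to a literal IPv4 address (never reached over
IPv6) and a ServerName that contains a path.

Added example for this thread, not Apache's or Virtualmin's own tooling.
SAMPLE_DUMP is trimmed from the output posted above.
"""
import re
from typing import Dict, List

# "ADDR:PORT is a NameVirtualHost" or "ADDR:PORT name (file:line)" lines.
BIND_RE = re.compile(
    r"^(?P<addr>\*|\[[0-9A-Fa-f:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+is a NameVirtualHost|\s+(?P<name>\S+)\s+\(.*\))\s*$"
)
# The per-name lines nested under a NameVirtualHost address.
NAME_RE = re.compile(r"^(?:default server|port \d+ namevhost)\s+(?P<name>\S+)\s+\(")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dump_vhosts(text: str) -> Dict[str, List[str]]:
    """Map each listen binding ("45.82.72.84:80", "*:80", ...) to its vhost names."""
    bindings: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            current = f"{m['addr']}:{m['port']}"
            names = bindings.setdefault(current, [])
            if m["name"] and m["name"] not in names:
                names.append(m["name"])
            continue
        m = NAME_RE.match(line)
        if m and current is not None and m["name"] not in bindings[current]:
            bindings[current].append(m["name"])
    return bindings


def ipv4_only_bindings(bindings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Bindings on a literal IPv4 address: an AAAA record can never reach them."""
    return {b: n for b, n in bindings.items() if IPV4_RE.match(b.rsplit(":", 1)[0])}


def invalid_server_names(bindings: Dict[str, List[str]]) -> List[str]:
    """ServerName takes a hostname (optionally scheme:// and :port), never a path."""
    return [n for names in bindings.values() for n in names if "/" in n.split("://")[-1]]


def report(text: str) -> List[str]:
    """Human-readable findings with the fix suggested in the thread."""
    bindings = parse_dump_vhosts(text)
    out = []
    for binding, names in ipv4_only_bindings(bindings).items():
        port = binding.rsplit(":", 1)[1]
        out.append(f"<VirtualHost {binding}> ({', '.join(names)}) is IPv4-only; "
                   f"use <VirtualHost *:{port}> so IPv6 clients reach the same vhost")
    for name in invalid_server_names(bindings):
        out.append(f"ServerName {name!r} contains a path; ServerName must be a hostname")
    return out


# Trimmed from the DUMP_VHOSTS output posted in this thread.
SAMPLE_DUMP = """\
VirtualHost configuration:
45.82.72.84:80 is a NameVirtualHost
default server masatermica.com (/etc/apache2/sites-enabled/masatermica.com.conf:1)
port 80 namevhost masatermica.com (/etc/apache2/sites-enabled/masatermica.com.conf:1)
alias www.masatermica.com
port 80 namevhost masatermica.online (/etc/apache2/sites-enabled/masatermica.online.conf:1)
45.82.72.84:443 is a NameVirtualHost
default server masatermica.com (/etc/apache2/sites-enabled/masatermica.com-le-ssl.conf:2)
port 443 namevhost masatermica.com (/etc/apache2/sites-enabled/masatermica.com-le-ssl.conf:2)
port 443 namevhost masatermica.online (/etc/apache2/sites-enabled/masatermica.online.conf:43)
*:80 masatermica.com/matomo/ (/etc/apache2/sites-enabled/matomo.conf:1)
"""

if __name__ == "__main__":
    import sys
    # Pipe real output in with: apachectl -t -D DUMP_VHOSTS 2>&1 | python3 check_vhosts.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("\n".join(report(text)) or "no IPv4-only bindings or invalid ServerNames found")
```

On the sample it reports the port 80 and port 443 bindings on 45.82.72.84 and the `masatermica.com/matomo/` entry; after changing the files to `<VirtualHost *:80>` and `<VirtualHost *:443>` and removing the Matomo entry, rerun it on the live output and it should report nothing.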

This is not a valid configuration setting:

3 Likes

First of all, thank you all very much for the responses. I've already replaced the IPs with "*", removed the invalid line referring to Matomo, and commented out the redirects. The certificate was now renewed without giving an error, but there is another problem: the masatermica.com certificate was issued for masatermica.online, and now it gives an error

SSL_ERROR_BAD_CERT_DOMAIN

1 Like

Set the domains manually: add -d masatermica.com -d masatermica.online to the certbot options.

4 Likes

All is working ok now. Thanks a lot!

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.