Problem updating ssl certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
trustserv.de

I ran this command:
certbot renew

It produced this output:

root@srv1:/etc/apache2/sites-enabled# certbot --dry-run renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/trustserv.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Running pre-hook command: /etc/letsencrypt/renewal-hooks/pre/stopservices.sh
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for trustserv.de
http-01 challenge for www.trustserv.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (trustserv.de) from /etc/letsencrypt/renewal/trustserv.de.conf produced an unexpected error: Failed authorization procedure. trustserv.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://trustserv.de/.well-known/acme-challenge/K40tMPkbKI8ANGSewFkDRVKXlwQSHVJVgTaL8jaGlm0 [185.207.106.7]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", www.trustserv.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.trustserv.de/.well-known/acme-challenge/hNg-RshhyIe45wIJ9KpGXAmf7eyM7SKbBQQAu4Aw68c [185.207.106.7]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/trustserv.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/trustserv.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/restart_services.sh
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: trustserv.de
   Type:   unauthorized
   Detail: Invalid response from
   https://trustserv.de/.well-known/acme-challenge/K40tMPkbKI8ANGSewFkDRVKXlwQSHVJVgTaL8jaGlm0
   [185.207.106.7]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: www.trustserv.de
   Type:   unauthorized
   Detail: Invalid response from
   https://www.trustserv.de/.well-known/acme-challenge/hNg-RshhyIe45wIJ9KpGXAmf7eyM7SKbBQQAu4Aw68c
   [185.207.106.7]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
apache 2.x

The operating system my web server runs on is (include version):
debian 10

My hosting provider, if applicable, is:
netcup

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31

I have multiple subdomains. I have to renew the certificates all the time with certonly and I really want to have this somehow automated. Can someone please help me to get that working with just “certbot renew” without all that hacking around?

When I create the file it is complaining about, I can access it. So it is for sure not an “easy” configuration problem. I noticed that certbot does something with /var/lib/letsencrypt and manipulates my apache2 conf files. I guess the problem is somehow related to that.

The conf of the main page is:

<VirtualHost *:80>
        <IfModule mod_rewrite.c>
                RewriteEngine On
                RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        </IfModule>
        ServerName trustserv.de
        ServerAlias www.trustserv.de
</VirtualHost>

The conf of the ssl page is:

<IfModule mod_ssl.c>
        <VirtualHost *:443>

                #Include global.conf
                ServerAdmin some@mydomain.de

                DocumentRoot /home/website/public

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                Include /etc/apache2/ssl.conf

                # HTTP Strict Transport Security Header.
                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

                Header set Content-Security-Policy "default-src 'self' https://trustserv.de; script-src 'self' 'sha256-nP0EI9B9ad8IoFUti2q7EQBabcE5MS5v0nkvRfUbYnM=' https://trustserv.de; img-src 'self' https://trustserv.de; style-src-elem 'self'; style-src 'self' https://trustserv.de"

                Header set Access-Control-Allow-Origin "*"

                <Directory "/">
                        Options None
                        AllowOverride All
                        <RequireAny>
                                Require all granted
                        </RequireAny>
                </Directory>

                #<IfModule alias_module>
                #        Alias /.well-known/acme-challenge/ /home/website/public/.well-known/acme-challenge/
                #</IfModule>

        </VirtualHost>
</IfModule>

The HTTP is being redirected to HTTPS.
The HTTPS block has no specific handling for the challenge requests…
So, please place a test text file in the expected challenge folder:
[$DocumentRoot + /.well-known/acme-challenge/]
[create the folders first]
mkdir /home/website/public/.well-known/
mkdir /home/website/public/.well-known/acme-challenge/
[make a testfile]
echo '12345' > /home/website/public/.well-known/acme-challenge/testfile
[test access to the file]
http://trustserve.de/.well-known/acme-challenge/testfile

Hi rg305,
as mentioned, I already did that, exactly with the naming that certbot did.
https://trustserv.de/.well-known/acme-challenge/QAqKBEwwLSffq3iXPelyLP6uU_qscj4mFq8Dcf3kIBM

Hi @someuser

Your output shows a problem.

There you use apache as Authenticator. But that means Certbot is checking your config and adds a location definition.

So Letsencrypt should never be redirected to https. But there is such a redirect. So certbot doesn't understand your configuration.

What does this say:

apachectl -S

Try removing these lines:

or add them (without the #) to the HTTP block (amended):

<IfModule alias_module> 
 Alias /.well-known/acme-challenge/ /home/website/public/
</IfModule>
VirtualHost configuration:
*:8448                 matrix.trustserv.de; (/etc/apache2/sites-enabled/matrix-ssl.conf:34)
*:443                  is a NameVirtualHost
         default server trustserv.de (/etc/apache2/sites-enabled/hugo-ssl.conf:2)
         port 443 namevhost trustserv.de (/etc/apache2/sites-enabled/hugo-ssl.conf:2)
         port 443 namevhost matreg.trustserv.de (/etc/apache2/sites-enabled/matreg-ssl.conf:2)
         port 443 namevhost matrix.trustserv.de (/etc/apache2/sites-enabled/matrix-ssl.conf:6)
         port 443 namevhost mta-sts.trustserv.de (/etc/apache2/sites-enabled/mta-sts-ssl.conf:2)
         port 443 namevhost postfixadmin.trustserv.de (/etc/apache2/sites-enabled/postfixadmin-ssl.conf:2)
         port 443 namevhost roundcube.trustserv.de (/etc/apache2/sites-enabled/roundcube-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server trustserv.de (/etc/apache2/sites-enabled/hugo.conf:1)
         port 80 namevhost trustserv.de (/etc/apache2/sites-enabled/hugo.conf:1)
                 alias www.trustserv.de
         port 80 namevhost matreg.trustserv.de (/etc/apache2/sites-enabled/matreg.conf:1)
         port 80 namevhost matrix.trustserv.de (/etc/apache2/sites-enabled/matrix.conf:1)
         port 80 namevhost postfixadmin.trustserv.de (/etc/apache2/sites-enabled/postfixadmin.conf:1)
         port 80 namevhost roundcube.trustserv.de (/etc/apache2/sites-enabled/roundcube.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

That's a nice command, I was not aware of that!

Please show this file:

That's the file I posted in the first posting; it is hugo.conf (http main page) and hugo-ssl.conf (https main page).

Ok, try adding that “Alias” logic to the HTTP conf:

<IfModule alias_module> 
 Alias /.well-known/acme-challenge/ /home/website/public/
</IfModule>

[I would avoid the website folders and use a dedicated path like: `/ACME-challenges/`]
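As an added example (not rg305's config and not from the original thread), here is an HTTP vhost for the main site that keeps the HTTPS redirect but exempts the challenge path and serves it from a dedicated directory, as rg305 suggests; the directory /var/www/acme-challenges is an assumed path, and certbot would then be pointed at it with -w /var/www/acme-challenges.

```apache
<VirtualHost *:80>
    ServerName trustserv.de
    ServerAlias www.trustserv.de

    # Serve ACME HTTP-01 challenges from a dedicated directory (assumed path),
    # outside the site's DocumentRoot, so validation never depends on the app.
    # certbot --webroot -w /var/www/acme-challenges writes the token files under
    # /var/www/acme-challenges/.well-known/acme-challenge/
    Alias /.well-known/acme-challenge/ /var/www/acme-challenges/.well-known/acme-challenge/
    <Directory "/var/www/acme-challenges/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Per-server RewriteRules run before mod_alias maps the URL, so the
        # challenge path must be excluded here or the redirect wins and the
        # HTTPS vhost (which has no Alias) answers 404, as seen in the thread.
        RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
</VirtualHost>
```

After reloading Apache, a test file placed in /var/www/acme-challenges/.well-known/acme-challenge/ should be returned over plain http:// with status 200 and no redirect.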

Still the same error message.

Is there any way to avoid the cleanup of certbot, so I can see what it is doing? This is a bit too much magic imo.

I used now this command, which worked:

certbot certonly --webroot-path /home/website/public/ -w /home/website/public/ -d trustserv.de -d www.trustserv.de -d postfixadmin.trustserv.de -d roundcube.trustserv.de -d mta-sts.trustserv.de -d matrix.trustserv.de -d matreg.trustserv.de

I could modify the certbot.service file but would really like to just issue a: certbot renew

Check the renewal conf file:
/etc/letsencrypt/renewal/<cert-name>.conf

I don't think so; but you could run it with -v (or -vv or even -vvv) to show more detail in the log file.

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/trustserv.de
cert = /etc/letsencrypt/live/trustserv.de/cert.pem
privkey = /etc/letsencrypt/live/trustserv.de/privkey.pem
chain = /etc/letsencrypt/live/trustserv.de/chain.pem
fullchain = /etc/letsencrypt/live/trustserv.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = some_account_token
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /home/website/public, /home/website/public
[[webroot_map]]
trustserv.de = /home/website/public
www.trustserv.de = /home/website/public
#installer = apache

I commented out that installer=apache as I don't want certbot to destroy my apache conf files (which it did a couple of months ago).
Guess I can now not test/renew that as I have a new certificate now.
I will test that in 2 months :wink:
