Problem with renewing a certificate again

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.betschart-it.ch

I ran this command: certbot --dry-run renew

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for imap.betschart-it.ch
http-01 challenge for smtp.betschart-it.ch
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mail.betschart-it.ch) from /etc/letsencrypt/renewal/mail.betschart-it.ch.conf produced an unexpected error: Failed authorization procedure. smtp.betschart-it.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 46.231.207.58: Invalid response from https://baikal.betschart-it.ch/.well-known/acme-challenge/OrOujaUWVCke5z3OBktQJ9B11Vc50AGOE_UCeHuj6oU: 404, imap.betschart-it.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 46.231.207.58: Invalid response from https://baikal.betschart-it.ch/.well-known/acme-challenge/hfLBk5IR0OFNwW_bc_mP4dZ2_LLO5DutW9HWxq0sfrg: 404. Skipping.

My web server is (include version): Apache 2.4.38-3

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I had this problem before a few weeks ago (ticket 179310).
I haven't done anything since that problem was fixed. Now suddenly two certificates cannot be renewed again.

Apparently it has to do with me configuring a website that does nothing but redirect HTTP calls to HTTPS. Once I take this away, the certificates can be renewed.

I do the HTTPS redirection with the following Apache configuration:

<VirtualHost _default_:80>
         ServerName www.betschart-it.ch:80
         ServerAlias betschart-it.ch:80
         Include conf-available/bit-default.conf
         Redirect permanent / https://www.betschart-it.ch/

         ErrorLog ${APACHE_LOG_DIR}/bit_error.log
         CustomLog ${APACHE_LOG_DIR}/bit_access.log combined
</VirtualHost>

This works great for any call, but obviously not for the http-01 challenge.

Can anyone explain this to me?
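
Added example, not part of the original post and not certbot code: the ACME validator follows redirects, and the URL after "Invalid response from" is the one that finally answered, so comparing it with the challenged name shows which host and scheme the request ended up on. The function and field names are hypothetical; the error text is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Error text from the certbot output in the post above (both failed authorizations).
CERTBOT_ERROR = (
    "Failed authorization procedure. smtp.betschart-it.ch (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: 46.231.207.58: Invalid response from "
    "https://baikal.betschart-it.ch/.well-known/acme-challenge/"
    "OrOujaUWVCke5z3OBktQJ9B11Vc50AGOE_UCeHuj6oU: 404, "
    "imap.betschart-it.ch (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: 46.231.207.58: Invalid "
    "response from https://baikal.betschart-it.ch/.well-known/acme-challenge/"
    "hfLBk5IR0OFNwW_bc_mP4dZ2_LLO5DutW9HWxq0sfrg: 404. Skipping."
)

# One failed http-01 authorization: challenged name, error type, validated IP,
# the URL that produced the final response, and its HTTP status.
FAILURE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \(http-01\): "
    r"(?P<type>urn:ietf:params:acme:error:\w+) :: .*? :: "
    r"(?P<ip>[0-9A-Fa-f.:]+): Invalid response from (?P<url>\S+?): (?P<status>\d{3})"
)

def validation_failures(error_text):
    """Return one dict per failed authorization, flagging redirected validations."""
    findings = []
    for m in FAILURE.finditer(error_text):
        final = urlsplit(m["url"])
        findings.append({
            "domain": m["domain"],
            "ip": m["ip"],
            "host": final.hostname,      # host that actually served the response
            "scheme": final.scheme,
            "status": int(m["status"]),
            # http-01 starts at http://<domain>/...; any other host or scheme
            # in the final URL means a redirect was followed on the way.
            "redirected": final.hostname != m["domain"].lower() or final.scheme != "http",
        })
    return findings

if __name__ == "__main__":
    for f in validation_failures(CERTBOT_ERROR):
        note = "redirected" if f["redirected"] else "served directly"
        print(f"{f['domain']}: {f['status']} from {f['scheme']}://{f['host']} ({note})")
```

For the output in the post, both smtp and imap report a 404 served by https://baikal.betschart-it.ch, so the virtual host that answers there is the one whose webroot has to contain the challenge file.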

Please show this file:

Please also show the output of:
apachectl -t -D DUMP_VHOSTS
