Problem with renewing a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: betschart-it.ch

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert (betschart-it.ch) from /etc/letsencrypt/renewal/betschart-it.ch.conf produced an unexpected error: Failed authorization procedure. betschart-it.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 46.231.207.58: Invalid response from http://betschart-it.ch/.well-known/acme-challenge/XTpuVe4K_HWldiCm-ce0NZRyu9SicStkkhmOmZvcwOM: 404. Skipping.

I have used this certificate for a long time and had no problem. On the same server I can renew many other certificates, but not this one, e.g. ldap.betschart-it.ch. I can't remember changing anything on the web server. The IP address is correct.

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster).

My hosting provider, if applicable, is: own VM, hosted by Metanet Switzerland

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Take nothing for granted, especially with Apache.

Something must have changed since your last renewal.
Let's try to unravel that mystery with the output of:
apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:8843                 pim.betschart-it.ch (/etc/apache2/sites-enabled/pim-apple-adressbook-ssl.conf:2)
*:443                  is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit-ssl.conf:2)
         port 443 namevhost baikal.betschart-it.ch (/etc/apache2/sites-enabled/baikal-ssl.conf:2)
         port 443 namevhost lam.betschart-it.ch (/etc/apache2/sites-enabled/lam-ssl.conf:2)
         port 443 namevhost packages.betschart-it.ch (/etc/apache2/sites-enabled/packages-ssl.conf:2)
         port 443 namevhost phpldapadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpldapadmin-ssl.conf:2)
         port 443 namevhost phpmyadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpmyadmin-ssl.conf:2)
         port 443 namevhost pim.betschart-it.ch (/etc/apache2/sites-enabled/pim-ssl.conf:2)
         port 443 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe-ssl.conf:2)
                 alias redabe.ch
         port 443 namevhost webmail.betschart-it.ch (/etc/apache2/sites-enabled/roundcube-ssl.conf:2)
         port 443 namevhost cloud.betschart-it.ch (/etc/apache2/sites-enabled/seafbit-ssl.conf:2)
         port 443 namevhost t3t.betschart-it.ch (/etc/apache2/sites-enabled/t3t-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit.conf:1)
                 alias betschart-it.ch:80
         port 80 namevhost baikal.betschart-it.ch (/etc/apache2/sites-enabled/baikal.conf:1)
         port 80 namevhost lam.betschart-it.ch (/etc/apache2/sites-enabled/lam.conf:1)
         port 80 namevhost packages.betschart-it.ch (/etc/apache2/sites-enabled/packages.conf:1)
         port 80 namevhost pbx.betschart-it.ch (/etc/apache2/sites-enabled/pbx.conf:1)
         port 80 namevhost phpldapadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpldapadmin.conf:1)
         port 80 namevhost phpmyadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpmyadmin.conf:1)
         port 80 namevhost pim.betschart-it.ch (/etc/apache2/sites-enabled/pim.conf:1)
         port 80 namevhost provisioning.betschart-it.ch (/etc/apache2/sites-enabled/provisioning.conf:1)
         port 80 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe.conf:1)
                 alias redabe.ch
         port 80 namevhost webmail.betschart-it.ch (/etc/apache2/sites-enabled/roundcube.conf:1)
         port 80 namevhost cloud.betschart-it.ch (/etc/apache2/sites-enabled/seafbit.conf:1)
         port 80 namevhost t3t.betschart-it.ch (/etc/apache2/sites-enabled/t3t.conf:1)

This appears to be a name:port conflict/overlap:

port 80 namevhost     betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit.conf:1)
                alias betschart-it.ch:80

We should have a look at both of those files.

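The name:port overlap called out above can be found mechanically rather than by eye. The following shell script is an added example, not something posted in the thread: it parses `apachectl -t -D DUMP_VHOSTS` output and lists every host name that more than one vhost claims on the same port, whether through `namevhost` (ServerName) or `alias` (ServerAlias). Stripping a `:80`-style suffix before comparing is a choice made here so that `alias betschart-it.ch:80` is reported against `namevhost betschart-it.ch`; the sample input is a constructed, shortened copy of the dump posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Reports host names that more than one
# <VirtualHost> claims on the same port in "apachectl -t -D DUMP_VHOSTS" output.

# Reads DUMP_VHOSTS output on stdin; prints "<port> <host>" once per duplicate.
find_overlaps() {
    awk '
        # "*:80  is a NameVirtualHost" opens a port section; a single-vhost port
        # such as "*:8843 host (file)" carries its name on the same line.
        /^\*:[0-9]+/ {
            port = $1; sub(/^\*:/, "", port)
            if ($2 != "is") { host = $2; sub(/:[0-9]+$/, "", host); print port, host }
            next
        }
        # ServerName of each vhost in the section (":80"-style suffix stripped).
        $1 == "port" && $3 == "namevhost" { host = $4; sub(/:[0-9]+$/, "", host); print port, host; next }
        # ServerAlias entries are indented below their vhost.
        $1 == "alias" { host = $2; sub(/:[0-9]+$/, "", host); print port, host; next }
        # "default server ..." repeats the first namevhost of the section; skipped.
    ' | sort | uniq -d
}

# Constructed sample, trimmed from the DUMP_VHOSTS output posted in the thread.
SAMPLE='VirtualHost configuration:
*:8843                 pim.betschart-it.ch (/etc/apache2/sites-enabled/pim-apple-adressbook-ssl.conf:2)
*:443                  is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit-ssl.conf:2)
         port 443 namevhost pim.betschart-it.ch (/etc/apache2/sites-enabled/pim-ssl.conf:2)
         port 443 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe-ssl.conf:2)
                 alias redabe.ch
*:80                   is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit.conf:1)
                 alias betschart-it.ch:80
         port 80 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe.conf:1)
                 alias redabe.ch'

# On the sample this prints "80 betschart-it.ch".
# On a live box: apachectl -t -D DUMP_VHOSTS | find_overlaps
printf '%s\n' "$SAMPLE" | find_overlaps
```

Any line the script prints is a name:port pair served by two vhosts, and which one answers a given request then depends on file order in sites-enabled rather than on the name, which is exactly how a challenge request can land in a vhost that redirects or denies it.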

000-default.conf:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.

	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/request.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

</VirtualHost>

001-bit.conf

<VirtualHost _default_:80>
	ServerName www.betschart-it.ch:80
	ServerAlias betschart-it.ch:80
	Include conf-available/bit-default.conf
	Redirect permanent / https://www.betschart-it.ch/

	ErrorLog ${APACHE_LOG_DIR}/bit_error.log
	CustomLog ${APACHE_LOG_DIR}/bit_access.log combined
</VirtualHost>

000-default.conf is only there to ensure that LE does not get a redirect to https.

OK, it's your config so you need to wrangle it into shape. Your site is currently using basic authentication for the /.well-known/acme-challenge path and obviously certbot can't read files if that happens.

Your version of certbot is also very old, you should probably update that if you can.

When adding blocks of config/code on the forum try using triple back tick characters at the start and end of long code sections so they get formatted properly and folks will be able to read what you've posted.


I don't know where I set up authentication for /.well-known/acme-challenge.
Does LE follow a redirect to HTTPS? It's not clear to me whether I have to specifically configure a virtual host that doesn't redirect to HTTPS.

Yes, LE can follow https redirects.


That makes no sense.
It can't only do that.
If you don't want the challenge requests to be redirected to HTTPS (I wouldn't either), then you need to handle that within the server block that services those requests [not by creating another conflicting/overlapping service block].

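One way to do what the previous reply describes, as an added example rather than the thread's own configuration: a single port-80 vhost owns both www.betschart-it.ch and betschart-it.ch (no `:80` suffixes, no second `_default_:80` block for the same names), serves /.well-known/acme-challenge/ from its own directory with authentication explicitly switched off, and redirects everything else to HTTPS. The webroot /var/www/letsencrypt and the use of certbot's webroot authenticator (`certbot renew` with the renewal config pointing `--webroot-path` there) are assumptions; if the apache authenticator is in use the Alias block is still harmless but certbot will manage the challenge files itself.

```apache
# Added example, not the thread's own configuration.
# Assumes certbot's webroot authenticator with webroot /var/www/letsencrypt.
<VirtualHost *:80>
    ServerName www.betschart-it.ch
    ServerAlias betschart-it.ch

    # Serve HTTP-01 tokens over plain HTTP from a dedicated directory that no
    # other <Directory> or .htaccess rule can lock down.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        # Cancel any Basic auth inherited from an enclosing <Directory>.
        AuthType None
        Require all granted
    </Directory>

    # Everything except the challenge path goes to HTTPS. The negative
    # lookahead keeps challenge requests on port 80; Let's Encrypt does follow
    # redirects, but an unauthenticated plain-HTTP answer has fewer ways to fail.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://www.betschart-it.ch/$1"

    ErrorLog ${APACHE_LOG_DIR}/bit_error.log
    CustomLog ${APACHE_LOG_DIR}/bit_access.log combined
</VirtualHost>
```

After enabling this and removing the other port-80 vhost that claimed the same names, check with `apachectl configtest`, reload Apache, confirm `apachectl -t -D DUMP_VHOSTS` lists each name once on port 80, then drop a probe file into the challenge directory and fetch `http://betschart-it.ch/.well-known/acme-challenge/<probe>` with curl: the answer should be 200 with the file's contents, not 301, 401 or 404. Only then is `certbot renew --dry-run` worth re-running.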

Thank you, I have adjusted the Apache configuration. Everything works as desired again.
