Problem with renewing certificates


#1

My domain is: partcatalog.ru

I ran this command:
./letsencrypt-auto renew

It produced this output:

Processing /etc/letsencrypt/renewal/partcatalog.ru.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for partcatalog.ru
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (partcatalog.ru) from /etc/letsencrypt/renewal/partcatalog.ru.conf produced an unexpected error: Failed authorization procedure. partcatalog.ru (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://partcatalog.ru/.well-known/acme-challenge/IlAXbhDd3Su72SFWzXJy9j96-8sGW1pvUIcS5GFkUus: “\n\n404 Not Found\n\nNot Found\n<p”. Skipping.

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Debian 7

I can login to a root shell on my machine:
Yes

I’m using a control panel to manage my site:
No

I understand that an error occurs when confirming domain rights.
I created folders at: /var/www/partcatalog.ru/.well-known/acme-challenge
I set the permission level to 755.
What text should I place and where can the system check my domain? Or do you need to add some information in DNS?


#2

Hi @oleg_antonov

I see, you have already checked your domain via https://check-your-website.server-daten.de/?q=partcatalog.ru :

There is one problem:


| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://partcatalog.ru/ 5.44.103.11 | 302 | https://partcatalog.ru/ | 0.047 | A |
| http://www.partcatalog.ru/ 5.44.103.11 | 302 | https://www.partcatalog.ru/ | 0.047 | A |
| https://partcatalog.ru/ 5.44.103.11 | 200 | | 1.423 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.partcatalog.ru/ 5.44.103.11 | 200 | | 1.360 | N |
| Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | | | |
| http://partcatalog.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 5.44.103.11 | 302 | https://partcatalog.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.064 | A |
| http://www.partcatalog.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 5.44.103.11 | 302 | https://www.partcatalog.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.043 | A |
| https://partcatalog.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 200 | | 1.267 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.partcatalog.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 200 | | 1.266 | N |
| Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | | | |

The redirect http -> https is ok; Letsencrypt ignores the wrong certificate. But when checking a non-existent file

https://www.partcatalog.ru/.well-known/acme-challenge/1234

your server sends an HTTP status 200 (ok), not the expected status 404 (not found).

So it looks like there are other redirects or a misconfiguration. Ah - loading the URL manually, there is a big 404, so it’s only the wrong HTTP status.

I created folders at: /var/www/partcatalog.ru/.well-known/acme-challenge

That’s good, now create a file there (file name 1234 with random content) and try to load this file via

http://partcatalog.ru/.well-known/acme-challenge/1234

If this works, you have found your correct webroot, so you can use

./letsencrypt-auto run -a webroot -i apache -w /var/www/partcatalog.ru -d partcatalog.ru

to create a new certificate.
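
Added example, not part of the original posts: a Python sketch of the check described in #2. It writes a probe file under `<webroot>/.well-known/acme-challenge`, fetches it over HTTP, and also confirms that a missing file name returns 404 rather than 200. The names `check_webroot`, `http_get` and the probe file names are hypothetical.

```python
import os
import secrets
import ssl
import sys
import urllib.error
import urllib.request

# Like the validation server after an http -> https redirect, ignore
# certificate errors; only random probe content is fetched. No proxy is used.
_CTX = ssl.create_default_context()
_CTX.check_hostname = False
_CTX.verify_mode = ssl.CERT_NONE
_OPENER = urllib.request.build_opener(
    urllib.request.HTTPSHandler(context=_CTX), urllib.request.ProxyHandler({}))


def http_get(url, timeout=10):
    """Return (status, body), following redirects."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_webroot(webroot, base_url):
    """Write a probe file below webroot and report how the server answers."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, mode=0o755, exist_ok=True)
    name = "probe-" + secrets.token_hex(8)      # hypothetical file name
    content = secrets.token_hex(16).encode()    # random content
    path = os.path.join(challenge_dir, name)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o644)  # the web server user must be able to read it
    prefix = base_url.rstrip("/") + "/.well-known/acme-challenge/"
    try:
        status, body = http_get(prefix + name)
        missing, _ = http_get(prefix + "missing-" + secrets.token_hex(8))
    finally:
        os.remove(path)
    return {
        "probe_status": status,
        "served_from_webroot": status == 200 and body.strip() == content,
        "missing_status": missing,
        "missing_is_404": missing == 404,  # 200 here means wrong status codes
    }


if __name__ == "__main__":
    # e.g. check_webroot.py /var/www/partcatalog.ru http://partcatalog.ru
    print(check_webroot(sys.argv[1], sys.argv[2]))
```

`served_from_webroot` compares the body with the random content, so a server that answers every path with status 200 and an error page does not pass the check.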


#3

Thank you very much! It all worked.


#4

Yep, now it works.

But if you want, you can create one certificate with two names:

-d partcatalog.ru -d www.partcatalog.ru

Your current certificate has only one domain name, but www has a DNS entry.

Different countries, different people. Some people always add www, some people never add www.

If you use one certificate with two domain names, both versions work.