Problem with renewing Let's Encrypt certificate

Hello,

3 months ago, I configured our company cloud: qnap / ubuntu 22 (in qnap's container) / apache2 / ownCloud. I used a Let's Encrypt certificate in the apache2 config files to start the https service. Everything worked well until the beginning of May, when your certificate expired. I need help to renew the certificate and configure it for cyclic renewal. I know that there are tons of articles on the internet about how to do this. I tried many things, without success.

During my trials, I created the folder:
/var/www/letsencrypt/.well-known/acme-challenge/

and also configured this directory in the Apache site config file (/etc/apache2/sites-available/owncloud4.conf) by adding the below:

Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

I added the above outside all "VirtualHost" sections (I have two such sections, for ports 80 and 443).

Please help! Thank you in advance!

My domain is: cloud.energoster.com.pl

I ran this command:
./renew.sh (from /etc/letsencrypt/ directory)
and also
certbot certonly (from any directory)

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: cloud.energoster.com.pl
Type: unauthorized
Detail: 78.9.96.130: Invalid response from http://cloud.energoster.com.pl/.well-known/acme-challenge/HynaH1G7SjAHUxDqc5CIsrc1-pyazyZ6iCT77TZOe9A: 404

My web server is (include version):
Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS
(uname -a produces below:
Linux ubuntu-2 5.10.60-qnap #1 SMP Fri Apr 21 01:51:27 CST 2023 x86_64 x86_64 x86_64 GNU/Linux)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Can you please post your port 80 <VirtualHost> and also the output of

sudo apachectl -t -D DUMP_VHOSTS

Hello,

root@ubuntu-2:~# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 cloud.energoster.com.pl (/etc/apache2/sites-enabled/owncloud4.conf:1)
*:443 cloud.energoster.com.pl (/etc/apache2/sites-enabled/owncloud4.conf:15)

owncloud4.conf:


<VirtualHost *:80>

        ServerName cloud.energoster.com.pl
        ServerAlias chmura.energoster.com.pl

        #Redirect permanent / https://cloud.energoster.com.pl
        LogLevel debug

        ErrorLog /var/log/apache2/http_owncloud_error.log
        CustomLog /var/log/apache2/http_owncloud_access.log combined

</VirtualHost>

# Default host
<VirtualHost *:443>
        ServerAdmin cloud@energoster.com.pl
        ServerName cloud.energoster.com.pl
        DocumentRoot /var/www/owncloud
        LogLevel Debug
        ErrorLog /var/log/apache2/https_owncloud_error.log
        CustomLog /var/log/apache2/https_owncloud_access.log combined

        SSLEngine on
        SSLCertificateChainFile /etc/letsencrypt/live/cloud.energoster.com.pl/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cloud.energoster.com.pl/privkey.pem
        SSLCertificateFile /etc/letsencrypt/live/cloud.energoster.com.pl/cert.pem

</VirtualHost>

SSLUseStapling on
SSLStaplingCache "shmcb:/tmp/stapling_cache(2097152)"

<Directory /var/www/owncloud/>
        AllowOverride All
</Directory>

# configuration of the "well-known" directory for certbot when renewing
# the certificate - it needs to write files here that are fetched from the network
Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

For the port 80 virtual host, I commented out the "Redirect" directive during my last testing. Normally, during the last 3 months, this redirect was active.

The port 80 virtual host you linked to does not have a document root.

If you want to use --webroot, the port 80 virtual host's DocumentRoot needs to agree with the webroot path that you pass to Certbot.


I concur with using --webroot.
But, I also think that you should move that alias statement.
Using the alias outside the <VirtualHost> may be problematic for the certbot Apache plugin.


Nothing changed. Conf file (after modification) and terminal screenshot - attached.

By using an alias you override the DocumentRoot for the matching ACME requests.

Try matching --webroot to the alias:

  • --webroot -w /var/www/letsencrypt/.well-known/acme-challenge/
    OR
  • --webroot -w /var/www/letsencrypt/

OR

Remove the alias.


Try:

certbot certonly \
--webroot -w /var/www/letsencrypt/.well-known/acme-challenge/ \
-d cloud.energoster.com.pl \
--dry-run

and

certbot certonly \
--webroot -w /var/www/letsencrypt/ \
-d cloud.energoster.com.pl \
--dry-run

One of them should pass the test.
Whichever does pass, then redo it without the --dry-run testing.

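The two -w candidates in the last two replies differ in one detail that decides between a 200 and the 404 quoted in the error: certbot's webroot plugin always appends .well-known/acme-challenge/<token> to whatever -w names, while Apache resolves the request URL through the Alias. The shell script below is an added example, not something posted in the thread. It models the posted Alias and the missing DocumentRoot on the *:80 vhost, uses the token from the error output, and reports which -w value lines up with the Alias and which one lands the token one directory too deep.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Certbot's webroot plugin writes the
# challenge token to <webroot>/.well-known/acme-challenge/<token>; Apache
# serves the challenge URL through the Alias. Both must name the same file.
set -eu

# The Alias from the posted owncloud4.conf.
ALIAS_URL="/.well-known/acme-challenge/"
ALIAS_DIR="/var/www/letsencrypt/.well-known/acme-challenge/"

# File certbot creates for `--webroot -w "$1"` and token "$2".
certbot_token_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# File Apache serves for request URL "$1": the Alias target when it matches,
# otherwise DocumentRoot "$2" (empty when the *:80 vhost sets none, as posted).
apache_served_path() {
    url=$1; docroot=$2
    case $url in
        "$ALIAS_URL"*) printf '%s%s\n' "$ALIAS_DIR" "${url#"$ALIAS_URL"}" ;;
        *)
            if [ -n "$docroot" ]; then
                printf '%s%s\n' "${docroot%/}" "$url"
            else
                printf '\n'      # nothing to serve: this is the 404 in the thread
            fi ;;
    esac
}

# Succeeds when the token certbot writes for -w "$1" is exactly the file
# Apache would serve for the matching challenge URL.
webroot_matches() {
    webroot=$1; token=$2
    written=$(certbot_token_path "$webroot" "$token")
    served=$(apache_served_path "/.well-known/acme-challenge/$token" "")
    [ "$written" = "$served" ]
}

# The RedirectMatch 404 in the posted <Directory> only lets through names of
# 43 URL-safe base64 characters, so a hand-made test file called "test" is
# also answered with 404. Use this before trusting a manual curl check.
valid_token_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

TOKEN=HynaH1G7SjAHUxDqc5CIsrc1-pyazyZ6iCT77TZOe9A   # token from the error output
for w in /var/www/letsencrypt/ /var/www/letsencrypt/.well-known/acme-challenge/; do
    if webroot_matches "$w" "$TOKEN"; then
        echo "match: -w $w"
    else
        echo "404:   -w $w  (certbot would write $(certbot_token_path "$w" "$TOKEN"))"
    fi
done
```

Run as-is it prints one match and one 404. The same check can be done live before a real renewal: create a file whose name passes valid_token_name under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it with curl over plain HTTP on port 80; a shorter name such as "test" is rejected by the RedirectMatch and proves nothing.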

@rg305, your second proposed certbot command was successful. First with --dry-run, and then without it. Now my certificate is renewed. Thank you.

I did this without any modifications to my last "owncloud4.conf" (the directory alias still exists in both the 80 and 443 virtual hosts). After that, I modified "owncloud4.conf" and removed these directory aliases; I issued the command "certbot certonly" and it succeeded.

I know that it sounds strange, but after a few hours I tried the "certbot certonly" command again (now I always use --dry-run), and it doesn't work! It is a surprise, because you wrote earlier that I can remove the directory aliases.

I restored the previous "owncloud4.conf" (directory aliases present) and now "certbot certonly --dry-run" works.

For me it is only half a success, because I need to configure automatic renewal of the certificate. Unfortunately, the command "certbot renew --dry-run" is not working. What do I need to use to renew: "certbot certonly" or "certbot renew"? I don't understand the difference between these two. How often can I issue the "certonly" or "renew" commands (without --dry-run)?


For renewals, just do:
certbot renew

NOT:
certbot certonly

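On the certonly-versus-renew question: `certbot renew` takes no authenticator or -w from the command line; it replays what was recorded in /etc/letsencrypt/renewal/<name>.conf when the last `certonly` succeeded, so a renewal only works for as long as Apache still serves files from that recorded webroot at the challenge URL. The shell script below is an added example, not code from the thread. It parses a renewal file in certbot's format and prints the webroot and token path a renewal will rely on; the file contents are a constructed sample (the account id and paths are made up to match the thread's domain), and on a real host the file to read is /etc/letsencrypt/renewal/cloud.energoster.com.pl.conf.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. `certbot renew` replays the parameters
# stored in /etc/letsencrypt/renewal/<name>.conf; this reads those fields so
# the webroot a renewal will use can be checked against the Apache config.
set -eu

# Constructed sample in certbot's renewal-file layout; values are assumed.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/cloud.energoster.com.pl
cert = /etc/letsencrypt/live/cloud.energoster.com.pl/cert.pem
privkey = /etc/letsencrypt/live/cloud.energoster.com.pl/privkey.pem
chain = /etc/letsencrypt/live/cloud.energoster.com.pl/chain.pem
fullchain = /etc/letsencrypt/live/cloud.energoster.com.pl/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/letsencrypt,
[[webroot_map]]
cloud.energoster.com.pl = /var/www/letsencrypt
EOF

# Print the value of "key = value" from the [renewalparams] block of "$1".
# A trailing comma (certbot stores webroot_path as a list) is dropped.
renewal_param() {
    conf=$1; key=$2
    awk -v k="$key" '
        /^\[renewalparams\]/ { in_rp = 1; next }
        /^\[\[/              { in_rp = 0 }        # nested [[webroot_map]] begins
        in_rp && $1 == k && $2 == "=" { sub(/^[^=]*= */, ""); sub(/,$/, ""); print; exit }
    ' "$conf"
}

# Webroot certbot will use for domain "$2": a [[webroot_map]] entry wins,
# otherwise the first entry of webroot_path.
renewal_webroot() {
    conf=$1; domain=$2
    mapped=$(awk -v d="$domain" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && $1 == d && $2 == "=" { print $3; exit }
    ' "$conf")
    if [ -n "$mapped" ]; then
        printf '%s\n' "$mapped"
    else
        renewal_param "$conf" webroot_path | cut -d, -f1
    fi
}

# Where the renewal will drop the ACME token. This file must be reachable as
# http://<domain>/.well-known/acme-challenge/<token> through the Apache config,
# or `certbot renew --dry-run` fails with the same 404 as in the thread.
renewal_token_path() {
    printf '%s/.well-known/acme-challenge/<token>\n' "$(renewal_webroot "$1" "$2")"
}

printf 'authenticator : %s\n' "$(renewal_param "$SAMPLE_CONF" authenticator)"
printf 'renewal token : %s\n' "$(renewal_token_path "$SAMPLE_CONF" cloud.energoster.com.pl)"
```

On frequency: `certbot renew` only contacts the CA for certificates within 30 days of expiry, so running it often is harmless, and the Ubuntu certbot package already installs a certbot.timer unit that runs it twice a day (`systemctl list-timers certbot.timer` shows whether it is active; in a container without systemd, a cron entry running `certbot renew` has to take its place). `certbot certonly`, by contrast, requests a new certificate every time it succeeds and counts against Let's Encrypt's duplicate-certificate rate limit, which is why it is the wrong command for automation.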
