Problems renewing/creating certs in webroot on Golang server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: socketclient.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/socketclient.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for socketclient.com
http-01 challenge for www.socketclient.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (socketclient.com) from /etc/letsencrypt/renewal/socketclient.com.conf produced an unexpected error: Failed authorization procedure. www.socketclient.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.socketclient.com/.well-known/acme-challenge/51kmC_caQDA6Wu9UarD7s4dKpknbpMvAo8_ZzLE-kgQ [167.114.2.125]: 404, socketclient.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://socketclient.com/.well-known/acme-challenge/m77H-AM8w8KuXIYJHEif682UZjtPkEBrNqf9t6yNc2U [167.114.2.125]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/socketclient.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/socketclient.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Golang(Echo framework)

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: Namecheap

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin-latest

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28

Additionally, I can reach: https://socketclient.com/.well-known/acme-challenge/name.txt
Once I created a standalone cert, it created the webroot successfully.
I have 2 other servers I need to renew with the same setup as this one, and they give the same errors.

1 Like

What’s the contents of /etc/letsencrypt/renewal/socketclient.com.conf?

Could you also show your Echo handler which is routing /.well-known/acme-challenge/ requests to the filesystem?

1 Like
  • contents of /etc/letsencrypt/renewal/socketclient.com.conf

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/socketclient.com
cert = /etc/letsencrypt/live/socketclient.com/cert.pem
privkey = /etc/letsencrypt/live/socketclient.com/privkey.pem
chain = /etc/letsencrypt/live/socketclient.com/chain.pem
fullchain = /etc/letsencrypt/live/socketclient.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = bbbd3d037ad4e85676a982466f5b9132
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /home/debian/go/src/socketclient,
[[webroot_map]]
www.socketclient.com = /home/debian/go/src/socketclient
socketclient.com = /home/debian/go/src/socketclient

  • Echo handler which is routing /.well-known/acme-challenge/

```go
//assetHandler := http.FileServer(http.FileSystem(http.Dir("/home/debian/go/src/socketclient")))

//e.Match([]string{"GET", "POST"}, "/.well-known/acme-challenge/", echo.WrapHandler(assetHandler))
////////////////////////////////////////////////////

e.Static("/.well-known/acme-challenge", "/home/debian/go/src/socketclient")
```

I am using the static version.
Also hosting is provided by OVH, Namecheap is the registrar.

1 Like

The problem here is that Certbot ends up creating the challenge response files under /home/debian/go/src/socketclient/.well-known/acme-challenge/{token}, but your Echo handler is trying to serve them directly from the parent directory.

Ordinarily I would suggest you use http.StripPrefix on your route, but I’m not sure what the Echo equivalent is.

The other way to solve it would be to change your call to e.Static to be:

```go
e.Static("/.well-known/acme-challenge", "/home/debian/go/src/socketclient/.well-known/acme-challenge")
```
3 Likes
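To make the path mapping concrete, here is an added example in plain net/http (not code from this thread, from Echo, or from Certbot): it reproduces the lookup that e.Static("/.well-known/acme-challenge", webroot) performs next to the corrected one, and probes both the way the ACME validation server does. Reproducing Echo's Static with http.StripPrefix is my reading of its mapping; the temporary webroot, token and key authorization are constructed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// brokenHandler reproduces e.Static("/.well-known/acme-challenge", webroot) in net/http
// (my reading of Echo's mapping): the prefix is stripped and the rest joined onto the root,
// so /.well-known/acme-challenge/<token> is looked up at <webroot>/<token>.
func brokenHandler(webroot string) http.Handler {
	return http.StripPrefix("/.well-known/acme-challenge/", http.FileServer(http.Dir(webroot)))
}

// fixedHandler roots the file server where Certbot actually writes,
// matching the corrected e.Static call from the answer above.
func fixedHandler(webroot string) http.Handler {
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	return http.StripPrefix("/.well-known/acme-challenge/", http.FileServer(http.Dir(dir)))
}

// writeToken stands in for Certbot: <webroot>/.well-known/acme-challenge/<token> gets the key authorization.
func writeToken(webroot, token, keyAuth string) error {
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, token), []byte(keyAuth), 0o644)
}

// probe sends the GET an ACME validation server would and returns status code and body.
func probe(h http.Handler, token string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/.well-known/acme-challenge/"+token, nil)
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	webroot, _ := os.MkdirTemp("", "webroot") // constructed stand-in for /home/debian/go/src/socketclient
	defer os.RemoveAll(webroot)
	_ = writeToken(webroot, "exampleToken", "exampleToken.exampleThumbprint") // constructed values
	code, _ := probe(brokenHandler(webroot), "exampleToken")
	fmt.Println("broken mapping:", code) // 404, as in the dry run
	code, _ = probe(fixedHandler(webroot), "exampleToken")
	fmt.Println("fixed mapping: ", code) // 200
}
```

Note that http.FileServer will also list the directory for a request to /.well-known/acme-challenge/ itself; the tokens there are single-use and public by design, but you can put a directory-listing guard in front of it if you would rather not expose them.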

@_az, this has taken me one month.
These both finally work.

```go
assetHandler := http.FileServer(http.FileSystem(http.Dir("/home/debian/go/src/socketclient/.well-known/acme-challenge")))

e.Match([]string{"GET", "POST"}, "/.well-known/acme-challenge/", echo.WrapHandler(assetHandler))
////////////////////////////////////////////////////

//e.Static("/.well-known/acme-challenge", "/home/debian/go/src/socketclient/.well-known/acme-challenge")
```
Thanks!

1 Like