Procedure for working around TLS_SNI-01: renewal failure


#1

My domain is: golftripscoring.com & www.golftripscoring.com

After following the directions on the post “How to stop using TLS-SNI-01 with Certbot”, I ran this command: sudo certbot renew --dry-run

It produced this output:
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.golftripscoring.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.golftripscoring.com/.well-known/acme-challenge/o5eK7LCYJQLcKwwm8jTaPY8ai_iWwCmp1lEH0c8h_Jk:
   "\n\n500 Internal Server Error\n\n\nInter"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):Yes, AWS EC2 Control Panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Since this is a renewal, I know the DNS works since I can get to the site when I enter the address into my browser.

I’ve also tried the suggestion made in another post to add: ‘preferred-challenges = http’ to the /etc/letsencrypt/cli.ini file. It also didn’t solve the problem.

FYI, the /etc/letsencrypt/renewal/golftripscoring.com.conf file looks like this:
# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/golftripscoring.com
cert = /etc/letsencrypt/live/golftripscoring.com/cert.pem
privkey = /etc/letsencrypt/live/golftripscoring.com/privkey.pem
chain = /etc/letsencrypt/live/golftripscoring.com/chain.pem
fullchain = /etc/letsencrypt/live/golftripscoring.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = XXXXXXXXX

Any help is much appreciated.


#2

wget http://golftripscoring.com/.well-known/acme-challenge/1234
wget https://golftripscoring.com/.well-known/acme-challenge/1234
wget http://www.golftripscoring.com/.well-known/acme-challenge/1234
wget https://www.golftripscoring.com/.well-known/acme-challenge/1234

All return:
HTTP request sent, awaiting response… 500 Internal Server Error
2019-01-23 05:11:27 ERROR 500: Internal Server Error.


#3

Ok, how do I fix that?


#4

I would only be able to guess.
I have no idea why…
I would:

  • Check the access and error logs for any clues.
  • Restart the web service

#5

Hi @psanchir

as @rg305 wrote: Your website doesn’t like /.well-known/acme-challenge. Your other urls are ok ( https://check-your-website.server-daten.de/?q=golftripscoring.com ) - redirects or http status 200 :

But if you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Certbot checks this file.

So an http status 404 is expected if the file doesn't exist.

Create both directories manually and recheck your domain.


#6

Thanks Juergen. I apologize if this is something I should know the answer to, but where do I put the directory ‘/.well-known/acme-challenge’ and what’s the name and contents of the file I put there?


#7

You have to find your DocumentRoot. Check the vHost file, there should be your DocumentRoot defined.

Use as filename 1234, same as content, a simple text file.


#8

Thanks again Juergen. I got it to work. Here are the steps I followed:
1/ created the directories '/.well-known/acme-challenge' in my Document Root directory.
2/ Since my website was created using flask, I had to add the following to my views file:

    import os
    from flask import send_from_directory

    @app.route('/.well-known/acme-challenge/<key>')
    def acme_challenge(key):
        return send_from_directory(os.path.join(app.root_path, '.well-known/acme-challenge'), key)

3/ ran the following command in my console:

    sudo certbot certonly --manual --preferred-challenges http

4/ followed the instructions and created files with keys and placed them in .../.well-known/acme-challenge directory
5/ It worked!
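The two things the thread converges on are (a) the web app must actually serve files out of /.well-known/acme-challenge/ from the document root, and (b) you can check that before running certbot by requesting a dummy token, as in the wget checks above (404 is fine, 500 is the bug). The following is an added example, not the poster's Flask code or anything from certbot: a standard-library (http.server) handler that does what the Flask route in the post does, plus a probe function that mirrors the wget check, so both halves can be exercised offline. The challenge directory, the loopback port and the token name 1234 are assumptions for the example; send_from_directory in Flask already refuses traversal, so the explicit token check below is the equivalent for the plain handler.

```python
"""Serve the ACME http-01 challenge path and pre-check it before renewal.

Added example for this thread (not the poster's code, not certbot's):
a stdlib handler equivalent to the Flask route in the post, plus the
wget-style probe used earlier in the thread.
"""
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Path that the ACME server (and certbot's dry run) will request.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def make_handler(challenge_dir):
    """Build a handler that serves token files from challenge_dir only."""
    challenge_dir = os.path.realpath(challenge_dir)

    class AcmeChallengeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            path = self.path.split("?", 1)[0]
            if not path.startswith(CHALLENGE_PREFIX):
                self.send_error(404)          # not a challenge request
                return
            token = path[len(CHALLENGE_PREFIX):]
            # ACME tokens are base64url; anything else ('.', '/', empty) is
            # rejected so the file name can never escape challenge_dir.
            if not token or not all(c.isalnum() or c in "-_" for c in token):
                self.send_error(400)
                return
            full = os.path.realpath(os.path.join(challenge_dir, token))
            if os.path.dirname(full) != challenge_dir or not os.path.isfile(full):
                self.send_error(404)          # expected for a token certbot has not written
                return
            with open(full, "rb") as f:
                body = f.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):      # keep the example quiet
            pass

    return AcmeChallengeHandler


def start_server(challenge_dir, port=0):
    """Start the handler on loopback (port 0 = pick a free port) in a thread."""
    server = ThreadingHTTPServer(("127.0.0.1", port), make_handler(challenge_dir))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url):
    """Return (status, body) without raising on 4xx/5xx, like the wget check."""
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def probe(base_url, token="1234"):
    """Request base_url + challenge path + token; 404 or 200 means the
    path is reachable, 500 means the server is misconfigured."""
    return fetch(base_url + CHALLENGE_PREFIX + token)


def selfcheck():
    """Stand-alone demonstration: serve a temporary challenge dir and probe it."""
    with tempfile.TemporaryDirectory() as d:              # assumed challenge dir
        with open(os.path.join(d, "1234"), "w") as f:     # constructed token file
            f.write("1234")
        server = start_server(d)
        base = "http://127.0.0.1:%d" % server.server_address[1]
        try:
            return {
                "existing": probe(base, "1234"),      # (200, "1234")
                "missing": probe(base, "nope"),       # 404, the healthy "not yet written" case
                "traversal": probe(base, "../1234"),  # 400, token rejected
                "outside": fetch(base + "/index.html"),  # 404, handler serves nothing else
            }
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, (status, body) in selfcheck().items():
        print("%-9s -> %d %r" % (name, status, body))
```

Against a real host you would call probe("http://www.golftripscoring.com") and probe("https://www.golftripscoring.com") and expect 404 (or 200 if you left a 1234 file in place); a 500 means the request never reaches the challenge directory, which is exactly the failure the dry run reported.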


closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.