Renew Dry Run 404 Error

RobJVargas · February 19, 2018, 8:26pm

sudo certbot --apache renew --dry-run
Fails:

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.robjvargas.com
Type: unauthorized
Detail: Invalid response from
http://www.robjvargas.com/.well-known/acme-challenge/XaXMxeXHvTODispJ7xeI27Xwj6j-e4oqtDKNWQofgrg:
"
404 Not Found
Not Found
<p"
Domain: robjvargas.com
Type: unauthorized
Detail: Invalid response from
http://robjvargas.com/.well-known/acme-challenge/uHBwpC7Xj4FBmRtzLSFITp2SMMKVa9OwHaf5vDghqGs:
"
404 Not Found
Not Found
<p"

I have a redirect in httpd.conf sending all 80 to 443. But I’m pretty sure that’s not the problem. I previously had trouble getting the certs to apply, but discovered that /etc/httpd/conf/httpd.conf was pointing to Apache-generated self-signed certs. I manually changed that and the SSL started working. I think that may be related to why the dry run is failing.

I did find the following (I have the cert set for both robjvargas.com as well as www.robjvargas.com):

FailedChallenges: Failed authorization procedure. www.robjvargas.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.robjvargas.com/.well-known/acme-challenge/XaXMxeXHvTODispJ7xeI27Xwj6j-e4oqtDKNWQofgrg: "
404 Not Found
Not Found
<p", robjvargas.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://robjvargas.com/.well-known/acme-challenge/uHBwpC7Xj4FBmRtzLSFITp2SMMKVa9OwHaf5vDghqGs: " 404 Not Found
Not Found
<p"

So, do I lack permissions somewhere? I thought certbot --apache would take care of that (and it was run as sudo, which may be a clue).

rg305 · February 20, 2018, 1:06am

try adding a test.txt file in the acme-challenge folder and verify access to it from the Internet.

in the meantime, you should check your forwarding which seems to add an extra “/” into the URL:
Location: http://www.robjvargas.com/.well-known/acme-challenge/test.txt
becomes
Location: https://www.robjvargas.com//.well-known/acme-challenge/test.txt

RobJVargas · February 20, 2018, 2:16pm

I’m confused. The redirect seems fine insofar as using the CMS that I installed on the site (Joomla). I don’t see that extra slash in any of the URI’s for the site, nor in any of the status messages as the dry run proceeds.

The challenge folder seems not to be there.

sudo ls -lZ /%site root%/.well-known/a*

That yields no such file or directory. I don’t see that directory with the -a switch, either.

Since I’m primarily a Windows guy, I’m checking some newbie sites to make sure I’m not missing something basic. Right now, I wonder if I need to create that directory

mnordhoff · February 20, 2018, 2:39pm

That’s normal.

Certbot will create .well-known and acme-challenge as necessary; it will delete acme-challenge before exiting (if it’s empty), but it will leave .well-known.

So it’s normal to only have an acme-challenge directory for a few seconds while Certbot is running.

For testing purposes, you can create it.

RobJVargas · February 20, 2018, 3:19pm

Actually, the .well-known isn’t there, either. I’ll try creating it.

ls -aCF %site root%

./ bin/ error.log info.php* modules/ robots.txt.dist
../ cache/ htaccess.txt language/ plugins/ templates/
LICENSE.txt cli/ images/ layouts/ requests.com tmp/
README.txt components/ includes/ libraries/ requests.log web.config.txt
administrator/ configuration.php index.php media/ robots.txt*
Formatting’s a bit off, but I think that gives you the gist.

Hope you don’t mind me obfuscating the site root directory. I know it’s not that hard to guess, but I think you can see that it is the root for the site.

RobJVargas · February 20, 2018, 6:08pm

Thanks, @rg305. I think I’ve got the slash issue resolved. Still getting the errors, however. I run the certbot renew (as above) with sudo. But I’m seeing claimed authentication failures:

Same error as in the OP.

That’s a local authorization error, right? Not a Letsencrypt failure?

rg305 · February 20, 2018, 11:24pm

were you able to add the test.txt file in the acme-challenge folder?

RobJVargas · February 21, 2018, 6:46pm

Thanks again, @rg305.

Yes. In fact, it’s still there, with two lines of plain text.

It was immediately accessible after creating both the .well-known and the acme-challenge folder. I also ran chown apache:apache on the folders as well as chmod 755:
from the site root folder:

sudo chown -R apache:apache ./.well-known
sudo chmod -R 755 ./.well-known

[root@www html]# ls -lZ ./.well-known/acme-challenge/
-rwxr-xr-x apache apache ? test.txt

Files in the parent directories have that same question mark. But since the site is running, and since the initial cert succeeded, I haven’t bothered to fix that, if I even need to.

rg305 · February 22, 2018, 4:50am

I’m not sure how you’re doing your HTTPS redirection but I think the problem may be somehow related.
You could try excluding the challenge requests from the redirection.
with something (more or less) like this:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond Request_URI !="^/.well-known/acme-challenge/*"
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

RobJVargas · February 22, 2018, 2:09pm

Appreciate the patience. Added the exception, restarted httpd service.

The manual request from my browser still redirects, so I’ll look at how to add an exception and get back to you.

RobJVargas · February 22, 2018, 2:19pm

A-HA! Your syntax appears to have been off (and I recognize the “more or less” in your reply).

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{Request_URI} ^/test.txt
RewriteRule (.*) https://www.robjvargas.com$1 [R,L]

That stopped the redirect. Found that thanks to stackoverflow.

Now the dry run succeeds. Thanks a ton!

Now to learn crontab. Doesn’t look hard, just not done yet.

system · March 24, 2018, 2:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.