Renew fails, Ubuntu 16

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: loncapa.winona.edu

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/loncapa.winona.edu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for loncapa.winona.edu
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (loncapa.winona.edu) from /etc/letsencrypt/renewal/loncapa.winona.edu.conf produced an unexpected error: Failed authorization procedure. loncapa.winona.edu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://loncapa.winona.edu/.well-known/acme-challenge/8VYiRsr_G9bonKMnbn0BDKTp575tOmSplyxrPKNwibw [52.162.238.218]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/loncapa.winona.edu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/loncapa.winona.edu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: loncapa.winona.edu
   Type:   unauthorized
   Detail: Invalid response from
   http://loncapa.winona.edu/.well-known/acme-challenge/8VYiRsr_G9bonKMnbn0BDKTp575tOmSplyxrPKNwibw
   [52.162.238.218]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
/usr/sbin/apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-1040-azure x86_64)

My hosting provider, if applicable, is: vm via Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.28.0

Are you sure the IP address is correct?

Can you post “sudo apachectl -t -D DUMP_VHOSTS”?

Here’s the command output.

[Sun Mar 10 08:36:36.768592 2019] [alias:warn] [pid 6061] AH00671: The ScriptAlias directive in /etc/apache2/conf-enabled/serve-cgi-bin.conf at line 12 will probably never match because it overlaps an earlier ScriptAlias.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.0.4. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   10.1.0.4 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  loncapa.winona.edu (/etc/apache2/sites-enabled/loncapa-le-ssl.conf:2)

Note, the system is an Azure VM, so the hostname is bananas,

hostname --fqdn
LonCappa.iel215phooculndmj5ogxpf3zg.ex.internal.cloudapp.net

Grateful for any suggestions! Does this suggest

Hi @nmoore

there is an older thread with the same domain name.

How did you create that certificate? And what's the content of

/etc/apache2/sites-enabled/loncapa-le-ssl.conf

Find your DocumentRoot and use it:

certbot run -a webroot -i apache -w documentRoot -d loncapa.winona.edu

Thanks @JuergenAuer . Yes, that old thread was mine. I had some trouble getting the system working initially, but the problem then seemed to be some local DNS settings within my institution. Those were resolved, certbot worked fine, and I was actually quite surprised when the renew command initially failed last week.

with regard to your suggestion, do I understand you correctly?

sudo certbot run -a webroot -i apache -w documentRoot -d loncapa.winona.edu
documentRoot does not exist or is not a directory

The conf file is the following,

cat /etc/apache2/sites-enabled/loncapa-le-ssl.conf

<VirtualHost *:443>
ServerAdmin webmaster@localhost

    DocumentRoot /home/httpd/html
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>
    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
Include conf/loncapa_rewrite.conf

ServerName loncapa.winona.edu
SSLCertificateFile /etc/letsencrypt/live/loncapa.winona.edu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/loncapa.winona.edu/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

You have to find your real documentRoot, then replace that placeholder.

Gotcha.

Ok, what about this. ip-based DNS lookup looks to only work within my domain. Would this be an issue for certbot?

[nmoore@toulouse ~]$ nslookup loncapa.winona.edu 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

Non-authoritative answer:
Name: loncapa.winona.edu
Address: 52.162.238.218

[nmoore@toulouse ~]$ nslookup 52.162.238.218 8.8.4.4
Server: 8.8.4.4
Address: 8.8.4.4#53

** server can't find 218.238.162.52.in-addr.arpa.: NXDOMAIN

[nmoore@toulouse ~]$ nslookup 52.162.238.218
Server: 199.17.171.5
Address: 199.17.171.5#53

218.238.162.52.in-addr.arpa name = loncapa.winona.edu.

No. The domain based DNS must work.

And your domain

Domainname Http-Status redirect Sec. G
http://loncapa.winona.edu/
52.162.238.218 200 0.240 H
https://loncapa.winona.edu/
52.162.238.218 200 2.274 B
http://loncapa.winona.edu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
52.162.238.218 404 0.240 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at loncapa.winona.edu Port 80

is visible.

I think this has the appropriate document root specified:

certbot run -a webroot -i apache -w /home/httpd/ -d loncapa.winona.edu
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for loncapa.winona.edu
Using the webroot path /home/httpd for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. loncapa.winona.edu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://loncapa.winona.edu/.well-known/acme-challenge/pa77F24k5VbsmDjqRQwLyR79jr_XNvntugIKI_ySvng [52.162.238.218]: "\n\n404 Not Found\n\n

Not Found

\n<p"

IMPORTANT NOTES:

Check it, if this is your webroot.

Create the two subdirectories

/home/http/.well-known/acme-challenge

there a file (file name 1234), then try to load that file with your browser.

http://loncapa.winona.edu/.well-known/acme-challenge/1234

That must work.

FIXED.

I feel like a fool now. Document root was incorrectly specified in command above. This worked:

certbot run -a webroot -i apache -w /home/httpd/html/ -d loncapa.winona.edu

Is there anything obvious that I have misconfigured? Grateful for your help @JuergenAuer @mnordhoff !

1 Like

Very good:

CN=loncapa.winona.edu
	10.03.2019
	08.06.2019
expires in 90 days	loncapa.winona.edu - 1 entry

You can add a redirect http -> https.

Domainname Http-Status redirect Sec. G
http://loncapa.winona.edu/
52.162.238.218 200 0.240 H
https://loncapa.winona.edu/
52.162.238.218 200 2.543 B
http://loncapa.winona.edu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
52.162.238.218 404 0.237 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at loncapa.winona.edu Port 80

If a user starts with http, he will never see your https - version.

So check your port 80 vHost and add a redirect.

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

Then recheck the domain if that works.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.