Renew Help Please

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.clarksclater.com

I ran this command: certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.clarksclater.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.clarksclater.com
Cleaning up challenges
Attempting to renew cert (www.clarksclater.com) from /etc/letsencrypt/renewal/www.clarksclater.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.clarksclater.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.clarksclater.com/fullchain.pem (failure)

My web server is (include version): Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-135-generic x86_64)

The operating system my web server runs on is (include version): macOS Sierra 10.12.24

My hosting provider, if applicable, is: AWS -EC2

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I searched around and see others had same/similar issues. I couldn’t find a solution. The ports 80 & 443 seem tied up with other services. I run a simple static wordpress site on the server if that matters at all. I appreciate any help in getting my certificate renewed.

Thank you,

John

Hi,

Your certbot recorded that you obtained the certificate using TLS-SNI-01, which is deprecated (due to security). You can try running the command certbot renew --preferred-challenges http and use http challenges or change http to webroot, whichever worked for you.

Thank you

I tried the following:

certbot renew --preferred-challenges webroot
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --preferred-challenges: Unrecognized challenges: webroot

Is this what you were suggesting? I had tried the http before and got the error for port 80.

Thanks for any help.

You’re using the standalone authenticator, which won’t work while other services are running on port 80 (in some situations it can use port 443, but as stevenzhu mentioned that’s deprecated and you shouldn’t rely on it; it doesn’t seem to help in your case anyway).

Your server seems to be running Apache, right? In that case you might try:

certbot renew --authenticator apache

If that doesn’t work, update certbot to the latest version and try again. If you can’t do that, you may need to start over and use the webroot method (certbot certonly --webroot etc).

Another option is to temporarily stop Apache while you do the renewal.
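
Certbot keeps the method it will reuse on renewal in a per-certificate file under /etc/letsencrypt/renewal/ (the path shown in the output above), in the authenticator entry of its [renewalparams] section. The script below is an added example, not part of the original posts, that reports that entry for every certificate; the sample files, host names and function names are constructed, and the samples are trimmed to the keys the script reads.

```shell
#!/bin/sh
# Added example. File names and values in the sample are constructed.

# Create two constructed renewal configs in directory $1.
write_sample_renewal() {
    cat > "$1/www.example.test.conf" <<'EOF'
[renewalparams]
authenticator = standalone
installer = None
EOF
    cat > "$1/blog.example.test.conf" <<'EOF'
[renewalparams]
authenticator = webroot
installer = None
webroot_path = /opt/example/htdocs,
[[webroot_map]]
blog.example.test = /opt/example/htdocs
EOF
}

# usage: renewal_report RENEWAL_DIR
# One line per certificate: "<name> <authenticator> <webroot path or ->".
renewal_report() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v name="$(basename "$f" .conf)" '
            /^\[renewalparams\]/ { inparams = 1; next }
            /^\[/                { inparams = 0 }      # any other section
            inparams && $1 == "authenticator" { auth = $3 }
            inparams && $1 == "webroot_path"  { path = $3; sub(/,$/, "", path) }
            END { print name, (auth == "" ? "unknown" : auth), (path == "" ? "-" : path) }
        ' "$f"
    done
}

# Certificates whose renewal starts its own listener and so needs the port free.
standalone_lineages() {
    renewal_report "$1" | awk '$2 == "standalone" { print $1 }'
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
write_sample_renewal "$tmp"
renewal_report "$tmp"
rm -rf "$tmp"
```

On a real host, pass /etc/letsencrypt/renewal as the directory; any name printed by standalone_lineages will fail to renew while a web server holds the port.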

Thank you. If I have decided I need to just start over as you suggested with “certbot certonly --webroot”, how would I find the webroot?

I’m now at this point. Any suggestions?

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): www.clarksclater.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.clarksclater.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.clarksclater.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.clarksclater.com/.well-known/acme-challenge/sBSglSIfru53XIxBHT7Orxk0T2GxCf5hwtxbrS7925k: "

<meta name="viewport" content"

IMPORTANT NOTES:

It's probably the directory where Wordpress is installed. Or you can check your Apache configuration and find the DocumentRoot. As a test, try placing a file in that directory and see if you can access it in your browser.

So, something along the lines of

certbot certonly --webroot -w /var/www/wordpress

replacing /var/www/wordpress with whatever the directory is. You might also want to add a --deploy-hook to reload Apache after renewing as well:

certbot certonly --webroot -w /var/www/wordpress --deploy-hook "service apache2 reload"

Another variation that might be useful, especially if you want any new certificates:

certbot -a webroot -i apache -w /var/www/whatever

How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): www.clarksclater.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.clarksclater.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.clarksclater.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.clarksclater.com/.well-known/acme-challenge/sBSglSIfru53XIxBHT7Orxk0T2GxCf5hwtxbrS7925k: "

<meta name="viewport" content"

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.clarksclater.com
Type: unauthorized
Detail: Invalid response from
http://www.clarksclater.com/.well-known/acme-challenge/sBSglSIfru53XIxBHT7Orxk0T2GxCf5hwtxbrS7925k:
"

<meta name="viewport" content"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

Do I need to update the DNS for authentication? Where can I find the documentation for this?

Is wordpress installed in /var/www/html?

Try putting a file there, eg /var/www/html/test.txt - can you then see that file at http://www.clarksclater.com/test.txt (skipping any certificate warnings) in a web browser?

If not, /var/www/html is not correct and you’ll need to find the correct webroot directory.

I appreciate your help. Are there any commands you can recommend for me to see the entire directory of files? I should have full access to anything I need to get to in order to find out the information required.

Hmm. You might try something like

apachectl -S

(note the capital S) to get an overview of your Apache configuration and where the configuration is for everything. Then look in the file containing the virtual host configuration for your domain, and see if you can find the DocumentRoot.
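
The lookup described above, as an added example that is not part of the original posts: given a host name and one or more virtual host files (the ones apachectl -S points to), it prints the DocumentRoot of each block that names that host. The sample config, host names, paths and function names are constructed; the script reads only the files passed to it and does not follow Include directives.

```shell
#!/bin/sh
# Added example. Host names and paths in the sample are constructed.

# Write a constructed two-vhost Apache config to the file named in $1.
write_sample_vhosts() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName default.example.test
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName example.test
    ServerAlias www.example.test
    DocumentRoot "/opt/example/apps/wordpress/htdocs"
</VirtualHost>
EOF
}

# usage: find_docroot HOSTNAME CONF_FILE...
# Print the DocumentRoot of each <VirtualHost> block whose ServerName or
# ServerAlias equals HOSTNAME (case-insensitive, optional :port ignored).
find_docroot() {
    host=$1; shift
    awk -v host="$host" '
        $1 ~ /^#/ { next }                                  # comment line
        tolower($1) ~ /^<virtualhost/ { invh = 1; hit = 0; root = ""; next }
        tolower($1) ~ /^<\/virtualhost/ {
            if (invh && hit && root != "") print root       # block matched
            invh = 0; next
        }
        invh && tolower($1) ~ /^server(name|alias)$/ {
            for (i = 2; i <= NF; i++) {
                n = tolower($i); sub(/:[0-9]+$/, "", n)
                if (n == tolower(host)) hit = 1
            }
        }
        invh && tolower($1) == "documentroot" {
            root = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", root)           # drop the directive
            gsub(/"/, "", root); sub(/[ \t\r]+$/, "", root)
        }
    ' "$@" | sort -u
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
write_sample_vhosts "$tmp/httpd-vhosts.conf"
find_docroot www.example.test "$tmp/httpd-vhosts.conf"
rm -rf "$tmp"
```

If the printed directory differs from the path Certbot reports using for the webroot, the challenge file is being written somewhere the site does not serve from.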

I deployed Bitnami Wordpress if that matters as you will see a list of some files below. As you can probably tell, I’m not really sure exactly what I’m looking for. Could any of these be it?

/opt/bitnami/apps/wordpress
/opt/bitnami/apps/wordpress/.bitnamimeta
/opt/bitnami/apps/wordpress/bnconfig
/opt/bitnami/apps/wordpress/conf
/opt/bitnami/apps/wordpress/htdocs
/opt/bitnami/apps/wordpress/licenses
/opt/bitnami/apps/wordpress/tmp
/opt/bitnami/apps/wordpress/updateip
/opt/bitnami/apps/wordpress/conf/banner.conf
/opt/bitnami/apps/wordpress/conf/certs
/opt/bitnami/apps/wordpress/conf/htaccess.conf
/opt/bitnami/apps/wordpress/conf/httpd-app.conf
/opt/bitnami/apps/wordpress/conf/httpd-prefix.conf
/opt/bitnami/apps/wordpress/conf/httpd-vhosts.conf
/opt/bitnami/apps/wordpress/conf/php-fpm
/opt/bitnami/apps/wordpress/conf/certs/server.crt
/opt/bitnami/apps/wordpress/conf/certs/server.key
/opt/bitnami/apps/wordpress/conf/php-fpm/php-settings.conf
/opt/bitnami/apps/wordpress/conf/php-fpm/pool.conf
/opt/bitnami/apps/wordpress/htdocs/.htaccess
/opt/bitnami/apps/wordpress/htdocs/index.php
/opt/bitnami/apps/wordpress/htdocs/license.txt
/opt/bitnami/apps/wordpress/htdocs/readme.html
/opt/bitnami/apps/wordpress/htdocs/wp-activate.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin
/opt/bitnami/apps/wordpress/htdocs/wp-blog-header.php
/opt/bitnami/apps/wordpress/htdocs/wp-comments-post.php
/opt/bitnami/apps/wordpress/htdocs/wp-config-sample.php
/opt/bitnami/apps/wordpress/htdocs/wp-config.php
/opt/bitnami/apps/wordpress/htdocs/wp-content
/opt/bitnami/apps/wordpress/htdocs/wp-cron.php
/opt/bitnami/apps/wordpress/htdocs/wp-includes
/opt/bitnami/apps/wordpress/htdocs/wp-links-opml.php
/opt/bitnami/apps/wordpress/htdocs/wp-load.php
/opt/bitnami/apps/wordpress/htdocs/wp-login.php
/opt/bitnami/apps/wordpress/htdocs/wp-mail.php
/opt/bitnami/apps/wordpress/htdocs/wp-settings.php
/opt/bitnami/apps/wordpress/htdocs/wp-signup.php
/opt/bitnami/apps/wordpress/htdocs/wp-trackback.php
/opt/bitnami/apps/wordpress/htdocs/xmlrpc.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/about.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/admin-ajax.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/admin-footer.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/admin-functions.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/admin-header.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/admin-post.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/admin.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/async-upload.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/comment.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/credits.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/css
/opt/bitnami/apps/wordpress/htdocs/wp-admin/custom-background.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/custom-header.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/customize.php
/opt/bitnami/apps/wordpress/htdocs/wp-admin/edit-comments.php

Bitnami. Of course it is.

Okay, try this:

certbot certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs -d www.clarksclater.com --deploy-hook "/opt/bitnami/ctlscript.sh restart apache"


Thank you so much! That worked. I really appreciate your help.


By the way, I know that you eventually got things working another way, but I wanted to point out that --preferred-challenges webroot is different from --preferred-challenges http (which @stevenzhu suggested to you). In Certbot terminology, HTTP-01 is a challenge type and webroot is a plugin (which implements the HTTP-01 challenge type). So, --preferred-challenges webroot doesn't identify a valid challenge type to Certbot.
