Renew letsencrypt certificate error https


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: datastore.ro
I ran this command: sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/www.datastore.ro-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.datastore.ro
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.datastore.ro-0001) from /etc/letsencrypt/-----/www.datastore.ro-0001.conf produced an unexpected error: Failed authorization procedure. www.datastore.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ /www.datastore.ro/.well-known/acme-challenge/-lU1wsuFnQEa1QKa3Gbx71HY4HS8tPFEKrvaCZpNZ8k: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.datastore.ro-0001/fullchain.pem (failure)

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): YES
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Cerbot 0.28.0

The thing is that I made my website to automatically redirect to https. So if I create a simple file (1234) in https://www.datastore.ro/.well-known/acme-challenge I can see the file. If I create the file in the http://www.datastore.ro/.well-known/acme-challenge I cannot access the created file(1234).
For some reasons the renewal seems to use http rather than https.
How can I renew the certificates by keeping my website within the https ?

Thank you.


#2

Hi @letsencryptdeb

your dns settings are bad ( https://check-your-website.server-daten.de/?q=datastore.ro ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
datastore.ro Refused yes 1 0
www.datastore.ro Refused yes 1 0
datastore.ro A 108.61.245.78 no
www.datastore.ro A 108.61.245.78 no

Your authoritative Nameservers send a Refused, so your domain may be blocked.

An ip is only available via cached values, not direct.

And your DNSSEC settings are inconsistent:

0 DS RR in the parent zone found
	DS-Query in the parent zone has a valide NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.

versus

Fatal error: DNSKEY 8541 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Fatal error: DNSKEY 26537 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

Your parent zone says, there is no DNSSEC. Your zone has a DNSKEY.

But “Refused” means: Your domain can’t work.


#3

Hi. I just restarted the server.
I’m still not able to renew.

Http as Destination - no encryption

last check:
28.01.2019 00:46:58 Host T IP-Address is auth. ∑ Queries ∑ Timeout



datastore.ro A 108.61.245.78 yes 1 0
AAAA yes
www.datastore.ro A 108.61.245.78 yes 1 0
AAAA yes


#4

It doesn’t automatically redirect to HTTPS.

http://www.datastore.ro/ is some sort of blank HTML page.
http://www.datastore.ro/.well-known/acme-challenge/ is a 404 Not Found error.

If it did redirect to HTTPS – preserving the path – that would work.


#5

In addition:
Redirections done in html/java/etc. code will fail.
[they rely on the client interacting with that code - LE will NOT]
Redirections should be done by the web server/service.


#6

I’m using htaccess file for redirecting traffic and ports.


#7

Can you show the file?

Also I don’t get redirected.
[perhaps file is in wrong folder]


#9

And yet no redirection seen:

 wget http://www.datastore.ro/
--2019-01-28 01:54:06--  http://www.datastore.ro/
Resolving www.datastore.ro (www.datastore.ro)... 108.61.245.78
Connecting to www.datastore.ro (www.datastore.ro)|108.61.245.78|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1485 (1.5K) [text/html]

#10

You are right.I think I have a problem with redirecting.


#11

Ah, yep, I see, you have rechecked your domain, the refused is gone.

And you have a valide certificate:

CN=datastore.ro
	27.01.2019
	27.04.2019
	datastore.ro, nsds1.datastore.ro, www.datastore.ro - 3 entries

but (time of your check) only one redirect.

Uhm - looks that the nameservers are very buggy, they send again a refused. Now they have again EDNS-warnings: Two are good, two are bad.

Ok, again rechecked - now there is no refused, it’s really a problem of buggy nameservers.


#12

OK. I also have two more, I think old certificates. It is with them that I get the errors. Should I delete them.
one is in /etc/—/---/www.datastore.ro-002.conf and the other one /etc/—/---/www.datastore.ro-001.conf.
Thank you.


#13

It’s a problem of your nameservers from your hoster.

It’s not a problem of your old certificates. They may be expired.