Renew letsencrypt certificate error https

letsencryptdeb · January 27, 2019, 10:56pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: datastore.ro
I ran this command: sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/www.datastore.ro-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.datastore.ro
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.datastore.ro-0001) from /etc/letsencrypt/-----/www.datastore.ro-0001.conf produced an unexpected error: Failed authorization procedure. www.datastore.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ /www.datastore.ro/.well-known/acme-challenge/-lU1wsuFnQEa1QKa3Gbx71HY4HS8tPFEKrvaCZpNZ8k: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.datastore.ro-0001/fullchain.pem (failure)

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): YES
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Cerbot 0.28.0

The thing is that I made my website to automatically redirect to https. So if I create a simple file (1234) in https://www.datastore.ro/.well-known/acme-challenge I can see the file. If I create the file in the http://www.datastore.ro/.well-known/acme-challenge I cannot access the created file(1234).
For some reasons the renewal seems to use http rather than https.
How can I renew the certificates by keeping my website within the https ?

Thank you.

JuergenAuer · January 27, 2019, 11:22pm

Hi @letsencryptdeb

your dns settings are bad ( https://check-your-website.server-daten.de/?q=datastore.ro ):

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
datastore.ro		Refused	yes	1	0
www.datastore.ro		Refused	yes	1	0
datastore.ro	A	108.61.245.78	no
www.datastore.ro	A	108.61.245.78	no

Your authoritative Nameservers send a Refused, so your domain may be blocked.

An ip is only available via cached values, not direct.

And your DNSSEC settings are inconsistent:

0 DS RR in the parent zone found
	DS-Query in the parent zone has a valide NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.

versus

Fatal error: DNSKEY 8541 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Fatal error: DNSKEY 26537 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

Your parent zone says, there is no DNSSEC. Your zone has a DNSKEY.

But "Refused" means: Your domain can't work.

letsencryptdeb · January 27, 2019, 11:51pm

Hi. I just restarted the server.
I’m still not able to renew.

Http as Destination - no encryption

last check:
28.01.2019 00:46:58 Host T IP-Address is auth. ∑ Queries ∑ Timeout

datastore.ro A 108.61.245.78 yes 1 0
AAAA yes
www.datastore.ro A 108.61.245.78 yes 1 0
AAAA yes

mnordhoff · January 27, 2019, 11:53pm

It doesn't automatically redirect to HTTPS.

http://www.datastore.ro/ is some sort of blank HTML page.
Index of /.well-known/acme-challenge is a 404 Not Found error.

If it did redirect to HTTPS -- preserving the path -- that would work.

rg305 · January 28, 2019, 1:01am

In addition:
Redirections done in html/java/etc. code will fail.
[they rely on the client interacting with that code - LE will NOT]
Redirections should be done by the web server/service.

letsencryptdeb · January 28, 2019, 1:14am

I’m using htaccess file for redirecting traffic and ports.

rg305 · January 28, 2019, 1:27am

Can you show the file?

Also I don’t get redirected.
[perhaps file is in wrong folder]

rg305 · January 28, 2019, 1:55am

And yet no redirection seen:

 wget http://www.datastore.ro/
--2019-01-28 01:54:06--  http://www.datastore.ro/
Resolving www.datastore.ro (www.datastore.ro)... 108.61.245.78
Connecting to www.datastore.ro (www.datastore.ro)|108.61.245.78|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1485 (1.5K) [text/html]

letsencryptdeb · January 28, 2019, 1:59am

You are right.I think I have a problem with redirecting.

JuergenAuer · January 28, 2019, 8:28am

Ah, yep, I see, you have rechecked your domain, the refused is gone.

And you have a valide certificate:

CN=datastore.ro
	27.01.2019
	27.04.2019
	datastore.ro, nsds1.datastore.ro, www.datastore.ro - 3 entries

but (time of your check) only one redirect.

Uhm - looks that the nameservers are very buggy, they send again a refused. Now they have again EDNS-warnings: Two are good, two are bad.

Ok, again rechecked - now there is no refused, it's really a problem of buggy nameservers.

letsencryptdeb · January 28, 2019, 5:51pm

OK. I also have two more, I think old certificates. It is with them that I get the errors. Should I delete them.
one is in /etc/—/---/www.datastore.ro-002.conf and the other one /etc/—/---/www.datastore.ro-001.conf.
Thank you.

JuergenAuer · January 28, 2019, 5:53pm

It's a problem of your nameservers from your hoster.

It's not a problem of your old certificates. They may be expired.

system · February 27, 2019, 5:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.