Hi,
I have a Postfix installation on Apache/2.4.38 (Debian Buster) with certbot 0.31.0
that requires a certificate with multiple domains (webmailer, smtp, imap). The installation worked at the time; only the renewal after 90 days fails.
```
certbot renew --pre-hook "systemctl stop apache2" --post-hook "/usr/local/bin/renew_certbot" >> /var/log/letsencrypt/letsencrypt.log
```
Output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.germany.com
http-01 challenge for smtp.germany.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mx.germany.com) from /etc/letsencrypt/renewal/mx.germany.com.conf produced an unexpected error: Failed authorization procedure. mail.germany.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.germany.com/.well-known/acme-challenge/6-e0ILIlWa2TrPRASFjAG7ksfWdnquS9gY23NI8WtC0 [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", smtp.germany.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://smtp.germany.com/.well-known/acme-challenge/5tN99X2nmbxFWzhLFufwVSi3Pdde9iKg5P5y-0cVXN8 [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mx.germany.com/fullchain.pem (failure)
Running post-hook command: /usr/local/bin/renew_certbot
1 renew failure(s), 0 parse failure(s)
```
The mail server is called mx.germany.com, and mail.germany.com etc. are CNAMEs pointing to mx.germany.com.
```
certbot certonly --apache --agree-tos --email certbot@germany.com -d mx.germany.com -d mail.germany.com -d smtp.germany.comn -d imap.germany.com
```
had worked well at the time.
What also works is:
```
certbot --dry-run certonly --apache --agree-tos --email certbot@germany.com -d mx.germany.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
IMPORTANT NOTES:
 - The dry run was successful.
```
But this no longer works:
```
certbot --dry-run certonly --apache --agree-tos --email certbot@germany.com -d smtp.germany.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for smtp.germany.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. smtp.germany.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://smtp.germany.com/.well-known/acme-challenge/1EYgvcUHFDxLQiQ2FJUSoTt2g2gClKGZiLP6LJ3qtdQ [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: smtp.germany.com
   Type: unauthorized
   Detail: Invalid response from
   http://smtp.germany.com/.well-known/acme-challenge/1EYgvcUHFDxLQiQ2FJUSoTt2g2gClKGZiLP6LJ3qtdQ
   [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
```
How do I make sure that the Postfix server permanently works with a certificate for multiple domains?
Thanks for your support
Kaheto