Renew of multi domain certificate fails

Hi,
I have a postfix installation on Apache/2.4.38 (Debian Buster) with certbot 0.31.0
that requires a certificate with multiple domains (webmailer, smtp, imap). The installation had worked at the time; only the renewal fails after 90 days.

certbot renew --pre-hook "systemctl stop apache2" --post-hook "/usr/local/bin/renew_certbot" >> /var/log/letsencrypt/letsencrypt.log

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.germany.com
http-01 challenge for smtp.germany.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mx.germany.com) from /etc/letsencrypt/renewal/mx.germany.com.conf produced an unexpected error: Failed authorization procedure. mail.germany.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.germany.com/.well-known/acme-challenge/6-e0ILIlWa2TrPRASFjAG7ksfWdnquS9gY23NI8WtC0 [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", smtp.germany.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://smtp.germany.com/.well-known/acme-challenge/5tN99X2nmbxFWzhLFufwVSi3Pdde9iKg5P5y-0cVXN8 [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/mx.germany.com/fullchain.pem (failure)
Running post-hook command: /usr/local/bin/renew_certbot
1 renew failure(s), 0 parse failure(s)

The mail server is called mx.germany.com and mail.germany.com etc. are CNAME on mx.germany.com.

certbot certonly --apache --agree-tos --email certbot@germany.com -d mx.germany.com -d mail.germany.com -d smtp.germany.com -d imap.germany.com

had worked well at the time.
What also works:

certbot --dry-run certonly --apache --agree-tos --email certbot@germany.com -d mx.germany.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate

IMPORTANT NOTES:
- The dry run was successful.

But that does not work anymore

certbot --dry-run certonly --apache --agree-tos --email certbot@germany.com -d smtp.germany.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for smtp.germany.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. smtp.germany.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://smtp.germany.com/.well-known/acme-challenge/1EYgvcUHFDxLQiQ2FJUSoTt2g2gClKGZiLP6LJ3qtdQ [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: smtp.germany.com
  Type:   unauthorized
  Detail: Invalid response from
  http://smtp.germany.com/.well-known/acme-challenge/1EYgvcUHFDxLQiQ2FJUSoTt2g2gClKGZiLP6LJ3qtdQ
  [192.109.24.70]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
  2.0//EN\">\n<html><head>\n<title>404 Not
  Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

How do I make the Postfix server permanently work with a certificate for multiple domains?

Thanks for your support

Kaheto


OK, "mx" works.
But there is a problem accessing the challenge files for "mail":

You should review the "mail" vhost config and ensure requests to /.well-known/acme-challenge/ are handled properly.
[you may look at how you did that with the "mx" vhost config for an easy copy/paste fix]

This was a problem passing to https, so http was unreachable for this directory.

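A port-80 vhost that serves /.well-known/acme-challenge/ for every name in the certificate while still redirecting everything else to HTTPS, added here as an example; it is not from the thread above or from certbot's own configuration. The webroot /var/www/acme and the vhost layout are assumptions.

```apache
# Assumed layout: one HTTP vhost answers for all names in the certificate
# that are not the bare mx name. /var/www/acme is a hypothetical directory
# used only for ACME challenge files.
<VirtualHost *:80>
    ServerName  mail.germany.com
    ServerAlias smtp.germany.com imap.germany.com

    # Serve the challenge directory from a plain directory that the
    # Let's Encrypt validation server can fetch over plain HTTP.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory "/var/www/acme/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything else to HTTPS. The RewriteCond exempts the
    # challenge path; without it the validation request is bounced to
    # https:// or lands in another vhost and is answered with the 404
    # seen in the certbot output.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Check before renewing: after "touch /var/www/acme/.well-known/acme-challenge/probe",
# every name should answer 200 (not 301 or 404) for
# http://<name>/.well-known/acme-challenge/probe
```

The same exemption is required whether the challenge files are placed by certbot's apache authenticator or by `certbot certonly --webroot -w /var/www/acme` with all four `-d` names.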
