Renewal Apache2 Error


#1

Hey, I tried to update my ACME client and renew my domain, but I get an error.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: spotqoe.com

I ran this command: ./certbot-auto renew --dry-run

It produced this output:
The following certs could not be renewed:
/etc/letsencrypt/live/spotqoe.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: systemctl start apache2
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 15.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


#2

What was the rest of Certbot’s output?

Can you paste the contents of /etc/letsencrypt/renewal/spotqoe.com.conf?


#3

2019-02-12 17:00:08,810:DEBUG:certbot.error_handler:Calling registered functions
2019-02-12 17:00:08,810:INFO:certbot.auth_handler:Cleaning up challenges
2019-02-12 17:00:09,252:WARNING:certbot.renewal:Attempting to renew cert (spotqoe.com) from /etc/letsencrypt/renewal/spotqoe.com.conf produced an unexpected error: Failed authorization procedure. spotqoe.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://spotqoe.com/.well-known/acme-challenge/DIyRgtVRcx5AgEWC8lCYpxnznS8iQmlxwQiBokIAQgU: “\n\n\n <meta charset=“utf-8”>\n <meta http-equiv=“X-UA-Compatible” content=“IE=edge”>\n Sp”, www.spotqoe.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.spotqoe.com/.well-known/acme-challenge/MDvqkFwel31Sv-k6GPAePLC2A3i4vYXLOLcJIlif6JY: “\n\n\n <meta charset=“utf-8”>\n <meta http-equiv=“X-UA-Compatible” content=“IE=edge”>\n Sp”. Skipping.
2019-02-12 17:00:09,254:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. spotqoe.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://spotqoe.com/.well-known/acme-challenge/DIyRgtVRcx5AgEWC8lCYpxnznS8iQmlxwQiBokIAQgU: “\n\n\n <meta charset=“utf-8”>\n <meta http-equiv=“X-UA-Compatible” content=“IE=edge”>\n Sp”, www.spotqoe.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.spotqoe.com/.well-known/acme-challenge/MDvqkFwel31Sv-k6GPAePLC2A3i4vYXLOLcJIlif6JY: “\n\n\n <meta charset=“utf-8”>\n <meta http-equiv=“X-UA-Compatible” content=“IE=edge”>\n Sp”

2019-02-12 17:00:09,254:ERROR:certbot.renewal:The following certs could not be renewed:
2019-02-12 17:00:09,254:ERROR:certbot.renewal: /etc/letsencrypt/live/spotqoe.com/fullchain.pem (failure)
2019-02-12 17:00:09,257:INFO:certbot.hooks:Running post-hook command: systemctl start apache2
2019-02-12 17:00:09,298:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1365, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 1272, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py”, line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)


#4

#renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/spotqoe.com
cert = /etc/letsencrypt/live/spotqoe.com/cert.pem
privkey = /etc/letsencrypt/live/spotqoe.com/privkey.pem
chain = /etc/letsencrypt/live/spotqoe.com/chain.pem
fullchain = /etc/letsencrypt/live/spotqoe.com/fullchain.pem

##Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 7556af9027410904910fd032f771437012


#5

Perhaps, since http redirects to https, the webroots aren’t equal and certbot gets confused and is putting the challenge response in the http webroot.

Adding more detail to the command may show exactly where the challenge response is being placed.
Try:
./certbot-auto renew --dry-run -vvv

Or you could force it to the right one with the --webroot option.
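
Added example, not part of any post in this thread and not Certbot's own code: a Python parser for the `FailedChallenges` message pasted in post #3. It splits the message per domain and flags the case where the validation request was answered with an HTML page instead of the challenge response. The sample message, its domain names and tokens are constructed, and the verdict labels are names chosen for this example.

```python
import re

# One failed authorization inside certbot's FailedChallenges message:
#   <domain> (<challenge>): <ACME error URN> :: <summary> :: <detail>
FAILURE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:\w+) :: (?P<summary>.*?) :: "
    r"(?P<detail>.*?)(?=, [A-Za-z0-9.-]+ \([a-z0-9-]+\): urn:|$)",
    re.S,
)
RESPONSE = re.compile(r"Invalid response from (?P<url>\S+): (?P<body>.*)", re.S)
HTML_HINT = re.compile(r"<\s*(!doctype|html|head|meta|body|title)\b", re.I)
CHALLENGE_DIR = "/.well-known/acme-challenge/"

# Constructed sample in the shape of the message in post #3 (not real log data).
SAMPLE = (
    "Failed authorization procedure. example.com (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from "
    "http://example.com/.well-known/acme-challenge/CONSTRUCTED-TOKEN-1: "
    '"<!DOCTYPE html><html><head><meta charset=utf-8>", '
    "www.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "http://www.example.com/.well-known/acme-challenge/CONSTRUCTED-TOKEN-2: "
    '"<!DOCTYPE html><html><head><meta charset=utf-8>"'
)

def diagnose(message):
    """Return one finding per failed domain in a FailedChallenges message."""
    findings = []
    for m in FAILURE.finditer(message):
        got = RESPONSE.search(m.group("detail"))
        url = got.group("url") if got else None
        body = got.group("body") if got else ""
        if HTML_HINT.search(body):
            # http-01 expects the key authorization as the body, so an HTML
            # page means the site answered the request, not the challenge file.
            verdict = "html-page-served"
        elif got:
            verdict = "unexpected-body"
        else:
            verdict = "no-response-body"
        token = url.split(CHALLENGE_DIR, 1)[1] if url and CHALLENGE_DIR in url else None
        findings.append({"domain": m.group("domain"), "challenge": m.group("challenge"),
                         "error": m.group("error").rsplit(":", 1)[1],
                         "url": url, "token": token, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A verdict of `html-page-served` for every name, as in the log above, points at the web server configuration (a rewrite, redirect or catch-all handler answering for the challenge path) rather than at the ACME account or DNS.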