Renewal fails (auto + manual) though acme-challenge dir is reachable


#1

Hi,

I’ve seen many similar problems but not this exact one.

I run

letsencrypt renew

And get this (domain name has been changed):

...
Invalid response from http://mydomain.com/.well-known/acme-challenge/LJf7H3mThOewfe7ZPVHSuerctGN1lP5z5nhLVpJgjgM:
...

So I create a file in /var/www/html/.well-known/acme-challenge called LJf7H3mThOewfe7ZPVHSuerctGN1lP5z5nhLVpJgjgM and verify that I can access it:

# curl -i http://mydomain.com/.well-known/acme-challenge/LJf7H3mThOewfe7ZPVHSuerctGN1lP5z5nhLVpJgjgM
HTTP/1.1 200 OK
Date: Sat, 25 Feb 2017 01:20:39 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sat, 25 Feb 2017 01:20:09 GMT
ETag: "5-54950a5ab9baf"
Accept-Ranges: bytes
Content-Length: 5
Content-Type: text/plain

haha

That works both from my host and from my local computer, so it’s accessible over the internet.

Then I run letsencrypt renew again and get this:

...
Invalid response from http://mydomain.com/.well-known/acme-challenge/kJ0HkAahabrr-Ugv6TRom07LdxU5K4nkqlxyF48MFDw
...

Note that the filename that it’s looking for has changed (from LJf7H3mThOewfe7ZPVHSuerctGN1lP5z5nhLVpJgjgM to kJ0HkAahabrr-Ugv6TRom07LdxU5K4nkqlxyF48MFDw).

So it seems that it picks a new random filename each time. Which means that I can’t pre-arrange for that file to be there. How do I get around this?

I also tried to do the command manually:

letsencrypt certonly --renew --email me@mydomain.com -a manual -d mydomain.com -d www.mydomain.com  --dry-run --agree-tos

And got essentially the same error.

I could maybe do some apache redirect/forwarding trickery so that any url that starts with /.well-known/acme-challenge would match some valid text file, but that seems like a lot of trouble to go to. Any easier solutions?

I’m on ubuntu 16.04 with Apache/2.4.18 and letsencrypt 4.0.1.


#2

Answering my own question, it seems that letsencrypt had a different idea of where my web root was than where it actually is (/var/www/html).

When I specified the web root it worked:

letsencrypt renew --webroot-path /var/www/html/

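The fix in #2 comes down to one question: is the directory certbot writes the challenge file into the same directory Apache serves /.well-known/acme-challenge/ from? The script below is an added example (not from this thread and not certbot's code) that automates the check done by hand in #1, but with a fresh random token and a random body each time, against every candidate webroot: it drops the file, fetches it over HTTP, compares the body, and deletes the file again. Only a directory that passes is a valid --webroot-path. The base URL and candidate directories are assumptions; in the demo a local http.server stands in for Apache so it runs offline, and for a real host you would call find_webroots() with http://mydomain.com and the directories you suspect.

```python
"""Find which candidate directory the web server really serves
/.well-known/acme-challenge/ from, by writing a random token file into
each one and fetching it back over HTTP. Added example, not code from
the original thread or from certbot."""
import functools
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
# Disable proxy env vars so the probe goes straight to the host we name.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_webroot(webroot, base_url, timeout=5):
    """True if a file written under webroot/.well-known/acme-challenge is
    served back unchanged at base_url/.well-known/acme-challenge/<token>."""
    token = secrets.token_urlsafe(32)     # fresh name, like the token the CA picks
    expected = secrets.token_urlsafe(32)  # random body, so a stale or default page cannot pass
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    token_path = os.path.join(chal_dir, token)
    with open(token_path, "w") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.getcode() == 200 and resp.read().decode() == expected
    except (urllib.error.URLError, OSError):
        # 404 (HTTPError), connection refused, timeout: not the served directory
        return False
    finally:
        os.remove(token_path)  # never leave probe files in a web-served tree


def find_webroots(candidates, base_url):
    """Return the candidate directories that pass the probe."""
    return [d for d in candidates if probe_webroot(d, base_url)]


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def demo():
    """Stand-in for Apache: serve one temp dir on localhost, then probe it
    and an unrelated temp dir. Returns which of the two passed."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as wrong:
        handler = functools.partial(_QuietHandler, directory=served)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
            port = srv.server_address[1]
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                ok = find_webroots([wrong, served], f"http://127.0.0.1:{port}")
            finally:
                srv.shutdown()
        return {"served": served in ok, "wrong": wrong in ok}


if __name__ == "__main__":
    print(demo())  # {'served': True, 'wrong': False}
```

A candidate that fails here is exactly the situation in #1: the file exists on disk, but not under the path Apache maps the URL to. Note that probing the public hostname only tells you what your local network path sees; the CA validates from the internet, so a result that differs from certbot's is usually a DNS, firewall, or redirect difference rather than a webroot one.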
#3

Good to see you’ve got things figured out! But it’s kinda weird certbot (or its old name, letsencrypt) didn’t remember it correctly!

Did it somehow change, the webroot?


#4

No. The webroot has always been /var/www/html.

