Renewal problems after upgrading certbot

I started with letsencrypt before there was an ubuntu package of certbot (i.e. previously using letsencrypt_auto). I've recently upgraded to use certbot (version 0.23.0 on ubuntu 18.04), but now renew is failing. I'm using the Apache plugin.

$ certbot renew --dry-run

Attempting to renew cert (MYDOMAIN.org) from /etc/letsencrypt/renewal/MYDOMAIN.org.conf produced an unexpected error: Failed authorization procedure. MYDOMAIN.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://MYDOMAIN.org/.well-known/acme-challenge/j-o_KAnVLIk5_WKVksXsFrIJ5tfErPudurIplF2rwvk [206.189.123.47]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

From poking around it looks as though the Apache config is being updated to serve .well-known/acme-challenge/... from /var/lib/letsencrypt/http_challenges, which is fine except it seems my redirect to https is happening first, so the result is a 404.

<VirtualHost *:80>
    ServerName www.MYDOMAIN.org
    CustomLog /var/log/apache2/access.MYDOMAIN.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.MYDOMAIN.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

This worked previously, and the failure seems basic so I'm not sure what's wrong. Anyone help me work out what's up?

Hi @joewalker

please answer the following questions (template in Help):

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


My domain is: alsdiary.org

I ran this command: certbot renew --dry-run

It produced this output: Attempting to renew cert (alsdiary.org) from /etc/letsencrypt/renewal/alsdiary.org.conf produced an unexpected error: Failed authorization procedure. alsdiary.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://alsdiary.org/.well-known/acme-challenge/j-o_KAnVLIk5_WKVksXsFrIJ5tfErPudurIplF2rwvk [206.189.123.47]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23.0

Should be updated to 0.28.0 (if possible).

TLS-SNI-01 (HTTPS) authentication will soon be completely shut off.

That said, it should have renewed today...

Please show file:
/etc/letsencrypt/renewal/alsdiary.org.conf

And the vhost config for port 443 covering site alsdiary.org

Actually this is a bit confusing:

The "brown out" period of (I think) 1 week has started recently. See March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support - #4 by jsha


Checking your domain there is one curious thing ( https://check-your-website.server-daten.de/?q=alsdiary.org ):

Your http + non-www redirects to https, that's ok. But your www-version doesn't redirect.

Your certbot is old, perhaps certbot doesn't understand your configuration -> update or use certbot-auto.

The vHosts of http + www and https + non-www: Do they have the same DocumentRoot?

If yes, use something like

certbot certonly -a webroot -w yourDocumentRoot -d alsdiary.org -d www.alsdiary.org --dry-run

PS: That may be part of the problem.

Add your non-www as Alias:

ServerName www.alsdiary.org
ServerAlias alsdiary.org

Then both have the same vHost - only one vHost port 80.

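Putting the ServerAlias advice together with the redirect problem from the first post: a single port-80 vHost for both names that also keeps http-01 challenge requests on plain HTTP. This is an added example, not config from the thread or from certbot; MYDOMAIN.org and the DocumentRoot path are placeholders.

```apache
# Added example: one port-80 vHost answers for www and non-www, so the
# temporary alias certbot's apache plugin adds for /.well-known/acme-challenge/
# (or the webroot files under DocumentRoot) applies to both names.
<VirtualHost *:80>
    ServerName www.MYDOMAIN.org
    ServerAlias MYDOMAIN.org
    DocumentRoot /var/www/MYDOMAIN    # placeholder path
    CustomLog /var/log/apache2/access.MYDOMAIN.log combined

    RewriteEngine on
    # Do not redirect challenge requests: the validator must receive the
    # token over HTTP rather than being bounced to a port-443 vHost that
    # does not carry the challenge config (the 404 seen above).
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Redirect everything else to HTTPS. No per-hostname RewriteCond is
    # needed any more, because both names now land in this vHost.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Run apachectl configtest and reload, then certbot renew --dry-run should fetch the token directly over HTTP instead of following the redirect.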

This sounds like it’s the root of the problem. I’ll check this out (and upgrade certbot too).
Thanks for the help - I’ll report back


So the apache update is still broken, but I think I have a workaround.

certbot --version is now 0.28.0. The redirects are fixed (I broke them while trying to diagnose what was up). https://check-your-website.server-daten.de/?q=alsdiary.org is now green.

However (formatted for clarity):

$ certbot renew --dry-run

Attempting to renew cert (alsdiary.org) from
    /etc/letsencrypt/renewal/alsdiary.org.conf produced an unexpected error:
    Failed authorization procedure. alsdiary.org (http-01):
        urn:ietf:params:acme:error:unauthorized ::
            The client lacks sufficient authorization ::
                Invalid response from https://alsdiary.org/.well-known/acme-challenge/0rxu5DvuGvYP059tzj2-T9-JYtvM3lvOv9tFvejMv0k [206.189.123.47]:
                "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p".
Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/alsdiary.org/fullchain.pem (failure)

It still looks as though the Apache config is being updated to serve .well-known/acme-challenge/… from /var/lib/letsencrypt/http_challenges, which is fine except it seems my redirect to https is happening first, so the result is a 404 (because the https site doesn’t have the same config update).

Now it seems that certbot certonly -a webroot -w /web/root -d alsdiary.org -d www.alsdiary.org --dry-run works OK, so perhaps I have a workaround.

Yes, it's green, Grade A is very good. But there you see the problem:

You have two connections - this is normal, one ip address, one non-www, one www.

But two certificates are listed:

CN=alsdiary.org    05.01.2019 - 05.04.2019    expires in 48 days    alsdiary.org - 1 entry
CN=alsdiary.org    16.02.2019 - 17.05.2019    expires in 90 days    alsdiary.org, www.alsdiary.org - 2 entries

So you must have two different VirtualHosts with different certificates.

So add alsdiary.org as ServerAlias to your www.alsdiary.org - vHost and remove the standalone alsdiary.org vHost.

Thanks for your help:

I fixed that problem - There is only one certificate now:

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: alsdiary.org
    Domains: alsdiary.org www.alsdiary.org
    Expiry Date: 2019-05-17 14:38:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/alsdiary.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alsdiary.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

However this doesn’t fix the problem: The error message from certbot renew --dry-run is unchanged.

Yep, now your two connections use the same certificate with two domain names:

CN=alsdiary.org    16.02.2019 - 17.05.2019    expires in 90 days    alsdiary.org, www.alsdiary.org - 2 entries

You have a brand-new certificate, so you can ignore the error.

And in two months, instead of

use

certbot run -a webroot -w /web/root -d alsdiary.org -d www.alsdiary.org -i apache

one time, then your config file should be new. Perhaps now your config file has the old values. More than one vHost with the same name is sometimes a problem.


OK - I think this will work - Thanks for your help. I’ve been tearing my hair out about this, and you’ve been super helpful.
