Renewal problems after upgrading certbot

I started with letsencrypt before there was an ubuntu package of certbot (i.e. previously using letsencrypt_auto). I’ve recently upgraded to use certbot (version 0.23.0 on ubuntu 18.04), but now renew is failing. I’m using the Apache plugin.

$ certbot renew --dry-run

Attempting to renew cert (MYDOMAIN.org) from /etc/letsencrypt/renewal/MYDOMAIN.org.conf produced an unexpected error: Failed authorization procedure. MYDOMAIN.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://MYDOMAIN.org/.well-known/acme-challenge/j-o_KAnVLIk5_WKVksXsFrIJ5tfErPudurIplF2rwvk [206.189.123.47]: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.

From poking around it looks as though the Apache config is being updated to serve .well-known/acme-challenge/… from /var/lib/letsencrypt/http_challenges, which is fine except it seems my redirect to https is happening first, so the result is a 404.

<VirtualHost *:80>
    ServerName www.MYDOMAIN.org
    CustomLog /var/log/apache2/access.MYDOMAIN.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.MYDOMAIN.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

This worked previously, and the failure seems basic so I’m not sure what’s wrong. Anyone help me work out what’s up?

Hi @joewalker

please answer the following questions (template in #help ):

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

My domain is: alsdiary.org

I ran this command: certbot renew --dry-run

It produced this output: Attempting to renew cert (alsdiary.org) from /etc/letsencrypt/renewal/alsdiary.org.conf produced an unexpected error: Failed authorization procedure. alsdiary.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://alsdiary.org/.well-known/acme-challenge/j-o_KAnVLIk5_WKVksXsFrIJ5tfErPudurIplF2rwvk [206.189.123.47]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23.0

Should be updated to 0.28.0 (if possible).

TLS-SNI-01 (HTTPS) authentication will soon be completely shutoff.

That said, it should have renewed today…

Please show file:
/etc/letsencrypt/renewal/alsdiary.org.conf

And the vhost config for port 443 covering site alsdiary.org

Actually this is a bit confusing:

The “brown out” period of (I think) 1 week has started recently. See March 13, 2019: End-of-Life for All TLS-SNI-01 Validation Support

1 Like

Checking your domain there is one curious thing ( https://check-your-website.server-daten.de/?q=alsdiary.org ):

Your http + non-www redirects to https, that’s ok. But your www-version doesn’t redirect.

Your certbot is old, perhaps certbot doesn’t understand your configuration -> update or use certbot-auto.

The vHosts of http + www and https + non-www: Do they have the same DocumentRoot?

If yes, use something like

certbot certonly -a webroot -w yourDocumentRoot -d alsdiary.org -d www.alsdiary.org --dry-run
1 Like

PS: That may be part of the problem.

Add your non-www as Alias:

ServerName www.alsdiary.org
ServerAlias alsdiary.org

Then both have the same vHost - only one vHost port 80.

1 Like

This sounds like it’s the root of the problem. I’ll check this out (and upgrade certbot too).
Thanks for the help - I’ll report back

2 Likes

So the apache update is still broken, but I think I have a workaround.

certbot --version is now 0.28.0. The redirects are fixed (I broken them while trying to diagnose what was up). https://check-your-website.server-daten.de/?q=alsdiary.org is now green.

However (formatted for clarity):

$ certbot renew --dry-run

Attempting to renew cert (alsdiary.org) from
    /etc/letsencrypt/renewal/alsdiary.org.conf produced an unexpected error:
    Failed authorization procedure. alsdiary.org (http-01):
        urn:ietf:params:acme:error:unauthorized ::
            The client lacks sufficient authorization ::
                Invalid response from https://alsdiary.org/.well-known/acme-challenge/0rxu5DvuGvYP059tzj2-T9-JYtvM3lvOv9tFvejMv0k [206.189.123.47]:
                "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p".
Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/alsdiary.org/fullchain.pem (failure)

It still looks as though the Apache config is being updated to serve .well-known/acme-challenge/… from /var/lib/letsencrypt/http_challenges, which is fine except it seems my redirect to https is happening first, so the result is a 404 (because the https site doesn’t have the same config update)

Now it seems that certbot certonly -a webroot -w /web/root -d alsdiary.org -d www.alsdiary.org --dry-run works OK, so perhaps I have a workaround.

Yes, it’s green, Grade A is very good. But there you see the problem:

You have two connections - this if normal, one ip address, one non-www, one www.

But two certificates are listed:

CN=alsdiary.org
	05.01.2019
	05.04.2019
expires in 48 days	alsdiary.org - 1 entry
CN=alsdiary.org
	16.02.2019
	17.05.2019
expires in 90 days	alsdiary.org, www.alsdiary.org - 2 entries

So you must have two different VirtualHosts with different certificates.

So add alsdiary.org as ServerAlias to your www.alsdiary.org - vHost and remove the standalone alsdiary.org vHost.

Thanks for your help:

I fixed that problem - There is only one certificate now:

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: alsdiary.org
    Domains: alsdiary.org www.alsdiary.org
    Expiry Date: 2019-05-17 14:38:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/alsdiary.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alsdiary.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

However this doesn’t fix the problem: The error message from certbot renew --dry-run is unchanged.

Yep, now your two connections use the same certificate with two domain names:

CN=alsdiary.org
	16.02.2019
	17.05.2019
expires in 90 days	alsdiary.org, www.alsdiary.org - 2 entries

You have a brand-new certificate, so you can ignore the error.

And in two months, instead of

use

certbot run -a webroot -w /web/root -d alsdiary.org -d www.alsdiary.org -i apache

one time, then your config file should be new. Perhaps now your config file has the old values. More then one vHost with the same name is sometimes a problem.

1 Like

OK - I think this will work - Thanks for your help. I’ve been tearing my hair out about this, and you’ve been super helpful.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.