Renewal suddenly stopped working (http-01)


#1

Hello!

I have been a happy user of letsencrypt/certbot-auto for quite a while now, but suddenly my auto-renewals fail. I tried a lot already but didn’t get it up and running again.

My domain is: markus-keppeler.no-ip.biz

I ran this command: certbot-auto renew --rsa-key-size 4096 --hsts -vv

It produced this output:

Damn, now I ran into the “too many renewal attempts limitations”, and I don’t have exact old output logs at hand (you see I’m desperately trying to get around this). The problems are very similar to those here:

I’ll update once I’m allowed to renew again…

Relevant part of my apache2.conf:

< Directory /> // “extra whitespace as it otherwise would not show up in this post!?”
Options None
AllowOverride None
Require all denied
SSLRequireSSL
< /Directory>

< Directory /var/lib/letsencrypt>
Require all granted
Order allow,deny
allow from all
< /Directory>

< Directory /var/www/.well-known>
Require all granted
Order allow,deny
allow from all
< /Directory>

000-default.conf:

<VirtualHost *:80>
ServerName markuskeppeler.no-ip.biz
Redirect permanent / https://markuskeppeler.no-ip.biz/
RewriteEngine on
RewriteCond %{SERVER_NAME} =markuskeppeler.no-ip.biz
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
< /VirtualHost>

Any help is appreciated! I tried creating .well-known with permission 777 upfront, didn’t help either.

thanks in advance,
Markus


#2

Hi @markus1

I can’t find an ip address:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| markus-keppeler.no-ip.biz | A | | yes | 11 | 0 |
| www.markus-keppeler.no-ip.biz | A | | yes | 11 | 0 |

If the authoritative query doesn’t find an address, the tool tries to find a non-authoritative ip address. But this is empty. Then I thought this is an error in my tool, so I checked manually.

D:\temp>nslookup markus-keppler.no-ip.biz.

Name: markus-keppler.no-ip.biz

Same result. No ip address is visible. To get a http status 404, an ip address is required.


#3

Oh my, I‘m sorry. It is markuskeppeler.no-ip.biz (this exists and does have an ip).


#4

Two things: Your website



Checking the /.well-known/acme-challenge/not-existing-file, there is a redirect to https (this isn’t a problem), but then there is a 403, Forbidden. A 404 - not exist - is expected.

Your configuration has raw xml errors:

< Directory /> // “extra whitespace as it otherwise would not show up in this post!?”

You open the element, then you close it - ending />.

<Directory>

is correct. So you have an empty directory and a wrong isolated < /Directory>.

Perhaps only a copy-paste problem: < Directory: Between < and Directory - no white space is allowed. Same with < /Directory>.


#5

@markus1, if you want to paste items on this forum that contain < and > characters, the easiest way is to enclose them in triple-backticks (```). Then the enclosed text will be formatted as code and not parsed as forum markup.

<an example>

This might help @JuergenAuer to better determine whether there’s a problem with your original configuration file, because you could post it in an unchanged form.


#6

The Apache configuration file isn’t XML. The items between <> are “sections” and a section can have a variable, such as the *nix “root”, which would be /. So <Directory /> would mean a section called “directory” with / as its “main” variable.


#7

Thank you all for your help!

I have now (temporarily) updated my apache2.conf not to block anything (commented out the Directory-things). Now I get a 404 error when trying to access a not-existing file in .well-known/acme-challenge, so it should work now? But it does not, I still get the same error.

This is the outcome of /root/bin/certbot/certbot-auto renew --rsa-key-size 4096 --hsts -vv

Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/markuskeppeler.no-ip.biz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot.cli._Default object at 0x766eab90> and installer <certbot.cli._Default object at 0x766eab90>
Var rsa_key_size=4096 (set by user).
Should renew, less than 30 days before certificate expiry 2019-01-21 09:09:31 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator apache and installer apache
Apache version is 2.4.25
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x75b38fd0>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x75b38fd0>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x75b38fd0> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x75b38fd0>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', only_return_existing=None, contact=(u'mailto:homepage7@markus-keppeler.de',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x766ef450>)>), external_account_binding=None), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/4611141', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 819dc099059676abf08efeaa0999f51a, Meta(creation_host=u'raspberrypi', creation_dt=datetime.datetime(2016, 9, 25, 17, 12, 44, tzinfo=<UTC>)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 02 Jan 2019 15:19:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Jan 2019 15:19:27 GMT
Connection: keep-alive

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "mndLvvQUpnA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Generating key (4096 bits): /etc/letsencrypt/keys/0056_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0056_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 204 0
Received response:
HTTP 204
Server: nginx
Replay-Nonce: lmmJC1J2qI_hYyF7o4FNAWXQ-QYrnxE0j0UGs1HyPsU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 02 Jan 2019 15:19:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Jan 2019 15:19:34 GMT
Connection: keep-alive


Storing nonce: lmmJC1J2qI_hYyF7o4FNAWXQ-QYrnxE0j0UGs1HyPsU
JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "markuskeppeler.no-ip.biz"
    }
  ]
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICJsbW1KQzFKMnFJX2hZeUY3bzRGTkFXWFEtUVlybnhFMGowVUdzMUh5UHNVIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy80NjExMTQxIiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJtYXJrdXNrZXBwZWxlci5uby1pcC5iaXoiCiAgICB9CiAgXQp9", 
  "signature": "iKK1CeZzCYBYtn-mm9ZuSGNlWV3UC14825QY15TfroHNS7Z430boS4guVm0PP-dEJxxgiAo5kVFV2GGUNl2571xT3EJJTOGFBzpWdtDqYPc4MDFcDvLCYw87WdizLFwUl68pmx1rGutc_jfLABZ0nNwjbcqKNGoC5Ruz5-Q94bARvbxQRa0B2N0q8tB2ID6fzdYyVn2y6ED6ITJvKAlrQ4sQmhNCMLGQI9x8BngCMtGQ5XjWRLXjmvnErK4ixz_dWSz0HFdSCjeAF3uBUm-qrifsQ6wZA0ZFf_MYcYGaf2SXlJeo9OUJxFI6Lx8F2rph3TZs8vtPRir3JTg1GsNRTg"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 381
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 381
Boulder-Requester: 4611141
Location: https://acme-v02.api.letsencrypt.org/acme/order/4611141/252625875
Replay-Nonce: DoAT61H4XpMd2T_8oX85TR7Ua14eyuYATCoEbn9fcrY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 02 Jan 2019 15:19:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Jan 2019 15:19:34 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2019-01-09T15:19:34.58970074Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "markuskeppeler.no-ip.biz"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/4611141/252625875"
}
Storing nonce: DoAT61H4XpMd2T_8oX85TR7Ua14eyuYATCoEbn9fcrY
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY:
{
  "protected": "eyJub25jZSI6ICJEb0FUNjFINFhwTWQyVF84b1g4NVRSN1VhMTRleXVZQVRDb0VibjlmY3JZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei9lUGJud0J6Q21nZjNWdF9nNGhGZUR2NDNoLU12WWNDTVp5anAyOHVHR0NZIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAxLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNDYxMTE0MSIsICJhbGciOiAiUlMyNTYifQ", 
  "payload": "", 
  "signature": "3UBkw7dpuZRY5DIxwLh9v8gzbQcznHTHLe8kgF2m7-eyRvvCYwSUFtJwX7blrayUHd27isT9GlhfvMeTAQ1Ra8EVFuL4S5uR1-QM6aERYuEmnuEtqSZdRCDgMG8P-Nj02D7fztsGnnUkV0SD4Z1GSG9vLpJZGV8SIQMlZWF3WcB0YTqgBv7bJB9386Whn4lk6PZ20J8VLOoYMmewi6vjKXJtIKG71ePg1FNUy76v4_DHNhcLzjXFcKffGrwa1Z1ySnqp6zqagHvBDLQmhOeIg3TEKP_7pPRNlYDRY1jflzZHI4Wz356URxOiDHH5EwaOBqxzDXw15t4PnHoP36Pq0g"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY HTTP/1.1" 200 1172
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1172
Boulder-Requester: 4611141
Replay-Nonce: jJFzBMezVnFTibVPNgrKowntE7ppI7sg7daCGj4QInk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 02 Jan 2019 15:19:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Jan 2019 15:19:34 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "markuskeppeler.no-ip.biz"
  },
  "status": "pending",
  "expires": "2019-01-09T15:19:34Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436395",
      "token": "hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436396",
      "token": "Z-UGErE3xRglyO826kJR_PspAribUrpAKhedjNJ45-4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436397",
      "token": "0863pMrc0LmLaxURFFzQsU9I0h4LlwymRtNRAfbWKVk"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436398",
      "token": "wAuM9ML_BqJwHCtWpbuwM_7nl5Y8cq-Kbp2f0IInI0E"
    }
  ]
}
Storing nonce: jJFzBMezVnFTibVPNgrKowntE7ppI7sg7daCGj4QInk
Performing the following challenges:
http-01 challenge for markuskeppeler.no-ip.biz
Adding a temporary challenge validation Include for name: markuskeppeler.no-ip.biz in: /etc/apache2/sites-enabled/000-default.conf
writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
Creating backup of /etc/apache2/sites-enabled/000-default.conf
Waiting for verification...
JWS payload:
{
  "keyAuthorization": "hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q.weHC0SFVCU97HOHuRgOLg5kASql47qAOWtBfL69y_AE", 
  "type": "http-01", 
  "resource": "challenge"
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436395:
{
  "protected": "eyJub25jZSI6ICJqSkZ6Qk1lelZuRlRpYlZQTmdyS293bnRFN3BwSTdzZzdkYUNHajRRSW5rIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvZVBibndCekNtZ2YzVnRfZzRoRmVEdjQzaC1NdlljQ01aeWpwMjh1R0dDWS8xMDk5MTQzNjM5NSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvcmVnLzQ2MTExNDEiLCAiYWxnIjogIlJTMjU2In0", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImhpVV9rNThjbm0wY0tVSFdiemlyb2JQOW1sRTA1UDNFMU1IVTNUOUhQN1Eud2VIQzBTRlZDVTk3SE9IdVJnT0xnNWtBU3FsNDdxQU9XdEJmTDY5eV9BRSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "UywKPFa-1AquAN8GXHEZ5MlGmV6108K0yhNRYK5aGj8rm4gFbgNx8QqIE84AqNyn1GvAu0VOAYQe6MrdVEkDJcW4iubqcqx3IfHLsaM4twhL-_HXV6_7NHO2oZzYyumXTAsfg1gS8T1ZfmUpsaS9DTxmOaP2oFJWmHWqNCDmkLCH_vpzxJTAz1MA2jzIWy8PBwIuAo3qlgEjoeP_A74DPNxTdID3Xo2t_VqNizJMw1nM8Ug0B6C-noqokeEz0-jk_BV1WSj0dHXrj1TcVySgcX_7CTz1oB2hBdMKx_0UWbj6RkTSsiFH82h7cigXHFHI4YGJkt_IboWpal7wASml6Q"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436395 HTTP/1.1" 200 224
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 224
Boulder-Requester: 4611141
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436395
Replay-Nonce: KahPM4jRfvzdeNxcyz-oTAyoxpi2bTKha0R95AamvXk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 02 Jan 2019 15:19:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Jan 2019 15:19:40 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436395",
  "token": "hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q"
}
Storing nonce: KahPM4jRfvzdeNxcyz-oTAyoxpi2bTKha0R95AamvXk
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY:
{
  "protected": "eyJub25jZSI6ICJLYWhQTTRqUmZ2emRlTnhjeXotb1RBeW94cGkyYlRLaGEwUjk1QWFtdlhrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei9lUGJud0J6Q21nZjNWdF9nNGhGZUR2NDNoLU12WWNDTVp5anAyOHVHR0NZIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAxLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNDYxMTE0MSIsICJhbGciOiAiUlMyNTYifQ", 
  "payload": "", 
  "signature": "KQtSb2Otl46LCTfdxuaiPxD5aW3e6LSlf_u45Cje2NYKpOpUdOnFZmB3SyBnB3xNLmN2nwlDXGi0vcxgZqqMbvLRM2JhLHnt8O-zUkIC7ngsV5tBMr4ggngFAuRxzj8yB89waE3TR0uagXdz3jGAKY3Oh-iiuEFfHXHg73qz4Z024A6MK1sAYwixTSwilaWUzRWx57x-L_3jrCewiAB3YdkQJs14qp7ayCI8RMFC2bo8CRwbZmzq-Aehr8BayK15NRYwkTYdRnnWY4FApGKFdf1DtG0EGp8QL52Ev0iCpKIVs6Q-Irdfyn1bdSfxkqdTZd9lz_0PlIdvO2d-WCDiVA"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY HTTP/1.1" 200 2374
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Boulder-Requester: 4611141
Replay-Nonce: 12i00ejI6L7FUsdti8D2u2hRPQzyOG6brhq3oA6DEdg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2374
Expires: Wed, 02 Jan 2019 15:19:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Jan 2019 15:19:43 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "markuskeppeler.no-ip.biz"
  },
  "status": "invalid",
  "expires": "2019-01-09T15:19:34Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436395",
      "token": "hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q",
      "validationRecord": [
        {
          "url": "http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q",
          "hostname": "markuskeppeler.no-ip.biz",
          "port": "80",
          "addressesResolved": [
            "95.223.40.122"
          ],
          "addressUsed": "95.223.40.122"
        },
        {
          "url": "https://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q",
          "hostname": "markuskeppeler.no-ip.biz",
          "port": "443",
          "addressesResolved": [
            "95.223.40.122"
          ],
          "addressUsed": "95.223.40.122"
        }
      ]
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436396",
      "token": "Z-UGErE3xRglyO826kJR_PspAribUrpAKhedjNJ45-4"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436397",
      "token": "0863pMrc0LmLaxURFFzQsU9I0h4LlwymRtNRAfbWKVk"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/ePbnwBzCmgf3Vt_g4hFeDv43h-MvYcCMZyjp28uGGCY/10991436398",
      "token": "wAuM9ML_BqJwHCtWpbuwM_7nl5Y8cq-Kbp2f0IInI0E"
    }
  ]
}
Storing nonce: 12i00ejI6L7FUsdti8D2u2hRPQzyOG6brhq3oA6DEdg
Reporting to user: The following errors were reported by the server:

Domain: markuskeppeler.no-ip.biz
Type:   unauthorized
Detail: Invalid response from http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. markuskeppeler.no-ip.biz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Calling registered functions
Cleaning up challenges
Attempting to renew cert (markuskeppeler.no-ip.biz) from /etc/letsencrypt/renewal/markuskeppeler.no-ip.biz.conf produced an unexpected error: Failed authorization procedure. markuskeppeler.no-ip.biz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 432, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1170, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 118, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 307, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. markuskeppeler.no-ip.biz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/markuskeppeler.no-ip.biz/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/markuskeppeler.no-ip.biz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1352, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1259, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 457, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: markuskeppeler.no-ip.biz
   Type:   unauthorized
   Detail: Invalid response from
   http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/hiU_k58cnm0cKUHWbzirobP9mlE05P3E1MHU3T9HP7Q:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Regarding the invalid “xml”: I have added the extra whitespace to make the post work, because I didn’t know about the triple backticks (see other replies). The slash at the end IMHO was correct, as it is not xml. But I commented all of those out now to simplify the setup; it still doesn’t work.

Any help is appreciated, I have no clue what I can do here :-(.


#8

Yep, now I see a 404 too.

So create a file (file name 1234 without extension) in

/.well-known/acme-challenge

then try to load this file with your browser:

http://markuskeppeler.no-ip.biz/.well-known/acme-challenge/1234

If this works, you have your correct webroot, so you can use

certbot run -a webroot -i apache -w YourWebroot -d markuskeppeler.no-ip.biz
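The manual test above (drop a file into the webroot, fetch it over HTTP, see whether you get 200, 403 or 404) as a small self-check script. This is an added example, not certbot code or anything from this thread; the function names are hypothetical, the token body is a constructed sample (a real client serves token + "." + account key thumbprint), and the local http.server only exists so the script can be exercised offline. Against a real host you would call check_webroot("/var/www", "http://your.host") directly.

```python
"""Webroot self-check for http-01 (added example, not certbot's own code).
Hypothetical helper names; only the /.well-known/acme-challenge path is ACME's.
The token body below is constructed: real clients serve token + '.' + thumbprint.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"
# Proxy-free opener: the CA's validator connects to the host directly, so do we.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def place_token(webroot):
    """Write a random token file below webroot; return (token, expected body)."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    body = token + ".constructed-thumbprint"  # constructed sample value
    with open(os.path.join(path, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def fetch(url):
    """GET url following redirects; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-selfcheck"})
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace"), err.geturl()


def diagnose(status, ok):
    """Map the observed status to the likely misconfiguration."""
    if ok:
        return "webroot serves the token; pass this directory to certbot -w"
    if status == 403:
        return "403: an Apache access rule (Require all denied, SSLRequireSSL) blocks the path"
    if status == 404:
        return "404: wrong webroot, or a redirect sends the request to another vhost/docroot"
    if status == 200:
        return "200 but wrong body: something else answers for /.well-known/acme-challenge"
    return "unexpected status %d" % status


def check_webroot(webroot, base_url):
    """Place a token in webroot, fetch it through base_url, report the outcome."""
    token, expected = place_token(webroot)
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)
    try:
        status, body, final_url = fetch(url)
    finally:
        os.remove(os.path.join(webroot, *CHALLENGE_DIR.split("/"), token))
    ok = status == 200 and body.strip() == expected
    return {"url": url, "final_url": final_url, "status": status, "ok": ok,
            "hint": diagnose(status, ok)}


def serve_directory(directory):
    """Start a throwaway local HTTP server for directory; return (server, base_url)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def selfcheck_demo():
    """Run the check against a correct and a wrong webroot on a local server."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as wrong:
        server, base_url = serve_directory(good)
        try:
            return check_webroot(good, base_url), check_webroot(wrong, base_url)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for result in selfcheck_demo():
        print(result)
```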

#9

Hi Jürgen!

Thank you very much, I managed now to create a new certificate (and renewal seems to work as well), using this command (for others that may run into the same issue):

certbot-auto certonly --rsa-key-size 4096 --hsts --webroot -w /var/www -d markuskeppeler.no-ip.biz

So the problems have been:

  1. My restrictive setting prohibited access to .well-known (fixed by modifying apache2.conf; I will try to get it more restrictive again, but this is not for this forum ;-)).
  2. certbot must use/know the webroot (fixed by using new command posted above).

It is - for me - strange that this worked before (with the restrictive apache2.conf), but there was probably a change in the certbot-auto.

thanks a lot for all your help! :-)
Markus


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.