Renewals failing

ddyer · December 17, 2018, 5:51pm

I ran this command: certbot-auto --apache renew

It produced this output: Invalid response from http://www.real-me.net/.well-known/acme-challenge/oO42xuTqlCl1Mgz_VbFTk1vJYXU01WBo4OO_tcgAY5c: "\n\n404 Not Found\n\n

Not Found

This renewal script has been running successfully for several years, nothing has changed on my end, but it no longer works. As far as I can tell, the challenge files are not being written
which results in the “404 not found” errors.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

rg305 · December 17, 2018, 6:07pm

Please show the actual cron job you run.
And also the file:
/etc/letsencrypt/renewal/{your.cert.name}.conf

ddyer · December 17, 2018, 9:26pm

There’s extraneous stuff in the cron job, which runs as root, but the action line is this:

 ../certbot-auto -v --apache renew >> renew.log

Here’s the conf file

renew_before_expiry = 30 days

version = 0.27.1
archive_dir = /etc/letsencrypt/archive/www.boardspace.net
cert = /etc/letsencrypt/live/www.boardspace.net/cert.pem
privkey = /etc/letsencrypt/live/www.boardspace.net/privkey.pem
chain = /etc/letsencrypt/live/www.boardspace.net/chain.pem
fullchain = /etc/letsencrypt/live/www.boardspace.net/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = f12f2787322263e15c409190710c9595
server = https://acme-v02.api.letsencrypt.org/directory

Here’s a sample from the log file’s daily run.

Processing /etc/letsencrypt/renewal/www.boardspace.net.conf

Mon Dec 17 17:33:22 UTC 2018

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.boardspace.net/fullchain.pem (failure)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.real-me.net
Type: unauthorized
Detail: Invalid response from
http://www.real-me.net/.well-known/acme-challenge/pAuDJZgIxvo1LJVB-7ed6uvY8o2WYbTfVBtGKi4QVsI:
“\n\n404 Not
Found\n\n

Not Found
\n<p”
Domain: boardspace.net
Type: unauthorized
Detail: Invalid response from
http://boardspace.net/.well-known/acme-challenge/kTEJw_dTsawPb77C2C0qmgvmO2vjSzOLnJ13BUw2FaQ:
“\n\n404 Not
Found\n\n

Not Found
\n<p”
Domain: real-me.net
Type: unauthorized
Detail: Invalid response from
http://real-me.net/.well-known/acme-challenge/kgjSi3S8q44J6aA0Whvajgijx8b94Cb5j91BkjeUWxA:
“\n\n404 Not
Found\n\n

Not Found
\n<p”
Domain: www.boardspace.net
Type: unauthorized
Detail: Invalid response from
http://www.boardspace.net/.well-known/acme-challenge/GOSD4KRAyurF311oy-LUIejDhP5Nz8Vcmi6rm1QAryE:
“\n\n404 Not
Found\n\n

Not Found
\n<p”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Mon Dec 17 17:34:01 UTC 2018

rg305 · December 17, 2018, 9:35pm

I think using --webroot may fix this quickly - otherwise it may take much troubleshooting.

Please show the document root in the vhost config for www.boardspace.net with port 80.

rg305 · December 17, 2018, 9:38pm

You can use that document root path as:
certbot-auto --apache renew --webroot -w /your/path

ddyer · December 17, 2018, 10:55pm

using -webroot succeeds in generating the new certificates, but doesn’t install them.
adding the --installer apache clause suggested by the log causes the script to hang.

is there a “just install” option?

ddyer · December 18, 2018, 12:10am

Here’s a trace from the version that hangs.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert not yet due for renewal
<>
^CExiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
load_entry_point(‘letsencrypt==0.7.0’, ‘console_scripts’, ‘letsencrypt’)()
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 1352, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 1220, in certonly
should_get_cert, lineage = _find_cert(config, domains, certname)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 288, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 315, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 266, in _find_lineage_for_domains
return _handle_identical_cert_request(config, ident_names_cert)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py”, line 219, in _handle_identical_cert_request
default=0, force_interactive=True)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/display/util.py”, line 155, in menu
code, selection = self._get_valid_int_ans(len(choices))
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/display/util.py”, line 418, in _get_valid_int_ans
ans = input_with_timeout(input_msg)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/display/util.py”, line 82, in input_with_timeout
line = compat.readline_with_timeout(timeout, prompt)
File “/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/compat.py”, line 107, in readline_with_timeout
rlist, _, _ = select.select([sys.stdin], , , timeout)
KeyboardInterrupt

_az · December 18, 2018, 12:15am

If you're trying to do this non-interactively, you should add -n to your parameters. That way it will either succeed, or fail fast.

That trace shows that Certbot was waiting for input from the command line, which suggests that you did not provide enough information for the installer to do its job.

Since you pipe everything to renew.log, but you are running this in an interactive terminal, I think Certbot is confused and is waiting for input from you, but you can't see the prompt.

rg305 · December 18, 2018, 1:10am

I'm confused about this, doesn't it change the latest live cert?
Have you restarted the web service since the --webroot renewal?

ddyer · December 18, 2018, 1:26am

using only -webroot without a --installer apache, no attempt was made to install
the certs. I tried manually restarting the server, but that had no effect.

adding --installer apache induced an unexpected break into interactive mode.
also adding -n seems to have taken care of it, so the net, final command line
is along the lines of
…/certbot-auto -n --installer apache --webroot -w /home/boardspa/boardspace.net/html/ -d www.boardspace.net,boardspace.net certonly >> renew.log

This got my certs renewed and installed, and has some hope of continuing to work. Check
in another 80 days or so!

BTW, my overall script has a manual fixup to preserve the httpd.conf to avoid my
previous panic, where my apache servers were knocked off the air by a duplicate
“listen” clause. There are several old threads about this, and that problem is still
unfixed.

rg305 · December 18, 2018, 1:30am

Please show:
certbot-auto certificates

[so I can better understand what is going on]

system · January 17, 2019, 1:36am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.