Renewing certificate 404 Invalid response from

My domain is: wooljersey.com

I ran this command: 'sudo certbot renew'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wooljersey.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wooljersey.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (wooljersey.com) from /etc/letsencrypt/renewal/wooljersey.com.conf produced an unexpected error: Failed authorization procedure. wooljersey.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wooljersey.com/.well-known/acme-challenge/a7m3luWa8t00vnWIQOQ6P6ZyVZ1zd9gM9xqzOmruHro [34.82.65.163]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wooljersey.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wooljersey.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: wooljersey.com
   Type:   unauthorized
   Detail: Invalid response from
   http://wooljersey.com/.well-known/acme-challenge/a7m3luWa8t00vnWIQOQ6P6ZyVZ1zd9gM9xqzOmruHro
   [34.82.65.163]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

morgan@mediawiki-2-vm:~$ apachectl -v
Server version: Apache/2.4.51 (Unix)
Server built:   Nov 26 2021 15:27:08

The operating system my web server runs on is (include version):

morgan@mediawiki-2-vm:~$ uname -a
Linux mediawiki-2-vm 4.19.0-18-cloud-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux

My hosting provider, if applicable, is:

GCP

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

morgan@mediawiki-2-vm:~$ certbot --version
certbot 0.31.0

I received an email " [Urgent] Let's Encrypt revocations affecting your TLS certificates."

I had previously built a site on a vm from GCP, using a bitnami mediawiki image. I fumbled through the apache/letsencrypt steps to get a working site. When mediawiki produced a new version, I backed up and restored apache/letsencrypt onto the new vm. It works, but this renewal isn't. My A record matches curl ifconfig.io for the vm + load balancer assigned to me, from GCP. I don't have an AAAA record set.

I've tried multiple commands, following google searches, and searches on this site.

Help, please, and thank you,

Morgan


Welcome @AlPastor

Very nice trouble report.

A number of things look odd. First, you say you got the email about the revocations due to TLS-ALPN-01 challenge certificates. But, Certbot does not support that type of challenge.
Here is a list of your cert history.

Your server is sending the cert created Dec13

Let's see which one Certbot is managing. Can you show result of this command:

sudo certbot certificates

@MikeMcQ The hostname is present in the list of affected certificates:

318831580,"043aa8b3bceac172315e10ef288587d90cd3","2022-03-13T01:39:22Z","wooljersey.com","www.wooljersey.com"

So perhaps @AlPastor used a different client before using Certbot?


Likely after. The earlier certs which are due for renewal only have the apex domain.

Thanks for the research


Ah, good catch, the certificate which is being renewed indeed only includes a single hostname. Although it could be the other certificate is also present in Certbot, but just not ready to renew by default. I agree we should check the certificates available to Certbot.

The most recent cert is also an ECDSA certificate, whereas Certbot still defaults to RSA currently. Although it's fairly easy to issue an ECDSA cert.


MikeMcQ, thank you.

morgan@mediawiki-2-vm:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: wooljersey.com
    Domains: wooljersey.com
    Expiry Date: 2022-02-12 11:49:58+00:00 (VALID: 15 days)
    Certificate Path: /etc/letsencrypt/live/wooljersey.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wooljersey.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I was definitely learning as I went. I may have used something else. I do see this command in the shell history of my first vm - have kept it running, but no longer in service / dns.

sudo certbot --authenticator webroot --installer apache

Morgan


OK. That is not the certificate your server is sending. That only has the domain name wooljersey.com but your active cert has that and the www name. I earlier linked to crt.sh which shows your cert history. This may make more sense to you now.

So, certbot is not your answer.

Can you look in your Apache conf files for lines related to:

SSLCertificate...

There will be at least two. What are the file names? Might be a clue as to how you created them.

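One way to carry out the check described above in a single pass (an added example, not code from the thread, Certbot or Bitnami): it collects every active SSLCertificateFile directive under the Apache conf directory, fingerprints each file, and marks the one that matches the certificate the live server presents. The CONF_DIR default assumes the Bitnami layout shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list every SSLCertificateFile directive that
# Apache's config references, fingerprint each file, and mark the one that matches
# the certificate the live server actually presents. CONF_DIR assumes the Bitnami
# layout seen in the thread; override it for other installs.
set -u

CONF_DIR="${CONF_DIR:-/opt/bitnami/apache2/conf}"
tab="$(printf '\t')"

# Print "conf-file<TAB>cert-path" for each active (uncommented) SSLCertificateFile line.
list_cert_directives() {
  find "$1" -name '*.conf' -exec grep -H -e '^[[:space:]]*SSLCertificateFile[[:space:]]' {} \; \
    | sed -E "s/^([^:]+):[[:space:]]*SSLCertificateFile[[:space:]]+\"?([^\"]+)\"?.*\$/\1${tab}\2/"
}

# SHA-256 fingerprint of a PEM certificate file; empty if the file is missing or unparsable.
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a host presents for the given SNI name.
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare every configured certificate file with what the host serves.
audit_host() {
  served="$(served_fingerprint "$1")"
  echo "Certificate served by $1: ${served:-<none>}"
  list_cert_directives "$CONF_DIR" | while IFS="$tab" read -r conf cert; do
    fp="$(file_fingerprint "$cert")"
    if [ -n "$fp" ] && [ "$fp" = "$served" ]; then mark="ACTIVE"; else mark="not served"; fi
    printf '%s\n  %s\n  fingerprint: %s  [%s]\n' "$conf" "$cert" "${fp:-unreadable}" "$mark"
    if [ -n "$fp" ]; then
      openssl x509 -in "$cert" -noout -subject -enddate | sed 's/^/  /'
      openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | sed 's/^/  /'
    fi
  done
}

# Usage: sh audit.sh wooljersey.com (with no argument the script only defines the functions).
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

A file whose fingerprint matches the served one is the VirtualHost actually in use; a Certbot-managed file under /etc/letsencrypt/live that never appears as ACTIVE explains a successful-looking renewal that changes nothing on the wire.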
root@mediawiki-2-vm:/opt/bitnami/apache2/conf# find . -name "*conf" -exec grep -e "^ *SSLCertificate" {} \; -print
SSLCertificateFile "/opt/bitnami/apache/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache/conf/server.key"
./original/extra/httpd-ssl.conf
SSLCertificateFile "/opt/bitnami/apache/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache/conf/server.key"
./extra/httpd-ssl.conf
  SSLCertificateFile "/opt/bitnami/apache/conf/wooljersey.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache/conf/wooljersey.com.key"
./vhosts/mediawiki-https-vhost.conf
  SSLCertificateFile "/opt/bitnami/apache/conf/wooljersey.com.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache/conf/wooljersey.com.key"
./bitnami/bitnami-ssl.conf
root@mediawiki-2-vm:/opt/bitnami/apache/conf# grep -e "^ *Include" httpd.conf
Include conf/extra/proxy-html.conf
Include "/opt/bitnami/apache/conf/extra/httpd-default.conf"
Include "/opt/bitnami/apache/conf/deflate.conf"
IncludeOptional "/opt/bitnami/apache/conf/vhosts/*.conf"
 Include "/opt/bitnami/apache/conf/bitnami/bitnami.conf"
Include "/opt/bitnami/apache/conf/bitnami/httpd.conf"
Include "/opt/bitnami/apache/conf/bitnami/phpmyadmin.conf"
  Include "/opt/bitnami/apache/conf/bitnami/php-fpm.conf"

You can see, I fumbled my way through the config.

Thank you,

Morgan


Ouch. Making a guess based on the names the above is likely your active VirtualHost and its cert files. Do you remember how you created those files?

Did you use the bncert tool in bitnami maybe? If so, here is a thread of others using that and updating for the TLS-ALPN-01 revocation problem.

Earlier I said certbot is not the answer. I should have said certbot did not create your currently active cert. Maybe it is a way to go forward but not without some serious rework of your config first. That is beyond the scope of what I could assist with. I just wanted to clarify my earlier comment.


Thanks. No, I don't remember how I made them. Unfortunately, I don't see clues in history, for my account, or the ones I might have su-ed into...

I'll try to follow the bncert path.

Morgan


You should not be using certbot, I think.

Read this, mainly the "certificates not renewed automatically" section:

https://docs.bitnami.com/aws/how-to/understand-bncert/


FWIW, the fix was to restore the original dummy certificates to the bitnami apache2 conf dir, then run the bitnami cert tool. I guess I was more clever than intelligent, when I set this up. Thanks for the help.

morgan@mediawiki-2-vm:~$ sudo ln -s /opt/bitnami/apache/conf/bitnami/certs/server.crt /opt/bitnami/apache2/conf/
morgan@mediawiki-2-vm:~$ sudo ln -s /opt/bitnami/apache/conf/bitnami/certs/server.key /opt/bitnami/apache2/conf/
...
morgan@mediawiki-2-vm:~$ sudo /opt/bitnami/bncert-tool

https://www.wooljersey.com/

Thanks.
