Renewing expired certificate fails

Hello,
I have not been able to renew the certificate of this server:

My domain is: mail.stage-gate.la

I ran this command: sudo certbot --apache --agree-tos --redirect --hsts --email german.garcia@stage-gate.com --renew-by-default -d mail.stage-gate.la

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.stage-gate.la
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.stage-gate.la (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.stage-gate.la/.well-known/acme-challenge/fz0hlMLuWOzrU8a8Os_-vXj2d8kfiNS7Og1Vvsk2OS0 [18.207.54.221]: "\n\n404 Not Found\n\n Not Found \n<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: mail.stage-gate.la
    Type: unauthorized
    Detail: Invalid response from
    http://mail.stage-gate.la/.well-known/acme-challenge/fz0hlMLuWOzrU8a8Os_-vXj2d8kfiNS7Og1Vvsk2OS0
    [18.207.54.221]: "\n\n404 Not Found\n\n Not Found \n<p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 16.04

The version of my client is Certbot 0.31.0


I added a test.html on the server to see whether it could be accessed through a browser and whether Apache was blocking it or not:
http://mail.stage-gate.la/.well-known/acme-challenge/test.html
It opens fine.

What can I do? I’m lost.

Thanks in advance!

  • German

Hello,
I removed the redirect from apache at /etc/apache2/sites-available/mail.stage-gate.la.conf :

RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.stage-gate.la
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


Also at /etc/apache2/sites-available/000-default.conf:
I commented the line

enableSSL on


Then I ran
sudo certbot run -a webroot -i apache -w /var/www/mail.stage-gate.la -d mail.stage-gate.la

Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.stage-gate.la
Using the webroot path /var/www/mail.stage-gate.la for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/mail.stage-gate.la-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/mail.stage-gate.la-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/mail.stage-gate.la.conf to ssl vhost in /etc/apache2/sites-available/mail.stage-gate.la-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://mail.stage-gate.la

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mail.stage-gate.la


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/mail.stage-gate.la/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/mail.stage-gate.la/privkey.pem
    Your cert will expire on 2019-08-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

ubuntu@mail:~$


I think I solved it.

Thanks

Hi @siramthar

Happy to read that it worked.

I see, there are three checks of your domain ( https://check-your-website.server-daten.de/?q=mail.stage-gate.la ):

You have removed the redirect http -> https.

But your first and second check don't show such a redirect. So this redirect rule or the complete vHost isn't used.

Rechecked your domain now - there is no redirect.

Looks like you have different vHosts with the same port and the same ServerName / ServerAlias.

Every combination of port and ServerName should be unique.

What does this command say?

apachectl -S
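As an added example (not code from this thread, from certbot or from the Apache project), the two checks discussed above can be scripted so they run offline against captured output: the first parses `apachectl -S` output and reports every port plus ServerName/ServerAlias pair that is defined more than once, which is the collision the reply above asks about; the second scans a vhost file for a RewriteRule that redirects to https:// without a RewriteCond excluding /.well-known/acme-challenge/, the redirect that German removed in his second post. Excluding the challenge path from the redirect is this editor's suggestion, not something the thread states. The sample `apachectl -S` output and the sample vhost files below are constructed; the file paths in them are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Requires only POSIX sh, awk and sort.
#
# Usage on a real host:
#   apachectl -S 2>&1 | find_vhost_collisions
#   redirect_without_acme_exception < /etc/apache2/sites-available/mail.stage-gate.la.conf
# Output is empty when nothing is wrong.

# Read `apachectl -S` output on stdin and print "port name count files..."
# for every port + ServerName/ServerAlias pair that is declared more than once.
find_vhost_collisions() {
    awk '
        # "*:80   is a NameVirtualHost": header for a port with several vhosts
        /^[^ \t]+:[0-9]+[ \t]+is a NameVirtualHost/ { p = $1; sub(/.*:/, "", p); port = p; next }
        # "*:443   name (file:line)": a port that carries a single vhost
        /^[^ \t]+:[0-9]+[ \t]/ { p = $1; sub(/.*:/, "", p); port = p; seen(port, $2, $3); next }
        # "   port 80 namevhost name (file:line)": one vhost of a NameVirtualHost port
        /^[ \t]+port [0-9]+ namevhost / { port = $2; seen(port, $4, $5); next }
        # "   alias name": ServerAlias of the vhost printed just before
        /^[ \t]+alias / { seen(port, $2, "alias"); next }
        function seen(pt, name, file, key) {
            key = pt " " name
            gsub(/[()]/, "", file)
            count[key]++
            where[key] = where[key] " " file
        }
        END {
            for (key in count)
                if (count[key] > 1) printf "%s %d%s\n", key, count[key], where[key]
        }
    ' | sort
}

# Read an Apache vhost file on stdin and print every RewriteRule that redirects
# to https:// while none of its RewriteCond lines mention acme-challenge.
# RewriteCond lines apply to the next RewriteRule only, so they are collected
# until a RewriteRule consumes them.
redirect_without_acme_exception() {
    awk '
        /^[ \t]*RewriteCond/ { conds = conds "\n" $0; next }
        /^[ \t]*RewriteRule/ {
            if ($3 ~ /^https:\/\// && conds !~ /acme-challenge/)
                printf "line %d: %s\n", NR, $0
            conds = ""
            next
        }
    '
}

# Constructed sample: port 80 has mail.stage-gate.la defined in two files,
# the situation the reply above describes.
SAMPLE_APACHECTL='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server mail.stage-gate.la (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost mail.stage-gate.la (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost mail.stage-gate.la (/etc/apache2/sites-enabled/mail.stage-gate.la.conf:1)
                 alias www.stage-gate.la
*:443                  mail.stage-gate.la (/etc/apache2/sites-enabled/mail.stage-gate.la-le-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"'

# Constructed sample: one vhost per port, nothing to report.
CLEAN_APACHECTL='VirtualHost configuration:
*:80                   mail.stage-gate.la (/etc/apache2/sites-enabled/mail.stage-gate.la.conf:1)
*:443                  mail.stage-gate.la (/etc/apache2/sites-enabled/mail.stage-gate.la-le-ssl.conf:2)
ServerRoot: "/etc/apache2"'

# The redirect block quoted in the thread (every request goes to https://).
BAD_CONF='RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.stage-gate.la
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]'

# Same block with the challenge directory left on plain HTTP (editor's suggestion).
GOOD_CONF='RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.stage-gate.la
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]'

# Demonstration on the constructed samples; nothing on the host is read.
printf '%s\n' "$SAMPLE_APACHECTL" | find_vhost_collisions
printf '%s\n' "$BAD_CONF" | redirect_without_acme_exception
```

The collision check keys on the port number alone, so a vhost bound to `*:80` and one bound to `192.0.2.1:80` with the same ServerName are reported together; that is intentional, since Apache picks the first matching vhost for a name and the second one silently never serves, which is exactly how a challenge file placed under one DocumentRoot can come back as a 404 from another.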
