Renewing my certificate doesnt work and it has expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: etrip.tips

I ran this command:
chris@wp-ms:/etc/letsencrypt$ ./certbot-auto certonly --manual -d etrip.tips -d www.etrip.tips

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.etrip.tips


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.
Are you OK with your IP being logged?


(Y)es/(N)o: y


Create a file containing just this data:

6fvBFDY-HKPsUv268KAUmdo86ASyh_IpB76sFzBaqj8.cakB4wmhYpZnqoUzh65FLExKNUiBVxXeeh4wZvA4oGY

And make it available on your web server at this URL:

http://www.etrip.tips/.well-known/acme-challenge/6fvBFDY-HKPsUv268KAUmdo86ASyh_IpB76sFzBaqj8


Press Enter to Continue
Waiting for verification…
Challenge failed for domain www.etrip.tips
http-01 challenge for www.etrip.tips
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-1026-gcp x86_64)

My hosting provider, if applicable, is: GCP

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.32.0

.htaccess

RewriteEngine On RewriteBase / # Exception # If the URL starts "/.well-known/" then stop here. RewriteRule ^\.well_known/. - [L] RewriteRule ^index\.php$ - [L]

add a trailing slash to /wp-admin

RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) 1 [L] RewriteRule ^(.*\.php) $1 [L]
RewriteRule . index.php [L]

I manually added the directory .well-known/acme-challenge and made www-data the owner
I added a file (called it auth) into a new folder with the required name and value, but it isnt visible there.
I’m assuming I dont need to alter the apache conf file for the site as it worked with creating the certificate.

Hi @sigh_whynowork

checking your domain your rewrite rule doesn't work ( https://check-your-website.server-daten.de/?q=etrip.tips ):

Domainname Http-Status redirect Sec. G
http://etrip.tips/
35.200.138.136 302 https://etrip.tips/ 0.730 A
http://www.etrip.tips/
35.200.138.136 200 0.730 H
https://etrip.tips/
35.200.138.136 200 5.523 N
Certificate error: RemoteCertificateChainErrors
https://www.etrip.tips/
35.200.138.136 200 3.353 N
Certificate error: RemoteCertificateChainErrors
http://etrip.tips/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
35.200.138.136 302 https://etrip.tips/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.730 A
Visible Content: Found The document has moved here . Apache/2.4.29 (Ubuntu) Server at etrip.tips Port 80
http://www.etrip.tips/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
35.200.138.136 404 0.727 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at www.etrip.tips Port 80
https://etrip.tips/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 5.056 N
Not Found

Your http + non-www + /.well-known is redirected to https, your http + www + /.well-known not.

But the redirect is correct (the folder and filename is added). Have both versions (http and https) the same webroot? If yes, this isn't really a problem.

What's your DocumentRoot?

There you have to create the two subdirectories

DocumentRoot/.well-known/acme-challenge

Create there a file (file name 1234) and check that file via

 http://www.etrip.tips/.well-known/acme-challenge/1234

Or use my online tool to test that file (domain + folder + filename).

Thanks for responding

The document root is /srv/sites/etrip.tips and has the two sub directories
I’ve added the 1234 file in there but still cant see it using browser

DocumentRoot is specified in https in the conf file in apache, and I’ve added in the same for http and will restart the service

Any recommendations for the rewrite rule in the .htaccess?

If that doesn't work:

  • This isn't your webroot
  • There are additional location definitions
  • there are other redirect definitions

Perhaps create a test file in your document root and check, if you can load that file in your browser.

Aaargh! And because I deleted my certificate, the default-ssl.conf is saying that my pem files arent there and so the whole site is down.

That's always bad. Don't delete active certificates. It's enough time to delete certificates if they are expired.

Your server should have self signed certificates.

You can use these to restart your server.

If that isn't possible: Remove the port 443 vHost (but first: Make a backup).

You could also make a self-signed certificate on https://zerossl.com/free-ssl/#self and copy that into the location that the web server is looking for, so the web server will be able to start.

Now your https sends http, but that’s not relevant if there is no redirect http -> https.

But both urls

http://etrip.tips/.well-known/acme-challenge/1234
http://www.etrip.tips/.well-known/acme-challenge/1234

don’t work. So it’s not your webroot or there are other definitions. Or there is an application that handles the request.

OK! So, I now have those two URLs working with the content showing which means http works. Hooray.

Now when I run
chris@wp-ms:/etc/letsencrypt$ ./certbot-auto certonly --manual -d etrip.tips -d www.etrip.tips

I get a 403
Press Enter to ContinueWaiting for verification…Challenge failed for domain www.etrip.tipshttp-01 challenge for www.etrip.tipsCleaning up challengesSome challenges have failed.IMPORTANT NOTES: - The following errors were reported by the server: Domain: www.etrip.tips Type: unauthorized Detail: Invalid response from http://www.etrip.tips/.well-known/acme-challenge/bedbGZaj8qK1O9rNmTL-HLNNdAG2Wn80R2Mge-Mbmw4/ [35.200.138.136]: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p” To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

This is after trying all sorts of combinations in the manually created files and folders:
chris@wp-ms:/srv/sites/etrip.tips/.well-known/acme-challenge$ ls -l
total 40
drwxrwxrwx 2 root root 4096 Apr 4 13:15 12
-rwxrwxrwx 1 root root 5 Apr 3 14:35 1234
drwxrwxrwx 2 root root 4096 Apr 4 13:05 2_wxsqrP5XkYrRm87_3lUDc56tBMqbkLKqVEPJZbkzs
drwxrwxrwx 2 root root 4096 Apr 4 13:24 3AH9mgTGYEhPgxg7pYPREnMm8lwCYTjxaYY34ZL72T0
drwxrwxrwx 2 root root 4096 Apr 3 13:42 6fvBFDY-HKPsUv268KAUmdo86ASyh_IpB76sFzBaqj8
drwxrwxrwx 2 root root 4096 Apr 4 12:59 OnaagoPqjCMho1UWnP8iFlBP3vhHsa13cE58Da8zWRg
-rwxrwxrwx 1 root root 88 Apr 4 13:08 auth
drwxrwxrwx 2 root root 4096 Apr 4 13:29 bedbGZaj8qK1O9rNmTL-HLNNdAG2Wn80R2Mge-Mbmw4
drwxrwxrwx 2 root root 4096 Apr 4 13:08 tcQHyDbTYTGUFWAkTLD4nmsjHk9vjpyK_Z307dcDb68
-rwxrwxrwx 1 root root 10 Apr 4 13:13 trial

Can someone let me know what the correct command would be for the manually created folder.file permissisons?

Yep, now the first url works.

chmod 775 should be enough.

But if you have found your correct webroot, use it (instead of --manual):

certbot run -a webroot certonly -w /srv/sites/etrip.tips -d etrip.tips -d www.etrip.tips

Hi Juergen - thanks for all your help thus far - I’m so close total success.
I have SSL for https://etrip.tips, but not for https://www.etrip.tips
I added a ServerAlias www.etrip.tips to each of the 80 and 443 sections of the conf file, and then apache started failing saying it couldnt see the pem files. they’re certainly there - do I have to manually change their permissions? Was the ServerAlias entries wrong?

Share your config file. Wrong place, wrong entry, duplicate entries ...

<VirtualHost *:80>
ServerName etrip.tips
ServerAlias www.etrip.tips
Redirect “/” “https://etrip.tips/
DocumentRoot /srv/sites/etrip.tips

    <Directory /srv/sites/etrip.tips>
       DirectoryIndex index.php
       AllowOverride All
       Require all granted
    </Directory>

<VirtualHost *:443>
ServerName etrip.tips
ServerAlias www.etrip.tips
DocumentRoot /srv/sites/etrip.tips
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/etrip.tips/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/etrip.tips/privkey.pem
<Directory /srv/sites/etrip.tips>
DirectoryIndex index.php
AllowOverride All
Require all granted

What’s the error message from Apache, and what’s the output of certbot certificates?

./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: etrip.tips
Domains: etrip.tips www.etrip.tips
Expiry Date: 2019-07-03 13:54:16+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/etrip.tips/fullchain.pem
Private Key Path: /etc/letsencrypt/live/etrip.tips/privkey.pem


systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Thu 2019-04-04 15:35:13 UTC; 1h 41min ago
Process: 10391 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 10717 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Process: 11119 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 10410 (code=exited, status=1/FAILURE)

Apr 04 15:35:13 wp-ms systemd[1]: Starting The Apache HTTP Server…
Apr 04 15:35:13 wp-ms apachectl[11119]: Action ‘start’ failed.
Apr 04 15:35:13 wp-ms apachectl[11119]: The Apache error log may have more information.
Apr 04 15:35:13 wp-ms systemd[1]: apache2.service: Control process exited, code=exited status=1
Apr 04 15:35:13 wp-ms systemd[1]: apache2.service: Failed with result ‘exit-code’.
Apr 04 15:35:13 wp-ms systemd[1]: Failed to start The Apache HTTP Server.

So looks like the certs are there - just not sure why apache cant see them

What says

apachectl configtest
apachectl fullstatus
apachectl -S

root@wp-ms:/etc/letsencrypt# apachectl configtest
Syntax OK
root@wp-ms:/etc/letsencrypt# apachectl fullstatus
/usr/sbin/apachectl: 113: /usr/sbin/apachectl: www-browser: not found
‘www-browser -dump http://localhost:80/server-status’ failed.
Maybe you need to install a package providing www-browser or you
need to adjust the APACHE_LYNX variable in /etc/apache2/envvars
root@wp-ms:/etc/letsencrypt# apachectl -S
VirtualHost configuration:
*:80 etrip.tips (/etc/apache2/sites-enabled/etrip.tips.conf:1)
*:443 is a NameVirtualHost
default server wp-ms.c.wordpress-202201.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost wp-ms.c.wordpress-202201.internal (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost etrip.tips (/etc/apache2/sites-enabled/etrip.tips.conf:14)
alias www.etrip.tips
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

I don't know if this is the problem.

But combinations of port and servername should be unique. So change name of your default server, so the namevhost is unique and used.

1 Like

OMG: got it working. Thanks so much for all your help!!

1 Like