Renewing SSL Certificate - non technical

Hello everyone,

I am a non-technical person so please bear with me. I have a website snackconscious.com and the SSL certificate has expired and I understand it has to be renewed every 90 days. I am not able to get hold of the developer who implemented it. We are running on CraftCMS and this is what I found on the CMS. I have no idea how to renew it, any help is really appreciated.

Apache Environment

REDIRECT_SCRIPT_URL /admin/utilities/php-info
REDIRECT_SCRIPT_URI https://www.snackconscious.com/admin/utilities/php-info
REDIRECT_HTTPS on
REDIRECT_SSL_TLS_SNI www.snackconscious.com
REDIRECT_STATUS 200
SCRIPT_URL /admin/utilities/php-info
SCRIPT_URI https://www.snackconscious.com/admin/utilities/php-info
HTTPS on
SSL_TLS_SNI www.snackconscious.com
HTTP_HOST www.snackconscious.com
HTTP_CONNECTION keep-alive
HTTP_UPGRADE_INSECURE_REQUESTS 1
HTTP_USER_AGENT Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
HTTP_REFERER https://www.snackconscious.com/admin/utilities/system-report
HTTP_ACCEPT_ENCODING gzip, deflate, br
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.9
HTTP_COOKIE [redacted]
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.18 (Ubuntu) Server at www.snackconscious.com Port 443</address>
SERVER_SOFTWARE Apache/2.4.18 (Ubuntu)
SERVER_NAME www.snackconscious.com

Bumping this up, any help?

Do you have shared hosting or a VPS or dedicated server? Do you have cPanel?

Thanks for the reply. We are using Hostinger which is an unmanaged VPS, we don’t have cPanel and GoDaddy as our host.

Okay, if it’s an unmanaged VPS and you don’t have cPanel, you’ll probably need to log in via SSH. Do you have that ability?

Yes I do. I used Terminal on my Mac to log in. I tried using “certbot renew” but it says:

“Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)”

I don’t think certbot is installed. Also, the certificate has expired, so does that mean I have to install a new certificate, or can I renew it?

Okay, certbot is definitely installed. Is that the complete output or was there more?

Processing /etc/letsencrypt/renewal/snackconscious.com.conf

Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for snackconscious.com

http-01 challenge for www.snackconscious.com

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (snackconscious.com) from /etc/letsencrypt/renewal/snackconscious.com.conf produced an unexpected error: Failed authorization procedure. www.snackconscious.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.snackconscious.com/.well-known/acme-challenge/CMjxfydfS4NgGleGGkyOQT4POsMr5S32IyxBj2BAglA [31.220.56.204]: "\n\n\n<!–[if IE 7]> <html class=“lt-ie9 lt-ie8”> ", snackconscious.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.snackconscious.com/index.php?p=.well-known/acme-challenge/jzedxf7nDPHvdd0Xq_tSZniYCVVOnJv6vADAz8AoLtA [31.220.56.204]: "\n\n\n<!–[if IE 7]> <html class=“lt-ie9 lt-ie8”> ". Skipping.

Processing /etc/letsencrypt/renewal/staging.snackconscious.com.conf

Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)

/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)

The following certs are not due for renewal yet:

/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem expires on 2019-07-17 (skipped)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)

/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)

The Let’s Encrypt validation service is attempting to retrieve http://snackconscious.com/.well-known/acme-challenge/<challenge> to satisfy the http-01 challenge type and verify that you control the domain.

However, your services appear to be redirecting that request to /index.php?p= - any idea how that might be happening?

Certbot creates the .well-known/acme-challenge/<challenge> file for you, but your HTTP services need to serve it correctly.

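Added example, not part of the original thread: a small shell filter that reads certbot's failure text and reports, for each http-01 failure, whether the URL the validation service ended up fetching still has the `/.well-known/acme-challenge/` path or was rewritten to something else (such as the `/index.php?p=` form seen above). The sample log line is constructed, with placeholder hostnames, tokens and a documentation IP address.

```shell
#!/bin/sh
# Constructed sample: one certbot failure line shaped like the output in this
# thread. Hosts, tokens and the IP address are placeholders, not real values.
SAMPLE_LOG='Attempting to renew cert (shop.example) from /etc/letsencrypt/renewal/shop.example.conf produced an unexpected error: Failed authorization procedure. www.shop.example (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.shop.example/.well-known/acme-challenge/TOKEN_A [192.0.2.10]: "<html>", shop.example (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.shop.example/index.php?p=.well-known/acme-challenge/TOKEN_B [192.0.2.10]: "<html>". Skipping.'

# Reads certbot output on stdin. Prints one line per failed http-01 check:
#   <domain> <verdict> <path that was finally fetched>
# path-intact    : the challenge path was reached, but the body was not the token
# path-rewritten : redirects or rewrites led away from the challenge path
classify_challenge_fetches() {
  # Pull out each "<domain> (http-01): ... Invalid response from <url>" piece.
  grep -oE '[A-Za-z0-9.-]+ \(http-01\): [^"]*Invalid response from [^ ]+' |
  sed -E 's/^([^ ]+) \(http-01\):.* from ([^ ]+)$/\1 \2/' |
  while read -r domain url; do
    # Drop "scheme://host/" so only the path and query string remain.
    path="/${url#*://*/}"
    case "$path" in
      /.well-known/acme-challenge/*) verdict=path-intact ;;
      *)                             verdict=path-rewritten ;;
    esac
    printf '%s %s %s\n' "$domain" "$verdict" "$path"
  done
}

printf '%s\n' "$SAMPLE_LOG" | classify_challenge_fetches
```

On the server the same function can be fed real output with `certbot renew --dry-run 2>&1 | classify_challenge_fetches`.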

I don’t know why it’s redirecting :frowning: I remember the developer creating a site index for the Google console manager - does that make sense?

I really appreciate the help

It might be the default behaviour of the CMS.

What’s in the renewal configuration file?

cat /etc/letsencrypt/renewal/snackconscious.com.conf

(I’m thinking it might be using the webroot plugin, while the apache plugin might handle this situation better…)

renew_before_expiry = 30 days

version = 0.22.2

archive_dir = /etc/letsencrypt/archive/snackconscious.com

cert = /etc/letsencrypt/live/snackconscious.com/cert.pem

privkey = /etc/letsencrypt/live/snackconscious.com/privkey.pem

chain = /etc/letsencrypt/live/snackconscious.com/chain.pem

fullchain = /etc/letsencrypt/live/snackconscious.com/fullchain.pem

Options used in the renewal process

[renewalparams]

authenticator = apache

installer = apache

account = XXX

Your server seems to run Ubuntu 16.04, so you might have some luck upgrading your installation of Certbot. There were some bug fixes since version 0.22.2 that improved how it works with Apache.

The upgrade should be straightforward for you:

apt update
apt install --only-upgrade certbot python-certbot-apache

and then try again:

certbot renew --dry-run

I am a non-developer :slight_smile: :slight_smile: just to clarify, I put this script in my terminal? Also can it be renewed if it’s expired?

(Hm. of course it was already using the apache plugin, I should have noticed that in the log earlier :frowning: )

Yes, enter the commands in the terminal where you logged in to the server with SSH.

And yes, you can renew a certificate after it’s expired.

It says

164 packages can be upgraded. Run 'apt list --upgradable' to see them.

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Looks like it renewed the staging certificate. Veganlabs is the old domain.

Here is the full log:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for snackconscious.com
http-01 challenge for www.snackconscious.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (snackconscious.com) from /etc/letsencrypt/renewal/snackconscious.com.conf produced an unexpected error: Failed authorization procedure. snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.snackconscious.com/index.php?p=.well-known/acme-challenge/3QDxu3vqqe9zTEmQhGUjifN8df4NIvWtLcnnZozFfkY [31.220.56.204]: "\n\n\n<!–[if IE 7]> <html class=“lt-ie9 lt-ie8”> ", www.snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.snackconscious.com/.well-known/acme-challenge/dpCQ03sULQoUNn9C1nFiaJk5qNDnUXbo34YVNY0iqw4 [31.220.56.204]: "\n\n\n<!–[if IE 7]> <html class=“lt-ie9 lt-ie8”> ". Skipping.


Processing /etc/letsencrypt/renewal/staging.snackconscious.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for staging.snackconscious.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem

The following certs could not be renewed:
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Hi,

Did you definitely run the below command?

apt install -y --only-upgrade certbot python-certbot-apache

What does this show?

certbot --version

and let’s get some additional diagnostic information from you:

grep -FRi "index.php?p=" /etc/apache2/{conf,conf.d,sites-enabled}

and

apachectl -t -D DUMP_VHOSTS

Thanks AZ. Let me do it step by step.

grep -FRi "index.php?p=" /etc/apache2/{conf,conf.d,sites-enabled}

grep: /etc/apache2/conf: No such file or directory

grep: /etc/apache2/conf.d: No such file or directory

apachectl -t -D DUMP_VHOSTS

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:15
AH00112: Warning: DocumentRoot [/var/www/snackconscious.com/staging/web] does not exist
AH00112: Warning: DocumentRoot [/var/www/snackconscious.com/staging/web] does not exist
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.veganlabs.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost www.veganlabs.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost staging.veganlabs.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:45)
alias staging.veganlabs.com
port 443 namevhost staging.snackconscious.com (/etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf:2)
alias staging.snackconscious.com
alias snackconscious.com
port 443 namevhost snackconscious.com (/etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf:73)
alias snackconscious.com
alias www.snackconscious.com
*:80 is a NameVirtualHost
default server veganlabs.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost veganlabs.com (/etc/apache2/sites-enabled/000-default.conf:1)
alias veganlabs.com
alias www.veganlabs.com
port 80 namevhost staging.veganlabs.com (/etc/apache2/sites-enabled/000-default.conf:42)
alias staging.veganlabs.com
port 80 namevhost snackconscious.com (/etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf:28)
alias snackconscious.com
alias www.snackconscious.com
port 80 namevhost snackconscious.com (/etc/apache2/sites-enabled/snackconscious.com.conf:1)
alias snackconscious.com
alias www.snackconscious.com
port 80 namevhost staging.snackconscious.com (/etc/apache2/sites-enabled/snackconscious.com.conf:42)
alias staging.snackconscious.com
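
Added example, not part of the original thread: a shell/awk filter for reading `apachectl -t -D DUMP_VHOSTS` output like the listing above. It lists every hostname that more than one virtual host claims on the same port, counting both `namevhost` names and `alias` entries; Apache answers such a name from the first matching virtual host in configuration order, so the later definition is never used for it. The sample dump is constructed, with placeholder hostnames and file names.

```shell
#!/bin/sh
# Constructed sample shaped like `apachectl -t -D DUMP_VHOSTS` output.
# Hostnames and config file names are placeholders.
SAMPLE_DUMP='*:443 is a NameVirtualHost
default server old.example (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost old.example (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost staging.shop.example (/etc/apache2/sites-enabled/shop-le-ssl.conf:2)
alias shop.example
port 443 namevhost shop.example (/etc/apache2/sites-enabled/shop-le-ssl.conf:73)
alias www.shop.example
*:80 is a NameVirtualHost
port 80 namevhost shop.example (/etc/apache2/sites-enabled/shop-le-ssl.conf:28)
alias www.shop.example
port 80 namevhost shop.example (/etc/apache2/sites-enabled/shop.conf:1)
alias www.shop.example'

# Reads a DUMP_VHOSTS listing on stdin. Prints one line per conflict:
#   <port> <hostname> served-by=<first file:line> shadowed=<later file:line>
find_shadowed_names() {
  awk '
    # Record that the current vhost (port, loc) claims this hostname.
    function claim(name,   key) {
      key = port " " name
      if (!(key in owner)) { owner[key] = loc; return }
      # Same file:line means the vhost repeats its own name as an alias.
      if (owner[key] != loc && !((key, loc) in seen)) {
        seen[key, loc] = 1
        print port, name, "served-by=" owner[key], "shadowed=" loc
      }
    }
    $1 == "port" && $3 == "namevhost" {
      port = $2; loc = $5; gsub(/[()]/, "", loc); claim($4); next
    }
    $1 == "alias" && port != "" { claim($2); next }
    { port = "" }   # any other line ends the current vhost entry
  '
}

printf '%s\n' "$SAMPLE_DUMP" | find_shadowed_names
```

On the server the same function can be fed real output with `apachectl -t -D DUMP_VHOSTS 2>/dev/null | find_shadowed_names`.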