Renewing SSL Certificate - non technical

I believe the problem is related to the duplication of port 80 namevhost snackconscious.com in the above.

But if your Certbot was upgraded, I believe the problem would be resolved. So I await your response regarding the other questions about upgrading and certbot --version.

This is what I got
Hit:1 Index of /ubuntu xenial-security InRelease
Hit:2 Index of /ubuntu xenial InRelease
Hit:3 Index of /ubuntu xenial InRelease
Hit:4 Index of /ubuntu xenial-updates InRelease
Hit:5 Index of /certbot/certbot/ubuntu xenial InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
164 packages can be upgraded. Run 'apt list --upgradable' to see them.

That's the output of apt update.

Can you run these two individually please:

and

apt install -y --only-upgrade certbot python-certbot-apache

Reading package lists… Done
Building dependency tree
Reading state information… Done
certbot is already the newest version (0.31.0-1+ubuntu16.04.1+certbot+1).
python-certbot-apache is already the newest version (0.31.0-1+ubuntu16.04.1+certbot+1).
0 upgraded, 0 newly installed, 0 to remove and 160 not upgraded.

certbot --version
certbot 0.31.0

Looks like I had to type in Y for the disk space, so it might have upgraded it now.

Shall I run: certbot renew --dry-run

Alright. Let’s try again with:

certbot renew --dry-run

The vegan and staging ones will fail (since they don’t point to this server), but hopefully the live site will succeed.

This is what I got:

Processing /etc/letsencrypt/renewal/snackconscious.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for snackconscious.com
http-01 challenge for www.snackconscious.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (snackconscious.com) from /etc/letsencrypt/renewal/snackconscious.com.conf produced an unexpected error: Failed authorization procedure. www.snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.snackconscious.com/.well-known/acme-challenge/7X2Rzrk4N8iXrF-vDrZBxNfIHLOMMhnnbJg1CS8jLyg [31.220.56.204]: "\n\n\n<!--[if IE 7]> <html class="lt-ie9 lt-ie8"> ", snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.snackconscious.com/index.php?p=.well-known/acme-challenge/a6AH4CTpwIYZqhCpKmCW4xlpeF7k0hcdenaMWLG2Awc [31.220.56.204]: "\n\n\n<!--[if IE 7]> <html class="lt-ie9 lt-ie8"> ". Skipping.

Processing /etc/letsencrypt/renewal/staging.snackconscious.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem

Processing /etc/letsencrypt/renewal/www.veganlabs.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for staging.veganlabs.com
http-01 challenge for www.veganlabs.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.veganlabs.com) from /etc/letsencrypt/renewal/www.veganlabs.com.conf produced an unexpected error: Failed authorization procedure. www.veganlabs.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.snackconscious.com/.well-known/acme-challenge/A9NITjUo4rSUXqUnJmqVWGNGNYZOecxO4kLqeYkmXU8 [31.220.56.204]: "\n\n\n<!--[if IE 7]> <html class="lt-ie9 lt-ie8"> ", staging.veganlabs.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for staging.veganlabs.com. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/staging.snackconscious.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.veganlabs.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Upgrading didn’t help :frowning: . It seems like Certbot’s Apache plugin is having a hard time understanding how to work with your Apache configuration.

Next thing I’d try is to post the contents of these two files:

  • /etc/apache2/sites-enabled/snackconscious.com.conf
  • /etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf

Same F1289 user; for some reason I can’t post more replies since I am a new user.

Oh I had to change the server password since the developer is not with us, not sure if that has any bearing. So I need to update it anywhere?

No, it wouldn’t make any difference.


How do I do this - sorry :frowning:

One way could be to run:

cat /etc/apache2/sites-enabled/snackconscious.com.conf

and

cat /etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf

and it would show the contents of the file on your terminal, from which you could copy it.

cat /etc/apache2/sites-enabled/snackconscious.com.conf

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerName snackconscious.com
	ServerAlias snackconscious.com www.snackconscious.com
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/snackconscious.com/html/web

	<Directory /var/www/snackconscious.com/html/web>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	#RewriteEngine on
	#RewriteCond %{SERVER_NAME} =www.snackconscious.com
	#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>             

<VirtualHost *:80>
        ServerName staging.snackconscious.com
	ServerAlias staging.snackconscious.com
        ServerAdmin me@example.com
        DocumentRoot /var/www/snackconscious.com/staging/web

        <Directory /var/www/snackconscious.com/staging/web>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

	#RewriteEngine on
	#RewriteCond %{SERVER_NAME} =staging.snackconscious.com
	#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

cat /etc/apache2/sites-enabled/snackconscious.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName staging.snackconscious.com
	ServerAlias staging.snackconscious.com
        ServerAdmin me@example.com
        DocumentRoot /var/www/snackconscious.com/staging/web

        <Directory /var/www/snackconscious.com/staging/web>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	#RewriteCond %{SERVER_NAME} =staging.snackconscious.com
	#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias snackconscious.com
SSLCertificateFile /etc/letsencrypt/live/snackconscious.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/snackconscious.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerName snackconscious.com
	ServerAlias snackconscious.com www.snackconscious.com
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/snackconscious.com/html/web

	<Directory /var/www/snackconscious.com/html/web>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

#RewriteCond %{SERVER_NAME} =www.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerName snackconscious.com
	ServerAlias snackconscious.com www.snackconscious.com
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/snackconscious.com/html/web

	<Directory /var/www/snackconscious.com/html/web>
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
	RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

#RewriteCond %{SERVER_NAME} =www.snackconscious.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/snackconscious.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/snackconscious.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Thanks. Let me have breakfast and I’ll see whether I can get that working on my own system.


OMG thank you az, I would love to donate to you

I’m afraid it still doesn’t make much sense to me. Based on your upgraded Certbot version, what’s happening shouldn’t be happening.

That Craft CMS is intercepting the validation requests on your server is not right - Certbot 0.31 should be preventing that.

Your config on my system works just fine :frowning: .

The last idea I have is to just try webroot:

certbot renew --cert-name snackconscious.com --webroot -w /var/www/snackconscious.com/html/web --dry-run
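Picking the per-domain causes out of those very long certbot failure lines is tedious, so here is a small triage script, added as an example (my code, not from this thread or the Certbot project). It parses the "Failed authorization procedure" records of a `certbot renew --dry-run` run into (lineage, domain, error type, verdict), distinguishing the CMS front-controller interception and HTML-instead-of-token cases discussed above from a plain NXDOMAIN; the sample output is constructed to match the shape quoted earlier in the thread, with tokens shortened.

```python
import re

# Constructed sample shaped like the 'certbot renew --dry-run' failures quoted earlier in this
# thread (tokens shortened, response bodies trimmed); the IP and names are the ones the thread shows.
SAMPLE = (
    "Attempting to renew cert (snackconscious.com) from /etc/letsencrypt/renewal/snackconscious.com.conf"
    " produced an unexpected error: Failed authorization procedure. www.snackconscious.com (http-01):"
    " urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid"
    " response from http://www.snackconscious.com/.well-known/acme-challenge/TOKEN1 [31.220.56.204]:"
    ' "\\n\\n<!--[if IE 7]> <html> ", snackconscious.com (http-01): urn:ietf:params:acme:error:unauthorized'
    " :: The client lacks sufficient authorization :: Invalid response from"
    " https://www.snackconscious.com/index.php?p=.well-known/acme-challenge/TOKEN2 [31.220.56.204]:"
    ' "\\n<!--[if IE 7]> ". Skipping.\n'
    "Attempting to renew cert (www.veganlabs.com) from /etc/letsencrypt/renewal/www.veganlabs.com.conf"
    " produced an unexpected error: Failed authorization procedure. staging.veganlabs.com (http-01):"
    " urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify"
    " the domain :: dns :: DNS problem: NXDOMAIN looking up A for staging.veganlabs.com. Skipping.\n"
)

# One "Attempting to renew cert (...) ... Skipping." record per certificate lineage.
FAILURE = re.compile(
    r"Attempting to renew cert \((?P<lineage>[^)]+)\) from \S+ produced an unexpected error: "
    r"Failed authorization procedure\. (?P<body>.*?)\. Skipping\.", re.DOTALL)
# One "<domain> (<challenge>): urn:ietf:params:acme:error:<type> :: <detail>" entry per domain;
# entries are comma-separated, so a detail ends where the next entry starts or the body ends.
ENTRY = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): urn:ietf:params:acme:error:(?P<error>\w+) :: "
    r"(?P<detail>.*?)(?=, [\w.-]+ \([\w-]+\): urn:ietf|$)", re.DOTALL)
URL = re.compile(r"Invalid response from (\S+) \[")

def verdict(error, detail):
    """Likely cause of one failed authorization, in the terms this thread worked through."""
    if error == "connection" and "NXDOMAIN" in detail:
        return "name does not resolve; remove it from the certificate or fix DNS"
    if error == "unauthorized":
        m = URL.search(detail)
        url = m.group(1) if m else ""
        body = detail.rsplit(': "', 1)[-1].replace("\\n", "").lstrip()  # what the CA actually got
        if "index.php?p=" in url:
            return "challenge URL rewritten into the CMS front controller; use --webroot so the token is a real file"
        if body.startswith("<"):
            return "application served an HTML page instead of the token; use --webroot"
    return "unclassified " + error

def triage(output):
    """Return (lineage, domain, error type, verdict) for every failed authorization in certbot output."""
    return [(f["lineage"], e["domain"], e["error"], verdict(e["error"], e["detail"]))
            for f in FAILURE.finditer(output) for e in ENTRY.finditer(f["body"])]
```

Feed it the saved `/var/log/letsencrypt/letsencrypt.log` or the terminal output with `triage(open(path).read())`; a successful run yields an empty list.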

This won’t cause any problem to the server, right?

No, it’ll just create a file inside your webroot and then delete it afterwards. Won’t affect the site or server.

This is what I got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/snackconscious.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for snackconscious.com
http-01 challenge for www.snackconscious.com
Using the webroot path /var/www/snackconscious.com/html/web for all unmatched domains.
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/snackconscious.com/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/snackconscious.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


:partying_face:

You can remove the --dry-run from the end of the command and run it again.

This will actually renew your certificate, and additionally save that setting for future renewals. So next time it’ll be automatic.

We should have tried this a lot earlier but I wanted to get your existing config working.

WOW YAY YAY

Is this the code I run? certbot renew --cert-name snackconscious.com --webroot -w /var/www/snackconscious.com/html/web