Renews fails from certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bios-living.com - That is my domain. Do you mean HOST - that is admin.bios-living.com

I ran this command:

certbot-auto certonly -d bios-living.com --webroot -w /usr/local/apache2/htdocs --deploy-hook "/usr/local/apache2/bin/apachectl -k graceful

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bios-living.com
Using the webroot path /usr/local/apache2/htdocs for all unmatched domains.
Waiting for verification…
Challenge failed for domain bios-living.com
http-01 challenge for bios-living.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: bios-living.com
  Type: unauthorized
  Detail: Invalid response from
  http://bios-living.com/.well-known/acme-challenge/t0fo78QQMDsMLHOow92GpVLSVO0qIGJg5ST8WTqy2s0
  [96.57.23.85]: "<?xml version=“1.0”
  encoding=“UTF-8”?>\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0
  Strict//EN”\n “http://www.w3.org/TR/xhtml1/D”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version): apache

aps:~ # httpd -v
Server version: Apache/2.4.33 (Linux/SUSE)
Server built: 2020-02-25 09:51:10.000000000 +0000
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
ME

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NEVER

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
aps:~ # certbot-auto --version
certbot 1.3.0

IF i run admin like this:
aps:~ # certbot-auto certonly -d admin.bios-living.com --webroot -w /usr/local/apache2/htdocs --deploy-hook “/usr/local/apache2/bin/apachectl -k graceful”
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.bios-living.com
Using the webroot path /usr/local/apache2/htdocs for all unmatched domains.
Waiting for verification…
Challenge failed for domain admin.bios-living.com
http-01 challenge for admin.bios-living.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: admin.bios-living.com
  Type: unauthorized
  Detail: Invalid response from
  http://admin.bios-living.com/.well-known/acme-challenge/O33LhhjFEScDIIIMPJ_lR69ZxWmcdUD2n3PWuAIjf64
  [96.57.23.85]: "<?xml version=“1.0”
  encoding=“UTF-8”?>\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0
  Strict//EN”\n “http://www.w3.org/TR/xhtml1/D”

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

FWIW - I am defaulting to port 443

<VirtualHost _default_:443>
    ServerName admin.bios-living.com
    ServerAdmin ruben@
    DocumentRoot "/usr/local/apache2/htdocs/admin"
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /var/lib/ca-certificates/pem/bios-living.com.crt
    SSLCertificateKeyFile /etc/ssl/private/bios-living.com.key
    Header set Cache-Control "no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"

    Options Indexes
    <Files *.html>
       SetHandler perl-script
       PerlResponseHandler Embperl
    </Files>
    <Location "/">
      AuthType basic
      AuthName "admin"
      AuthBasicProvider file
      AuthUserFile "/usr/local/apache2/conf/admin.auth"
      Require valid-user
      Options +Indexes +FollowSymLinks
    </Location>
    <Directory "/usr/local/apache2/htdocs/admin/docs/vita">
      Require all granted
      Dav on
      AuthType basic
      AuthName "admin"
      AuthBasicProvider file
      AuthUserFile "/usr/local/apache2/conf/admin.auth"
      Require valid-user
      Options +Indexes +FollowSymLinks
    </Directory>
    <Location "/images">
    </Location>
    CustomLog logs/access_log common
</VirtualHost>

Two problems...

#1
This:

does NOT match this:

#2
LE challenge requests won't be able to Auth

your mixing admin and non admin areas

<VirtualHost *:80>
    ServerName www.bios-living.com
    ServerAdmin ruben@mrbrklyn.com
    DocumentRoot "/usr/local/apache2/htdocs"
    Redirect permanent "/admin" "https://admin.bios-living.com"
    Options Indexes
    <Files *.html>
       SetHandler perl-script
       PerlResponseHandler Embperl
    </Files>
    <Location "/images">
    </Location>
    CustomLog logs/access_log common
</VirtualHost>

<VirtualHost *:80>
   ServerName admin.bios-living.com
   Redirect permanent /  https://admin.bios-living.com/
</VirtualHost>

There is no "bios-living.com", only "www.bios-living.com":

As such, the first (or default) HTTP config will be used to match your request.
You need to add:
ServerAlias bios-living.com
to your config.

Will use the secure ADMIN config:

After the forced HTTP to HTTPS redirection:

I see - this is a problem. I can’t open up the authentication. admin.bios-living.com MUST be locked down with the authentication and open access on 80 can’t be done.

What would be best, if I could, is the set up encryption for all the hosts on domain bios-living.com, including admin.bios-living.com.

aps:~ # certbot-auto certonly -d bios-admin.com --webroot -w /usr/local/apache2/htdocs --deploy-hook "/usr/local/apache2/bin/apachectl -k graceful"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bios-admin.com
Using the webroot path /usr/local/apache2/htdocs for all unmatched domains.
Waiting for verification...
Challenge failed for domain bios-admin.com
http-01 challenge for bios-admin.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bios-admin.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for bios-admin.com -
   check that a DNS record exists for this domain
aps:~ #

Actually, I got it work. I used the wrong domain. This cert will be good for all of bios-living.com?

aps:~ # certbot-auto certonly -d bios-living.com --webroot -w /usr/local/apache2/htdocs --deploy-hook "/usr/local/apache2/bin/apachectl -k graceful"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bios-living.com
Using the webroot path /usr/local/apache2/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: /usr/local/apache2/bin/apachectl -k graceful

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/bios-living.com/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/bios-living.com/privkey.pem
  Your cert will expire on 2020-08-02. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot-auto
  again. To non-interactively renew all of your certificates, run
  "certbot-auto renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
  Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Only for that one name.
[not for *.bios-living.com]

You can resolve your problem by NOT forwarding the HTTP requests to /.well-known/acme-challenge/ folder.

Something like this:

<VirtualHost *:80>
 ServerName admin.bios-living.com
 <location /.well-known/acme-challenge/>
  DocumentRoot /some/unique/path/for/acme/auths
 </location>
 Redirect permanent / https://admin.bios-living.com/ 
</VirtualHost>

OR this:

<VirtualHost *:80>
 ServerName admin.bios-living.com
 DocumentRoot /some/unique/path/for/acme/auths
 RewriteEngine On
 RewriteRule ^\.well-known\/acme-challenge\/ - [L]
 RewriteCond %{HTTPS} !=on
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

In either case, you should create a dedicated unique path to handle all the HTTP auth challenges.
You can then use that path with the --webroot option.

Thank you for your time.

I know I can do this but I am mandated not to do that. All the connections to admin need to redirect, not negotiable.

There is no way to get a certificate for the entire bios-living.com domain? East host needs to have its own certificate?

Then add that logic to the *:443 vhost instead.
[LE will follow the redirection]

That is called a wildcard cert.
You can get one, but it requires DNS authentication (not HTTP).
The catch is in the automation.
You can do it manually but that would require you to do it manually every 90 days (or less).
So to make it work automated, you will need an API that works with your DNS provider.
[note: not all DNS providers support API updates]

Hi

I'm not sure of your point here. That is what is supposed to happen. authentation should happen after authorization. Doing it any other way seems pointless.

I’m NOT referring to how you do auth.
I’m simply stating that LE is forced to AUTH - and it can’t / won’t ever.
[all traffic is being forced to auth]

OK - we are understanding each other. That is true. There is no way to get to admin without authentication, and that is how it should be.

Here is the requirements:

1. http://admin.bios-living.com redirects to https://admin.bios-living.com
2. http://www.bios-living.com redicts to https://www.bios-living.com
3. https//admin.bios-living.com authenticates

There is no port 80 access to admin.bios-living.com through an unecrypted channel

it that a real folder?

If you understand SNI, then you can see how your IP is already accepting unauthenticated traffic (via other names).
Separating the “clear text” traffic via name or path is identical (within the same web server).
If you can’t sleep at night knowing HTTP traffic is being accepted through the ADMIN name, then instead of accepting unauthenticated traffic to the challenge folder via that super secure name, redirect that traffic to a less secure name (still on the same system).
Like:

<VirtualHost *:80>
 ServerName admin.bios-living.com
 <location /.well-known/acme-challenge/>
   Redirect permanent / http://SOME.OTHER.NAME.bios-living.com/ 
 </location>
 Redirect permanent / https://admin.bios-living.com/ 
</VirtualHost>

I changed www.bios-living.com to port 80 just to run certbot. If I have to I can keep 80 open for www, but not admin.

I understnad. But is this a real part of LE or a euphorism for something I should know about, but am evidentely ignorant of

You can do what makes you happy.
But LE needs 80 if only to redirect to 443.
But in all cases it will not authenticate to your system
So plan accordingly.

https://tools.ietf.org/html/rfc8555
Search for “.well-known/acme-challenge”