To date I've never been able to renew my certs

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.gregofamily.org

I ran this command: /usr/bin/dehydrated -c

It produced this output:

Processing gregofamily.org with alternative names: www.gregofamily.org

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version): slackware current

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2

There are a few things I’d like to point to:

  • your HTTPS sites return a 403 Forbidden error; however, trying the challenge file returns a 404 File not found, which suggests you’ve already managed to allow the challenge files to be accessed.
  • your IPv6 is broken. Let’s Encrypt prefers IPv6 over IPv4.
3

Heres my work around to renew my certs.

  1. I edit my httpd.conf file and comment out “#Include /etc/httpd/extra/httpd-ssl.conf”

  2. Then I uncomment the following in the same http.conf file…

Alias /.well-known/acme-challenge /usr/local/dehydrated
<Directory /usr/local/dehydrated>
Options None
AllowOverride None
Require all granted

  1. Next I restart httpd service and run “/usr/bin/dehydrated -c”

No Problem at all. I receive the follow result…
Processing gregofamily.org with alternative names: www.gregofamily.org

  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till May 2 02:46:08 2020 GMT Certificate will expire
    (Less than 30 days). Renewing!
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 2 authorizations URLs from the CA
  • Handling authorization for gregofamily.org
  • Handling authorization for www.gregofamily.org
  • 2 pending challenge(s)
  • Deploying challenge tokens…
  • Responding to challenge for gregofamily.org authorization…
  • Challenge is valid!
  • Responding to challenge for www.gregofamily.org authorization…
  • Challenge is valid!
  • Cleaning challenge tokens…
  • Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
  • Done!

My question is why do I have to manually go through this procedure every time I update my certifications and does this have to do with my IP6 not working properly.

Thanks in advance. Just trying to understand the process.

4

Why wouldn't you let that part you uncommented just uncommented? That Alias is what makes dehydrated work. Nothing else uses /usr/local/dehydrated I assume, so it shouldn't be a security risk or something. Although personally, I perhaps would have chosen another location, probably somewhere on /var/.
Also, is it really necessary to comment out httpd-ssl.conf?

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.