To date I've never been able to renew my certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.gregofamily.org

I ran this command: /usr/bin/dehydrated -c

It produced this output:

Processing gregofamily.org with alternative names: www.gregofamily.org

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version): slackware current

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

There are a few things I’d like to point to:

  • your HTTPS sites return a 403 Forbidden error; however, trying the challenge file returns a 404 File not found, which suggests you’ve already managed to allow the challenge files to be accessed.
  • your IPv6 is broken. Let’s Encrypt prefers IPv6 over IPv4.

Here's my workaround to renew my certs.

  1. I edit my httpd.conf file and comment out “#Include /etc/httpd/extra/httpd-ssl.conf”

  2. Then I uncomment the following in the same httpd.conf file…

Alias /.well-known/acme-challenge /usr/local/dehydrated
<Directory /usr/local/dehydrated>
Options None
AllowOverride None
Require all granted
</Directory>

  3. Next I restart httpd service and run “/usr/bin/dehydrated -c”

No problem at all. I receive the following result…
Processing gregofamily.org with alternative names: www.gregofamily.org

  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till May 2 02:46:08 2020 GMT Certificate will expire
    (Less than 30 days). Renewing!
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 2 authorizations URLs from the CA
  • Handling authorization for gregofamily.org
  • Handling authorization for www.gregofamily.org
  • 2 pending challenge(s)
  • Deploying challenge tokens…
  • Responding to challenge for gregofamily.org authorization…
  • Challenge is valid!
  • Responding to challenge for www.gregofamily.org authorization…
  • Challenge is valid!
  • Cleaning challenge tokens…
  • Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
  • Done!

My question is: why do I have to manually go through this procedure every time I update my certifications, and does this have to do with my IPv6 not working properly?

Thanks in advance. Just trying to understand the process.

Why wouldn’t you just leave the part you uncommented uncommented? That Alias is what makes dehydrated work. Nothing else uses /usr/local/dehydrated I assume, so it shouldn’t be a security risk or something. Although personally, I perhaps would have chosen another location, probably somewhere on /var/.
Also, is it really necessary to comment out httpd-ssl.conf?
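An added example, not part of the thread: a small Python check that reads httpd.conf text and reports whether the challenge Alias, its `<Directory>` grant and the httpd-ssl.conf Include are active or commented out, which is the state the workaround toggles by hand. The function names and both sample configs are constructed for illustration; that the alias and the SSL Include can stay enabled together is an assumption taken from the reply's suggestion, not something the thread confirms.

```python
import re

CHALLENGE_URL = "/.well-known/acme-challenge"

# Constructed samples: the everyday state the post implies (SSL on, alias
# commented out) and the state the reply suggests (alias left enabled).
EVERYDAY = """\
Include /etc/httpd/extra/httpd-ssl.conf
#Alias /.well-known/acme-challenge /usr/local/dehydrated
#<Directory /usr/local/dehydrated>
#Require all granted
#</Directory>
"""
PERMANENT = """\
Include /etc/httpd/extra/httpd-ssl.conf
Alias /.well-known/acme-challenge /usr/local/dehydrated
<Directory /usr/local/dehydrated>
Options None
AllowOverride None
Require all granted
</Directory>
"""

def audit(conf_text):
    """Report which renewal-relevant directives are active (not commented)."""
    result = {"alias_dir": None, "dir_granted": False, "ssl_included": False}
    current_dir, granted = None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        alias = re.match(r'Alias\s+(\S+)\s+"?([^"\s]+)"?$', line, re.I)
        block = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if alias and alias.group(1).rstrip("/") == CHALLENGE_URL:
            result["alias_dir"] = alias.group(2).rstrip("/")
        elif block:
            current_dir = block.group(1).rstrip("/")
        elif line.lower() == "</directory>":
            current_dir = None
        elif current_dir and re.match(r"Require\s+all\s+granted$", line, re.I):
            granted.add(current_dir)
        elif re.match(r"Include(Optional)?\s+\S*httpd-ssl\.conf$", line, re.I):
            result["ssl_included"] = True
    result["dir_granted"] = result["alias_dir"] in granted
    return result

def renewal_ready(conf_text):
    """True when the challenge alias is live and its directory is readable."""
    state = audit(conf_text)
    return state["alias_dir"] is not None and state["dir_granted"]
```

Run against the real file with `renewal_ready(open("/etc/httpd/httpd.conf").read())` (path assumed) before calling `dehydrated -c`; it only inspects the one file passed in and does not follow Include directives.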
