Tried to renew, ran into ACME Challenge 404


#1

I tried to obtain a new certificate for a lapsed Let’s Encrypt SSL. I’ve never done this before (someone else set up the site and the SSL).

Once I ssh’d into the server, I ran sudo add-apt-repository ppa:certbot/certbot followed by sudo apt-get update and then sudo apt-get install python-certbot-apache.

It did its thing. I agreed to terms, etc., and it produced this output.

The file exists within the /.well-known/acme-challenge/ folder; however, the http redirects to https and then produces a 404.

Given that I am a novice at this, I don’t know what to do next and could use any step-by-step instructions.

The site is live on a CloudFlare SSL with weaker settings than it was before the Let’s Encrypt SSL lapsed without warning.


#2

I think there’s a command and maybe some output missing from your description, after sudo apt-get install python-certbot-apache … (mainly I want to know if you actually used the apache plugin, or webroot)

Could you please also answer the other questions from the questionnaire, if you can?


My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

At that point, I input sudo apt-get install python-certbot-apache and it went through a bunch of lines. There are a few questions it asks along the way about continuing, a bunch more lines about unpacking, selecting, preparing, then I input sudo certbot --apache -d smartjusticeaz.org following these instructions.

It asked for my email address; I accepted the terms and declined to share my email address, which leads to the pastebin link output.

My domain is: smartjusticeaz.org

I ran this command: sudo certbot --apache -d smartjusticeaz.org

It produced this output: (see pastebin link)

My web server is (include version): Apache, not sure version.

The operating system my web server runs on is (include version): Ubuntu 16.04.4 x64

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Not that I am aware of, I didn’t set this up

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#4

Okay, so you used the apache plugin. That should try to temporarily modify one of your Apache VirtualHosts to answer the domain validation challenge. If it doesn’t work as in your case, it may be that it’s picking the wrong one for some reason. Could you share the output of sudo apachectl -S and/or any relevant-looking parts of your Apache configuration?

Alternatively if you know where your DocumentRoot is, you could try the webroot plugin instead, although you would need to install the new certificate yourself if the apache plugin isn’t working. If you want to try that:

sudo certbot certonly --webroot -w /path/to/your/document/root -d smartjusticeaz.org


#5

Here’s everything that appears from sudo apachectl -S available at this pastebin.


#6

Hm. Nothing on port 443 at all? Is Apache even listening on port 443? You weren’t using Cloudflare before? What was handling the HTTPS traffic previously? Do you have a second webserver on the machine?

sudo lsof -i
may help answer these questions.

Is WordPress actually installed in /var/www/html?


#7

Hmmm I just thought of something else… are you using Bitnami?


#8

Ran sudo lsof -i and here’s the result.

I don’t know if they used CloudFlare prior, but it goes domain -> CloudFlare -> DigitalOcean with Let’s Encrypt on DigitalOcean. I set CloudFlare from Full (Strict) to Full to get it back online since the Let’s Encrypt SSL expired.

I don’t know how it was specifically set up previously. When I ls under /var/www/, the folders html and wordpress are separate.

As far as I can tell, there’s no Bitnami.


#9

http forwards to https.
What does the https vhost config look like?
How does it handle the /.well-known/acme-challenge/ requests?


#10

This is what was in the 000-default.conf file.

I’m not sure how to check how it handles the acme-challenge requests. It comes up as 404 when trying to renew the cert and the http forwards to https then renders 404.


#11

There’s no https vhost, as far as I can see from the apachectl output … HTTPS is being handled by Cloudflare. But - again as far as I can tell from the above - Apache isn’t even listening on port 443, so neither of Cloudflare’s “Full” or “Full (Strict)” modes should be working… Are you sure it’s not set to “Flexible”?


#12

Yes, 100% positive.


#13

DocumentRoot /var/www/wordpress/html

For testing, try adding this ‘1234’ file in the expected challenge folder:
mkdir /var/www/wordpress/html/.well-known
mkdir /var/www/wordpress/html/.well-known/acme-challenge
echo "testing" > /var/www/wordpress/html/.well-known/acme-challenge/1234

With any luck, it will be accessible via (both):
http://smartjusticeaz.org/.well-known/acme-challenge/1234
[which should redirect to:]
https://smartjusticeaz.org/.well-known/acme-challenge/1234


#14

Unrelated, but worth mentioning as it should be corrected later:
http://www.smartjusticeaz.org/*
forwards to:
https://smartjusticeaz.org/*

It changes protocols and changes the FQDN (doing both in one step is not recommended)


#15

Successfully created the file. When I go to that URL, it redirects to the https version and comes up 404 still.


#16

Is your server accessible from the Internet?
Can you send your real IP via DM?

It is difficult to tell where the problem is - cloudflare or your server.


#17

Checking your IP now…

ROFL
now I’m stuck to https by HSTS policy…
working around that.
Give me a minute…


#18

wget http://smartjusticeaz.org/.well-known/acme-challenge/1234
--2019-01-15 15:44:32-- http://smartjusticeaz.org/.well-known/acme-challenge/1234
Resolving smartjusticeaz.org (smartjusticeaz.org)… YOUR-IP
Connecting to smartjusticeaz.org (smartjusticeaz.org)|YOUR-IP|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 0
Saving to: ‘1234’

It seemed to get the file but it is size 0 (empty).


#19

I added the word “test” just now.


#20

Ok I do see “test” now.
So the problem seems to be with CloudFlare or the settings used.
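As an added example (not code from the thread, certbot or Cloudflare), a small Python diagnostic that automates the manual checks in #13, #16 and #18: it writes a token into the challenge directory, fetches it over plain HTTP both through the public name and directly to the origin IP with the real Host header, and names which side is failing. The function names, the example.org domain and the 203.0.113.10 origin IP in the __main__ block are assumptions; Python’s http.client stands in for wget.

```python
import http.client
import os

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_token(webroot, token, content="testing"):
    """Create the test file where HTTP-01 expects it (as done by hand in #13)."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as f:
        f.write(content)
    return full

def fetch_plain_http(host, token, connect_to=None, timeout=10):
    """One GET over port 80 with redirects NOT followed. connect_to=<origin IP>
    bypasses Cloudflare while still sending the real Host header (the #16/#18 check)."""
    conn = http.client.HTTPConnection(connect_to or host, 80, timeout=timeout)
    conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return {"status": resp.status, "location": resp.getheader("Location"), "body": body}

def classify(result, expected):
    """Turn one response into a verdict string."""
    if 300 <= result["status"] < 400:
        return "redirect"      # http->https: the HTTPS side must then serve the token
    if result["status"] == 404:
        return "not-found"     # what the thread saw through Cloudflare
    if result["status"] == 200:
        return "ok" if result["body"].strip() == expected else "wrong-body"  # "Length: 0" in #18
    return f"http-{result['status']}"

def diagnose(via_edge, via_origin, expected):
    """Compare the public path with the direct-to-origin path and name the failing side."""
    edge, origin = classify(via_edge, expected), classify(via_origin, expected)
    if origin != "ok":
        return "origin"             # fix the Apache vhost / DocumentRoot before blaming Cloudflare
    if edge != "ok":
        return "in-front-of-origin"  # origin serves it, so proxy/Cloudflare settings are the suspect
    return "ok"

if __name__ == "__main__":
    # Placeholders (assumptions): real domain, origin IP and DocumentRoot go here.
    write_token("/var/www/wordpress/html", "1234")
    public = fetch_plain_http("example.org", "1234")
    direct = fetch_plain_http("example.org", "1234", connect_to="203.0.113.10")
    print(diagnose(public, direct, "testing"))
```

Run it on the server after the DocumentRoot is confirmed with apachectl -S; a "redirect" verdict on the public path is expected when http forwards to https, and the HTTPS side then needs the same check.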