Trouble renewing SSL cert using lego

Help
1

I've been struggling to renew my SSL cert for the last several days. I've checked letsdebug.net and get an "OK". I'm using a bitnami stack and followed the instructions here:

https://docs.bitnami.com/aws/how-to/understand-bncert/#resetting-the-certificates

I'm considering following the instructions for Resetting the Certificates from the above page but it's not clear to me whether I would be able to create new certs after that?

I also tried bncert_tool but it warns:

Warning: A certificate for the list of domains you entered already exists. It
will be used instead of generating a new one.

Appreciate your help...

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ca-17.com

I ran this command: sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="myemail@address.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=ca-17.com renew --days 90

It produced this output:
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: Trying renewal with 220 hours remaining
2021/07/13 18:27:30 [INFO] [ca-17.com, www.ca-17.com] acme: Obtaining bundled SAN certificate
2021/07/13 18:27:30 [INFO] [ca-17.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125172
2021/07/13 18:27:30 [INFO] [www.ca-17.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125174
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: Could not find solver for: tls-alpn-01
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: use http-01 solver
2021/07/13 18:27:30 [INFO] [www.ca-17.com] acme: Could not find solver for: tls-alpn-01
2021/07/13 18:27:30 [INFO] [www.ca-17.com] acme: use http-01 solver
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: Trying to solve HTTP-01
2021/07/13 18:27:37 [INFO] [www.ca-17.com] acme: Trying to solve HTTP-01
2021/07/13 18:27:44 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125172
2021/07/13 18:27:44 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125172
2021/07/13 18:27:44 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125174
2021/07/13 18:27:45 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125174
2021/07/13 18:27:45 error: one or more domains had a problem:
[ca-17.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://ca-17.com/ [35.164.46.189]: "<html lang="en"><script src="https://www.googleoptimize.com/optimize.js?id=OPT-WG2B7BH"><!-- Googl"
[www.ca-17.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://ca-17.com/ [35.164.46.189]: "<html lang="en"><script src="https://www.googleoptimize.com/optimize.js?id=OPT-WG2B7BH"><!-- Googl"

My web server is (include version): Apache/2.4.43 (Unix)

The operating system my web server runs on is (include version): SMP Debian 4.19.194-1 (2021-06-10) x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): lego version 4.3.1 linux/amd64

2

Hi @strefethen, and welcome to the LE community forum :slight_smile:

I see a redirection problem with the expected challenge file location (and all others too):

curl -Iki http://ca-17.com/.well-known/acme-challenge/test-file-1234
HTTP/1.1 302 Found
Date: Wed, 14 Jul 2021 02:03:13 GMT
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1d
Location: https://ca-17.com/
Content-Type: text/html; charset=iso-8859-1
3

Thanks for such a quick response!

I've changed my apache config and now the URL you gave above returns a stock apache 404. Is that what's expected? There is no file by that name but lego still fails with the same 403 error as mentioned above.

I suspect that's my last lego try for the next hour.

Again, really appreciate the help.

1 Like
4

No.
If it is going to redirect all HTTP connections to HTTPS, it has to keep the URL(uri) intact and only change the protocol from HTTP to HTTPS.
So that:
http://ca-17.com/.well-known/acme-challenge/test-file-1234
redirects to:
https://ca-17.com/.well-known/acme-challenge/test-file-1234
NOT TO:
https://ca-17.com/

1 Like
5

@rg305 I really can't thank you enough. Quick and spot on responses have helped me solve my problem AND fix a problem in my site configuration. Certs are now updated.

I have to say, I just joined this community after having used Let's Encrypt for years prior with no issues and this was a great community experience. I joined and after searching for my issue I was greeted with a "thanks for spending time with us" note and when I finally posted I got immediate help. So good.

Thank you.

3 Likes
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.