Trouble renewing SSL cert using lego

I've been struggling to renew my SSL cert for the last several days. I've checked letsdebug.net and get an "OK". I'm using a Bitnami stack and followed the instructions here:

https://docs.bitnami.com/aws/how-to/understand-bncert/#resetting-the-certificates

I'm considering following the instructions for Resetting the Certificates from the above page but it's not clear to me whether I would be able to create new certs after that?

I also tried bncert_tool but it warns:

Warning: A certificate for the list of domains you entered already exists. It
will be used instead of generating a new one.

Appreciate your help...

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ca-17.com

I ran this command: sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="myemail@address.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=ca-17.com renew --days 90

It produced this output:
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: Trying renewal with 220 hours remaining
2021/07/13 18:27:30 [INFO] [ca-17.com, www.ca-17.com] acme: Obtaining bundled SAN certificate
2021/07/13 18:27:30 [INFO] [ca-17.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125172
2021/07/13 18:27:30 [INFO] [www.ca-17.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125174
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: Could not find solver for: tls-alpn-01
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: use http-01 solver
2021/07/13 18:27:30 [INFO] [www.ca-17.com] acme: Could not find solver for: tls-alpn-01
2021/07/13 18:27:30 [INFO] [www.ca-17.com] acme: use http-01 solver
2021/07/13 18:27:30 [INFO] [ca-17.com] acme: Trying to solve HTTP-01
2021/07/13 18:27:37 [INFO] [www.ca-17.com] acme: Trying to solve HTTP-01
2021/07/13 18:27:44 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125172
2021/07/13 18:27:44 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125172
2021/07/13 18:27:44 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125174
2021/07/13 18:27:45 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/14793125174
2021/07/13 18:27:45 error: one or more domains had a problem:
[ca-17.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://ca-17.com/ [35.164.46.189]: "<html lang="en"><script src="https://www.googleoptimize.com/optimize.js?id=OPT-WG2B7BH"><!-- Googl"
[www.ca-17.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://ca-17.com/ [35.164.46.189]: "<html lang="en"><script src="https://www.googleoptimize.com/optimize.js?id=OPT-WG2B7BH"><!-- Googl"

My web server is (include version): Apache/2.4.43 (Unix)

The operating system my web server runs on is (include version): SMP Debian 4.19.194-1 (2021-06-10) x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): lego version 4.3.1 linux/amd64

Hi @strefethen, and welcome to the LE community forum :)

I see a redirection problem with the expected challenge file location (and all others too):

curl -Iki http://ca-17.com/.well-known/acme-challenge/test-file-1234
HTTP/1.1 302 Found
Date: Wed, 14 Jul 2021 02:03:13 GMT
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1d
Location: https://ca-17.com/
Content-Type: text/html; charset=iso-8859-1

Thanks for such a quick response!

I've changed my apache config and now the URL you gave above returns a stock apache 404. Is that what's expected? There is no file by that name but lego still fails with the same 403 error as mentioned above.

I suspect that's my last lego try for the next hour.

Again, really appreciate the help.

1 Like

No.
If it is going to redirect all HTTP connections to HTTPS, it has to keep the URL(uri) intact and only change the protocol from HTTP to HTTPS.
So that:
http://ca-17.com/.well-known/acme-challenge/test-file-1234
redirects to:
https://ca-17.com/.well-known/acme-challenge/test-file-1234
NOT TO:
https://ca-17.com/

1 Like
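A small check script for the rule rg305 states above, added here as an example and not code from the thread or from lego/Bitnami: it classifies a `curl -I` response for the challenge URL as acceptable (no redirect, or a redirect that keeps the path) or broken (a redirect to the site root). The function names and the sample header blocks are constructed for the example; the dummy path is the one used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an HTTP->HTTPS redirect
# the way rg305 describes. For HTTP-01 a redirect is fine only if it keeps the
# /.well-known/acme-challenge/ path and changes nothing but the scheme.

# Pure check, no network: args are host, request path, Location header value.
# Returns 0 when Location is exactly https://<host><path>.
redirect_keeps_path() {
    [ "$3" = "https://$1$2" ]
}

# Classify raw response headers (as printed by curl -I) for one challenge URL.
# Returns 0 when the CA can reach the token, 1 when the challenge will fail.
classify_headers() {
    host="$1"; path="$2"
    headers=$(printf '%s\n' "$3" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    case "$status" in
        200|404)
            # No redirect: a 404 for a dummy file is expected, lego only
            # writes the real token while the challenge is running.
            echo "ok: status $status, no redirect"; return 0 ;;
        301|302|307|308)
            location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2}')
            if redirect_keeps_path "$host" "$path" "$location"; then
                echo "ok: redirect keeps the challenge path ($location)"; return 0
            fi
            echo "BROKEN: redirect drops the path ($location)"; return 1 ;;
        *)
            echo "unexpected status '$status'"; return 1 ;;
    esac
}

# Live check: the same curl -I the thread used, without following redirects.
check_acme_redirect() {
    path="/.well-known/acme-challenge/test-file-1234"
    headers=$(curl -sSI --max-time 10 "http://$1$path") || return 2
    classify_headers "$1" "$path" "$headers"
}

# Constructed sample: the broken response quoted earlier in the thread.
BROKEN_SAMPLE='HTTP/1.1 302 Found
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1d
Location: https://ca-17.com/
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample: what a path-preserving redirect looks like.
GOOD_SAMPLE='HTTP/1.1 301 Moved Permanently
Location: https://ca-17.com/.well-known/acme-challenge/test-file-1234'
```

Run `check_acme_redirect ca-17.com` after changing the Apache config; an exit status of 0 means the challenge URL is reachable the way Let's Encrypt needs it.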

@rg305 I really can't thank you enough. Quick and spot on responses have helped me solve my problem AND fix a problem in my site configuration. Certs are now updated.

I have to say, I just joined this community after having used Let's Encrypt for years prior with no issues and this was a great community experience. I joined and after searching for my issue I was greeted with a "thanks for spending time with us" note and when I finally posted I got immediate help. So good.

Thank you.

3 Likes
