My domain is: My client won’t let me post it here Yeah, I know they are in the public logs…
I ran this command:
certbot renew --dry-run as root
My web server is (include version): Apache/2.4.18
The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (Xenial)
I can login to a root shell on my machine (yes or no, or I don’t know): yup
I have a server that was built in May/18, and just did a normal
certbot --apache and followed the prompts to install the needed certs. Looking back in logs, it looks like is renewed in Nov/18 using TLS-SNI-01. It is due for renewal now, and certbot 0.28.0 is trying to use HTTP-01 and failing.
The original vert covered four domains, each with its own DOCROOT, so the dry run shows
Processing /etc/letsencrypt/renewal/EXAMPLE1.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert is due for renewal, auto-renewing... Plugins selected: Authenticator apache, Installer apache Renewing an existing certificate Performing the following challenges: http-01 challenge for EXAMPLE4.com http-01 challenge for EXAMPLE3.com http-01 challenge for EXAMPLE2.com http-01 challenge for EXAMPLE1.com Waiting for verification... Cleaning up challenges
Then I get an “Invalid response from” because the challenge for EXAMPLE1.com got a 404.
wget http://EXAMPLE1.com/.well-known/acme-challenge/foo.txt and get a real file back. I see the 404 in my Apache log from the real challenge.
cd to /var/www/EXAMPLE1.com/html/.well-known/acme-challenge I see foo.txt, but I never see and files related to the challenge while
certbot renew --dry-run is running.
Oddly, I have a nearly identical setup (but same docroot for all domains), where a Nov renew did TLS-SNI-01 and a
certbot renew --dry-run looks fine.
I am not sure where to start debugging this one.