Trouble renewing using HTTP-01 when last use TLS-SNI-01


#1

My domain is: My client won’t let me post it here :frowning: Yeah, I know they are in the public logs…

I ran this command: certbot renew --dry-run as root

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (Xenial)

I can login to a root shell on my machine (yes or no, or I don’t know): yup

I have a server that was built in May/18, and just did a normal certbot --apache and followed the prompts to install the needed certs. Looking back in logs, it looks like is renewed in Nov/18 using TLS-SNI-01. It is due for renewal now, and certbot 0.28.0 is trying to use HTTP-01 and failing.

The original vert covered four domains, each with its own DOCROOT, so the dry run shows

Processing /etc/letsencrypt/renewal/EXAMPLE1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for EXAMPLE4.com
http-01 challenge for EXAMPLE3.com
http-01 challenge for EXAMPLE2.com
http-01 challenge for EXAMPLE1.com
Waiting for verification...
Cleaning up challenges

Then I get an “Invalid response from” because the challenge for EXAMPLE1.com got a 404.

I can wget http://EXAMPLE1.com/.well-known/acme-challenge/foo.txt and get a real file back. I see the 404 in my Apache log from the real challenge.

If I cd to /var/www/EXAMPLE1.com/html/.well-known/acme-challenge I see foo.txt, but I never see and files related to the challenge while certbot renew --dry-run is running.

Oddly, I have a nearly identical setup (but same docroot for all domains), where a Nov renew did TLS-SNI-01 and a certbot renew --dry-run looks fine.

I am not sure where to start debugging this one.


#2

Hi @mdonadio

then you have found your correct webroot. So use

certbot run -a webroot -i apache -d example.com -w yourwebroot

and split authentication and installation.


#3

Thanks, that worked and got that domain working (though it creates a new .conf)

Oddly, when I ran certbot renew is ran the HTTP-10 challenges for all four domains in the original conf, and they worked. I would love to know what really happened here but ¯_(ツ)_/¯


#4

Got to the bottom of this.

The virtual host that wouldn’t renew had a line line this in it

ServerHost example1.com # oldexample1.com

Apparently, the apache auth plugin doesn’t like this. Cleaned up all of the vhost config, and regenerated certs, one per vhost with certbot --apache and all is well.


#5

So did you replace:
ServerHost example1.com # oldexample1.com
with just:
ServerHost example1.com

? ? ?


#6

@rg305 Correct, removing the comment from the ServerHost directive fixed this. I think this may be a bug in parsing the Apache conf files (may have seen something similar before), but need to spin up a test server to fully verify before I make a GitHub issue.


closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.