Trouble renewing using HTTP-01 when last use TLS-SNI-01

mdonadio · January 18, 2019, 8:32pm

My domain is: My client won’t let me post it here Yeah, I know they are in the public logs…

I ran this command: certbot renew --dry-run as root

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (Xenial)

I can login to a root shell on my machine (yes or no, or I don’t know): yup

I have a server that was built in May/18, and just did a normal certbot --apache and followed the prompts to install the needed certs. Looking back in logs, it looks like is renewed in Nov/18 using TLS-SNI-01. It is due for renewal now, and certbot 0.28.0 is trying to use HTTP-01 and failing.

The original vert covered four domains, each with its own DOCROOT, so the dry run shows

Processing /etc/letsencrypt/renewal/EXAMPLE1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for EXAMPLE4.com
http-01 challenge for EXAMPLE3.com
http-01 challenge for EXAMPLE2.com
http-01 challenge for EXAMPLE1.com
Waiting for verification...
Cleaning up challenges

Then I get an “Invalid response from” because the challenge for EXAMPLE1.com got a 404.

I can wget http://EXAMPLE1.com/.well-known/acme-challenge/foo.txt and get a real file back. I see the 404 in my Apache log from the real challenge.

If I cd to /var/www/EXAMPLE1.com/html/.well-known/acme-challenge I see foo.txt, but I never see and files related to the challenge while certbot renew --dry-run is running.

Oddly, I have a nearly identical setup (but same docroot for all domains), where a Nov renew did TLS-SNI-01 and a certbot renew --dry-run looks fine.

I am not sure where to start debugging this one.

JuergenAuer · January 18, 2019, 8:35pm

Hi @mdonadio

then you have found your correct webroot. So use

certbot run -a webroot -i apache -d example.com -w yourwebroot

and split authentication and installation.

mdonadio · January 18, 2019, 9:03pm

Thanks, that worked and got that domain working (though it creates a new .conf)

Oddly, when I ran certbot renew is ran the HTTP-10 challenges for all four domains in the original conf, and they worked. I would love to know what really happened here but ¯_(ツ)_/¯

mdonadio · January 18, 2019, 10:44pm

Got to the bottom of this.

The virtual host that wouldn’t renew had a line line this in it

ServerHost example1.com # oldexample1.com

Apparently, the apache auth plugin doesn’t like this. Cleaned up all of the vhost config, and regenerated certs, one per vhost with certbot --apache and all is well.

rg305 · January 18, 2019, 11:22pm

So did you replace:
ServerHost example1.com # oldexample1.com
with just:
ServerHost example1.com

? ? ?

mdonadio · January 21, 2019, 8:49pm

@rg305 Correct, removing the comment from the ServerHost directive fixed this. I think this may be a bug in parsing the Apache conf files (may have seen something similar before), but need to spin up a test server to fully verify before I make a GitHub issue.

system · February 20, 2019, 8:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Upgraded certbot renew --dry-run shows it still using tls-sni-01 unless overridden Help	5	2919	February 19, 2019
Certbot - Hard Coded URL Rewrite Means HTTP-01 Challenge Fails on Apache Server	25	8023	June 11, 2017
Here's how to resolve the "Action required" / TLS-SNI-01 issue for Apache plugin users Help	8	1512	March 2, 2019
Renewal attempts, http01 challenge failed for all domains Help	3	10091	April 28, 2019
Problem creating new certificate with http-01 validation Help	18	7086	March 9, 2019

Trouble renewing using HTTP-01 when last use TLS-SNI-01

Related topics