Trying to renew certificate - almost fixed!


#1

I have two websites on a Virtual Host. Running Apache2 and Ubuntu 14.04. I got the certificate to work for onlinedegreedatabase.com and now it is expiring so I need to renew it. I downloaded certbot-auto and ran it with verbose. This is the result: (any suggestions would be appreciated)


Processing /etc/letsencrypt/renewal/onlinedegreedatabase.com.conf

2016-05-31 14:28:21,209:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2016-05-31 14:28:21,486:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-31 14:28:22,067:INFO:certbot.auth_handler:Performing the following challenges:
2016-05-31 14:28:22,067:INFO:certbot.auth_handler:http-01 challenge for onlinedegreedatabase.com
2016-05-31 14:28:22,067:INFO:certbot.auth_handler:http-01 challenge for www.onlinedegreedatabase.com
2016-05-31 14:28:22,077:INFO:certbot.auth_handler:Waiting for verification…
2016-05-31 14:28:25,551:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: onlinedegreedatabase.com
Type: unauthorized
Detail: Invalid response from http://onlinedegreedatabase.com/.well-known/acme-challenge/QBgtSVZDa-8ytKRZEuCBwnSUZ0z8Aj47Rf0Xf4mrVmc: "

404 Not Found

Not Found

<p"

Domain: www.onlinedegreedatabase.com
Type: unauthorized
Detail: Invalid response from http://www.onlinedegreedatabase.com/.well-known/acme-challenge/CB02GFlfGaPwMP_IaaulZ38yIVUlXBk62f4gDtFi9tI: "

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2016-05-31 14:28:25,551:INFO:certbot.auth_handler:Cleaning up challenges
2016-05-31 14:28:25,552:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/onlinedegreedatabase.com.conf produced an unexpected error: Failed authorization procedure. onlinedegreedatabase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://onlinedegreedatabase.com/.well-known/acme-challenge/QBgtSVZDa-8ytKRZEuCBwnSUZ0z8Aj47Rf0Xf4mrVmc: "

404 Not Found

Not Found

<p", www.onlinedegreedatabase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.onlinedegreedatabase.com/.well-known/acme-challenge/CB02GFlfGaPwMP_IaaulZ38yIVUlXBk62f4gDtFi9tI: " 404 Not Found

Not Found

<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/onlinedegreedatabase.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#2

Hi @douglas, do you know what command you used to get the certificate originally? Has anything changed in the server configuration there?

If you manually create some files inside of /.well-known/acme-challenge in your server’s webroot (like /.well-known/acme-challenge/test.txt), can you see them in a web browser if you go to the corresponding URLs on the web sites?


#3

Thanks so much for responding.

I can see those files:
Index of /.well-known/acme-challenge

[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[TXT] test.txt 2016-05-31 17:14 14
Apache/2.4.7 (Ubuntu) Server at www.onlinedegreedatabase.com Port 80

Because it was a Virtual server, I had to use the certonly command. I tried to renew and when that didn’t work, I tried changing my server configuration. Previously it was /var/www/html/project.com/ and now it is /var/www/onlinedegreedatabase.com/public_html/

I can get to the site fine right now.


#4

Aha! I think changing the directory of your webroot is exactly the trouble, because the client has saved the original location and is still trying to use it for renewal purposes.

If you edit the file /etc/letsencrypt/renewal/onlinedegreedatabase.com.conf and find the place where /var/www/html/project.com is mentioned, you can replace it with /var/www/onlinedegreedatabase.com/public_html and then the renewal process should complete successfully. You may also be able to achieve the same thing with

certbot certonly --force-renewal -a webroot -d www.onlinedegreedatabase.com -w /var/www/onlinedegreedatabase.com/public_html -d onlinedegreedatabase.com -w /var/www/onlinedegreedatabase.com/public_html

although editing the onlinedegreedatabase.com.conf is more certain, if you have a text editor on that machine that you’re comfortable with.
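An added example, not from this thread and not certbot's own code, that does what #2 and #4 describe as a pre-flight check: it reads the per-domain webroots recorded in a renewal conf and verifies each one exists and can hold a token under /.well-known/acme-challenge, so a stale path like the old /var/www/html/project.com is caught before "certbot renew" hits the 404s above. The conf layout it parses ([renewalparams] with a [[webroot_map]] subsection) is certbot's; the abbreviated sample conf, the temp paths and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for certbot's webroot renewal.
# Reads the per-domain webroots recorded in a renewal conf and verifies
# that each exists and can serve a token from .well-known/acme-challenge.

# Print "domain path" pairs from the [[webroot_map]] subsection of a
# renewal conf (certbot writes one "domain = /webroot" line per name).
webroot_map_entries() {
    awk '
        /^\[\[webroot_map\]\]/ { inmap = 1; next }
        /^\[/                  { inmap = 0 }
        inmap && /=/           { sub(/[ \t]*=[ \t]*/, " "); print }
    ' "$1"
}

# Check every webroot in the conf. Returns 0 when all are usable, 1 otherwise.
check_renewal_webroots() {
    conf="$1"
    failures=0
    entries=$(webroot_map_entries "$conf")
    # Here-doc rather than a pipe, so the loop runs in this shell and
    # "failures" survives the loop.
    while read -r domain root; do
        [ -n "$domain" ] || continue
        challenge_dir="$root/.well-known/acme-challenge"
        if [ ! -d "$root" ]; then
            echo "FAIL $domain: webroot $root does not exist (stale path in $conf?)" >&2
            failures=$((failures + 1))
            continue
        fi
        mkdir -p "$challenge_dir" 2>/dev/null
        token="$challenge_dir/webroot-check-$$"
        if printf 'ok\n' > "$token" 2>/dev/null && [ "$(cat "$token")" = "ok" ]; then
            echo "OK   $domain: token written and read back under $challenge_dir"
        else
            echo "FAIL $domain: cannot write a token under $challenge_dir" >&2
            failures=$((failures + 1))
        fi
        rm -f "$token"
    done <<EOF
$entries
EOF
    [ "$failures" -eq 0 ]
}

# Write a constructed, abbreviated renewal conf (the real file carries more
# keys) whose two names both map to the webroot given as $2.
write_sample_conf() {
    cat > "$1" <<EOF
[renewalparams]
authenticator = webroot
webroot_path = $2,
[[webroot_map]]
onlinedegreedatabase.com = $2
www.onlinedegreedatabase.com = $2
EOF
}

# Demonstration in a temp directory: first a conf that still names the old
# webroot (the situation in this thread), then the corrected one.
webroot_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/www/onlinedegreedatabase.com/public_html"
    write_sample_conf "$tmp/stale.conf" "$tmp/var/www/html/project.com"
    check_renewal_webroots "$tmp/stale.conf" || echo "stale.conf: certbot renew would get 404s"
    write_sample_conf "$tmp/fixed.conf" "$tmp/var/www/onlinedegreedatabase.com/public_html"
    check_renewal_webroots "$tmp/fixed.conf" && echo "fixed.conf: ready to renew"
    rm -rf "$tmp"
}
webroot_demo
```

On a real box run it as the user certbot runs as (`check_renewal_webroots /etc/letsencrypt/renewal/onlinedegreedatabase.com.conf`); a directory that exists but is not writable for that user fails the same way a stale path does, which is the other common cause of the 404 above.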


#5

When I change the file, I still fail on the renew: Log here

2016-05-31 17:36:59,456:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/onlinedegreedatabase.com.conf produced an unexpected error: Failed authorization procedure. onlinedegreedatabase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://onlinedegreedatabase.com/.well-known/acme-challenge/IZ2bhmMibrdPsEy4yf0ajXo2lty2Sm7nNM5A-U8hauM: "

404 Not Found

Not Found

<p", www.onlinedegreedatabase.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.onlinedegreedatabase.com/.well-known/acme-challenge/kqsuRzWhrxvMrhMnt6BrLhm4jEnQn_ntwoUW3dFADvc: " 404 Not Found

Not Found

<p". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/onlinedegreedatabase.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Using the second method (presuming I needed to use ./certbot-auto), I got the following error:

If you specify multiple webroot paths, one of them must precede all domain flags


#6

Should probably then be

certbot certonly --force-renewal -a webroot -w /var/www/onlinedegreedatabase.com/public_html -d www.onlinedegreedatabase.com -w /var/www/onlinedegreedatabase.com/public_html -d onlinedegreedatabase.com

Sorry about that, I’m just working from memory rather than consulting documentation in this case.


#7

Thank you so much for all your hard work. This solution worked.

Doug


#8

Alas, I spoke slightly too soon. Here is the response from your suggestion:


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/onlinedegreedatabase.com/fullchain.pem. Your
    cert will expire on 2016-08-30. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot-auto again.
    To non-interactively renew all of your ceriticates, run
    "certbot-auto renew"

However, when I go to https://www.onlinedegreedatabase.com, it is not there. Do I need to edit the /etc/apache2/sites-available/onlinedegreedatabase.com.conf file or do something else?

Thanks again for all your work and assistance

Doug


#9

You may need to edit the /etc/apache2/sites-available/onlinedegreedatabase.com.conf file, yes (it depends whether it already points to the /etc/letsencrypt/live/onlinedegreedatabase.com/ folder for the certs).

If it does, then you probably just need to reload / restart apache.


#10

Ok, I am getting closer…

I added the following to the bottom of the conf file:


<VirtualHost default:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/onlinedegreedatabase.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/onlinedegreedatabase.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/onlinedegreedatabase.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/onlinedegreedatabase.com/chain.pem
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

However it still did not work.


#11

Your conf file is incorrect somewhere. Your server is providing http not https on port 443 (you can tell by going to http://www.onlinedegreedatabase.com:443/ in the browser).

Are you happy to provide your complete config file in pastebin.com (for a limited time)? Or do you know someone locally who understands how to configure apache?


#12

See if this works

pastebin.com/y5VDaeYC


#13

That works - thanks.

You need to add

ServerName onlinedegreedatabase.com
ServerAlias www.onlinedegreedatabase.com

into the :443 section

Also, do you have other config files that may be conflicting? (although add those 2 lines and restart apache and test first.)


#14

Added those lines - thanks; I am still a newbie at all of this.

This is the message I got on restart:

[Thu Jun 02 14:02:43.605619 2016] [core:error] [pid 7083] (EAI 2)Name or service not known: AH00547: Could not resolve host name default


#15

That’s because you have “VirtualHost default:443” try changing that to “VirtualHost *:443”
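An added example, not from this thread, that lints the :443 virtual hosts in an Apache config for the three things that went wrong here: a <VirtualHost default:443> address (the AH00547 "Could not resolve host name default" error in #14), a :443 vhost without "SSLEngine on" (plain HTTP answered on port 443, as diagnosed in #11) and a :443 vhost without ServerName (#13). The sample configs, temp paths and function names are constructed; point lint_ssl_vhosts at /etc/apache2/sites-available/*.conf before restarting.

```shell
#!/bin/sh
# Added example: lint the :443 virtual hosts in an Apache config for the
# mistakes seen in this thread. Prints one line per issue, exits 1 if any.

lint_ssl_vhosts() {
    awk '
        /^[ \t]*<VirtualHost/ {
            if (!match($0, /<VirtualHost[ \t]+[^>]*>/)) next
            addr = substr($0, RSTART + 12, RLENGTH - 13)   # text between tag name and ">"
            gsub(/^[ \t]+|[ \t]+$/, "", addr)
            in443 = (addr ~ /:443$/)
            if (in443) {
                start = NR; engine = 0; name = 0; cert = 0; key = 0
                # "default" is resolved as a hostname (AH00547); Apache wants * or _default_
                if (addr ~ /^default:/) {
                    print "line " NR ": <VirtualHost " addr ">: \"default\" is not an address, use *:443 or _default_:443"
                    issues++
                }
            }
            next
        }
        in443 && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/      { engine = 1 }
        in443 && /^[ \t]*ServerName[ \t]/              { name = 1 }
        in443 && /^[ \t]*SSLCertificateFile[ \t]/      { cert = 1 }
        in443 && /^[ \t]*SSLCertificateKeyFile[ \t]/   { key = 1 }
        in443 && /^[ \t]*<\/VirtualHost>/ {
            if (!engine) { print "line " start ": :443 vhost without \"SSLEngine on\": port 443 would answer plain HTTP"; issues++ }
            if (!name)   { print "line " start ": :443 vhost without ServerName: requests for the site name may land in another vhost"; issues++ }
            if (!cert || !key) { print "line " start ": :443 vhost missing SSLCertificateFile or SSLCertificateKeyFile"; issues++ }
            in443 = 0
        }
        END { if (issues > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample vhost pair; $2 is the :443 address and $3 an optional
# ServerName line, so both the broken and the fixed state can be built.
sample_vhost_conf() {
    cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName onlinedegreedatabase.com
    ServerAlias www.onlinedegreedatabase.com
    DocumentRoot /var/www/onlinedegreedatabase.com/public_html
</VirtualHost>

<VirtualHost $2>
    $3
    DocumentRoot /var/www/onlinedegreedatabase.com/public_html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/onlinedegreedatabase.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/onlinedegreedatabase.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/onlinedegreedatabase.com/chain.pem
</VirtualHost>
EOF
}

# Demonstration: the thread's broken state (default:443, no ServerName),
# then the corrected one.
vhost_lint_demo() {
    tmp=$(mktemp -d)
    sample_vhost_conf "$tmp/bad.conf"  "default:443" ""
    sample_vhost_conf "$tmp/good.conf" "*:443" "ServerName onlinedegreedatabase.com"
    echo "== bad.conf";  lint_ssl_vhosts "$tmp/bad.conf"  || echo "fix before restarting apache"
    echo "== good.conf"; lint_ssl_vhosts "$tmp/good.conf" && echo "no issues found"
    rm -rf "$tmp"
}
vhost_lint_demo
```

The lint only reads the file; after fixing what it reports, `apache2ctl configtest` still has the final say, since it resolves the address in the VirtualHost tag and includes every other loaded config file.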


#16

Thanks - now it works. Hopefully this thread will help someone else learn from my mistakes and thanks again for your patience.

Doug