Unable to convert from standalone to webroot

Hello! My domain is ns4.nontrivial.net, my web server is apache2 running on linux, I have root access, and my certbot version is 2.9.0.

I run several web servers and I managed to get webroot authentication set up on them so that renewal happens automatically. But I have one web server that I have never been able to get it to work on, and with the email notifications going away I would really like to get it working now. My standalone config is:

[renewalparams]
account =
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
key_type = rsa

When I stop the web server and run "certbot renew" it works.

The new config I am trying to get working is:

[renewalparams]
authenticator = webroot
account =
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
rsa_key_size = 4096
installer = None
[[webroot_map]]
ns4.nontrivial.net = /var/www/www.nontrivial.net

I have tried "certbot renew" and "certbot renew -a webroot" and I always get output like:

Renewing an existing certificate for ns4.nontrivial.net and 6 more domains
Failed to renew certificate ns4.nontrivial.net-0001 with error: You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: ns4.nontrivial.net, james.nontrivial.org, monitor.nontrivial.net, neocaddy.com, www.neocaddy.com, www.nontrivial.net, www.nontrivial.org). We will not do that unless you use the --break-my-certs flag!


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/ns4.nontrivial.net-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

and

Renewing an existing certificate for ns4.nontrivial.net and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Domain: ns4.nontrivial.net
Type: unauthorized
Detail: 45.79.30.220: Invalid response from http://ns4.nontrivial.net/.well-known/acme-challenge/8uqou9eQCFxrAclzioyjnnCM_5bzstaKZk1BCUMQgSs: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate ns4.nontrivial.net-0001 with error: Some challenges have failed.

I have confirmed that content is served from the content path provided. I'm really not set on using webroot, I just want to get it automated. Any help would be appreciated.

Not sure if you did, but you shouldn't edit the renewal configuration files manually.

This is either due to the use of the --staging option or perhaps specifying the incorrect server in the configuration file.

I guess the -w option is incorrect for the hostname ns4.nontrivial.net.

This suggests you have multiple certificates for the same hostname, possibly duplicates. Please check the output of certbot certificates if there are indeed duplicate certificates and clean up the certs that are not in use.

There are also some smaller things like the URL http://www.nontrivial.net/ not redirecting to HTTPS.

4 Likes

Yes, I have several virtual hosts set up on one server using apache on linux. I had no idea you weren't supposed to edit the file directly, so I guess you are supposed to use different combinations of certbot options? When I run

certbot certificates

it comes back with only one for all the domains hosted on the server: ns4.nontrivial.net james.nontrivial.org monitor.nontrivial.net neocaddy.com www.neocaddy.com www.nontrivial.net www.nontrivial.org

Yes, I was flailing around trying different options like --staging, --dry-run, and --break-my-certs but nothing seemed to work. Maybe I should have dedicated certificates for each domain hosted? If so I don't know how to set that up with certbot? I tried looking at the documentation and there seems to be a lot of "you can do this" but not a lot of "to do this run this" type of documentation. Again, I'm open to other methods if it is easier/better than webroot.

The webroot authenticator is one of the easiest authentication methods there is, next to --apache perhaps (depending on your Apache configuration, sometimes the configuration is too heavily customised so that the --apache plugin can't handle it).

You just need to make sure the webroot paths (there can be multiple!) are congruent with the DocumentRoot directives in the different Apache virtualhosts. Please see the webroot documentation of Certbot to learn how to properly set the webroot paths.

1 Like
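The advice above (keep the -w path for every -d name congruent with the DocumentRoot of the Apache vhost that serves it) can be checked mechanically. The following shell script is an added example, not code from the thread or from Certbot: it derives the webroot mapping from the ServerName/ServerAlias and DocumentRoot lines of each port-80 virtual host, turns it into the -w/-d argument list that "certbot certonly --webroot" expects (each -d applies to the -w that precedes it), and includes a probe that reproduces the 404 failure from the first post by dropping a file into the challenge directory and fetching it the way the CA would. It assumes the vhost files live under /etc/apache2/sites-enabled and that curl is installed; the sample vhost config it writes is constructed for illustration and only borrows the hostnames from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot). Assumed layout:
# Apache vhosts in /etc/apache2/sites-enabled/*.conf, curl available.

# vhost_map FILE...  -> one line "PORT HOSTNAME DOCROOT" per ServerName/ServerAlias
# found inside each <VirtualHost ...> block.
vhost_map() {
  awk '
    /^[[:space:]]*<VirtualHost/ {
      port = $0; sub(/.*:/, "", port); sub(/[^0-9].*/, "", port)   # "*:80>" -> "80"
      n = 0; docroot = ""
    }
    /^[[:space:]]*ServerName[[:space:]]/  { h = $2; sub(/:.*/, "", h); hosts[n++] = h }
    /^[[:space:]]*ServerAlias[[:space:]]/ { for (i = 2; i <= NF; i++) hosts[n++] = $i }
    /^[[:space:]]*DocumentRoot[[:space:]]/ { docroot = $2; gsub(/"/, "", docroot) }
    /^[[:space:]]*<\/VirtualHost>/ {
      for (i = 0; i < n; i++) print port, hosts[i], docroot
      n = 0
    }
  ' "$@"
}

# webroot_args FILE...  -> "-w DOCROOT -d host [-d host ...] [-w DOCROOT -d host ...]"
# HTTP-01 is fetched over port 80, so only the :80 vhosts count; names are
# grouped under the DocumentRoot they are served from, which is what the
# webroot authenticator needs (a -d binds to the nearest preceding -w).
webroot_args() {
  vhost_map "$@" | awk '$1 == "80" && !seen[$2]++ { print $3, $2 }' | LC_ALL=C sort |
    awk '$1 != cur { cur = $1; printf "%s-w %s", (NR > 1 ? " " : ""), cur }
         { printf " -d %s", $2 }
         END { if (NR) printf "\n" }'
}

# probe_challenge HOST DOCROOT -> exit 0 if a file written under
# DOCROOT/.well-known/acme-challenge is reachable at http://HOST/...; -L follows
# an HTTP->HTTPS redirect, as the CA does. A 404 here is the error from the thread.
probe_challenge() {
  host=$1; docroot=$2; token="probe-$$"
  mkdir -p "$docroot/.well-known/acme-challenge"
  printf 'ok\n' > "$docroot/.well-known/acme-challenge/$token"
  code=$(curl -s -o /dev/null -w '%{http_code}' -L \
         "http://$host/.well-known/acme-challenge/$token")
  rm -f "$docroot/.well-known/acme-challenge/$token"
  [ "$code" = "200" ]
}

# staging_in_renewal RENEWAL_CONF -> exit 0 if the renewal config points at the
# staging CA (that is what produces the "test certificate ... --break-my-certs" refusal).
staging_in_renewal() { grep -q 'acme-staging' "$1"; }

# Constructed sample vhost config for a stand-alone run; prints its path.
# On a real host pass /etc/apache2/sites-enabled/*.conf instead.
write_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<VirtualHost *:80>
    ServerName www.nontrivial.net
    ServerAlias ns4.nontrivial.net monitor.nontrivial.net
    DocumentRoot /var/www/www.nontrivial.net
</VirtualHost>
<VirtualHost *:80>
    ServerName neocaddy.com
    ServerAlias www.neocaddy.com
    DocumentRoot "/var/www/neocaddy.com"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.nontrivial.net
    DocumentRoot /var/www/www.nontrivial.net
    SSLEngine on
</VirtualHost>
EOF
  echo "$f"
}

# Stand-alone demo: show the argument list derived from the constructed sample.
sample=$(write_sample_conf)
webroot_args "$sample"
rm -f "$sample"
```

On the real host the intended use is to let Certbot rewrite the renewal file itself rather than editing it by hand, e.g. `certbot certonly --webroot $(webroot_args /etc/apache2/sites-enabled/*.conf) --cert-name ns4.nontrivial.net-0001`, after `probe_challenge ns4.nontrivial.net /var/www/www.nontrivial.net` has returned success for each name; if the probe fails, the -w path does not match what the port-80 vhost for that name actually serves.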

If you are using Apache >= 2.4.30, I wouldn't even bother with certbot. I moved to mod_md once it was included in Apache.

3 Likes
