Unable to renew certificate for a subdomain

HappyCerberus · May 25, 2019, 12:24pm

My domain is: rss.simontoth.cz (works for normal domains and www subdomain on the same server)

I ran this command: certbot

It produced this output:
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: rss.simontoth.cz
   Type:   unauthorized
   Detail: Invalid response from
   http://rss.simontoth.cz/.well-known/acme-challenge/tYBQgRrCYrzs0eLE3vjPuuepqLf7gF4mU3434Z8o95M
   [46.36.39.148]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 17.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.21.1

The access rights are correct for www-data to write into the directory, I can see plain files in the directory if I access them through the URL, example http://rss.simontoth.cz/.well-known/acme-challenge/test

JuergenAuer · May 25, 2019, 12:33pm

Hi @HappyCerberus

you have a lot of older certificates - first with only that domain name is from 2016-01-04 14:57:00 ( https://check-your-website.server-daten.de/?q=rss.simontoth.cz#ct-logs ).

Looks like you have used tls-sni-01 validation, that's not longer supported.

Your current certificate

CN=rss.simontoth.cz
	20.02.2019
	22.05.2019
3 days expired	rss.simontoth.cz - 1 entry

is created before tls-sni-01 support had stopped (~2019-03-15). The main configuration is ok:

Domainname	Http-Status	Sec.	G
• http://rss.simontoth.cz/
46.36.39.148	200	0.140	H

• https://rss.simontoth.cz/
46.36.39.148	200	0.780	N
Certificate error: RemoteCertificateChainErrors

• http://rss.simontoth.cz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
46.36.39.148	404	0.097	A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.27 (Ubuntu) Server at rss.simontoth.cz Port 80

Port 80 is open and answers.

This is

good, so you have found your correct webroot (the folder where .well-known is the subfolder). So use that:

certbot run -a webroot -i apache -w yourWebRoot -d rss.simontoth.cz

If that doesn't work: Update your certbot, 0.21.1 is very old.

PS: You have one error you should fix.

https://rss.simontoth.cz/

sends an incomplete header:

Content-Type: text/html; charset=

that's bad. charset is an important parameter.

HappyCerberus · May 25, 2019, 12:35pm

Perfect, this worked. Thanks. The cert expired, since I was struggling to renew it.

system · June 24, 2019, 12:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.