Unable to renew certificates

Try placing the test.txt file there.

That actually worked. The test file is placed and shows up in the browser

Top down processing… got you!
Let’s review that vhost config file:
/etc/apache2/sites-available/ispconfig.conf

The Alias directive is not within a block so it is considered global.
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge

So from that point all challenges will go there.

You can view the file here: https://pastebin.com/ztevaHm7

Wait, I’m not following you there. Do I need to put that Alias somewhere?

Imagine that all the conf files are one big long single config.
It will try to match the acme-challenge request top down.
Once it finds a match it stops looking any further.
So you could…

  • Make them all point to the same place (use only the global setting)
  • Make sure the alias directives are all within their respective blocks (remove the global setting)
  • reorder the files so that the global setting is seen last (the local setting will match first)
    (rename 000-ispconfig.conf ZZZ-ispconfig.conf or zzz-ispconfig.conf)
    not sure which would be seen last…

Understanding that certbot will do what is in the particular vhost config block.
And place the challenge response where you expected.
While the web server will do what is in the entire configuration.
And (try to) fulfill the challenge request from the first matching location (alias).
(as shown by the access to the test.txt file from the unexpected directory)
Option #1 may not provide the desired result.
Options #2 and #3 should work just fine.

Moral of this story: Order matters.
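The mismatch the post above describes (certbot writing the token into one webroot while every Alias for `/.well-known/acme-challenge` serves a different directory) can be checked mechanically. The script below is an added example written for this thread, not ISPConfig's or certbot's own code; it parses constructed config snippets modelled on the grep output and the `[[webroot_map]]` shown later in the thread, lists each Alias with its enclosing scope (global vs. `<VirtualHost>`), and reports domains whose certbot webroot is not served by any of those Aliases.

```python
import re

# Constructed samples modelled on the thread: ISPConfig's global Alias, one
# vhost whose Alias also points at the ISPConfig directory, and a certbot
# renewal config whose webroot_map points at the site's own web root.
APACHE_CONFIGS = {
    "ispconfig.conf": "Alias /.well-known/acme-challenge "
        "/usr/local/ispconfig/interface/acme/.well-known/acme-challenge\n",
    "icecub.nl.vhost": "<VirtualHost *:80>\n  ServerName icecub.nl\n"
        "  Alias /.well-known/acme-challenge "
        "/usr/local/ispconfig/interface/acme/.well-known/acme-challenge\n"
        "</VirtualHost>\n",
}
RENEWAL_CONF = ("[[webroot_map]]\nwww.icecub.nl = /var/www/icecub.nl/web\n"
                "icecub.nl = /var/www/icecub.nl/web\n")

ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)", re.I)
OPEN_RE = re.compile(r"^\s*<(VirtualHost|Directory|Location)\b", re.I)
CLOSE_RE = re.compile(r"^\s*</(VirtualHost|Directory|Location)>", re.I)
ACME = "/.well-known/acme-challenge"

def find_acme_aliases(configs):
    """Every Alias for the ACME path as (file, scope, target). Scope is the
    innermost enclosing section, or 'global' when the directive sits outside
    any section, which is the ispconfig.conf case flagged in the thread."""
    found = []
    for name, text in configs.items():
        stack = []
        for line in text.splitlines():
            if m := OPEN_RE.match(line):
                stack.append(m.group(1))
            elif CLOSE_RE.match(line):
                stack.pop()
            elif (m := ALIAS_RE.match(line)) and m.group(1).rstrip("/") == ACME:
                scope = stack[-1] if stack else "global"
                found.append((name, scope, m.group(2).rstrip("/")))
    return found

def webroot_map(renewal_conf):
    """Parse the [[webroot_map]] section of a certbot renewal config."""
    out, in_map = {}, False
    for line in renewal_conf.splitlines():
        line = line.strip()
        if line.startswith("[["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = v
    return out

def mismatches(configs, renewal_conf):
    """Domains whose certbot webroot is not the target of any ACME Alias:
    certbot writes the token there, but Apache never serves from there."""
    served = {t for _, _, t in find_acme_aliases(configs)}
    return sorted(d for d, root in webroot_map(renewal_conf).items()
                  if root.rstrip("/") + ACME not in served)
```

Run it against the real files by reading `/etc/apache2/sites-enabled/*` into the dict and the renewal conf into the string; any domain it lists will fail the HTTP-01 challenge until the Alias target and the webroot agree.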

I get what you’re saying, but unfortunately it isn’t solving the issue. I’ve changed the Alias in all config files to

Alias /.well-known/acme-challenge/ /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/

so all are redirected to the same location. Restarted the apache2 service obviously, but still no change. It’s still working fine for chat.icecub.nl but not for any of the others. Slowly driving me crazy this…

Please show the updated:
grep -Eri 'well-known|challenge' /etc/apache2

and
ls -l /var/www/icecub.nl/web/.well-known/acme-challenge/

root@server:/etc/apache2/sites-available# grep -Eri 'well-known|challenge' /etc/apache2
/etc/apache2/sites-available/ispconfig.conf:Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
/etc/apache2/sites-available/ispconfig.conf:<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
/etc/apache2/sites-available/home.icecub.nl.vhost:                Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
/etc/apache2/sites-available/home.icecub.nl.vhost:                <Directory /var/www/home.icecub.nl/web/.well-known/acme-challenge>
/etc/apache2/sites-available/home.icecub.nl.vhost:                                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
/etc/apache2/sites-available/chat.icecub.nl.vhost:                Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
/etc/apache2/sites-available/chat.icecub.nl.vhost:                <Directory /var/www/chat.icecub.nl/web/.well-known/acme-challenge>
/etc/apache2/sites-available/chat.icecub.nl.vhost:                                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
/etc/apache2/sites-available/icecub.nl.vhost:                Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
/etc/apache2/sites-available/icecub.nl.vhost:                <Directory /var/www/icecub.nl/web/.well-known/acme-challenge>
/etc/apache2/sites-available/icecub.nl.vhost:                                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
/etc/apache2/sites-available/xgn-gaming.com.vhost:              Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
/etc/apache2/sites-available/xgn-gaming.com.vhost:              <Directory /var/www/xgn-gaming.com/web/.well-known/acme-challenge>
/etc/apache2/sites-available/xgn-gaming.com.vhost:                               RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"

root@server:/etc/apache2/sites-available# ls -l /var/www/icecub.nl/web/.well-known/acme-challenge/
total 4
-rwxr-xr-x 1 root root 25 May 23 03:46 test.txt

retry:
certbot renew --dry-run --cert-name icecub.nl

show tail of
/var/log/letsencrypt/letsencrypt.log

Not sure how much of that file it is that you need, so I pasted what I think was the last entry of a domain tried: https://pastebin.com/vfyezWM6

Pastebin.com is under heavy load right now :frowning:

Try the one cert only:
certbot renew --dry-run --cert-name icecub.nl

This was the console return: https://pastebin.com/4F8tv7mr

Would it perhaps be possible for us to contact each other on Discord / Skype or some other means so I can temporarily open up the SSH ports and give you access to the server itself? It’s just a test server at home with nothing secret so I’m not worried about you messing something up.

I think that’ll speed things up a lot for both of us. Even though I very much appreciate all the help you’re giving me of course :slight_smile:

This may not be returning the desired results:
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
Try rem it out from:
/etc/apache2/sites-available/icecub.nl.vhost

restart apache
retry
certbot renew --dry-run --cert-name icecub.nl

Tried, same result. Here’s something that comes to mind: The Alias is inside <VirtualHost *:80> and my rewrite rules force a redirect to ssl, which is in <VirtualHost *:443>. Perhaps this is causing an issue? Just thinking out loud here…

certbot follows the redirect and the test.txt file can be reached…
I’m running out of places to look.

Did you rename the 000 file to zzz ???

Yeah, that’s why I suggested giving you access. I wouldn’t suggest that before we’ve pretty much run out of options, haha.

Try option #3:
rename 000-ispconfig.conf ZZZ-ispconfig.conf or zzz-ispconfig.conf

Ok the answer may be in this part of the conf file:
/etc/letsencrypt/renewal/icecub.nl.conf

Try rem out those 3 lines

Those aren’t actual files. They’re just symlinks inside sites-enabled directing to the files inside sites-available. Which are the same names without any xxx-. So 000-ispconfig.conf is a symlink to ispconfig.conf

Tried what you suggested, but that returned:

Attempting to renew cert (icecub.nl) from /etc/letsencrypt/renewal/icecub.nl.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for icecub.nl:
Choices: ['Enter a new webroot']

(You can set this with the --webroot-path flag). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/icecub.nl/fullchain.pem (failure)

that was a looong shot

Ok, put those back:
[[webroot_map]]
www.icecub.nl = /var/www/icecub.nl/web
icecub.nl = /var/www/icecub.nl/web

Ok then just mv the sym link
or delete 000-isp…
and create ZZZ-isp…