.well-known/acme-challenge issues w/ expired cert

My domain is: liedra.net, notjustagame.eu

I ran this command: sudo certbot renew --dry-run (and --force-renew, and many other things which all produced the same result)

It produced this output:
Processing /etc/letsencrypt/renewal/www.liedra.net.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for liedra.net
http-01 challenge for notjustagame.eu
http-01 challenge for www.liedra.net
http-01 challenge for www.notjustagame.eu
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.liedra.net) from /etc/letsencrypt/renewal/www.liedra.net.conf produced an unexpected error: Failed authorization procedure. liedra.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://liedra.net/.well-known/acme-challenge/88Sft0eFJjco8tqxIyLiT3mY9p0TLg6rSyMR-2IqrVE: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", www.liedra.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.liedra.net/.well-known/acme-challenge/RQwWPrWNyFcj8HksCTK0rgtvBNsRCgxGlm7rduKZQyY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
Running post-hook command: apachectl restart
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
  • The following errors were reported by the server:

    Domain: www.liedra.net
    Type: unauthorized
    Detail: Invalid response from
    http://www.liedra.net/.well-known/acme-challenge/etqdAEzxLgDIZTzjq_bj1Khqpr5azwd_5q0RSHYHXUY:
    "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
    2.0//EN">\n<html><head>\n<title>404 Not
    Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

    Domain: liedra.net
    Type: unauthorized
    Detail: Invalid response from
    http://liedra.net/.well-known/acme-challenge/DNWgE3I0PuPH5EPg9qQ9Od65Cbr9HRzs5ApPmz4dRFI:
    "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
    2.0//EN">\n<html><head>\n<title>404 Not
    Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache/2.4.37 (Debian) Server at www.liedra.net Port 80

The operating system my web server runs on is (include version): testing

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Hi all,
I’ve been struggling with this today with a certificate that expired (I got super busy and didn’t get time to renew it before it expired) - all the previous help has focused on port 80 not being accessible, but I can access port 80 with no problem. I’ve tried all kinds of things - certbot --force-renew, certbot --apache, etc. but I keep getting the same error as above. I’m at my wits’ end! :slight_smile:
It was a long time ago that I set this up so I can’t remember what I did initially to set it up.
Thanks for any help!

annnnd I think I have worked it out because when I click on the link to the .well-known etc. it tries to find index.php! Duh. :slight_smile:

OK so I fixed that and I’m still getting the same error :frowning:

What does your Virtual Host setup look like? I can’t see any good reason for this to be failing, yet.

apachectl -t -D DUMP_VHOSTS
cat /etc/letsencrypt/renewal/www.liedra.net.conf

The problem is renewals are months apart…
So maybe you changed something… weeks ago, and now you are feeling its effect.
Or maybe it just broke… after something updated something else that is now out of sorts…
In any case, we should be able to get to the bottom of it and get your renewals working again.
To that end, along with @_az's requested output, please also show the output of:
grep -Eri 'documentroot|rewrite|serveralias|servername|sslcert|virtual' /etc/apache2/
[which should show us a very basic “stripped-down” version of what apache is doing - relating to SSL]


Thanks _az; here it is:

*:443 is a NameVirtualHost
default server liedra.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost liedra.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.liedra.net
port 443 namevhost notjustagame.eu (/etc/apache2/sites-enabled/notjustagame-le-ssl.conf:2)
alias www.notjustagame.eu
*:80 is a NameVirtualHost
default server liedra.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost liedra.net (/etc/apache2/sites-enabled/000-default.conf:1)
alias www.liedra.net
port 80 namevhost liedra.net (/etc/apache2/apache2.conf:240)
alias www.liedra.net
port 80 namevhost notjustagame.eu (/etc/apache2/apache2.conf:283)
alias www.notjustagame.eu


liedra@liedra:~$ cat /etc/letsencrypt/renewal/www.liedra.net.conf
renew_before_expiry = 30 days
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/www.liedra.net
cert = /etc/letsencrypt/live/www.liedra.net/cert.pem
privkey = /etc/letsencrypt/live/www.liedra.net/privkey.pem
chain = /etc/letsencrypt/live/www.liedra.net/chain.pem
fullchain = /etc/letsencrypt/live/www.liedra.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 67ecfefe005c395a228d1ba0590fe4d5
post_hook = apachectl restart
server = https://acme-v02.api.letsencrypt.org/directory

Hi rg305,
This actually spits a lot of stuff out (I have other domains as well, but they are not needing renewal just yet), so I'm just putting in the info that relates to this cert.

/etc/apache2/apache2.conf:<VirtualHost *:80>
/etc/apache2/apache2.conf: ServerName liedra.net
/etc/apache2/apache2.conf: ServerAlias www.liedra.net
/etc/apache2/apache2.conf: ServerAlias webmail.liedra.net
/etc/apache2/apache2.conf: DocumentRoot /var/www
/etc/apache2/apache2.conf:

/etc/apache2/sites-available/000-default-le-ssl.conf:<VirtualHost *:443>
/etc/apache2/sites-available/000-default-le-ssl.conf: ServerName liedra.net
/etc/apache2/sites-available/000-default-le-ssl.conf: ServerAlias www.liedra.net
/etc/apache2/sites-available/000-default-le-ssl.conf: ServerAlias webmail.liedra.net
/etc/apache2/sites-available/000-default-le-ssl.conf: DocumentRoot /var/www
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/www.liedra.net/fullchain.pem
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/www.liedra.net/privkey.pem
/etc/apache2/sites-available/000-default-le-ssl.conf:</VirtualHost>

/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf: ServerName liedra.net
/etc/apache2/sites-available/000-default.conf: ServerAlias www.liedra.net
/etc/apache2/sites-available/000-default.conf: ServerAlias webmail.liedra.net
/etc/apache2/sites-available/000-default.conf: DocumentRoot /var/www
/etc/apache2/sites-available/000-default.conf:</VirtualHost>

/etc/apache2/mods-available/cache_disk.conf: # put this into the configuration for just one virtual host.

There are duplicate Virtual Hosts.

It means you have two port 80 Virtual Hosts both configured to respond for liedra.net, but only one of them can actually win when Apache runs.

This confuses Certbot. Certbot has a 50/50 chance of configuring the correct VirtualHost for Let's Encrypt validation - and it's choosing the wrong one.

Solution: Ensure you only have one port 80 VirtualHost for this domain.

This could mean commenting one of them out, whatever makes the most sense for your intent.

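The duplicate-VirtualHost diagnosis above can be checked mechanically before a renewal is attempted. This is an added example, not code from the thread or from Certbot: a POSIX shell/awk check that parses `apachectl -t -D DUMP_VHOSTS` output and reports every ServerName or ServerAlias that more than one VirtualHost claims on the same port (the ambiguity that left Certbot's http-01 challenge in the wrong vhost). The sample input is constructed from the listing posted earlier in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find name/alias collisions
# between VirtualHosts on the same port in `apachectl -t -D DUMP_VHOSTS`
# output. Two vhosts claiming the same name on :80 means only one of them
# can win, and Certbot may place its challenge in the other one.

# Constructed sample, copied from the DUMP_VHOSTS listing posted in the thread.
SAMPLE_VHOSTS='*:443 is a NameVirtualHost
default server liedra.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost liedra.net (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.liedra.net
port 443 namevhost notjustagame.eu (/etc/apache2/sites-enabled/notjustagame-le-ssl.conf:2)
alias www.notjustagame.eu
*:80 is a NameVirtualHost
default server liedra.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost liedra.net (/etc/apache2/sites-enabled/000-default.conf:1)
alias www.liedra.net
port 80 namevhost liedra.net (/etc/apache2/apache2.conf:240)
alias www.liedra.net
port 80 namevhost notjustagame.eu (/etc/apache2/apache2.conf:283)
alias www.notjustagame.eu'

# Reads DUMP_VHOSTS text on stdin. Prints one line per "<port> <name>" that is
# claimed by more than one VirtualHost: the count, then each config location.
# Both "port N namevhost NAME (file:line)" and the indented "alias NAME" lines
# that follow it are attributed to that vhost's location.
find_duplicate_vhosts() {
    awk '
        function add(key, w) {
            count[key]++
            locs[key] = (count[key] > 1) ? (locs[key] " " w) : w
        }
        /^[[:space:]]*port [0-9]+ namevhost / { port = $2; where = $5; add(port " " $4, where) }
        /^[[:space:]]*alias / { if (port != "") add(port " " $2, where) }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k " " count[k] " " locs[k]
        }
    ' | sort
}

# Run the same check against the live Apache configuration (needs apachectl).
check_live_server() {
    apachectl -t -D DUMP_VHOSTS 2>/dev/null | find_duplicate_vhosts
}

# Stand-alone run against the constructed sample: reports liedra.net and
# www.liedra.net on port 80, each declared in 000-default.conf and apache2.conf.
printf '%s\n' "$SAMPLE_VHOSTS" | find_duplicate_vhosts
```

An empty result means every name maps to exactly one vhost per port, which is the state the fix below restores; anything printed is a candidate for commenting out or merging.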

Bingo, thank you! It all works now. Plus I have a much cleaner apache config, so thanks for that too XD

