Work deadline Certbot certificate

Hello,

This morning was a deadline to put a site live www.therevisionist.org.uk

Yesterday I ran the steps to get a Certbot certificate and have run into errors, related to the security issue.

It seems now that the site is in limbo: between requiring a certificate and not being able to complete the setup or use regular HTTP?

The domain is currently showing another site on my server. I have checked all permissions and they seem to be fine.

I ran this command:
sudo certbot --apache -d therevsisionist.org.uk -d www.therevisionist.org.uk

It produced this output:

Client with the currently selected authenticator does not support any combination of
challenges that will satisfy the CA.

Then after reading on the forum a work-around I ran:

sudo certbot --authenticator webroot --installer apache

but got:

The client lacks sufficient authorization :: Invalid response

Apache
httpd-2.4.6-45.el7.centos.4.x86_64
Centos 7

Thank you

You also need to pass --webroot-path /var/www/html (or whatever directory files are publicly served to the Internet from on your server).

Hi Patches,

My careless posting … I did actually try:

sudo certbot --authenticator webroot --webroot-path /home/user/www/mystie/public_html --installer apache

I get:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):28,29
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain
http-01 challenge for www.mydomain
Using the webroot path /home/jerp/www/mydomain/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory
/home/jerp/www/mydomain/public_html/.well-known/acme-challenge
Failed authorization procedure. mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain/.well-known/acme-challenge/3UcRZ2TS7ENTTrKnD8o5eBXPYqZBIFxnT23TXAr7D_I: "

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <meta name="viewport" conte", www.mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain/.well-known/acme-challenge/JZmzVkn4j7DJcD8D2W9RCvOlVTzgeQ-J8uC8fEPzz2E: "<!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <meta name="viewport" conte"


   Domain: mydomain
   Type:   unauthorized
   Detail: Invalid response from
   http://mydomain/.well-known/acme-challenge/3UcRZ2TS7ENTTrKnD8o5eBXPYqZBIFxnT23TXAr7D_I:
   "<!DOCTYPE html>
   <html>
   <head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8"
   />
<meta name="viewport" conte"

   Domain: www.mydomain
   Type:   unauthorized
   Detail: Invalid response from
   http://www.mydomain/.well-known/acme-challenge/JZmzVkn4j7DJcD8D2W9RCvOlVTzgeQ-J8uC8fEPzz2E:

If you’re sure the webroot path is correct, something is interfering with the ability for Apache to serve the challenge file. Do you have an .htaccess file at the root of your web directory?

You can create a /home/jerp/www/mydomain/public_html/.well-known/acme-challenge/test file and try and access it at http://mydomain.com/.well-known/acme-challenge/test to reproduce the issue. (Also please note the validation servers will ignore the security error you currently get when trying that.)
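A local pre-flight version of the test described above (an added example, not code from the thread or from Certbot): it writes a probe file under `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP the way the validation server would, and classifies the reply into the failure modes seen in this thread (an HTML page from another vhost, or a 404). `serve_temp_dir` is a stand-in for Apache so the script runs offline; against a real server you would call `check_webroot` with the real webroot and `http://yourdomain`, and the file permissions used here are assumed to match what Apache can read.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request


def write_probe(webroot, token):  # place a probe where certbot's webroot plugin puts a challenge
    os.makedirs(os.path.join(webroot, ".well-known", "acme-challenge"), exist_ok=True)
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    with open(path, "w") as f:
        f.write(token)
    return path


def fetch_probe(base_url, token):
    """GET the probe over plain HTTP, as the CA's validator would; return (status, body)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(200).decode("utf-8", "replace")


def diagnose(status, body, token):  # classify the reply the way the thread's errors break down
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 404:
        return "not-found"        # the path is exposed but the file is not under the served root
    if "<html" in body.lower():
        return "wrong-vhost"      # an HTML page answered: another site is serving this hostname
    return "unexpected"


def check_webroot(webroot, base_url):
    token = secrets.token_urlsafe(32)   # random name, like a real challenge token
    path = write_probe(webroot, token)
    try:
        return diagnose(*fetch_probe(base_url, token), token)
    finally:
        os.remove(path)           # clean up as certbot does after validation


def serve_temp_dir():  # stand-in for Apache: serve a fresh temp dir on a random loopback port
    directory = tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}", directory
```

Pointing `check_webroot` at a directory other than the one actually served reproduces the 404 from the thread, and an HTML body at a 200 status is the "other site's index page" symptom.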

There are no other files in the web directory other than index.php and .well-known/. The domain is currently showing content/files from another domain on the server (that has a certificate), which sometimes happens when I have not set correct web directory permissions. I get 404 when trying to access the test file.

I did an SSL Labs ssltest and got:

Certificate name mismatch

We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect.

Possible cause given, which corresponds to my situation:

The web site does not use SSL, but shares an IP address with some other site that does.

The ssltest result lists the domain which I mentioned in my last post, the one that is replacing the domain I am trying to get a certificate for.

I have got the HTTPS warning ("Not Secure"). It would be good if I could revert the request?

There's your problem. :wink:

You will need to resolve this issue. If you need the certificate first in order to correct it, pass the webroot for the website that is actually being served from the domain right now, and then once you've fixed the server, update the renewal configuration file with the correct webroot so renewal will work later.


Is this meant to be a link? I am not familiar with the process.

Thanks

Sorry my browser likes to only highlight the portion of the URL that is visible in the address bar for some stupid reason.

The link was to https://certbot.eff.org/docs/using.html#modifying-the-renewal-configuration-file

I also updated it in the original post.

You can also just rerun certbot with the right path. It will get you a new certificate you don’t necessarily need, but it’s a bit safer that way because it will only update the renewal configuration file if it works.


The ‘renewal config file’ for the domain that was being served, and which I reran certbot on, looks fine. Should I now try to rerun certbot and pass the webroot for the domain that I am trying to get a certificate for?

The domain I am trying to register does not exist in my server renewal dir.

Thanks

When you visit your domain, you said a different website appears. Since that domain’s webroot is effectively the webroot for your new domain at the present time, you need to call certbot with that domain’s webroot, but keeping the new domains you want to issue for in the -d argument.

sudo certbot -a webroot -i apache -w /path/to/oldsite.com -d newsite.com,www.newsite.com

Then you’ll have a certificate and you’ll be able to fix up the rest of your configuration and get the right webroot showing up at the website.

Only when the correct webroot works and loads on your site would you want to edit the renewal configuration file for the new domain, which will now exist, to replace the webroot from the other domain with the right one that now works.


I would never have worked it out - thank you for the example - fixed :slight_smile:
