Yet another Renewal Failure

I’ve worked a number of the existing tickets where others have had similar issues… but no luck.
DNS entries are valid. Defined in Cloudflare, but for this subdomain the DNS only option is selected.
Have confirmed ability to ping outbound1.letsencrypt.org
Looking back at cmdline history, confirmed it was installed using simple certbot-auto --apache command.
I just don’t understand how it was able to successfully verify/install initially, but cannot do the same now.

Only configuration change I can think of that happened when the initial certificate was set up was the option to allow auto redirection of any HTTP traffic to HTTPS.

Cert is expiring… any help is appreciated.

My domain is:
support.lmi3d.com

I ran this command:
./certbot-auto renew

It produced this output:

Processing /etc/letsencrypt/renewal/support.lmi3d.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for support.lmi3d.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (support.lmi3d.com) from /etc/letsencrypt/renewal/support.lmi3d.com.conf produced an unexpected error: Failed authorization procedure. support.lmi3d.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 2ad1ceac372e9d947ec65fe00222c8af.2447196e27505f86f206dfbecca077c0.acme.invalid from 50.22.186.217:443. Received 2 certificate(s), first certificate had names “support.lmi3d.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.lmi3d.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/support.lmi3d.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: support.lmi3d.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    2ad1ceac372e9d947ec65fe00222c8af.2447196e27505f86f206dfbecca077c0.acme.invalid
    from 50.22.186.217:443. Received 2 certificate(s), first
    certificate had names “support.lmi3d.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache 2.2.15

The operating system my web server runs on is (include version):
CentOS 6.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Some added info…

Digging through the Apache log I could see another issue was requesting a Graceful restart of the server, so after the restart, I checked the logs and the following line was added:

Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist

This appears to be my cron job executing an attempted renewal after startup, but why would it be looking in that directory?

Oh, and I neglected to mention in my original post that there is only the one host on this server (no additional vhosts).

Is the server you’re running certbot on, the same as the server the DNS A record is pointed at?

Can you share your Apache configuration for the one vhost that you have (both HTTP and HTTPS)?

Is the server you’re running certbot on, the same as the server the DNS A record is pointed at?
Yes. The IP address listed in my first message matches the DNS entry for the site.

I've attached the http.conf file for your reference.

LetsEncrypt_http.conf.txt (8.5 KB)

Well, yeah, it would - that message displays the IP address taken from a DNS lookup. What I meant was, is that actually the IP address of the server running certbot? (Sounds like it probably is, but it never hurts to ask)

Thanks; are there also some relevant files in /etc/httpd/conf.d/ perhaps? Especially anything containing a <VirtualHost>.

Alternatively can you share the output of this command?

apachectl -S

Yes.... that address is the address of my server.

The output of the command shows 2 files in the httpd/conf.d folder that are referenced.

apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:80 support.lmi3d.com (/etc/httpd/conf.d/le-redirect-support.lmi3d.com.conf:1)
*:443 support.lmi3d.com (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

I'm guessing that the le-redirect is what certbot configured when I said it could handle both HTTP and HTTPS requests. Anyways.... I've uploaded those 2 files as well.
le-redirect-support.lmi3d.com.conf.txt (232 Bytes)
LetsEncrypt_ssl.conf.txt (9.4 KB)

Hmm.

I wonder if you need to add:

NameVirtualHost *:443

to one of those? Perhaps after the Listen 443 in /etc/httpd/conf.d/ssl.conf.

I think it’s needed to enable SNI in Apache 2.2, which is used for the validation challenge.

(Certbot should add it automatically, I think … but then again, by that logic it should already be there).
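The error quoted in the first post shows what the CA's tls-sni-01 probe actually does: it connects to the A-record address on port 443, sends a `<token>.acme.invalid` name as SNI, and expects a certificate carrying that exact name back; here Apache answered with the real site certificate instead. The script below is an added example (not from the thread or from certbot) that repeats that probe against your own server so you can tell whether SNI routing is working before burning more validation attempts. It assumes the `openssl` CLI is installed; the host, port and challenge name in the usage block are constructed placeholders.

```python
"""Probe which certificate a TLS server presents for a given SNI name."""
import re
import socket
import ssl
import subprocess
from typing import List

DNS_ENTRY = re.compile(r"DNS:([^,\s]+)")


def fetch_presented_cert_pem(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Connect to host:port with the given SNI name and return the leaf
    certificate the server presents, as PEM. Verification is switched off
    because a tls-sni-01 challenge certificate is self-signed by design."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def dns_names_from_x509_text(text: str) -> List[str]:
    """Pull the DNS: entries out of the subjectAltName line of `openssl x509 -text`."""
    for line in text.splitlines():
        if line.strip().startswith("DNS:"):
            return [name.lower() for name in DNS_ENTRY.findall(line)]
    return []


def san_dns_names(pem: str) -> List[str]:
    """Decode the certificate with the openssl CLI so no third-party parser is needed."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=pem, capture_output=True, text=True, check=True)
    return dns_names_from_x509_text(proc.stdout)


def challenge_name_served(requested_sni: str, presented: List[str]) -> bool:
    """tls-sni-01 passes only if the presented certificate names the exact
    requested *.acme.invalid host; the normal site certificate never does."""
    return requested_sni.lower() in presented


def diagnose(requested_sni: str, presented: List[str]) -> str:
    if challenge_name_served(requested_sni, presented):
        return "OK: server returned the challenge certificate for " + requested_sni
    return ("FAIL: SNI %s was answered with a certificate for %s; the web server is not "
            "routing the challenge name to certbot's temporary vhost"
            % (requested_sni, ", ".join(presented) or "(no names)"))


if __name__ == "__main__":
    # Placeholder values: use your A-record IP and a challenge name certbot logged.
    names = san_dns_names(fetch_presented_cert_pem("192.0.2.10", 443, "example.acme.invalid"))
    print(diagnose("example.acme.invalid", names))
```

A FAIL result with the site's own names, like the "first certificate had names support.lmi3d.com" in the error above, means the server ignored the SNI name entirely, which is exactly the symptom a missing `NameVirtualHost *:443` would produce on Apache 2.2.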

Tried specifically adding the additional VirtualHost and port 443 Listens... also attempted to add the Listen 443 to the Global conf. In all cases results failed.

In the case of the httpd.conf changes, adding Listen 443 prevented the Apache server from restarting.

Adding NameVirtualHost *:443 or even a specific VirtualHost had no effect.

Since the certificate is expiring within the next 10 hours I was desperate to get things resolved as it is an actively used site.

Though not a complete fix that can be resolved using a cron job, I found a solution using:

./certbot-auto --authenticator webroot --installer apache

from the terminal and manually entering the webroot location.


Well, glad you got it working!
Certbot should remember those settings and use them the next time you run certbot-auto renew from cron, so in theory that should just work next time.
