Certbot-auto renew failed - The client lacks sufficient authorization - Why?

Tags:

certbot

So it's been years since I put a certbot-auto certificate for multiple domains on the same server (Apache 2.2 - Debian 7). But today I saw my crontab didn't renew the certificate, so I tried to do it over SSH with the following line:

./certbot-auto renew

Here is the error output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.domain1.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain2.fr
http-01 challenge for domain1.fr
http-01 challenge for www.domain2.fr
http-01 challenge for www.domain1.fr
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.domain1.fr) from /etc/letsencrypt/renewal/www.domain1.fr.conf produced an unexpected error: Failed authorization procedure. domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8 [151.80.100.117]: 503, www.domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc [151.80.100.117]: 503, domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo [151.80.100.117]: 503, www.domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c [151.80.100.117]: 503. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain2.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8
   [151.80.100.117]: 503

   Domain: www.domain1.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc
   [151.80.100.117]: 503

   Domain: domain1.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo
   [151.80.100.117]: 503

   Domain: www.domain2.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c
   [151.80.100.117]: 503

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

I did not change anything about the vhost configurations or the server config, so I don't know why certbot doesn't have authorization to update anymore.

EDIT:

All domains have an A record in DNS with the right IP.

My /.well-known/ folders currently have 0777 permissions.

Alain.D asked Jan 30 '19 09:01


5 Answers

In our case, our DNS was working fine but we were still receiving the "lacks sufficient authorization" error.

Finally came across a resource here: https://webdock.io/en/docs/webdock-control-panel/common-certbot-errors

That brought to light running:

certbot rollback

Followed by:

certbot renew

And we were finally able to renew the certificate.

We were seriously on the verge of bringing up a brand new VM and migrating everything over, because after multiple attempts at solving that issue, the certificate had finally expired and we were in crunch mode.

Maybe this will save someone some grief.

Joshua Burns answered Oct 24 '22 19:10


I found an alternative solution, but I did not solve the problem.

I did the tricks like here: I used the following command:

./certbot-auto certonly -d www.domain1.fr -d domain1.fr -d domain2.fr -d www.domain2.fr

My certificates are now working again.

So the problem (I suppose) is the way certbot-auto renew matches the webroot of each website.

Thank you very much @Martin Zeitler for your help and your time.

Alain.D answered Oct 24 '22 18:10


Make sure that each of these host-names has an A record in DNS and that each directory .well-known/acme-challenge can be accessed; it could not be any more obvious when it complains about 503 Service Unavailable. The log file /var/log/letsencrypt/letsencrypt.log might possibly contain further information.

a) on the one domain, .well-known/acme-challenge needs to be excluded from URL rewriting:

# %{REQUEST_URI} always starts with a leading slash, so the pattern must too
RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$

b) and on the other domain, :80 must not redirect to :443.

Martin Zeitler answered Oct 24 '22 18:10


In my case I had updated the DocumentRoot for some vhosts in the Apache configuration, thus breaking the LE renewal.

You can check the LE renewal configuration under /etc/letsencrypt/renewal/mysite.com.conf.

Those paths under the webroot_map section:

[[webroot_map]]
mysite.com = /var/www/vhosts/mysite.com
www.mysite.com = /var/www/vhosts/mysite.com

should match the DocumentRoot in your Apache vhost configuration.

Following my example, you can compare using: grep DocumentRoot /etc/apache2/sites-enabled/mysite.com.conf

rilCy answered Oct 24 '22 17:10
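The comparison rilCy describes, automated as an added example (not certbot's own code and not from any answer above): it parses the [[webroot_map]] section of a renewal conf and the ServerName/ServerAlias/DocumentRoot of Apache vhost blocks, then reports every domain whose webroot no longer matches. The two input files are constructed inline; on a real server they would be read from /etc/letsencrypt/renewal/<name>.conf and /etc/apache2/sites-enabled/*.conf.

```python
import re

# Constructed sample renewal conf (real path: /etc/letsencrypt/renewal/<name>.conf)
RENEWAL_CONF = """\
[[webroot_map]]
mysite.com = /var/www/vhosts/mysite.com
www.mysite.com = /var/www/vhosts/mysite.com
"""

# Constructed sample vhost (real path: /etc/apache2/sites-enabled/*.conf);
# the DocumentRoot was moved but the renewal conf still points at the old path.
APACHE_CONF = """\
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/vhosts/mysite.com/public
</VirtualHost>
"""

def parse_webroot_map(text):
    """Return {domain: webroot} from the [[webroot_map]] section of a renewal conf."""
    result, in_map = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            result[domain] = path
    return result

def parse_vhosts(text):
    """Return {hostname: DocumentRoot} for every ServerName/ServerAlias in the config."""
    result = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S):
        roots = re.findall(r'^\s*DocumentRoot\s+"?([^"\s]+)', block, re.M)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M)
        for line in names:
            for host in line.split():
                result[host] = roots[0] if roots else None
    return result

def find_mismatches(renewal_text, apache_text):
    """Domains whose webroot_map entry differs from the vhost DocumentRoot (None = no vhost)."""
    webroots = parse_webroot_map(renewal_text)
    vhosts = parse_vhosts(apache_text)
    return {d: (w, vhosts.get(d)) for d, w in webroots.items() if w != vhosts.get(d)}

if __name__ == "__main__":
    for domain, (webroot, docroot) in find_mismatches(RENEWAL_CONF, APACHE_CONF).items():
        print(f"{domain}: webroot_map={webroot} DocumentRoot={docroot}")
```

An empty result means every challenge file certbot writes will land in the directory Apache actually serves; any reported domain is a candidate for the 503 seen in the question.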


Try this, using the nginx-certbot solution:

sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-nginx
sudo certbot --nginx -d xxx.xxx.com

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

Phillip Kigenyi answered Oct 24 '22 17:10