I inherited a web-server that uses letsencrypt with certbot. At first I thought it seemed straight forward, but running certbot-auto renew fails. I then did a certbot-auto certonly --apache and that downloaded a cert just fine (That then running renew again pick ups and even says its new doesnt neeed renewal). Not sure what I am missing or have yet to learn but some of the failure messages are: (names changed to protect the innocent)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xyx.someaddress.com
Waiting for verification...
Challenge failed for domain xyx.someaddress.com
Cleaning up challenges
Attempting to renew cert (xyx.someaddress.com-0004) from /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xyx.someaddress.com-0004/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- The following errors were reported by the server:
1 renew failure(s), 0 parse failure(s)
Domain: xyx.someaddress.com
Type: unauthorized
Detail: Invalid response from
https://xyx.someaddress.com/.well-known/acme-challenge/oMvZoCPBM8qZjYcIOlSHs0SLophprew9-c9zASc9d1s
[192.41.211.157]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So the biggest thing is I see the 'to fix these errors', but what does it mean domain name was entered correctly..where? and the DNS A/AAA are the right Ip address? No Idea where i check that. The conf file has many (omitted) domain names in it here but looks like this:
[renewalparams]
authenticator = webroot
account = ******************
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
xyx.someaddress.com = /var/www/html
www.xyx.someaddress.com = /var/www/html
Running the standard certbot-auto with the certonly for apache created a new folder in:
/etc/letsencrypt/live
and in that folder had the latest .pem files, so i went to where the only place I saw where to change the SSLCertificateFile
which was in:
/etc/httpd/extra/ssl-certs and also /etc/httpd/extra/ssl-certs-proxy.
The files I have point now to the new location of the .pem files (which are symlinked from the live folder).
Running openssl on these pem files it does seem like they expire correctly now yet when I goto:
https://www.ssllabs.com/ssltest
put in my site that is live, it says the cert was valid giving a date of yesterday and that it is expired. I cannot figure out where my apache insists on using old certs. Is there a cache to clear out?
Also to note, /etc/httpd/logs
the ssl_error_log gives a lot of these warnings:
[Mon Sep 02 06:43:22.246692 2019] [ssl:warn] [pid 4478] AH01909: RSA certificate configured for web-server.xxx.yyy.zzz:443 does NOT include an ID which matches the server name (not sure if this is relevant)
I did make sure the .well-known/acme-challenges was writable (just made it chmod 777 for now to triple make sure, won't keep it like that of course). Though again, I have all new certs (ditching the renewal option) and apache still isn't using them.
Have you checked that path "https://xyx.someaddress.com/.well-known/acme-challenge/" exists and apache/httpd have permission to this path?
Create this path and provide apache/httpd permission.
https://community.letsencrypt.org/t/renewal-attempts-http01-challenge-failed-for-all-domains/89891