12

So it's been years since I put a certbot-auto certificate for multiple domains on the same server (Apache 2.2 - Debian 7). But today I saw my crontab didn't renew the certificate, so I tried to do it over SSH with the following line:

    ./certbot-auto renew

Here is the error statement:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/www.domain1.fr.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for domain2.fr
    http-01 challenge for domain1.fr
    http-01 challenge for www.domain2.fr
    http-01 challenge for www.domain1.fr
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert (www.domain1.fr) from /etc/letsencrypt/renewal/www.domain1.fr.conf produced an unexpected error: Failed authorization procedure. domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8 [151.80.100.117]: 503, www.domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc [151.80.100.117]: 503, domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo [151.80.100.117]: 503, www.domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c [151.80.100.117]: 503. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: domain2.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8
       [151.80.100.117]: 503

       Domain: www.domain1.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc
       [151.80.100.117]: 503

       Domain: domain1.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo
       [151.80.100.117]: 503

       Domain: www.domain2.fr
       Type:   unauthorized
       Detail: Invalid response from
       http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c
       [151.80.100.117]: 503

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.

I did not change anything about the vhost configurations or the server config, so I don't know why certbot doesn't have authorization to update anymore.

EDIT:

All domains have an A record in DNS with the right IP.

My /.well-known/ folders currently have 0777 permissions.

Alain.D

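The "Failed authorization procedure" line above packs every failed host-name of a multi-domain certificate into one sentence, which is hard to read when four names fail at once. The following is an added example (not code from the question or from certbot) that parses that line into one record per domain and groups the failures by challenge type and HTTP status, and flags any domain whose validation IP differs from the address you expect; the sample text is constructed to mirror the shape of the output above, with the challenge tokens replaced by placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as certbot's "Failed authorization procedure"
# line in the question, shortened to two domains and with placeholder tokens.
SAMPLE_OUTPUT = (
    "Attempting to renew cert (www.domain1.fr) from "
    "/etc/letsencrypt/renewal/www.domain1.fr.conf produced an unexpected error: "
    "Failed authorization procedure. "
    "domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "http://domain2.fr/.well-known/acme-challenge/TOKEN1 [151.80.100.117]: 503, "
    "www.domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "http://www.domain1.fr/.well-known/acme-challenge/TOKEN2 [151.80.100.117]: 503. "
    "Skipping."
)

# One failed authorization: "<domain> (<challenge>): <urn error> :: <reason>
# :: Invalid response from <url> [<ip>]: <http status>"
FAILURE_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:[\w-]+) :: "
    r"(?P<reason>[^:]+?) :: Invalid response from "
    r"(?P<url>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<status>\d{3})"
)


def parse_failures(text):
    """Return one dict per failed authorization found in certbot output."""
    return [m.groupdict() for m in FAILURE_RE.finditer(text)]


def summarize(failures):
    """Group failed domains by (challenge type, HTTP status).

    A 503 on every name points at the web server (rewrite, redirect or
    webroot problem) rather than at DNS; a mix of statuses suggests
    per-vhost differences.
    """
    groups = defaultdict(list)
    for f in failures:
        groups[(f["challenge"], f["status"])].append(f["domain"])
    return dict(groups)


def unexpected_ips(failures, expected_ip):
    """Domains whose validation IP differs from the server you meant to reach.

    Lets you rule a DNS A-record problem in or out without a dig/nslookup.
    """
    return [f["domain"] for f in failures if f["ip"] != expected_ip]


if __name__ == "__main__":
    found = parse_failures(SAMPLE_OUTPUT)
    for (challenge, status), domains in summarize(found).items():
        print(f"{challenge} -> HTTP {status}: {', '.join(domains)}")
    print("wrong IP:", unexpected_ips(found, "151.80.100.117"))
```

To run it against a real attempt, feed it the text of /var/log/letsencrypt/letsencrypt.log or the output of `certbot-auto renew --dry-run` instead of the constructed sample.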
6 Answers

6

In our case, our DNS was working fine but we were still receiving the "lacks sufficient authorization" error.

Finally came across a resource here: https://webdock.io/en/docs/webdock-control-panel/common-certbot-errors

That brought to light running:

    certbot rollback

Followed by:

    certbot renew

And we were finally able to renew the certificate.

We were seriously on the verge of bringing up a brand new VM and migrating everything over, because after multiple attempts at solving that issue, the certificate had finally expired and we were in crunch mode.

Maybe this will save someone some grief.

Joshua Burns
4

I found an alternative solution but I did not solve the problem.

I did the trick like here: I used the following command:

    ./certbot-auto certonly -d www.domain1.fr -d domain1.fr -d domain2.fr -d www.domain2.fr

My certificates are now working again.

So the problem (I suppose) is the way certbot-auto renew matches the webroot of each website.

Thank you very much @Martin Zeitler for your help and your time.

Alain.D
3

make sure that each of these host-names has an A record in DNS and that each directory .well-known/acme-challenge can be accessed; it could not be any more obvious when it complains about 503 Service Unavailable. the log file /var/log/letsencrypt/letsencrypt.log might possibly contain further information.

a) on the one domain, .well-known/acme-challenge needs to be excluded from URL rewriting:

    # %{REQUEST_URI} starts with "/", so the leading slash must be part of the pattern
    RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$

b) and on the other domain, :80 must not redirect to :443.

Martin Zeitler
  • Hi, all my domains have an `A` record in `DNS` but in each website folder the `./well-known` folder is empty. – Alain.D Jan 30 '19 at 09:54
  • @Alain.D you need to stop rewriting from `:80` to `:443` ...the second one vhost always switches - and when it serves an expired SSL certificate, this is usually a `500`. – Martin Zeitler Jan 30 '19 at 10:01
  • I did create myself the `acme-challenge` folder in the second domain to make a test. I added the `123` file by myself to see if I can access it by browser. – Alain.D Jan 30 '19 at 10:02
  • @Alain.D updated my answer, because both domains seem to have a rewrite issue. – Martin Zeitler Jan 30 '19 at 10:08
  • what do you mean by "stop rewriting from :80 to :443"? Should I edit the vhost configuration and delete all 443 conf lines? – Alain.D Jan 30 '19 at 10:09
  • @Alain.D this should only be one rule, to be commented out, temporarily... because when I went to `http`, it redirected me to `https`... and the `TLS-SNI` challenge cannot have that. – Martin Zeitler Jan 30 '19 at 10:31
  • This is weird, my websites are on Prestashop, there is no :80 to :443 in htaccess or vhost conf – Alain.D Jan 30 '19 at 10:43
  • @Alain.D `non www` is also rewritten to `www`, at least on one of both (or better said four domains, as `TLS_SNI` sees it). one can use the above rewrite condition for all kinds of rewrite rules, no matter if `http` to `https` - or `non www` to `www`... it must be able to serve the file from where it saves it to. – Martin Zeitler Jan 30 '19 at 11:19
  • Well my websites were configured like this a long time ago and since then `Certbot-auto renew` always worked well. IDK why this redirection would be a problem now. – Alain.D Jan 30 '19 at 11:24
  • @Alain.D the refresh probably never worked (at least for the `non www` host-names), because when it redirects before it has the least chance to respond to the incoming challenge, the challenge will not succeed. – Martin Zeitler Jan 30 '19 at 11:35
  • Ok so I checked all `.htaccess` and vhost conf in `sites-enabled` and there is no redirection anymore, but right now both websites continue to redirect... Still when I try to renew the cert I get the same error. I'm suspecting my root user doesn't have enough permission to write in the /.well-known/ folder or that the /.well-known/ folder certbot tries to match is not in the right place. – Alain.D Jan 30 '19 at 11:57
2

In my case I had updated the DocumentRoot for some vhosts in the Apache configuration, thus breaking the LE renewal.

You can check the LE renewal configuration under /etc/letsencrypt/renewal/mysite.com.conf

Those paths under the webroot_map section:

    [[webroot_map]]
    mysite.com = /var/www/vhosts/mysite.com
    www.mysite.com = /var/www/vhosts/mysite.com

should match the DocumentRoot from your Apache vhost configuration.

Following my example you can compare using:

    grep DocumentRoot /etc/apache2/sites-enabled/mysite.com.conf

rilCy
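The comparison in the answer above is easy to get wrong by eye when a server hosts many vhosts, so here is an added example (not rilCy's code and not part of certbot) that does it programmatically: it reads the `[[webroot_map]]` section of a renewal config, reads ServerName/ServerAlias/DocumentRoot out of an Apache vhost file, and lists every host-name whose certbot webroot no longer matches Apache's DocumentRoot. Both input texts are constructed samples; the account id is a placeholder and the paths are invented for the example.

```python
import re
import sys

# Constructed sample of /etc/letsencrypt/renewal/mysite.com.conf (values invented).
RENEWAL_CONF = """\
archive_dir = /etc/letsencrypt/archive/mysite.com
[renewalparams]
authenticator = webroot
account = PLACEHOLDER_ACCOUNT_ID
[[webroot_map]]
mysite.com = /var/www/vhosts/mysite.com
www.mysite.com = /var/www/vhosts/mysite.com
"""

# Constructed sample vhost file: DocumentRoot was moved to an htdocs subfolder
# after the certificate was issued, which is exactly the breakage described.
APACHE_VHOST = """\
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    DocumentRoot /var/www/vhosts/mysite.com/htdocs
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example
    DocumentRoot /var/www/vhosts/other.example
</VirtualHost>
"""


def parse_webroot_map(conf_text):
    """Map host-name -> webroot from the [[webroot_map]] section of a renewal conf."""
    roots, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            name, path = (part.strip() for part in line.split("=", 1))
            roots[name] = path.rstrip("/")
    return roots


def parse_document_roots(vhost_text):
    """Map every ServerName/ServerAlias -> DocumentRoot of its <VirtualHost> block.

    The first block that declares a name wins, mirroring Apache's behaviour
    for duplicate names.
    """
    roots, names, docroot = {}, [], None
    directive = re.compile(r"(ServerName|ServerAlias|DocumentRoot)\s+(.+)", re.I)
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            names, docroot = [], None
        elif re.match(r"</VirtualHost>", line, re.I):
            for name in names:
                roots.setdefault(name, docroot)
        else:
            m = directive.match(line)
            if m:
                key, value = m.group(1).lower(), m.group(2).strip().strip('"')
                if key == "documentroot":
                    docroot = value.rstrip("/")
                else:
                    names.extend(value.split())
    return roots


def find_mismatches(webroot_map, document_roots):
    """(host-name, certbot webroot, apache docroot or None) for each disagreement."""
    problems = []
    for name, certbot_root in webroot_map.items():
        apache_root = document_roots.get(name)
        if apache_root != certbot_root:
            problems.append((name, certbot_root, apache_root))
    return problems


def check_files(renewal_path, vhost_path):
    """Run the comparison on real files, e.g. the two paths named in the answer."""
    with open(renewal_path) as f, open(vhost_path) as g:
        return find_mismatches(parse_webroot_map(f.read()), parse_document_roots(g.read()))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = check_files(sys.argv[1], sys.argv[2])
    else:
        found = find_mismatches(parse_webroot_map(RENEWAL_CONF), parse_document_roots(APACHE_VHOST))
    for name, certbot_root, apache_root in found:
        print(f"{name}: certbot webroot {certbot_root} != Apache DocumentRoot {apache_root}")
```

Once the mismatches are known, the fix is the one rilCy implies: point the `[[webroot_map]]` entries at the current DocumentRoot (or re-issue with `certonly` and the right `--webroot-path`) so that the `.well-known/acme-challenge` file certbot writes is the one Apache actually serves.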
1

Try this using the nginx-certbot solution:

    sudo add-apt-repository ppa:certbot/certbot
    sudo apt install python-certbot-nginx
    sudo certbot --nginx -d xxx.xxx.com

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

Phillip Kigenyi
1

I had the same problem and in my case it was a newly introduced rule of the organization's firewall that explicitly blocks the acme-protocol. Hell yeah, it took me several hours of investigation and in the end, I placed such a challenge file in the .well-known/acme-challenge folder and tried to load it in the browser. Just to get that page instead:

    Application Blocked
    Access to the application you were trying to use has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.

    User: MY-IP-ADDRESS

    Application: acme-protocol

So when all the other answers could not help you, give it a try and also check for such unpleasant greetings from the network department.

spackmat