Certbot-auto renew fails

apache-2.4certbotlets-encryptssl-certificate

I inherited a web-server that uses letsencrypt with certbot. At first I thought it seemed straight forward, but running certbot-auto renew fails. I then did a certbot-auto certonly –apache and that downloaded a cert just fine (That then running renew again pick ups and even says its new doesnt neeed renewal). Not sure what I am missing or have yet to learn but some of the failure messages are: (names changed to protect the innocent)

Saving debug log to /var/log/letsencrypt/letsencrypt.log



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xyx.someaddress.com
Waiting for verification...
Challenge failed for domain xyx.someaddress.com
Cleaning up challenges
Attempting to renew cert (xyx.someaddress.com-0004) from /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xyx.someaddress.com-0004/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - The following errors were reported by the server:
1 renew failure(s), 0 parse failure(s)
Domain: xyx.someaddress.com
   Type:   unauthorized
   Detail: Invalid response from
   https://xyx.someaddress.com/.well-known/acme-challenge/oMvZoCPBM8qZjYcIOlSHs0SLophprew9-c9zASc9d1s
   [192.41.211.157]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

So the biggest thing is I see the 'to fix these errors', but what does it mean domain name was entered correctly..where? and the DNS A/AAA are the right Ip address? No Idea where i check that. The conf file has many (omitted) domain names in it here but looks like this:

[renewalparams]
authenticator = webroot
account = ******************
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
xyx.someaddress.com = /var/www/html
www.xyx.someaddress.com = /var/www/html

Running the standard certbot-auto with the certonly for apache created a new folder in:

/etc/letsencrypt/live

and in that folder had the latest .pem files, so i went to where the only place I saw where to change the SSLCertificateFile which was in:

/etc/httpd/extra/ssl-certs and also /etc/httpd/extra/ssl-certs-proxy.

The files I have point now to the new location of the .pem files (which are symlinked from the live folder).

Running openssl on these pem files it does seem like they expire correctly now yet when I goto:

https://www.ssllabs.com/ssltest

put in my site that is live, it says the cert was valid giving a date of yesterday and that it is expired. I cannot figure out where my apache insists on using old certs. Is there a cache to clear out?

Also to note, /etc/httpd/logs the ssl_error_log gives a lot of these warnings:

[Mon Sep 02 06:43:22.246692 2019] [ssl:warn] [pid 4478] AH01909: RSA certificate configured for web-server.xxx.yyy.zzz:443 does NOT include an ID which matches the server name
(not sure if this is relevant)

I did make sure the .well-known/acme-challenges was writable (just made it chmod 777 for now to triple make sure, won't keep it like that of course). Though again, I have all new certs (ditching the renewal option) and apache still isn't using them.

Best Answer

Have you checked that path "https://xyx.someaddress.com/.well-known/acme-challenge/" exists and apache/httpd have permission to this path?

Create this path and provide apache/httpd permission.

https://community.letsencrypt.org/t/renewal-attempts-http01-challenge-failed-for-all-domains/89891

Updated answer (see original answer below)

In my original answer I focused on the fact that the script you provided is not required when using the renew command. However, I did not make sure the renew command is actually applicable in this scenario.

As cdhowie and bobpaul in the comments state: certbot renew is a non-interactive mode that - in conjunction with the dns challenge - requires you to provide a script via the --manual-auth-hook parameter. Said script must be capable of setting a TXT record. You can also provide another script to cleanup afterwards via the --manual-cleanup-hook parameter.

If you provide these parameters, the whole process will run automatically without any interaction.

If you do not provide these parameters, certbot will fail:

/opt/certbot # certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foobar.w9f.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

If you want to renew your certificates via the manual mode, you must re-run the commands you used to acquire the certificates. In this case, your script is a nice option since the certonly command does not look at the present certificates/configuration and instead requires you to provide the domain names either via the -d parameter or in interactive mode.

when I run "certbot renew", will it renew all of them automatically without using my script?

TL;DR: Yes, it should.

Let us have a look at the documentation of certbot:

As of version 0.10.0, Certbot supports a renew action to check all installed certificates for impending expiry and attempt to renew them. The simplest form is simply

certbot renew

So far, so good.

This command attempts to renew any previously-obtained certificates that expire in less than 30 days.

This should answer your question. Beware: Im not aware how well certbot can handle situations where you move the certificates to different directories.

Later in the same paragraph:

The same plugin and options that were used at the time the certificate was originally issued will be used for the renewal attempt, unless you specify other plugins or options. Unlike certonly, renew acts on multiple certificates and always takes into account whether each one is near expiry.

So, yes; certbot should renew all your certificates without the help of your script.

How do I actually create a new certificate using the DNS challenge to start with?

What's wrong with the command you posted at the beginning of your post? certbot -d example.com --manual --preferred-challenges dns certonly will acquire a certificate for example.com using the dns challenge.

The steps to create a certificate are:

Run the certbot command you posted
Wait for the command to show you a DNS TXT record
Create that TXT record
Continue the certbot command
Get a certificate for the specified domain
Delete the TXT record (since you only need it for the creation and a new one for the renewal)

If you want to automate that complete process, you might want to have a look at a tool like lego which supports a couple of DNS providers.

Nginx – Dockerized Nginx + Certbot + tls-sni challenge not working on renewal

Not much activity on ServerFault, so here is the answer:

https://github.com/certbot/certbot/issues/5252#issuecomment-346500852

Best Answer

Related Solutions

Renew domains using certbot and using DNS challenge

Updated answer (see original answer below)

when I run "certbot renew", will it renew all of them automatically without using my script?

How do I actually create a new certificate using the DNS challenge to start with?

Nginx – Dockerized Nginx + Certbot + tls-sni challenge not working on renewal

Related Topic