
I just received an email from Let’s Encrypt stating:

Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice.

I did the following to upgrade on Debian 9:

  • sudo apt-get update
  • sudo apt-get upgrade
  • It proceeded to upgrade many packages but said certbot was being held back
  • I then did sudo apt-get upgrade certbot
  • It upgraded certbot (as well as python3-acme, python3-certbot, and python3-certbot-apache). It also installed a new package (python3-requests-toolbelt).
  • Everything seemed to install fine
  • I then ran sudo certbot renew --dry-run

On the dry-run I got several errors as follows (some items have been REDACTED by me as I wasn’t sure if it was sensitive info to post here):

Attempting to renew cert (mail.example.com) from /etc/letsencrypt/renewal/mail.example.com.conf produced an unexpected error: Failed authorization procedure. mail.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.example.com/.well-known/acme-challenge/REDACTED_STRING_EXAMPLE [REDACTED HEXADECIMAL ADDRESS]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

and

 The following errors were reported by the server:

   Domain: mail.example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.example.com/.well-known/acme-challenge/REDACTED CODE
   [REDACTED HEXADECIMAL ADDRESS]: "<!DOCTYPE HTML PUBLIC
   "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

What is causing this issue? I do not have a .well-known directory in my root web directory. Is this a new requirement that I need to add? If so, what can I do to fix my certbot so that I can correctly renew my certificates?

2 Answers


  1. So, as I saw that you are using Apache, I think it is wrongly configured to serve the ACME challenge properly.

    What certbot is doing is creating the .well-known/acme-challenge/ folder and then adding it to your Apache configuration for the website (here mail.example.com). So my guess is:

    • Check that you have a mail.example.com configuration in Apache (/etc/apache2). You can dump all your current active configurations with something like apachectl -t -D DUMP_VHOSTS.
    • Check your mail.example.com configuration in Apache and especially the :80 part where certbot is gonna try to insert code.

    I think that you have an issue here as certbot is unable to make the .well-known folder available (over HTTP, port 80). Check your <Directory> tags in your configuration to try to understand where Apache is redirecting your traffic.

  2. Sometimes the automatic verification fails, especially with custom configurations in place.
    If not done already, check out the certbot documentation for the HTTP-01 challenge. The important parts:

    When using the Webroot plugin or the manual plugin, make sure the
    webroot directory exists and that you specify it properly. If you set
    the webroot directory for example.com to /var/www/example.com then a
    file placed in
    /var/www/example.com/.well-known/acme-challenge/testfile should appear
    on your web site at
    http://example.com/.well-known/acme-challenge/testfile (A redirection
    to HTTPS is OK here and should not stop the challenge from working.)

    Make sure your web server serves files properly from the directory
    where the challenge file is placed (e. g. /.well-known/acme-challenge)
    to the expected location on the website without adding a header or
    footer.

    This tutorial describes how to allow ACME HTTP requests with the Apache server.

    In short:

    To make it simple, you can map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
    Therefore you should create the directory beforehand.

    # shared webroot for every vhost; the webroot plugin creates acme-challenge/ beneath it
    sudo mkdir -p /var/lib/letsencrypt/.well-known
    # let the web server's group read what certbot (running as root) writes here
    sudo chgrp www-data /var/lib/letsencrypt
    # setgid so new files and subdirectories inherit the www-data group
    sudo chmod g+s /var/lib/letsencrypt
    

    Then, to make sure the folder is accessible, you can use the following config snippet:

    # map the challenge URL prefix to the shared directory, independent of the vhost's DocumentRoot
    Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
    <Directory "/var/lib/letsencrypt/">
        AllowOverride None
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        # anyone may fetch the token files; the CA's validator is an anonymous client
        Require method GET POST OPTIONS
    </Directory>
    
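The check that both answers come down to (answer 1: is the :80 vhost actually serving the directory certbot writes into? answer 2: does a file dropped under webroot/.well-known/acme-challenge/ come back at that URL?) can be reproduced end to end with nothing but the Python standard library. The example below is added here and is not from the original question, the answers, or certbot itself. It stands in a throw-away http.server on 127.0.0.1 for Apache, writes a token file into a temporary webroot the way the webroot plugin does, computes the key authorization the file must contain (token, a dot, and the RFC 7638 thumbprint of the account key), and then fetches the URL as the CA's validator would. Serving a different directory than the one certbot wrote into produces the same 404 the asker's log shows. SAMPLE_JWK is a constructed placeholder, not a real key; every function name here is the example's own.

```python
import base64
import hashlib
import http.server
import json
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from typing import Dict, Tuple

# Constructed sample account key (JWK). Placeholder values, not a real RSA key:
# the thumbprint only hashes the members, so any base64url text will do.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
    "alg": "RS256",  # present in real JWKs, but not part of the thumbprint input
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """What the challenge file must contain: token '.' thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, keyauth: str) -> str:
    """Mimic the webroot plugin: create .well-known/acme-challenge/ and drop the token file."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for Apache; same static-file semantics, request logging silenced."""

    def log_message(self, fmt, *args):
        pass


def serve(document_root: str) -> Tuple[socketserver.TCPServer, int]:
    """Start a background server rooted at document_root on an ephemeral port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), partial(QuietHandler, directory=document_root))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host: str, port: int, token: str) -> Tuple[int, str]:
    """Fetch the challenge URL the way the CA's validator does; return (status, body)."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_http01(webroot: str, document_root: str, jwk: Dict[str, str]) -> Dict[str, object]:
    """Write a token into webroot, then fetch it from a server rooted at document_root.
    If the two differ (the misconfiguration behind the question) the fetch 404s, which is
    the 'Invalid response ... 404 Not Found' in the asker's log."""
    token = b64url(secrets.token_bytes(32))
    expected = key_authorization(token, jwk)
    write_challenge(webroot, token, expected)
    srv, port = serve(document_root)
    try:
        status, body = probe("127.0.0.1", port, token)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"status": status, "valid": status == 200 and body.strip() == expected}


def run_demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Good case: server root is the webroot. Bad case: server root is some other directory."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other_root:
        good = check_http01(webroot, webroot, SAMPLE_JWK)
        bad = check_http01(webroot, other_root, SAMPLE_JWK)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("served from the webroot:        ", good)
    print("served from another DocumentRoot:", bad)
```

Against a real host the same probe applies unchanged: put any file under the webroot's .well-known/acme-challenge/, fetch it over plain HTTP on port 80 from outside, and compare the bytes. A 404 means the :80 vhost's DocumentRoot (or a missing Alias) does not point where certbot wrote, not that the token is wrong; a redirect to HTTPS is fine, but a body with a header or footer added is not, because the validator compares the whole response to the key authorization.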