Error setting up Let's Encrypt with Apache

December 2, 2019 108 views
Let's Encrypt

Hello, I’m trying to set up a Let’s Encrypt SSL certificate on a server running Apache following this tutorial for the domain clinicapragma.com.br. I followed everything to the letter, but when I run sudo certbot renew --dry-run, I receive an output with the following errors:

Attempting to renew cert (yourdomain.com.br) from /etc/letsencrypt/renewal/yourdomain.com.br.conf produced an unexpected error: Failed authorization procedure. www.yourdomain.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.yourdomain.com.br/.well-known/acme-challenge/uCyqlVSFmcCpFWcBQ0HWF-ilE8ReqpVgKvV6TGDhjgM [45.55.150.150]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

(...)

The following certs could not be renewed:
  /etc/letsencrypt/live/yourdomain.com.br/fullchain.pem (failure)

I’m a newbie and I’m having a hard time figuring out how to solve this problem. Could someone please help me?

edited by alexdo
4 Answers

Hello, @renatov

Can you please confirm if the fullchain file is present: /etc/letsencrypt/live/yourdomain.com.br/fullchain.pem

Also I will suggest to check our latest tutorial for Ubuntu 18.04:

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-18-04

Looking forward to your reply.

Regards,
Alex


Hello @alexdo

Thank you for your reply. I think the file you mentioned is present, but it seems to be a link to another file:

$ sudo ls -l /etc/letsencrypt/live/clinicapragma.com.br/
total 4
lrwxrwxrwx 1 root root  44 Dec  2 00:30 cert.pem -> ../../archive/clinicapragma.com.br/cert2.pem
lrwxrwxrwx 1 root root  45 Dec  2 00:30 chain.pem -> ../../archive/clinicapragma.com.br/chain2.pem
lrwxrwxrwx 1 root root  49 Dec  2 00:30 fullchain.pem -> ../../archive/clinicapragma.com.br/fullchain2.pem
lrwxrwxrwx 1 root root  47 Dec  2 00:30 privkey.pem -> ../../archive/clinicapragma.com.br/privkey2.pem
-rw-r--r-- 1 root root 692 Dec  2 00:30 README

By the way, it only has read access as root. Is everything the way it should be? Concerning the tutorial you mentioned, I must stick with Ubuntu 14.04 until 04/2020. I can’t afford to install and configure the whole server just now, but I’m scheduling to do it when Ubuntu 20.04 LTS is out. I’d like to keep going with Ubuntu 14.04 until then. Everything is working just fine, I just need to provide a HTTPS to this domain and everything is running ok.

Hello, @renatov

This looks okay from what I can see. Let’s Encrypt creates those symlinks so it’s fine.

You can also check if the yourdomain.com.br/.well-known/acme-challenge directory is present and if it has sufficient permissions (both .well-known and acme-challenge are 755)

Let me know how it goes.

Regards,
Alex
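
The check suggested in the answer above can be scripted. This is an added example, not part of the original thread or of Certbot: it walks the directory chain the web server has to traverse to serve an http-01 challenge file and reports the first directory that is missing or not readable by others. It assumes GNU stat and that challenge files are served from the site's document root; the function name, return codes and probe file name are hypothetical.

```sh
# Added example: verify that <webroot>/.well-known/acme-challenge exists and
# that every directory on the way is world r-x (as with mode 755).
# Returns: 0 ok, 1 directory missing, 2 directory not world r-x,
#          3 probe file could not be written.
# Usage (the path is only an example): check_challenge_path /var/www/html
check_challenge_path() {
    webroot=$1
    for dir in "$webroot" "$webroot/.well-known" \
               "$webroot/.well-known/acme-challenge"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"
            return 1
        fi
        mode=$(stat -c %a "$dir")
        # The leading 0 makes the shell read the mode as octal; "others"
        # need both read (4) and execute (1) so Apache can enter the directory.
        if [ $(( 0$mode & 5 )) -ne 5 ]; then
            echo "mode $mode blocks the web server: $dir"
            return 2
        fi
    done
    # Drop a world-readable probe file next to where challenge files go.
    probe="$webroot/.well-known/acme-challenge/probe.txt"
    if ! printf 'probe\n' 2>/dev/null > "$probe"; then
        echo "cannot write: $probe"
        return 3
    fi
    chmod 644 "$probe"
    echo "ok: fetch /.well-known/acme-challenge/probe.txt over HTTP, then delete it"
    return 0
}
```

If the function returns 0 but fetching the probe URL for the failing hostname still gives a 404, the request is being answered by a different virtual host or document root than the one checked.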

  • There is no such directory:

    $ ls -a
    .  ..  index.html
    
    $ ls -l
    total 4
    -rw-rw-r-- 1 rvernucio rvernucio 325 Dec  2 00:12 index.html
    

    My other 2 domains, for which I successfully set up SSL using Let’s Encrypt in the beginning of 2019 (about 10 months ago), don’t have this directory either. Maybe something changed in Let’s Encrypt? I don’t get what’s the problem exactly.

    • Hello, @renatov

      What happens when you run the following command:

      ./letsencrypt-auto --test-cert --apache --domain yourdomain.com
      

      You need to change yourdomain.com with your actual domain name.

      Let me know how it goes.

      Regards,
      Alex

The command letsencrypt-auto was not found and find / -name letsencrypt-auto didn’t find anything. I think this command is deprecated. Some more information: as I said in the original post, there are 2 other domains that were created about 10 months ago whose HTTPS is working fine. This new domain I’m trying to create using the exact same method is giving this ACME error. The thing is, when I run sudo certbot renew --dry-run, the output shows that the ACME validation fails for the 3 domains (it fails for the new one I’m trying to create and for the other 2 that are already validated and running fine). So, I think if I had created this new domain 10 months ago, it would probably be working just fine. Also, if I were creating those 2 other (old) domains now, they would produce some error too. My guess is that some update in Let’s Encrypt added this ACME validation as necessary, which doesn’t work on Ubuntu 14.04. I don’t know if this makes sense, but if it does, maybe I should roll back Let’s Encrypt to an older version, or understand why the new version doesn’t work on Ubuntu 14.04 anymore. I’m currently running certbot version 0.28.0 in Ubuntu 14.04.
