letsencrypt - problem renewing certs. "Invalid response from domain..."

April 25, 2016 9.8k views
Let's Encrypt WordPress Ubuntu

I'm hoping someone can advise.

I am attempting to renew the letsencrypt certificates on my droplet. The droplet is running Ubuntu 14.04 and the WordPress application (from the droplet templates).

I have updated the letsencrypt client to the latest version.

When I run the `./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d bizzi-body.com` command

I get the message....

Failed authorization procedure. bizzi-body.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bizzi-body.com/.well-known/acme-challenge/JPohzID6xfYLBs25Riju1AUnECWWOFmvSR71b2KfoT8 [46.101.210.75]: 404...

If I attempt that same URL in a browser I get a 404 message from WordPress.

I am wondering if the issue is simply WordPress getting in the way. Or if there is a routing issue.

Any advice much appreciated.

6 comments
  • LE connects via http to confirm the site, so it needs to be reachable there. Is it possible you're running port forwarding? If the traffic from Let's Encrypt is being redirected on port 443, that may cause this issue. Can you get to http://bizzi-body.com/.well-known/acme-challenge/JPohzID6xfYLBs25Riju1AUnECWWOFmvSR71b2KfoT8 externally? When I attempted to reach the site, I got a 404 not found page.

    This could be an Apache issue, or a permissions issue - make sure you've got the permissions on .well-known and acme-challenge set to 755. Another possibility is that it is a .htaccess file, that is causing this issue, due to redirects.
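The two checks suggested in the comment above (permissions on `.well-known/acme-challenge`, and whether the challenge URL is actually reachable over plain HTTP) can be scripted. The following is an added example written for this page, not code from the thread or from the Let's Encrypt client; it assumes GNU `stat -c` and `curl` are available, and `WEBROOT`/`DOMAIN` are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the two things raised in
# the comment: that every directory on the path to the http-01 challenge
# file has 755-style permissions (readable and traversable by the web
# server's unprivileged user), and that the URL answers over plain HTTP.
# Assumes GNU coreutils stat (-c) and curl; WEBROOT and DOMAIN are arguments.

# others_have PATH BITS -> 0 if the "others" octal digit of PATH's mode
# includes every bit in BITS (5 = r-x for directories, 4 = r-- for files).
others_have() {
    mode=$(stat -c %a "$1")
    o=${mode#"${mode%?}"}            # last octal digit = permissions for others
    [ $(( o & $2 )) -eq "$2" ]
}

# check_challenge_path WEBROOT -> 0 when a probe file written under
# WEBROOT/.well-known/acme-challenge would be readable by the web server;
# 1 otherwise, naming the offending path on stderr.
check_challenge_path() {
    webroot=$1
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    probe="$dir/probe-$$"
    printf 'probe\n' > "$probe"
    rc=0
    for d in "$webroot" "$webroot/.well-known" "$dir"; do
        if ! others_have "$d" 5; then
            echo "not world-traversable (want 755): $d is $(stat -c %a "$d")" >&2
            rc=1
        fi
    done
    if ! others_have "$probe" 4; then
        echo "probe file not world-readable (want 644): $probe" >&2
        rc=1
    fi
    rm -f "$probe"
    return $rc
}

# challenge_http_status DOMAIN TOKEN -> prints the HTTP status code the ACME
# server would see for http://DOMAIN/.well-known/acme-challenge/TOKEN.
# A 404 here, as in the question, means the web application, an .htaccess
# rule or a redirect is answering instead of the static challenge file.
challenge_http_status() {
    curl -s -o /dev/null -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$2"
}

# Stand-alone use: sh check-acme-webroot.sh WEBROOT DOMAIN
if [ "$#" -ge 2 ]; then
    check_challenge_path "$1"
    token="probe-$$"
    printf 'probe\n' > "$1/.well-known/acme-challenge/$token"
    echo "HTTP status for challenge URL: $(challenge_http_status "$2" "$token")"
    rm -f "$1/.well-known/acme-challenge/$token"
fi
```

Run it with the same webroot you pass to `--webroot-path`; a permissions failure points at the directory to `chmod 755`, while a clean permissions pass combined with a 404 from `challenge_http_status` points at the web server configuration (WordPress rewrite rules, `.htaccess`, or an HTTP-to-HTTPS redirect) rather than the filesystem.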

  • Thanks @BrookDO.

    I'll investigate. Folder permissions must equal 755. Port 443 redirection. .htaccess.

  • I've moved forward a step. :)

    The lets encrypt folder did not have 755 permissions.

    Now that it does I can view files in this folder. Yip Yip.

    However. Now when I run the LE renew command I get.....

    ```
    2016-04-28 10:53:36,152:WARNING:letsencrypt.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/bizzi-body.com.conf produced an unexpected error: Failed to run Apache plugin non-interactively
    Missing command line flag or config entry for this setting:
    We were unable to find a vhost with a ServerName or Address of bizzi-body.com.
    Which virtual host would you like to choose?
    (note: conf files with multiple vhosts are not yet supported)
    Choices: ['default-ssl.conf               |                       | HTTPS | Enabled', '000-default.conf               |                       |       | Enabled', '000-default-le-ssl.conf        |                       | HTTPS | Enabled']
    (The best solution is to add ServerName or ServerAlias entries to the VirtualHost directives of your apache configuration files.). Skipping.

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/bizzi-body.com/fullchain.pem (failure)
    1 renew failure(s), 0 parse failure(s)
    ```

    Yuk. I am lost.

    Reading the message I see "Failed to run Apache plugin non-interactively. Missing command line flag or config entry for this setting". I've googled but cannot find an example of how to configure this flag/config.

    Can anyone point me to a tutorial that might help?

  • It looks like the key to that error is "We were unable to find a vhost with a ServerName or Address of bizzi-body.com." which indicates that you may need to use the FQDN or otherwise specify the specific server, and not just the domain. What does `hostname` return on this server? Try adding that to the beginning of bizzi-body.com.
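The error quoted above is raised when none of the enabled Apache site files carries a `ServerName` or `ServerAlias` naming the domain being renewed, which is also what the log's own hint ("add ServerName or ServerAlias entries to the VirtualHost directives") is about. The script below is an added example written for this page, not code from the thread or from the Apache plugin; it reproduces that lookup against a config directory so the missing directive can be found and added before the renewal is retried. The default directory `/etc/apache2/sites-enabled` is an assumption based on the Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the lookup behind
# "We were unable to find a vhost with a ServerName or Address of <domain>":
# scans the enabled Apache site files for a ServerName/ServerAlias that
# names the domain, so the gap can be fixed before the renewal is retried.
# CONFDIR defaults to /etc/apache2/sites-enabled (Debian/Ubuntu assumption).

# find_vhost_for DOMAIN [CONFDIR] -> prints each *.conf whose ServerName or
# ServerAlias lists DOMAIN (case-insensitive, ":port" suffix ignored,
# comments stripped); returns 1 when no file matches.
find_vhost_for() {
    domain=$1
    confdir=${2:-/etc/apache2/sites-enabled}
    status=1
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        if sed 's/#.*//' "$f" | awk -v d="$domain" '
            tolower($1) == "servername" || tolower($1) == "serveralias" {
                for (i = 2; i <= NF; i++) {
                    v = $i
                    sub(/:[0-9]+$/, "", v)      # ServerName host:port -> host
                    if (tolower(v) == tolower(d)) hit = 1
                }
            }
            END { exit !hit }'
        then
            echo "$f"
            status=0
        fi
    done
    return $status
}

# servername_lines CONFDIR -> the uncommented ServerName/ServerAlias lines
# currently in effect, prefixed by file name, to compare against the
# "Choices:" list the plugin printed.
servername_lines() {
    grep -iH -E '^[[:space:]]*Server(Name|Alias)[[:space:]]' "$1"/*.conf 2>/dev/null || true
}

# Stand-alone use: sh find-vhost.sh DOMAIN [CONFDIR]
if [ "$#" -ge 1 ]; then
    if find_vhost_for "$1" "${2:-}"; then
        echo "vhost for $1 found; the Apache plugin can select it non-interactively"
    else
        echo "no enabled vhost names $1; add 'ServerName $1' (or a ServerAlias) to the VirtualHost that serves it" >&2
        servername_lines "${2:-/etc/apache2/sites-enabled}"
    fi
fi
```

When the script reports no match, the fix is the one the log suggests: put `ServerName bizzi-body.com` (and a `ServerAlias` for any `www.` variant) inside the `<VirtualHost>` block that serves the site, reload Apache, and rerun the renewal. Commented-out directives are ignored, because Apache ignores them too.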

  • I just went through this problem this weekend. Notice that the renewal URL is HTTP, versus HTTPS. Letsencrypt has updated their package; it is renamed and updated to "certbot". The short and skinny of it is that you have to clone the new certbot git repo, configure for port 80, and then upgrade the cert. Here's my writeup - https://nwlinux.com/update-letsencrypt-to-certbot-on-nginx-and-ubuntu/

  • @nwlinux - Good work. They sure don't make this easy..... Thanks for writing this up - I'll be running through it soon so knowing this will be very useful.

1 Answer

This question was answered by @nwlinux:

I just went through this problem this weekend. Notice that the renewal URL is HTTP, versus HTTPS. Letsencrypt has updated their package; it is renamed and updated to "certbot". The short and skinny of it is that you have to clone the new certbot git repo, configure for port 80, and then upgrade the cert. Here's my writeup - https://nwlinux.com/update-letsencrypt-to-certbot-on-nginx-and-ubuntu/
