Recently I started using Let’s Encrypt SSL certificates for my site cPanelTips.com. Let’s face it, Let’s Encrypt has changed the way we install SSL certificates.
The old days when you had to fill in your company and personal details, generate the CSR code, submit it to the SSL registrar, and then wait for the CRT code are now gone.
Let’s Encrypt is an easy and fast way to install SSL certificates on both cPanel and plain Linux servers. In my case, these SSL certificates were installed on CentOS 7.x 64-bit and they worked perfectly until the renewal date came up.
However, when the Let’s Encrypt SSL certificate was about to come up for renewal, I noticed something weird while running the ‘renew’ option of the ‘certbot’ command. See below.
[[email protected]:~]/usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nixcp.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/nixcp.com.conf produced an unexpected error: Failed authorization procedure. nixcp.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nixcp.com/.well-known/acme-challenge/qtxjYi0a3FYNWpvqW-WTyZZzj848Yr0J6Sfx-75xDrg
The error was clear:
The client lacks sufficient authorization :: Invalid response from http://nixcp.com/.well-known/acme-challenge/
On the same renewal process I also saw another error on another website I manage:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mysecondsite.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: mysecondsite.com
Type: unauthorized
Detail: Invalid response from http://mysecondsite.com/.well-known/acme-challenge/YjP9PAcIEANeX50kZJ9vJ-lARkryYs7yFSLhKBU9Y_M: 404 Not Found

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
The A records were configured correctly at the DNS server, and the first thing that came to my mind was that certbot was trying to connect over http:// instead of https://.
I had configured those two domains with a 301 redirect from http to https, so I ran curl against the http URL to see whether the 301 redirect was the problem, but as far as I could see it wasn’t.
curl -I http://nixcp.com/.well-known/acme-challenge/
The command returned a 301 redirect as expected, so why was certbot not able to reach the final URL?
I don’t know, but something did work: I created an exception to the 301 redirect from http to https, and that let the certbot renewal process run without problems for both domains.
This is the configuration I used to 301-redirect everything from http to https except for the .well-known directory used by Let’s Encrypt:
server {
    listen 80;
    server_name www.nixcp.com nixcp.com;

    # Redirect all requests to https
    location / {
        return 301 https://nixcp.com$request_uri;
    }

    # This rule excludes the .well-known directory from the 301 redirect.
    location /.well-known {
        root /var/www/nixcp.com;
    }
}
Leaving the .well-known directory accessible over http was the key to running the certbot renewal process without issues. After that, I made sure the verification directory used by certbot was actually created:
mkdir -p /var/www/cpaneltips.com/.well-known/acme-challenge
After that I ran the renewal command again, and this was the result:
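The two failures above (a 301 to https, and a 404 on the challenge path) can both be caught before running certbot by fetching a throwaway token from the acme-challenge directory the same way the CA does: plain http, no redirect following. The script below is an added example, not part of the original post; it assumes the nginx webroot /var/www/nixcp.com and domain nixcp.com from the config above (override with the WEBROOT and DOMAIN environment variables) and that curl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): check that the http-01 challenge
# path is served directly over http, outside the http->https 301 redirect.
# Assumed defaults: webroot and domain from the nginx config in the post.
WEBROOT="${WEBROOT:-/var/www/nixcp.com}"
DOMAIN="${DOMAIN:-nixcp.com}"

# Classify a response from its HTTP status code and redirect target, as curl
# reports them with -w '%{http_code} %{redirect_url}'.
# Exit status: 0 = served over http, 2 = caught by the redirect,
#              3 = path not found, 1 = anything else.
acme_response_ok() {
  code="$1"
  redirect="$2"
  case "$code" in
    200)
      if [ -z "$redirect" ]; then
        echo "ok: challenge path served over plain http"
        return 0
      fi
      ;;
    301|302|307|308)
      echo "redirected to ${redirect}: exclude /.well-known from the https redirect"
      return 2
      ;;
    404)
      echo "404: /.well-known/acme-challenge is not served from ${WEBROOT}"
      return 3
      ;;
  esac
  echo "unexpected status ${code} (000 means no connection)"
  return 1
}

# Drop a temporary token into the challenge directory, fetch it like the CA
# would (no -L, so a redirect is reported rather than followed), then clean up.
check_acme_path() {
  dir="${WEBROOT}/.well-known/acme-challenge"
  token="selftest-$(date +%s)"
  mkdir -p "$dir"
  echo "$token" > "${dir}/${token}"
  out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' \
        "http://${DOMAIN}/.well-known/acme-challenge/${token}")
  rm -f "${dir}/${token}"
  set -- $out
  acme_response_ok "${1:-000}" "${2:-}"
}

# Usage: DOMAIN=nixcp.com WEBROOT=/var/www/nixcp.com sh check_acme.sh run
if [ "${1:-}" = "run" ]; then
  check_acme_path
fi
```

A non-zero exit from `check_acme_path` tells you which of the two problems from the post you have before `certbot renew` reports it; once it returns 0, `certbot renew --dry-run` should pass the http-01 challenge.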
It was renewed OK for another 3-month period! 🙂