I have been using Let's Encrypt without problems on DietPi for months, but now it stopped working and I am unable to generate a new certificate, with the following error:
2019-08-08 21:48:25,061:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: mydomain.tld
Type: unauthorized
Detail: Invalid response from http://mydomain.tld/.well-known/acme-challenge/FONW8pPwooYpSL6EtTJt9GifMCgwAI4j_Wa2zQmG_wI [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www."
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-08-08 21:48:25,063:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mydomain.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.tld/.well-known/acme-challenge/FONW8pPwooYpSL6EtTJt9GifMCgwAI4j_Wa2zQmG_wI [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www."
The domain is set up properly; visiting it takes me to the webpage hosted on my DietPi. I have also tried to generate for a different domain, but with the same results. I am using lighttpd as webserver.
Any ideas for troubleshooting?
There are a couple of similar posts. Apparently, you need to stop lighttpd first before renewal.
molnart
Can you please try:
certbot renew --force-renewal --webroot -w /var/www
I have started with a fresh DietPi install since then, so I cannot renew.
Stopping the webserver makes no sense, as the Let's Encrypt server cannot access the local files for verification.
Trying MichaIng's approach gives me the following:
root@DietPi:~# certbot certonly --webroot -w /var/www
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mydomain.tld
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.tld
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydomain.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.tld/.well-known/acme-challenge/hVtUb-8Oa8Iyvhxt6WtZQbbc6lNgkKouo0jt7GpM14M [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www."
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.tld
Type: unauthorized
Detail: Invalid response from
http://mydomain.tld/.well-known/acme-challenge/hVtUb-8Oa8Iyvhxt6WtZQbbc6lNgkKouo0jt7GpM14M
[xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\"
encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD
XHTML 1.0 Transitional//EN\"\n \"http://www."
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
EDIT: It seems I am just plain stupid. My home directory in lighttpd.conf is set to /var/www/html instead of /var/www. No wonder the certbot server could not access the challenge.
molnart
When starting with a fresh DietPi image, my --force-renewal command should not be required anymore. DietPi-LetsEncrypt already uses this authentication method then and by this allows automated renewal every 2 months via certbot.timer + merging of cert + key into a combined file via drop-in config for the renewal certbot.service.
Ah yeah, DietPi assumes/sets the webserver root to /var/www to allow multiple websites/applications beside each other accessible via sub dirs. When installing Lighttpd or any other webserver via DietPi-Software this should be set automatically.
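The root cause found in the EDIT above (certbot's `-w` webroot differing from lighttpd's `server.document-root`) can be caught before the ACME server ever gets asked. The following pre-flight check is an added example, not DietPi, certbot or lighttpd code; it assumes lighttpd.conf uses the plain `server.document-root = "/path"` literal form, and `classify_response` recognises the XHTML error page prefix quoted in the logs above.

```python
import os
import re
import secrets

# Plain literal form only; "var.basedir + ..." expressions are not handled (assumption).
DOCROOT_RE = re.compile(r'^\s*server\.document-root\s*=\s*"([^"]+)"', re.MULTILINE)
CHALLENGE_DIR = ".well-known/acme-challenge"
# Prefix of lighttpd's built-in XHTML error page, as seen in the certbot log above.
LIGHTTPD_ERROR_PREFIX = '<?xml version="1.0" encoding="iso-8859-1"?>'


def lighttpd_docroot(conf_text):
    """Return the last uncommented server.document-root literal, or None."""
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    found = DOCROOT_RE.findall(live)
    return os.path.normpath(found[-1]) if found else None


def challenge_paths(webroot, docroot, token):
    """Where certbot writes the token vs. where lighttpd will look for it."""
    written = os.path.join(os.path.normpath(webroot), CHALLENGE_DIR, token)
    served = os.path.join(os.path.normpath(docroot), CHALLENGE_DIR, token)
    return written, served


def preflight(conf_text, webroot):
    """Return (ok, message): can an http-01 token written to webroot be served?"""
    docroot = lighttpd_docroot(conf_text)
    if docroot is None:
        return False, "no server.document-root literal found in lighttpd.conf"
    token = secrets.token_urlsafe(32)  # constructed, same shape as an ACME token
    written, served = challenge_paths(webroot, docroot, token)
    if written != served:
        return False, (f"certbot writes {written} but lighttpd serves {served}: "
                       f"pass -w {docroot} or point server.document-root at "
                       f"{os.path.normpath(webroot)}")
    return True, f"webroot {docroot} matches server.document-root"


def classify_response(body, token):
    """Label what the ACME server got back when fetching the challenge URL."""
    text = body.strip()
    if text.startswith(token + "."):
        return "key-authorization"      # token.<account thumbprint>, as expected
    if text.startswith(LIGHTTPD_ERROR_PREFIX):
        return "lighttpd-error-page"    # the 404 page quoted in the log above
    return "unexpected"
```

Run `preflight(open("/etc/lighttpd/lighttpd.conf").read(), "/var/www")` on the box before invoking certbot; a `False` result names both paths so you can align either side.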