Letsencrypt stopped working

molnart
Posts: 17
Joined: Sat Apr 15, 2017 12:56 am

Letsencrypt stopped working

Post by molnart »

I have been using letsencrypt without problems on DietPi for months, but now it stopped working and I am unable to generate a new certificate, with the following error:


2019-08-08 21:48:25,061:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mydomain.tld
Type:   unauthorized
Detail: Invalid response from http://mydomain.tld/.well-known/acme-challenge/FONW8pPwooYpSL6EtTJt9GifMCgwAI4j_Wa2zQmG_wI [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n         \"http://www."

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-08-08 21:48:25,063:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mydomain.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.tld/.well-known/acme-challenge/FONW8pPwooYpSL6EtTJt9GifMCgwAI4j_Wa2zQmG_wI [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n         \"http://www."
 
the domain is set up properly, visiting it takes me to the webpage hosted on my dietpi. I have also tried to generate for a different domain but with the same results. I am using lighttpd as webserver.

Any ideas for troubleshooting?
baz123
Posts: 166
Joined: Thu Jan 12, 2017 9:23 pm

Re: Letsencrypt stopped working

Post by baz123 »

There are a couple of similar posts. Apparently, you need to stop lighttpd first before renewal.
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: Letsencrypt stopped working

Post by MichaIng »

@molnart
Can you please try:


certbot renew --force-renewal --webroot -w /var/www
molnart
Posts: 17
Joined: Sat Apr 15, 2017 12:56 am

Re: Letsencrypt stopped working

Post by molnart »

I have started with a fresh DietPi install since then, so I cannot renew.

Stopping the webserver makes no sense, as the letsencrypt server cannot access the local files for verification.

Trying MichaIng's approach gives me the following:


root@DietPi:~# certbot certonly --webroot -w /var/www
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mydomain.tld
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.tld
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydomain.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.tld/.well-known/acme-challenge/hVtUb-8Oa8Iyvhxt6WtZQbbc6lNgkKouo0jt7GpM14M [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n         \"http://www."

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.tld
   Type:   unauthorized
   Detail: Invalid response from
   http://mydomain.tld/.well-known/acme-challenge/hVtUb-8Oa8Iyvhxt6WtZQbbc6lNgkKouo0jt7GpM14M
   [xxx.xxx.xxx.xxx]: "<?xml version=\"1.0\"
   encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD
   XHTML 1.0 Transitional//EN\"\n         \"http://www."

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
EDIT: it seems I am just plain stupid. My home directory in lighttpd.conf is set to /var/www/html instead of /var/www. No wonder the certbot server could not access the challenge.
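The root cause molnart found (certbot writing the challenge file under /var/www while lighttpd serves /var/www/html, so the validation server receives lighttpd's HTML 404 page instead of the key authorization) can be caught before an ACME attempt burns a rate-limit slot. The script below is an added example, not code from this thread, from DietPi or from certbot: it emulates what `certbot --webroot -w <webroot>` writes and what a static webserver with a given document root would answer, classifies the answer the way the certbot error above suggests, and offers a `live_check` that runs the same file-then-fetch test against a real host. The 404 page body, the account-key thumbprint string and the temporary directory layout are constructed placeholders.

```python
import os
import secrets
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"
# Placeholder for the ACME account-key thumbprint; certbot computes the real one.
THUMBPRINT_PLACEHOLDER = "ACCOUNT-KEY-THUMBPRINT"

# Constructed stand-in for lighttpd's default 404 page, shaped like the body
# quoted in the certbot error in this thread.
HTML_404 = ('<?xml version="1.0" encoding="iso-8859-1"?>\n'
            '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n'
            '<html><head><title>404 - Not Found</title></head></html>')


def place_key_authorization(webroot: str, token: str) -> str:
    """Emulate certbot --webroot -w <webroot>: write the key authorization
    (token.thumbprint) to <webroot>/.well-known/acme-challenge/<token>."""
    key_authz = f"{token}.{THUMBPRINT_PLACEHOLDER}"
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authz)
    return key_authz


def serve_static(document_root: str, url_path: str) -> str:
    """Emulate a static webserver whose document root is document_root:
    return the file's content, or an HTML 404 page if the file is absent."""
    target = Path(document_root) / url_path.lstrip("/")
    if target.is_file():
        return target.read_text()
    return HTML_404


def classify_response(body: str, expected: str) -> str:
    """Classify what the ACME validation server would see for the challenge URL."""
    if body.strip() == expected:
        return "ok"
    if body.lstrip().startswith(("<?xml", "<!DOCTYPE", "<html")):
        return "html-error-page"   # webserver answered, but from a different root
    return "unexpected"


def preflight(webroot: str, document_root: str) -> str:
    """Verdict for one (certbot webroot, webserver document root) pairing."""
    token = secrets.token_urlsafe(32)
    expected = place_key_authorization(webroot, token)
    body = serve_static(document_root, f"/{CHALLENGE_DIR}/{token}")
    return classify_response(body, expected)


def live_check(domain: str, webroot: str, timeout: float = 10.0) -> str:
    """Same check against a real server: place the file, fetch it over plain
    HTTP (http-01 is validated on port 80), then remove it again."""
    token = secrets.token_urlsafe(32)
    expected = place_key_authorization(webroot, token)
    path = Path(webroot) / CHALLENGE_DIR / token
    try:
        url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")   # e.g. the 404 page
    finally:
        path.unlink(missing_ok=True)
    return classify_response(body, expected)


def demo() -> dict:
    """Reproduce the thread in a temp dir: certbot told /var/www while lighttpd
    serves /var/www/html, versus both agreeing on /var/www."""
    base = tempfile.mkdtemp(prefix="acme-preflight-")
    www = os.path.join(base, "www")
    html = os.path.join(www, "html")
    os.makedirs(html)
    return {
        "mismatched": preflight(webroot=www, document_root=html),
        "aligned": preflight(webroot=www, document_root=www),
    }


if __name__ == "__main__":
    print(demo())   # {'mismatched': 'html-error-page', 'aligned': 'ok'}
```

On a live host, `live_check("mydomain.tld", "/var/www")` returning `html-error-page` is exactly the symptom in this thread and points at the webserver's document root (lighttpd's `server.document-root`) rather than at DNS, which is what the generic certbot hint suggests first.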
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: Letsencrypt stopped working

Post by MichaIng »

@molnart
When starting with a fresh DietPi image, my --force-renewal command should not be required anymore. DietPi-LetsEncrypt already uses this authentication method then and by this allows automated renewal every 2 months via certbot.timer + merging of cert + key into a combined file via drop-in config for the renewal certbot.service.

Ah yeah, DietPi assumes/sets the webserver root to /var/www to allow multiple websites/applications beside each other accessible via sub dirs. When installing Lighttpd or any other webserver via DietPi-Software this should be set automatically.