Can't renew letsencrypt because of redirection to https

NethServer Version: 7.7.1908

Hello all,
I’m trying to renew letsencrypt certificates but I have errors, and I think it’s due to a redirection from http to https on the default host.
I have deactivated my htaccess on the default host. But I still have a redirection to the secure connection, and I don’t know from what it’s arriving!

In my request for this new certificate I have 10 (subs) domains in the list.
The thing I don’t understand is : letsencrypt send an error only for the 2 (primary) domains that pointing to the default vhost: mydomain.tld and www.mydomain.tld

Before this operations, I have renew other certificates on this same server for others domains and it works.

Can you help me please?

Please share relevant error messages from /var/log/letsencrypt

Did you move it away?

In this thread an .htaccess file was the problem.

Thanks @mrmarkuz,

I have renamed the .htaccess in htaccess.txt and that do the job: my url rewriting doesn’t work on the website. But the redirection to https stay alive…

I have see this thread, and it helped me to identify my problem is the redirection to https.

Here is part of the log:

2020-01-23 18:43:11,460:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/34601936:
{
  "protected": "eyJub25jZSI6ICIwMDAyTjdzTnl0dWU1YlVwYmRRb28tRWE3dGhzM0NUWkE5bmlwZXp6dDE1Q3Z1WSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zNDYwMTkzNiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEyMTk0Nzk2IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "", 
  "signature": "cfY0F8CphgQgcyQh5cqsVD_PAy5foaz9gk32RfPWd_WfTYhGC54PTdVs3UCplPNksDTRVFGK-tAs68zU4Fa57kr8Nru2NXwep7_ctJ18XFxRRRpcRmltCO6_8Vc4M17AUayO2ttxxUmR-LAlGDSgJi16d_36qf0AfHWTDjy1BDUgDTyzXPG5hZjJ0gXIf51mFz7Oy8eMpOWR7HhVNVoK1s6WrW7zLtBEq9cE1eACfswuthpgyXTwL6L3fmAcXazGEFX9PeLWv61fIAtg6N1gqW7CGPiOftEuJbK9jhIe1uTfxQZLmHTcoIsDEtNPXCyqTdA-q87foFDervm0FL92sw"
}
2020-01-23 18:43:11,627:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/34601936 HTTP/1.1" 200 1077
2020-01-23 18:43:11,628:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1077
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 12194796
date: Thu, 23 Jan 2020 17:43:11 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002hUO1zDkOISVVQCEz2zdHpjYFHGNyNGjBjaS5ahdtBQ4

{
  "identifier": {
    "type": "dns",
    "value": "sub.mydomain.tld"
  },
  "status": "valid",
  "expires": "2020-02-22T17:43:10Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/34601936/fZLevQ",
      "token": "kxUQ0jQqDwRdbYNy1lEZw5rq2J6RnBHrPGNuHL8RhX0",
      "validationRecord": [
        {
          "url": "http://sub.mydomain.tld/.well-known/acme-challenge/kxUQ0jQqDwRdbYNy1lEZw5rq2J6RnBHrPGNuHL8RhX0",
          "hostname": "sub.mydomain.tld",
          "port": "80",
          "addressesResolved": [
            "XX.XX.XX.XX"
          ],
          "addressUsed": "XX.XX.XX.XX"
        },
        {
          "url": "https://sub.mydomain.tld/.well-known/acme-challenge/kxUQ0jQqDwRdbYNy1lEZw5rq2J6RnBHrPGNuHL8RhX0",
          "hostname": "sub.mydomain.tld",
          "port": "443",
          "addressesResolved": [
            "XX.XX.XX.XX"
          ],
          "addressUsed": "XX.XX.XX.XX"
        }
      ]
    }
  ]
}
2020-01-23 18:43:11,628:DEBUG:acme.client:Storing nonce: 0002hUO1zDkOISVVQCEz2zdHpjYFHGNyNGjBjaS5ahdtBQ4
2020-01-23 18:43:11,629:DEBUG:acme.client:JWS payload:

2020-01-23 18:43:11,632:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/34601938:
{
  "protected": "eyJub25jZSI6ICIwMDAyaFVPMXpEa09JU1ZWUUNFejJ6ZEhwallGSEdOeU5HakJqYVM1YWhkdEJRNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zNDYwMTkzOCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEyMTk0Nzk2IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "", 
  "signature": "jOWYp-kw5oTeCYEsu4FNhTgaoC0MQyABvvYN-DYZTIdP64nKtGsXghJguaHMO_it0l-K7FUfI-MbSyvt8eK-7zi7Szb-l7WmJQdIDCJ3XUDaUqHsx5RYzUGroRvb1HG5QHWJLmkYW78vw4SVf8TYGpezL-bd5CJ3vDE49NvfdGtp2ykIaq4SS0S7D4QB5DRoEXVPqbikZWCocNqJPileKRnvVKDHRrXqI1DyNB18sRN-ww_7j6BTmf-UX8yYArr10y5W793Xm77jUN1L37McZOwkZuf3NcTiVOAFctIPJwakTVxg4VZXv_CBV1_SuwVj-Rbcm3F7fUjy0TBd5d2zMA"
}
2020-01-23 18:43:11,799:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/34601938 HTTP/1.1" 200 1253
2020-01-23 18:43:11,800:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1253
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 12194796
date: Thu, 23 Jan 2020 17:43:11 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002RIFd7LYMtNNIGRoq63wHPmg2YvgPOJIWI7MvlBmQRi0

{
  "identifier": {
    "type": "dns",
    "value": "www.mydomain.tld"
  },
  "status": "invalid",
  "expires": "2020-01-30T17:43:05Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://www.mydomain.tld/.well-known/acme-challenge/Eb_if4e_gwE5VhreIi0FiN0WuOk5-sCjq5R7lpyfXmY [XX.XX.XX.XX]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/34601938/wndz2w",
      "token": "Eb_if4e_gwE5VhreIi0FiN0WuOk5-sCjq5R7lpyfXmY",
      "validationRecord": [
        {
          "url": "http://www.mydomain.tld/.well-known/acme-challenge/Eb_if4e_gwE5VhreIi0FiN0WuOk5-sCjq5R7lpyfXmY",
          "hostname": "www.mydomain.tld",
          "port": "80",
          "addressesResolved": [
            "XX.XX.XX.XX"
          ],
          "addressUsed": "XX.XX.XX.XX"
        }
      ]
    }
  ]
}
2020-01-23 18:43:11,800:DEBUG:acme.client:Storing nonce: 0002RIFd7LYMtNNIGRoq63wHPmg2YvgPOJIWI7MvlBmQRi0
2020-01-23 18:43:11,801:WARNING:certbot._internal.auth_handler:Challenge failed for domain mydomain.tld
2020-01-23 18:43:11,801:WARNING:certbot._internal.auth_handler:Challenge failed for domain www.mydomain.tld
2020-01-23 18:43:11,802:INFO:certbot._internal.auth_handler:http-01 challenge for mydomain.tld
2020-01-23 18:43:11,802:INFO:certbot._internal.auth_handler:http-01 challenge for www.mydomain.tld
2020-01-23 18:43:11,802:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: mydomain.tld
Type:   unauthorized
Detail: Invalid response from http://mydomain.tld/.well-known/acme-challenge/GNawrGddGHA0fphB51mgEQr7DKpYRJ7JTF4_npI_XOg [XX.XX.XX.XX]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: www.mydomain.tld
Type:   unauthorized
Detail: Invalid response from http://www.mydomain.tld/.well-known/acme-challenge/Eb_if4e_gwE5VhreIi0FiN0WuOk5-sCjq5R7lpyfXmY [XX.XX.XX.XX]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-01-23 18:43:11,803:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Please check the vhosts with httpd -S

I don’t know how to understand this output,
but I can see that default server is not the same for :80 and for :443
(“mogador” is the hostname of the server)

[root@mogador live]# httpd -S
[Thu Jan 23 20:37:09.458342 2020] [so:warn] [pid 26272] AH01574: module php5_module is already loaded, skipping
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server video.mydomain.tld (/etc/httpd/conf.d/peertube.conf:20)
         port 80 namevhost video.mydomain.tld (/etc/httpd/conf.d/peertube.conf:20)
         port 80 namevhost mogador.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:12)
         port 80 namevhost demos.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:541)
         port 80 namevhost mp3.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:719)
         port 80 namevhost projets.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:809)
         port 80 namevhost sauvegardes.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:893)
         port 80 namevhost stats.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:977)
         port 80 namevhost vhasi.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:1071)
         port 80 namevhost video.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:1159)
         port 80 namevhost mogador.mydomain.tld (/etc/httpd/conf.d/zz_nextcloud.conf:9)
         port 80 namevhost fichiers.mydomain.tld (/etc/httpd/conf.d/zz_nextcloud.conf:13)
         port 80 namevhost fichiers.mydomain.tld (/etc/httpd/conf.d/zz_nextcloud.conf:18)
*:443                  is a NameVirtualHost
         default server mogador.mydomain.tld (/etc/httpd/conf.d/nethserver.conf:44)
         port 443 namevhost mogador.mydomain.tld (/etc/httpd/conf.d/nethserver.conf:44)
         port 443 namevhost video.mydomain.tld (/etc/httpd/conf.d/peertube.conf:43)
         port 443 namevhost mogador.mydomain.tld (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost demos.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:489)
         port 443 namevhost mp3.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:672)
         port 443 namevhost projets.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:762)
         port 443 namevhost sauvegardes.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:852)
         port 443 namevhost stats.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:930)
         port 443 namevhost vhasi.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:1020)
         port 443 namevhost video.mydomain.tld (/etc/httpd/conf.d/virtualhosts.conf:1118)
         port 443 namevhost docs.mydomain.tld (/etc/httpd/conf.d/zz_collabora.conf:9)
         port 443 namevhost fichiers.mydomain.tld (/etc/httpd/conf.d/zz_nextcloud.conf:23)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

The :443 part looks ok but maybe peertube makes problems.

You may try to move/rename /etc/httpd/conf.d/peertube.conf and do a systemctl restart httpd and see if letsencrypt works.
Then we can look for peertube…

EDIT:

Maybe the nextcloud configuration points to a virtual host that is the hostname of the server?

1 Like

Nothing in the output you’ve posted indicates that there is a redirect to https, much less that it’s causing a problem. Here’s the relevant lines:

    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://www.mydomain.tld/.well-known/acme-challenge/Eb_if4e_gwE5VhreIi0FiN0WuOk5-sCjq5R7lpyfXmY [XX.XX.XX.XX]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },

You’re getting a 404 on the validation token.

It works. I have a new certificate! :+1:

Peertube is an ‘old’ installation that doesn’t work actualy. I think I have to reinstall it or at least look into its configuration.

As now I’m saved on the certificate renewal, and I’m not really in a hurry for the optional features, I choose to go to sleep. I need it!
I’ll pick this up again next week.
Many thanks @mrmarkuz!

That’s right!
But I can tell that when I point my browser to http pages it is redirected to https.
What you saw is very interesting, I’ll take a look next week.
Thanks for your help @danb35

1 Like