Hello, my letsencrypt certificates fail to renew. It seems that certbot always ends up with a 404 error. My server runs Apache2 and Ubuntu 14.04 LTS. Here are some logs:

Code:
    Upgrading certbot-auto 0.14.1 to 0.14.2...
    Replacing certbot-auto...
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    -------------------------------------------------------------------------------
    Processing /etc/letsencrypt/renewal/example.com.conf
    -------------------------------------------------------------------------------
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/example.com/fullchain.pem (failure)
    IMPORTANT NOTES:
    - The following errors were reported by the server:
    Domain: example.com
    Type: unauthorized
    Detail: Invalid response from http://example.com/.well-known/acme-challenge/3VORZMYZUq1SUetGmrp5uDa7PJARBm8z0uxqQZGNEK8: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
    Domain: www.example.com
    Type: unauthorized
    Detail: Invalid response from http://www.example.com/.well-known/acme-challenge/KMjjPf4EWgcrGwSN8YjaYBO7Lo8eHAfiNIlqkiwMm4M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
Ok, I found the issue: I tried to create a file in /var/www/example.com/web/.well-known/acme-challenge/test and checked if I would be able to get that file in my browser.

Code:
    echo "It works!" > /var/www/example.com/web/.well-known/acme-challenge/test

But that also ended in a 404 error. I checked the error.log of Apache and found the following:

Code:
    [Mon May 22 12:41:59.555219 2017] [autoindex:error] [pid 6680] [client 213.xx.yy.tzz:8110] AH01276: Cannot serve directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive

So it looks like ".well-known" got set up as an alias for all domains. I found the entry in the ispconfig.conf in "sites-available". I commented that out and now I'm able to renew my certs again.
I'm guessing you set up letsencrypt certificates manually (prior to ISPconfig 3.1?)? The global alias is correct for how ISPconfig integrates letsencrypt support, but if you did it manually it certainly could cause problems.
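The mismatch diagnosed in this thread can be checked offline before a renewal is attempted. The following Python sketch is an added example, not part of the thread and not ISPConfig or certbot code: it parses Apache `Alias` directives and reports when the file a webroot-style renewal writes is not the file Apache would serve. The `Alias` line in the sample is constructed (only its target directory comes from the error log above), and the function names and the assumption that the renewal writes below the site's web directory are hypothetical.

```python
import posixpath
import re

# Constructed sample of a global alias; only the target directory appears in the thread.
SAMPLE_CONF = """\
# global settings
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme>
    Require all granted
</Directory>
#Alias /old /srv/old
"""

# Matches "Alias <url-prefix> <fs-path>" but not AliasMatch or ScriptAlias.
ALIAS_RE = re.compile(r'^\s*Alias\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?\s*$', re.IGNORECASE)

def parse_aliases(conf_text):
    """Return (url_prefix, fs_path) pairs for active (uncommented) Alias directives."""
    aliases = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases.append((m.group(1).rstrip("/"), m.group(2).rstrip("/")))
    return aliases

def resolve(url_path, docroot, aliases):
    """Map a URL path to a file path: first matching Alias wins, else DocumentRoot."""
    url_path = posixpath.normpath(url_path)
    for prefix, target in aliases:
        # Alias matches whole path segments only.
        if url_path == prefix or url_path.startswith(prefix + "/"):
            return target + url_path[len(prefix):]
    return posixpath.join(docroot, url_path.lstrip("/"))

def challenge_mismatch(webroot, docroot, aliases, token="test"):
    """Return (written, served) if the challenge file written under webroot
    is not the file Apache would serve for the same URL, else None."""
    url = "/.well-known/acme-challenge/" + token
    written = posixpath.join(webroot, url.lstrip("/"))
    served = resolve(url, docroot, aliases)
    return None if written == served else (written, served)

if __name__ == "__main__":
    site = "/var/www/example.com/web"
    print(challenge_mismatch(site, site, parse_aliases(SAMPLE_CONF)))
```

A non-`None` result means the challenge directory is being served from somewhere other than the site's web directory, which is the situation the error log in the second post revealed.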