404 challenge Ubuntu 18, Apache2

My domains are: decompile.com and www.decompile.com

I ran this command: sudo certbot --apache

It produced this output:

Requesting a certificate for decompile.com and www.decompile.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: decompile.com
  Type:   unauthorized
  Detail: Invalid response from http://decompile.com/.well-known/acme-challenge/M7HBlrdsSXhZgCGSsrTV5lUv_qavFyHaN33QXIcZty4 [52.32.71.173]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

  Domain: www.decompile.com
  Type:   unauthorized
  Detail: Invalid response from http://www.decompile.com/.well-known/acme-challenge/FT_pNqLleLNEWAj21aBCKRe0TIcUFdV8qy_L7TpO0VI [52.32.71.173]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

My web server is:
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2021-11-14T23:52:18

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine Yes

I'm using a control panel to manage my site No

The version of my client is certbot 1.22.0

Analysis:

  1. The /var/lib/letsencrypt/http_challenges directory is empty. Did a file not get written there?

  2. When I manually put an .html file in the folder, I am able to access it ONLY when I do not use a '.' in the '.well-known' folder. I now have these definitions in my VirtualHost definition:

RewriteEngine on
RewriteRule ^/well-known/acme-challenge/([A-Za-z0-9-_=.]+)$ /var/lib/letsencrypt/http_challenges/$1
RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=.]+)$ /var/lib/letsencrypt/http_challenges/$1

(note that I added a '.' to the regex to be able to serve 'hello.html')

http://decompile.com/well-known/acme-challenge/hello.html serves a page but the '.well-known' rule does not.

  3. Setting the LogLevel for the rewrite module to trace8 (lowest level) shows debug messages for the "well-known" rule but there are no debug messages for ".well-known". None of the Apache error logs on the machine have any debug messages -- so did Apache even process it as a rewrite? If not, then why not?

All help is appreciated.

Hi @wave and welcome to the LE community forum :slight_smile:

You will need to review the Apache config to ensure it handles /.well-known/acme-challenge/ correctly.
[the challenge request path can't be changed]

You can test by creating a sample file.
Like:
http://decompile.com/.well-known/acme-challenge/Test_File-1234

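The sample-file test above, scripted so it replays exactly what the CA does: write a token into the challenge directory, request it over plain HTTP through every hostname on the certificate, and compare the body byte for byte. This is an added example, not certbot code and not from any post in this thread. It assumes certbot's default challenge directory /var/lib/letsencrypt/http_challenges (the directory the OP's rewrite rules point at), that curl is installed, and that it runs as root on the web server so it can write there.

```shell
#!/bin/sh
# acme_path_check.sh: replay the CA's HTTP-01 fetch against your own Apache.
# Added example for this thread; not certbot code and not from the posts above.
# Assumptions (not stated on the page): challenge files live in certbot's default
# /var/lib/letsencrypt/http_challenges, curl is installed, and this runs as root
# on the web server so the token file can be written there.
set -eu

CHALLENGE_DIR="${CHALLENGE_DIR:-/var/lib/letsencrypt/http_challenges}"

# 32 random bytes, base64url without padding: 43 chars from [A-Za-z0-9_-], the
# same shape as a real ACME token, so the request exercises the same RewriteRule
# character class ([A-Za-z0-9-_=]) that certbot's own config uses.
make_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# The request path is fixed by RFC 8555; the CA always asks for exactly this URL.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Return 0 if a token has the ACME alphabet and length, 1 otherwise
# (a file name like hello.html would not be fetched by a CA).
token_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Fetch one URL without following redirects, print "<status> <verdict> <url>",
# and return 0 only for a 200 whose body equals the expected string.
# A 301/302 means an HTTP->HTTPS redirect is catching the challenge path;
# a 404 with Apache's HTML page is what the OP's certbot run reported.
fetch_and_compare() {
    url="$1"; expected="$2"
    body=$(mktemp)
    status=$(curl -sS --max-time 10 -o "$body" -w '%{http_code}' "$url") || status=000
    if [ "$status" = "200" ] && [ "$(cat "$body")" = "$expected" ]; then
        rm -f "$body"
        printf '%s OK   %s\n' "$status" "$url"
        return 0
    fi
    printf '%s FAIL %s\n   first bytes: %s\n' "$status" "$url" \
        "$(head -c 60 "$body" | tr '\n' ' ')"
    rm -f "$body"
    return 1
}

# Write one token file, fetch it through every domain certbot will validate,
# then remove the file. The body mimics a key authorization ("token.thumbprint");
# the thumbprint part is a constructed placeholder, not a real account-key hash.
check_domains() {
    token=$(make_token)
    expected="$token.CONSTRUCTED-THUMBPRINT"
    printf '%s' "$expected" > "$CHALLENGE_DIR/$token"
    chmod 0644 "$CHALLENGE_DIR/$token"
    rc=0
    for domain in "$@"; do
        fetch_and_compare "$(challenge_url "$domain" "$token")" "$expected" || rc=1
    done
    rm -f "$CHALLENGE_DIR/$token"
    return "$rc"
}

# Usage: sudo sh acme_path_check.sh decompile.com www.decompile.com
if [ "$#" -ge 1 ]; then
    check_domains "$@"
fi
```

Run it from a machine outside the server's network if you can, because the CA connects from the internet, not from localhost; a non-zero exit together with the printed status code tells you whether the path is being redirected, denied, or (as in the OP's output) falling through to the DocumentRoot and producing Apache's 404 page.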

OR
Try it this way:

  #skip challenge requests and
  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>

  <Location /.well-known/acme-challenge/>
   DocumentRoot /var/lib/letsencrypt/http_challenges
  </Location>

Thank you for the help and ideas.

The Apache configuration tester complains that DocumentRoot is not allowed "here". I tried putting the Location inside the VirtualHost definition. The DocumentRoot Apache docs say it should either be in the VirtualHost or in the server config. Since the VirtualHost already has a DocumentRoot, I'm not sure where you expected your code snippet to go.

AH00526: Syntax error on line 60 of /etc/apache2/sites-enabled/000-default.conf:
DocumentRoot not allowed here
Action 'configtest' failed.

Try it this way:

  #skip challenge requests and
  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1
  </LocationMatch>

  DocumentRoot /var/lib/letsencrypt/http_challenges
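An Alias-based variant of the same port-80 vhost, added here as an example; it is not rg305's snippet and not certbot's own template. mod_alias maps the challenge path straight onto the challenge directory, so mod_rewrite is only used for the HTTPS redirect and the exclusion is a RewriteCond rather than a LocationMatch, and nothing depends on mod_rewrite treating a substitution as a filesystem path. ServerName, the challenge directory and the DocumentRoot are assumed from the thread. The <Directory> block with Require all granted is needed because Ubuntu's default apache2.conf denies access under <Directory /> and /var/lib/letsencrypt is outside the DocumentRoot; without it the challenge request is answered with 403 instead of the token.

```apache
# /etc/apache2/sites-available/decompile.conf  (added example, assumed paths)
<VirtualHost *:80>
    ServerName decompile.com
    ServerAlias www.decompile.com
    DocumentRoot /var/www/html

    # Serve ACME challenge files directly; the request path is fixed by the
    # protocol and cannot be changed, so only the target directory is ours.
    Alias /.well-known/acme-challenge/ /var/lib/letsencrypt/http_challenges/
    <Directory /var/lib/letsencrypt/http_challenges>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect every other request to HTTPS. %{HTTP_HOST} keeps whichever
    # hostname the client used (with or without www).
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Check it with `sudo apache2ctl configtest` before `sudo systemctl reload apache2`, then request a sample file under /.well-known/acme-challenge/ from outside the server; it should come back with 200 and no redirect, while any other path on port 80 gets the 301 to HTTPS.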

I reviewed all of the Apache config files. Most of them were the defaults from the original installation, and the few that were changed did not reveal any clues about what was wrong and certainly none of them had overrides that prevented processing paths with a leading dot.

I ended up punting and I instantiated a new AWS instance on Ubuntu 20. Certbot worked fine out-of-the-box and now I have a security certificate for my website.

Thanks for the help rg305. I didn't find the root cause of the problem but I found a solution: to upgrade to Ubuntu 20 on a new instance.

