I ran this command: sudo certbot certonly --apache -d hq.zajc.pl -w /var/www/owncloud --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for hq.zajc.pl
Performing the following challenges:
http-01 challenge for hq.zajc.pl
Waiting for verification...
Challenge failed for domain hq.zajc.pl
http-01 challenge for hq.zajc.pl
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is Ubuntu 20.04.2
I can login to a root shell on my machine: yes.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.13.0
Here are two virtual hosts I run on this machine:
1:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/owncloud
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/hq.zajc.pl/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hq.zajc.pl/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    HostNameLookups off
    UseCanonicalName off
    ServerName hq.zajc.pl
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
</VirtualHost>
</IfModule>
I just corrected the previous post - obviously you spotted it right, it was actually my previous attempt.
The output is:
wojtek@hq:~$ sudo certbot certonly --apache -d hq.zajc.pl -w /var/www/owncloud --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for hq.zajc.pl
Performing the following challenges:
http-01 challenge for hq.zajc.pl
Waiting for verification...
Challenge failed for domain hq.zajc.pl
http-01 challenge for hq.zajc.pl
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: hq.zajc.pl
Type: unauthorized
Detail: Invalid response from
http://hq.zajc.pl/.well-known/acme-challenge/tgM-YcjjfYSE7CcJk0ZCbOFsV5z64U5rU60aLCX5Ylk
[91.216.30.50]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
wojtek@hq:~$ sudo mc
wojtek@hq:~$ apachectl -S
AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/hq.zajc.pl-secure.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/hq.zajc.pl/cert.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.
If I comment out the SSLCertificateFile line, Apache doesn't start. And the cert.pem is there.
Combining --apache and -w doesn't make sense. You're using just the apache plugin and the -w option is ignored, as you can see from Plugins selected: Authenticator apache, Installer apache
Also, for the apache plugin to work, you really need a working Apache configuration. Please fix your configuration (i.e., a working apachectl -S) before trying certbot --apache again.
The fact that there is a symbolic link (which the files in /live/ are) doesn't mean it's actually working. It could be pointing to a non-existent destination.
I am perfectly aware it is a symlink; it points correctly to the actual file located in /archive (as do the rest of the symlinks in /live) and contains a certificate.
I read through Certbot docs and issued: chmod 0755 /etc/letsencrypt/{live,archive}
Now for the renew dry-run (I cut the command down as you suggested, @Osiris):
wojtek@hq:/$ sudo certbot certonly --apache -d hq.zajc.pl --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for hq.zajc.pl
Performing the following challenges:
http-01 challenge for hq.zajc.pl
Waiting for verification...
Challenge failed for domain hq.zajc.pl
http-01 challenge for hq.zajc.pl
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: hq.zajc.pl
Type: unauthorized
Detail: Invalid response from
http://hq.zajc.pl/.well-known/acme-challenge/hqVRFh6WRfvZzK6p1k3RtnIvUs1Tr53DeARqx6cx5S0
[91.216.30.50]: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for hq.zajc.pl
Performing the following challenges:
http-01 challenge for hq.zajc.pl
Using the webroot path /var/www/owncloud for all unmatched domains.
Waiting for verification...
Challenge failed for domain hq.zajc.pl
http-01 challenge for hq.zajc.pl
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: hq.zajc.pl
Type: unauthorized
Detail: Invalid response from
http://hq.zajc.pl/.well-known/acme-challenge/VaL34tr9h8BHUYIFSd3xe-d4m2jovZmp-ENgrD6dadk
[91.216.30.50]: 404
I cannot see any issues with the webroot, which is correct above.
The same error happens if I use "apache" instead of "webroot" in certbot command. No matter if I point it manually (-w /var/www/owncloud) to the webroot or if I leave the Apache plugin to do it automatically like it should do.
No, Jurgen. I do not have any additional definitions or location definitions. I actually removed everything certbot-related and reinstalled the snap, with the same effect. Whatever configuration was available I have provided, and I am happy to provide whatever else may be helpful to find out the cause.
The renewal does not work even if the "standalone" module is selected and launched after Apache is stopped. As I understand it, "standalone" launches its own web server for verification:
wojtek@hq:/$ sudo certbot certonly --standalone -d hq.zajc.pl --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for hq.zajc.pl
Performing the following challenges:
http-01 challenge for hq.zajc.pl
Waiting for verification...
Challenge failed for domain hq.zajc.pl
http-01 challenge for hq.zajc.pl
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: hq.zajc.pl
Type: unauthorized
Detail: Invalid response from http://hq.zajc.pl/.well-known/acme-challenge/eYpFCUrUN3eA7vPGkPEI3H_znrp-I8cOabnLo3utj6U
[91.216.30.50]: 404
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
I don't know what you mean by "nonsense", however the page you linked redirects to owncloud login, and indeed the sentence "your system want's expired browsers" really makes no sense in English - I regretfully have no idea what you meant.
Yes, it is my system and I am trying to fix it. Came here for constructive "community support", not for patronizing.
Unfortunately, @JuergenAuer can use some unconstructive language indeed.
That being said, the fact --standalone doesn't error out about NOT being able to bind to port 80 tells me you're not running certbot on the same host as where your webserver is running. Why? Because --standalone tries to bind to port 80 itself. This should be impossible if there is already an Apache webserver running on port 80. Or there is something very strange going on on your server which I'm not understanding. Perhaps multiple IP addresses?
Also, as @JuergenAuer also already provided: your Apache documentroot says "owncloud", but if we surf to your site, we're NOT getting an OwnCloud website. I have absolutely no idea what I'm seeing, other than that earlier quoted error message. The source doesn't tell me what the site is running as software. The <title> says "Web Viewer". There are some <div>s with id "liveSoundLineBox" and "dualtalkSoundLineBox". What am I connecting to?
I'm guessing "router" or "NAS", as I'm also seeing things like a <div> with class "popupBox" and id "reboot_prompt" in the source. So it apparently is a device which can be rebooted from the web page.
And the firmware of that device is ANCIENT! My IPU, Chrome 44 or lower? What kind of website is that?
Yep, something that answers, so the "real webserver" isn't visible.
Looks like you have a very old component installed. We can't know that. But such a component would explain why certificate creation doesn't work. Because it's not your webserver that answers, it's that old instance.
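The diagnosis in this thread (the public IP answers port 80 with something that is not the Apache certbot writes challenge files for) can be checked without waiting for the CA. The script below is an added example, not certbot's code and not posted by anyone in the thread. It does what an http-01 validation does: a plain HTTP GET for http://<domain>/.well-known/acme-challenge/<token>, fetched once the way the CA sees it (public DNS, public IP) and once pinned to this host's loopback with curl's --resolve, then compares the two views. The domain hq.zajc.pl and the webroot /var/www/owncloud are the ones from the thread; the function names (make_canary, verdict, ...) and the assumption that curl, dig and ss are installed and the webroot is writable are mine.

```shell
#!/usr/bin/env bash
# Added http-01 preflight (not certbot's code and not from the thread).
# Fetches a canary token twice: via public DNS (what Let's Encrypt sees) and
# pinned to 127.0.0.1 (what this host's Apache actually serves), then compares.
set -u

# Put a canary file where the webroot/apache plugins place challenge files and
# print its token. Assumes the webroot is writable by the caller.
make_canary() {
    local webroot="$1" dir token
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$token"
}

remove_canary() { rm -f "$1/.well-known/acme-challenge/$2"; }

# curl wrappers; extra arguments (e.g. --resolve) are passed through.
# curl prints status 000 when no HTTP answer came back at all.
http_status() { curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@"; }
http_body()   { curl -s --max-time 10 "$@"; }
http_server() {
    curl -s -o /dev/null -D - --max-time 10 "$@" | tr -d '\r' \
      | awk 'tolower($1) == "server:" { sub(/^[^ ]* /, ""); print; exit }'
}

# Classify the two views. Arguments: token, public status, public body,
# loopback status, loopback body. Prints one of:
#   ok           - the CA would get the file certbot writes
#   other-device - this host serves it but the public IP does not: port 80 on
#                  that address is answered by something else (NAT, proxy, device)
#   unreachable  - nothing answered either way
#   local-config - this host's own port-80 vhost does not map the path
verdict() {
    local token="$1" pub_status="$2" pub_body="$3" loc_status="$4" loc_body="$5"
    if [ "$pub_status" = 200 ] && [ "$pub_body" = "$token" ]; then
        echo ok
    elif [ "$loc_status" = 200 ] && [ "$loc_body" = "$token" ]; then
        echo other-device
    elif [ "$pub_status" = 000 ] && [ "$loc_status" = 000 ]; then
        echo unreachable
    else
        echo local-config
    fi
}

# Usage: bash acme-preflight.sh hq.zajc.pl /var/www/owncloud
# Domain and webroot are the ones from the thread; nothing runs without arguments.
main() {
    local domain="$1" webroot="$2" token url pub_status pub_body loc_status loc_body
    token=$(make_canary "$webroot")
    trap 'remove_canary "$webroot" "$token"' EXIT
    url="http://$domain/.well-known/acme-challenge/$token"

    echo "A record(s):   $(dig +short A "$domain" | tr '\n' ' ')"
    # Who holds port 80 on this host (process names need root).
    echo "listeners :80: $(ss -ltnpH 'sport = :80' 2>/dev/null | awk '{print $NF}' | sort -u | tr '\n' ' ')"

    pub_status=$(http_status "$url")
    pub_body=$(http_body "$url")
    loc_status=$(http_status --resolve "$domain:80:127.0.0.1" "$url")
    loc_body=$(http_body --resolve "$domain:80:127.0.0.1" "$url")
    echo "public view:   $pub_status  Server: $(http_server "$url")"
    echo "loopback view: $loc_status  Server: $(http_server --resolve "$domain:80:127.0.0.1" "$url")"
    echo "verdict: $(verdict "$token" "$pub_status" "$pub_body" "$loc_status" "$loc_body")"
}

if [ $# -eq 2 ]; then main "$@"; fi
```

Read the output together with the error in the thread: a 404 from 91.216.30.50 with a Server header that is not "Apache/2.4.41 (Ubuntu)" while the loopback view returns the token (verdict other-device) means port 80 on the public address never reaches this Apache, which is also the only way a --standalone dry-run can bind port 80 while Apache is running. Two 404s (local-config) point at the port-80 vhost instead. Let's Encrypt follows redirects and validates from several vantage points, so a single curl from the host itself is a first check, not proof.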