503 error when performing the challenge

I ran the command:

/usr/local/bin/certbot-auto certonly --apache

I am getting a 503 error, even though the site is up and running:

Domain: education.mei.edu
Type: unauthorized
Detail: Invalid response from
http://education.mei.edu/.well-known/acme-challenge/QGncld_7RLnN2a4UbOoYK7-edsJM3-HzSQS7IvEdmgE
[74.207.228.46]: “\n <!DOCTYPE html>\n <html>\n <head>\n
<title>503 Service Unavailable</title>\n <style
type=“text/css”>\n #page {w”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

I have made the .well-known directory writable by apache, but the acme-challenge directory isn’t created when I run the certonly command.

1 Like

Hi @arnoldbird

Checking that URL, I see the expected result: HTTP status 404 - Not Found. Not a 503.

But the page is terribly slow - 5 - 10 seconds, that's critical.

1 Like

Agreed; the site is way too slow.
Is it running low on resources (memory)?
Is it trying to do too much (CPU)?

1 Like

There is a 404 at that URL because there is nothing there. Certbot is not able to create the acme-challenge directory, apparently.

The site itself is not slow. You can quickly access this page: http://education.mei.edu/.well-known/test.html
It loads instantly.

1 Like

Try adding a file (that doesn’t end in .html) in the full challenge location:
http://education.mei.edu/.well-known/acme-challenge/testfile

1 Like

Please see http://education.mei.edu/.well-known/acme-challenge/some-file

1 Like

Try again:

Show all that happens next.
Or/also show the Letsencrypt log file.
[it is likely that certbot is unable to properly locate where to place the challenge files]

1 Like

What does this say:

apachectl -S

1 Like

VirtualHost configuration:
127.0.0.1:8080 is a NameVirtualHost
default server mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:4)
port 8080 namevhost mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:4)
alias www.mei.edu
alias education.mei.edu
wildcard NameVirtualHosts and default servers:
*:80 mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:26)
*:443 is a NameVirtualHost
default server mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:34)
port 443 namevhost mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:34)
alias www.mei.edu
alias education.mei.edu
port 443 namevhost webster.mei.edu (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

1 Like

[root@webster public]# /usr/local/bin/certbot-auto certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: mei.edu
2: education.mei.edu
3: www.mei.edu


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for education.mei.edu
Waiting for verification…
Challenge failed for domain education.mei.edu
http-01 challenge for education.mei.edu
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

1 Like

You don't have a port 80 vHost with education.mei.edu as domain name.

That's required to create a certificate via http validation.

If you use --apache with a non-working configuration, that may break your config -> HTTP status 500.

2 Likes

Or don't tell certbot to try and figure out your Apache config...
And use certonly with --webroot -w /path/to/your/files

1 Like

I just made the following change to my Apache config…

<VirtualHost *:80>
   ServerAdmin webmaster@mei.edu
   DocumentRoot /opt/prod/mei.edu/public
   # ServerName mei.edu
   # ServerAlias www.mei.edu
   # ServerAlias education.mei.edu
   ServerName education.mei.edu
</VirtualHost>

I commented out the three lines above and added the new ServerName and restarted Apache. I still get the same response when I run the certonly command. Something else I need to do in the Apache config? Thanks.

1 Like

That looks good.

Again: What does this say:

apachectl -S

1 Like

127.0.0.1:8080 is a NameVirtualHost
default server mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:4)
port 8080 namevhost mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:4)
alias www.mei.edu
alias education.mei.edu
wildcard NameVirtualHosts and default servers:
*:80 education.mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:26)
*:443 is a NameVirtualHost
default server mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:35)
port 443 namevhost mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:35)
alias www.mei.edu
alias education.mei.edu
port 443 namevhost webster.mei.edu (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

1 Like

Thanks. That did it. The full command that worked for me…

/usr/local/bin/certbot-auto certonly --webroot -w /path/to/my/public_html -d education.mei.edu

2 Likes
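
The port 80 check discussed in this thread, as an added example that is not part of the original posts: a small parser that reads `apachectl -S` output and reports which host names it lists on each port, so you can confirm the name being validated shows up on port 80 before requesting a certificate. The sample text is constructed from the outputs posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the first `apachectl -S` output posted in this thread.
BEFORE = """\
VirtualHost configuration:
127.0.0.1:8080 is a NameVirtualHost
default server mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:4)
port 8080 namevhost mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:4)
alias www.mei.edu
alias education.mei.edu
wildcard NameVirtualHosts and default servers:
*:80 mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:26)
*:443 is a NameVirtualHost
default server mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:34)
port 443 namevhost mei.edu (/etc/httpd/conf.d/1-mei-edu.conf:34)
alias www.mei.edu
alias education.mei.edu
port 443 namevhost webster.mei.edu (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK
"""
# Constructed: mirrors the *:80 line of the second output (ServerName changed).
AFTER = BEFORE.replace("*:80 mei.edu", "*:80 education.mei.edu")

SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+)\s+\(.+:\d+\)$")  # lone vhost on an address
NAMED = re.compile(r"^port (\d+) namevhost (\S+) \(")      # name-based vhost entry
ALIAS = re.compile(r"^alias (\S+)$")                       # alias of the entry above

def names_by_port(text):
    """Return {port: set of host names} as listed in `apachectl -S` output."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # real output is indented; the posted copies are not
        match = NAMED.match(line) or SINGLE.match(line)
        if match:
            current = int(match.group(1))
            ports.setdefault(current, set()).add(match.group(2).lower())
        elif line.endswith("is a NameVirtualHost"):
            current = None  # new address block: an alias must follow a vhost line
        elif current is not None and ALIAS.match(line):
            ports[current].add(ALIAS.match(line).group(1).lower())
    return ports

def listed_on_port(text, domain, port=80):
    """True if `domain` appears as a vhost name or alias on `port`."""
    return domain.lower() in names_by_port(text).get(port, set())

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "port 80 lists education.mei.edu:",
              listed_on_port(text, "education.mei.edu"))
```

On a live host, pass the captured text of `apachectl -S` to `listed_on_port` in place of the sample strings.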
