5th domain setup the same exact way - error 404, blocked now after 5 tries

My domain is private.

The important details are simple. I am running apache2 on debian.

  1. Buy domain, Buy IP

  2. Tie IP and Domain to eachother on both accounts

  3. Setup hosts, add ip to server eth:N, etc

  4. Copy a config from another .conf and s/olddomain/newdomain, save

  5. Copy a directory from another domain

  6. Double check ownership, permissions, etc

  7. Visit site manually on multiple devices and through tor (to check propagation across the globe)

  8. certbot --apache -d domain.ext -d www.domain.ext -v

  9. Get an error 404. Don't understand. Try a few more times. Says I'm blocked and to check the log which contains absolutely nothing of any value.

I wish I could add more but that's exactly what I know. I've setup countless sites. I'm not posting in public. I'm certain everything is configured properly. I can visit the site via IP and domain from anywhere. Newly purchased.

Unless for some reason Let's Encrypt still can't reach it and their DNS is taking longer than other random places. I would think it would pop an error other than 404 however.

It would be helpful if there was a message to assure us it indeed connected to the proper site. I'll try in an hour I guess. This costs more than just buying certificates though at this point.

The 404 means the Let's Encrypt Server reached something at the public IP in the DNS but that it got a 404 Not Found response from that server rather than the expected validation token.

There are any number of possibilities but make sure you don't have overlapping VirtualHost names/ports. Make sure you don't have unusual IP based VHosts conflicting with name-based.

Are there multiple IP addresses in the DNS for that domain? Because all servers must be able to respond. Multiple IP won't work with the --apache authenticator (apart from one IPv4 and one IPv6).

LE walks the authoritive DNS tree and is not subject to TTL propagation

Review output of this to ensure as expected

sudo apache2ctl -t -D DUMP_VHOSTS

The --apache plugin normally works well but without more details it would be hard to debug for you.

If none of above surfaces a problem try using the --webroot authenticator. You will then have to make your own VirtualHost for port 443 but sounds like you have some earlier ones to use as a template.


You should see the 404 requests in your Apache access log.

Oh, and you can use the --dry-run option to use the Let's Encrypt staging system. The --apache authenticator and installer doesn't support it but weboot does. Or use the --apache plugin just as an authenticator like:

sudo certbot certonly --apache --dry-run -d (your domain) ...other-options...

The initial error should also have provided the IP address used to connect to the server. Nothing more can be provided from the Let's Encrypt point of view.

Please use the staging environment for testing to prevent hitting the failed authz rate limit.

For hostnames without a non-staging cert, it's possible to use the --staging option, even with the run subcommand and --apache authenticator/installer. The only "problem" with that is that Certbot would install the staging certificate actually to Apache. But that can be replaced easily enough with a working cert of course, once staging works.

That said, we don't have any clue what command OP is using :man_shrugging:t2: as they didn't follow the questionnaire...

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.