Acme challenge failing on apache2 server

My domain is:

I ran this command:
certbot certonly -d "sscsu.org.uk, mail.sscsu.org.uk, test.sscsu.org.uk" --apache --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for sscsu.org.uk and 2 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: sscsu.org.uk
  Type:   unauthorized
  Detail: Invalid response from http://sscsu.org.uk/.well-known/acme-challenge/Jn-PlIDYQZFWhTy9fFq9lbPOI8FyqhOCswy7qHRI7JQ [198.185.159.145]: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache 2.4.29

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:
Self

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

Currently unable to auto-renew the certbot certificate as the acme challenge fails every time. At the moment I have just a manually authenticated DNS certificate but I won't be in this role for much longer so need a future proof solution, hence I'd really like to get the auto-renewing certificate working.

I would start to unravel this (likely Apache mess) with the output of:
sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   mail.sscsu.org.uk (/etc/apache2/sites-enabled/roundcube.conf:1)
*:443                  mail.sscsu.org.uk (/etc/apache2/sites-enabled/roundcube.conf:59)

Are you on the right server?
[that looks like the mail server]
Please show the output of:
curl -4 ifconfig.co

The first name is operated by SquareSpace (from completely different IPs)
The next two are using the same IP, but your Apache config only serves the mail name.
You would need to add an HTTP vhost config to serve the test name.
Then retry the command (without the first name).
certbot certonly -d "mail.sscsu.org.uk, test.sscsu.org.uk" --apache --dry-run

If it's just a question of a missing vhost I don't need to worry about the test name. Running it on just the mail domain now returns a success.

You're right in saying the main domain is a SquareSpace website, although the domain is owned and DNS records run by separate external services. When I inherited the setup this local server had a certificate for the root domain despite it not being hosted by this server. Do I need to continue to worry about that, and if so can I automate the renewal for the root domain?

No.

Not form the mail server.
And I'm pretty sure SquareSpace is on top of that.
See: SSL Server Test: sscsu.org.uk (Powered by Qualys SSL Labs)

Having a look at the SSL Server test, each of the 4 IPs had to RSA 2048 bit certificates - one issued by Let's Encrypt (presumably the one I issued using certbot a week or so ago), and one issued by digicert with squarespace domain names attached - not trusted due to sscsu.org.uk not being provided as an alt name.

When the certbot certificate expires in just shy of 3 months, does that leave the sscsu.org.uk root domain without a trusted certificate? Sorry if I'm asking stupid questions, this is a volunteer role that ended up involving a lot more back-end management than I had expected.

No, that is being served via another cert.

I know exactly what you speak of - we are volunteers here too :wink:

Great, thanks very much - you're a legend :smiley:

1 Like