Acme fail on new vhost of apache2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=astian.org), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: astian.org

I ran this command: certbot --apache

It produced this output:
```
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for webmin.astian.org
http-01 challenge for www.webmin.astian.org
Waiting for verification...
Challenge failed for domain webmin.astian.org
Challenge failed for domain www.webmin.astian.org
http-01 challenge for webmin.astian.org
http-01 challenge for www.webmin.astian.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: webmin.astian.org.org
   Type:   unauthorized
   Detail: Invalid response from
   http://webmin.astian.org/.well-known/acme-challenge/2hjUcu_5LDfKiTilHHjgPPJwq_ydYZNX5nrH45fYm-w
   [5.9.70.7]: "\n<html data-bgs=\"gainsboro\"
   class=\"session_login\">\n\n
   html[data-bgs=\"gainsboro\"] { backgr"

   Domain: www.webmin.astian.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.webmin.astian.org/.well-known/acme-challenge/Rl52tjU-wzo15PH01I-KhjRXVshSJoUrcNtQdVj8cB4
   [5.9.70.7]: "\n<html data-bgs=\"gainsboro\"
   class=\"session_login\">\n\n
   html[data-bgs=\"gainsboro\"] { backgr"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): apache2-2.4.33

The operating system my web server runs on is (include version): Opensuse Leap 15.1

My hosting provider, if applicable, is: dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Did you even read the first paragraph in your post?

You hide the name, you hide the IP (presuming it doesn’t really resolve to 0.0.0.0), and you expect us to be able to help you (easily).

It is no surprise (to me) that your post hasn’t received the attention you expected.

That said, I will none-the-less try to “help” (with my hands tied behind my back and while wearing a blindfold)…

Here goes:
You are using Apache (problem #1: Apache is notorious for running at all costs and will do so even when the configuration is by all means “broken”).
Please try:
apachectl -S

You will either find that it returns “problems” or if no “problems” found, it will show you which FQDNs are handled by which vhost config files (grouped by listening ports/protocol).
If it has “problems” you will need to correct those problems before continuing.
If not, then you can begin working through the “why does it fail” and follow the validation request through the expected path and ensure that path is doing what you want/expect.

All of this, of course, (so far) has nothing to do with this forum.
For “expert” help on Apache, you might want to consult an Apache expert or an Apache forum.

Once the Apache config is “working as you would expect it”, you can begin troubleshooting any certbot client problems - but I would expect that you will not find any and by then the process will complete and you will have your cert.

Naturally this is all just my best guess at a situation I can only imagine.

I changed some values for security reasons; I don't want to post my server's public IP publicly, and I hid the subdomain.

Now apachectl -S says all is fine, because I have more than 5 subdomains, but from last week until now, new certs aren't working because of the acme-challenge.

Hi @DevDorrejo

Please: if you create a certificate, that certificate is logged.

So your domain name is public.

Everyone can query your DNS entries, so all of your IP addresses are public. They must be public; if not, it's not possible to connect to your domain.

Every browser that opens your website knows your IP address.

Please use online tools to see which information is publicly visible. "Security by obscurity" doesn't exist.

OK, everything is normal in the post now, with domain and IP, so everyone can help me.

Please read some required basics:

Then read your output.

Why do you think your configuration should work? So fix it.

apachectl -S

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.analytics.astian.org (/etc/apache2/vhosts.d/analytics-le-ssl.conf:2)
         port 443 namevhost www.analytics.astian.org (/etc/apache2/vhosts.d/analytics-le-ssl.conf:2)
                 alias analytics.astian.org
         port 443 namevhost www.astian.org (/etc/apache2/vhosts.d/astian.org-le-ssl.conf:2)
                 alias astian.org
         port 443 namevhost www.crm.astian.org (/etc/apache2/vhosts.d/crm.astian.org-le-ssl.conf:2)
                 alias crm.astian.org
         port 443 namevhost www.mail.astian.org (/etc/apache2/vhosts.d/mail.astian.org-le-ssl.conf:2)
                 alias mail.astian.org
*:80                   is a NameVirtualHost
         default server www.analytics.astian.org (/etc/apache2/vhosts.d/analytics.conf:1)
         port 80 namevhost www.analytics.astian.org (/etc/apache2/vhosts.d/analytics.conf:1)
                 alias analytics.astian.org
         port 80 namevhost www.astian.org (/etc/apache2/vhosts.d/astian.org.conf:1)
                 alias astian.org
         port 80 namevhost www.crm.astian.org (/etc/apache2/vhosts.d/crm.astian.org.conf:1)
                 alias crm.astian.org
         port 80 namevhost www.mail.astian.org (/etc/apache2/vhosts.d/mail.astian.org.conf:1)
                 alias mail.astian.org
         port 80 namevhost www.webmin.astian.org (/etc/apache2/vhosts.d/webmin.astian.org.conf:1)
                 alias webmin.astian.org
ServerRoot: "/srv/www"
Main DocumentRoot: "/srv/www/htdocs"
Main ErrorLog: "/var/log/apache2/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/httpd.pid"
Define: SYSCONFIG
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="wwwrun" id=472
Group: name="www" id=475
```

We should have a look at this file:
/etc/apache2/vhosts.d/webmin.astian.org.conf

```
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    ServerName www.webmin.astian.org
    ServerAlias webmin.astian.org

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:10000/
    ProxyPassReverse / http://localhost:10000/
    #SSLProxyEngine on

    <Proxy *>
        Require all granted
    </Proxy>

    #DocumentRoot /usr/libexec/webmin

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/astian/webmin/error_log
    CustomLog /var/log/apache2/astian/webmin/access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    # configures the footer on server-generated documents
    ServerSignature On

    # Include /etc/apache2/conf.d/php5.conf
    # Include /etc/apache2/conf.d/*.conf

    #<Directory "/usr/libexec/webmin/">
    #    Options Indexes FollowSymLinks
    #    AllowOverride none
    #    <IfModule !mod_access_compat.c>
    #        Require all granted
    #    </IfModule>
    #    <IfModule mod_access_compat.c>
    #        Order allow,deny
    #        Allow from all
    #   </IfModule>
    #</Directory>

</VirtualHost>
```

Please add a line above and below your post with three back ticks (```), so we can read it properly.

Example: put a line containing only ``` before your post and another such line after it.

I have edited the post.

All requests (including those from LE for authentication) are being proxied to another site/service:

```
ProxyPass / http://localhost:10000/
```

I'm thinking you are going to handle the cert on this system with Apache on port 80.
[that would be the simplest way to do it]

If so, you will need to exclude the LE authentication requests from that proxy.
Try updating that section as follows:

```
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
```

You will also need a document root location for the LE requests to go to.
For sanity and security reasons, I would make that a dedicated path.
Like:
/ACME-challenges/

[but I’m the super paranoid type]

I love being paranoid about security, so how can I do that?

I added the ProxyPass, but the challenge still fails.

You need to create the path:

```
mkdir /ACME-challenges
```

Then give everyone access to it:
[no fear, this is intentionally a separate public space]

```
chmod +777 /ACME-challenges
```

Then include it in your Apache config:

```
DocumentRoot /ACME-challenges/
```

And also allow the HTTP requests access to that directory:
[this may vary depending on the version of Apache - start with this sample]

```
<Directory /ACME-challenges/>
    AllowOverride None
    Require all granted
</Directory>
```

Then you can create the full LE authentication path and place a test file to see if indeed it can be reached from the Internet:

```
mkdir /ACME-challenges/.well-known/
mkdir /ACME-challenges/.well-known/acme-challenge/
echo "just a test" >> /ACME-challenges/.well-known/acme-challenge/test-file-1234
```

Then try:
http://webmin.astian.org/.well-known/acme-challenge/test-file-1234
and/or
http://www.webmin.astian.org/.well-known/acme-challenge/test-file-1234

Once that file is accessible, you should be able to run certbot to obtain a cert.
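A scripted version of the steps above, which also checks the ProxyPass ordering point from the earlier reply (Apache applies the first matching ProxyPass rule, so the `!` exclusion has to come before `ProxyPass /`). This is an added example, not code posted in the thread. It assumes a POSIX shell with grep and curl available, and takes the webroot path as an argument so the functions can be tried on a scratch directory before being pointed at /ACME-challenges.

```shell
#!/bin/sh
# Added example (not from the thread): prepare the dedicated ACME webroot,
# verify the ProxyPass exclusion precedes the catch-all rule, and fetch the
# test token the way the CA would. Paths and hostnames follow the thread; the
# webroot argument is an assumption so this can run on a scratch directory.

# Create <root>/.well-known/acme-challenge/ and drop the test token into it.
# Directories are world-searchable and the file world-readable, which is all
# the Apache user needs to serve it; nobody else gets write access.
prepare_challenge_root() {
    root="$1"
    mkdir -p "$root/.well-known/acme-challenge"
    chmod 755 "$root" "$root/.well-known" "$root/.well-known/acme-challenge"
    printf 'just a test\n' > "$root/.well-known/acme-challenge/test-file-1234"
    chmod 644 "$root/.well-known/acme-challenge/test-file-1234"
}

# Return 0 when the vhost file lists "ProxyPass /.well-known/acme-challenge !"
# before "ProxyPass / ...", 1 when either line is missing or the order is
# wrong. Commented-out directives are ignored.
proxypass_order_ok() {
    conf="$1"
    excl=$(grep -n '^[[:space:]]*ProxyPass[[:space:]][[:space:]]*/\.well-known/acme-challenge[[:space:]][[:space:]]*!' "$conf" | head -n 1 | cut -d: -f1)
    catchall=$(grep -n '^[[:space:]]*ProxyPass[[:space:]][[:space:]]*/[[:space:]]' "$conf" | head -n 1 | cut -d: -f1)
    if [ -n "$excl" ] && [ -n "$catchall" ] && [ "$excl" -lt "$catchall" ]; then
        return 0
    fi
    return 1
}

# Fetch the token over plain HTTP, following redirects as the CA does, and
# compare the body. Needs curl and network access, so run it by hand, e.g.:
#   challenge_reachable webmin.astian.org
challenge_reachable() {
    host="$1"
    body=$(curl -sS -L --max-time 10 "http://$host/.well-known/acme-challenge/test-file-1234") || return 1
    [ "$body" = "just a test" ]
}
```

The directory is created with mode 755 and the token with 644 rather than 777: the web server only ever reads from this path, so write access for other users buys nothing. If `proxypass_order_ok` fails on a vhost that does contain both lines, swap them so the exclusion is first; if `challenge_reachable` returns the Webmin login page instead of the token, the request is still being proxied and the exclusion is not taking effect in the vhost that actually answers for that name (compare with `apachectl -S`).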

http://webmin.astian.org/.well-known/acme-challenge/test-file-1234 does not work because Webmin redirects, but this is my new vhost now:

```
<VirtualHost *:80>
    #ServerAdmin webmaster@dummy-host.example.com
    ServerName www.webmin.astian.org
    ServerAlias webmin.astian.org

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://localhost:10000/
    ProxyPassReverse / http://localhost:10000/
    #SSLProxyEngine on

    <Proxy *>
        Require all granted
    </Proxy>

    #DocumentRoot /usr/libexec/webmin
    DocumentRoot /usr/libexec/webmin/ACME-challenges
    <Directory /usr/libexec/webmin/ACME-challenges>
        AllowOverride None
        Require all granted
    </Directory>

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/astian/webmin/error_log
    CustomLog /var/log/apache2/astian/webmin/access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    # configures the footer on server-generated documents
    ServerSignature On

    # Include /etc/apache2/conf.d/php5.conf
    # Include /etc/apache2/conf.d/*.conf

    #<Directory "/usr/libexec/webmin/">
    #    Options Indexes FollowSymLinks
    #    AllowOverride none
    #    <IfModule !mod_access_compat.c>
    #        Require all granted
    #    </IfModule>
    #    <IfModule mod_access_compat.c>
    #        Order allow,deny
    #        Allow from all
    #   </IfModule>
    #</Directory>

</VirtualHost>
```

The challenge still fails.

```
<VirtualHost *:80>
    ServerAdmin contact@astian.org
    ServerName www.abc.astian.org
    ServerAlias abc.astian.org

    DocumentRoot /opt/services/webs/abc/

    ErrorLog /var/log/apache2/astian/abc/error_log
    CustomLog /var/log/apache2/astian/abc/access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On

    # Include /etc/apache2/conf.d/php7.conf
    # Include /etc/apache2/conf.d/*.conf

    <Directory "/opt/services/webs/abc/">
        Options Indexes FollowSymLinks
        AllowOverride All
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>

</VirtualHost>
```

Another vhost that has the same problem; this one is a Moodle that was on another server and was moved to the new one I am using now.

Did you create the expected challenge path?

```
mkdir /usr/libexec/webmin/ACME-challenges/.well-known/
mkdir /usr/libexec/webmin/ACME-challenges/.well-known/acme-challenge/
```

Did you put the test file in the expected challenge path?

```
echo "just a test" >> /usr/libexec/webmin/ACME-challenges/.well-known/acme-challenge/test-file-1234
```