Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=astian.org), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): apache2-2.4.33
The operating system my web server runs on is (include version): Opensuse Leap 15.1
My hosting provider, if applicable, is: dedicated server
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0
Did you even read the first paragraph in your post?
You hide the name, you hide the IP (presuming it doesn’t really resolve to 0.0.0.0), and you expect us to be able to help you (easily).
It is no surprise (to me) that your post hasn’t received the attention you expected.
That said, I will nonetheless try to “help” (with my hands tied behind my back and while wearing a blindfold)…
Here goes:
You are using Apache (problem #1: Apache is notorious for running at all costs and will do so even when the configuration is by all means “broken”).
Please try: apachectl -S
You will either find that it returns “problems” or if no “problems” found, it will show you which FQDNs are handled by which vhost config files (grouped by listening ports/protocol).
If it has “problems” you will need to correct those problems before continuing.
If not, then you can begin working through the “why does it fail” and follow the validation request through the expected path and ensure that path is doing what you want/expect.
All of this, of course, (so far) has nothing to do with this forum.
For “expert” help on Apache, you might want to consult an Apache expert or an Apache forum.
Once the Apache config is “working as you would expect it”, you can begin troubleshooting any certbot client problems - but I would expect that you will not find any and by then the process will complete and you will have your cert.
Naturally this is all just my best guess at a situation I can only imagine.
I changed some values because of security; I don't want to post the public IP of my server publicly, and I hid the subdomain.
Now apachectl -S says all is fine, because I have more than 5 subdomains, but since last week to now, new certs aren't working because of the acme-challenge.
VirtualHost configuration:
*:443 is a NameVirtualHost
default server www.analytics.astian.org (/etc/apache2/vhosts.d/analytics-le-ssl.conf:2)
port 443 namevhost www.analytics.astian.org (/etc/apache2/vhosts.d/analytics-le-ssl.conf:2)
alias analytics.astian.org
port 443 namevhost www.astian.org (/etc/apache2/vhosts.d/astian.org-le-ssl.conf:2)
alias astian.org
port 443 namevhost www.crm.astian.org (/etc/apache2/vhosts.d/crm.astian.org-le-ssl.conf:2)
alias crm.astian.org
port 443 namevhost www.mail.astian.org (/etc/apache2/vhosts.d/mail.astian.org-le-ssl.conf:2)
alias mail.astian.org
*:80 is a NameVirtualHost
default server www.analytics.astian.org (/etc/apache2/vhosts.d/analytics.conf:1)
port 80 namevhost www.analytics.astian.org (/etc/apache2/vhosts.d/analytics.conf:1)
alias analytics.astian.org
port 80 namevhost www.astian.org (/etc/apache2/vhosts.d/astian.org.conf:1)
alias astian.org
port 80 namevhost www.crm.astian.org (/etc/apache2/vhosts.d/crm.astian.org.conf:1)
alias crm.astian.org
port 80 namevhost www.mail.astian.org (/etc/apache2/vhosts.d/mail.astian.org.conf:1)
alias mail.astian.org
port 80 namevhost www.webmin.astian.org (/etc/apache2/vhosts.d/webmin.astian.org.conf:1)
alias webmin.astian.org
ServerRoot: "/srv/www"
Main DocumentRoot: "/srv/www/htdocs"
Main ErrorLog: "/var/log/apache2/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/httpd.pid"
Define: SYSCONFIG
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="wwwrun" id=472
Group: name="www" id=475
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
ServerName www.webmin.astian.org
ServerAlias webmin.astian.org
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
#SSLProxyEngine on
<Proxy *>
Require all granted
</Proxy>
#DocumentRoot /usr/libexec/webmin
# if not specified, the global error log is used
ErrorLog /var/log/apache2/astian/webmin/error_log
CustomLog /var/log/apache2/astian/webmin/access_log combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# configures the footer on server-generated documents
ServerSignature On
# Include /etc/apache2/conf.d/php5.conf
# Include /etc/apache2/conf.d/*.conf
#<Directory "/usr/libexec/webmin/">
# Options Indexes FollowSymLinks
# AllowOverride none
# <IfModule !mod_access_compat.c>
# Require all granted
# </IfModule>
# <IfModule mod_access_compat.c>
# Order allow,deny
# Allow from all
# </IfModule>
#</Directory>
</VirtualHost>
All requests (including those from LE for authentication) are being proxied to another site/service: ProxyPass / http://localhost:10000/
I’m thinking you are going to handle the cert on this system with Apache on port 80.
[that would be the simplest way to do it]
If so, you will need to exclude the LE authentication requests from such proxy.
Try updating that section as follows:
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
You will also need a document root location for the LE requests to go to.
For sanity and security reasons, I would make that a dedicated path.
Like: /ACME-challenges/
Then you can create the full LE authentication path and place a test file to see if indeed it can be reached from the Internet:
mkdir /ACME-challenges/.well-known/
mkdir /ACME-challenges/.well-known/acme-challenge/
echo "just a test" >> /ACME-challenges/.well-known/acme-challenge/test-file-1234
then try: http://webmin.astian.org/.well-known/acme-challenge/test-file-1234
and/or http://www.webmin.astian.org/.well-known/acme-challenge/test-file-1234
Once that file is accessible, you should be able to run certbot to obtain a cert.
http://webmin.astian.org/.well-known/acme-challenge/test-file-1234 does not work because webmin redirects, but this is my new vhost now:
<VirtualHost *:80>
#ServerAdmin webmaster@dummy-host.example.com
ServerName www.webmin.astian.org
ServerAlias webmin.astian.org
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://localhost:10000/
ProxyPassReverse / http://localhost:10000/
#SSLProxyEngine on
<Proxy *>
Require all granted
</Proxy>
#DocumentRoot /usr/libexec/webmin
DocumentRoot /usr/libexec/webmin/ACME-challenges
<Directory /usr/libexec/webmin/ACME-challenges>
AllowOverride None
Require all granted
</Directory>
# if not specified, the global error log is used
ErrorLog /var/log/apache2/astian/webmin/error_log
CustomLog /var/log/apache2/astian/webmin/access_log combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# configures the footer on server-generated documents
ServerSignature On
# Include /etc/apache2/conf.d/php5.conf
# Include /etc/apache2/conf.d/*.conf
#<Directory "/usr/libexec/webmin/">
# Options Indexes FollowSymLinks
# AllowOverride none
# <IfModule !mod_access_compat.c>
# Require all granted
# </IfModule>
# <IfModule mod_access_compat.c>
# Order allow,deny
# Allow from all
# </IfModule>
#</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerAdmin contact@astian.org
ServerName www.abc.astian.org
ServerAlias abc.astian.org
DocumentRoot /opt/services/webs/abc/
ErrorLog /var/log/apache2/astian/abc/error_log
CustomLog /var/log/apache2/astian/abc/access_log combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# configures the footer on server-generated documents
ServerSignature On
# Include /etc/apache2/conf.d/php7.conf
# Include /etc/apache2/conf.d/*.conf
<Directory "/opt/services/webs/abc/">
Options Indexes FollowSymLinks
AllowOverride All
<IfModule !mod_access_compat.c>
Require all granted
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Allow from all
</IfModule>
</Directory>
</VirtualHost>
Another vhost that has the same problem, but this one is a Moodle; it was on another server and was moved to the new one that I am using now.
Did you create the expected challenge path?
mkdir /usr/libexec/webmin/ACME-challenges/.well-known/
mkdir /usr/libexec/webmin/ACME-challenges/.well-known/acme-challenge/
Did you put the test file in the expected challenge path?
echo "just a test" >> /usr/libexec/webmin/ACME-challenges/.well-known/acme-challenge/test-file-1234
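Added here as a worked example, not code from the thread and not part of Apache, Webmin or Certbot: a small POSIX shell helper that turns the two replies above (the ProxyPass exclusion, and the challenge directory with a test file that is then fetched from outside) into repeatable checks. It goes one step beyond the thread in checking the order of the ProxyPass lines: mod_proxy evaluates ProxyPass rules in configuration order and the first match wins, so the `!` exclusion only has an effect when it appears before the catch-all `ProxyPass /`. The function names, the default webroot /ACME-challenges and the "just a test" body are the author's own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts, Apache, Webmin or Certbot).
# Assumed: function names, the default webroot /ACME-challenges and the test-file body.

# check_acme_exclusion CONF
# Exit 0 when CONF has a "ProxyPass /.well-known/acme-challenge !" line placed
# BEFORE the catch-all "ProxyPass / ..." line (unquoted form, as in the vhosts
# above). mod_proxy applies ProxyPass rules in configuration order and takes the
# first match, so an exclusion written after the catch-all never fires and every
# validation request is still forwarded to the backend (here Webmin on :10000).
check_acme_exclusion() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^ProxyPass[ \t]+\/\.well-known\/acme-challenge\/?[ \t]+!/ { if (!excl) excl = NR }
        line ~ /^ProxyPass[ \t]+\/[ \t]+/                                 { if (!all)  all  = NR }
        END {
            if (!all)       { print "no catch-all ProxyPass /, nothing to exclude"; exit 0 }
            if (!excl)      { print "FAIL: catch-all at line " all " has no acme-challenge exclusion"; exit 1 }
            if (excl > all) { print "FAIL: exclusion at line " excl " comes after catch-all at line " all; exit 1 }
            print "ok: exclusion at line " excl " precedes catch-all at line " all
        }' "$1"
}

# make_challenge_dir [WEBROOT]
# Create WEBROOT/.well-known/acme-challenge, readable by the Apache user, drop a
# test token with a random name and print that name. Use a dedicated, otherwise
# empty directory: it is served to the whole Internet over plain HTTP, so nothing
# else (and certainly not an application install tree) should live under it.
make_challenge_dir() {
    webroot="${1:-/ACME-challenges}"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    chmod 755 "$webroot" "$webroot/.well-known" "$dir"
    token=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf 'just a test\n' > "$dir/$token"
    chmod 644 "$dir/$token"
    printf '%s\n' "$token"
}

# probe_challenge HOST TOKEN
# Fetch the test file over plain HTTP and check status and body. curl is run
# without -L, so a redirect issued by the backend shows up as a non-200 status
# instead of being silently followed. Run it from a machine outside the server
# so that DNS and firewalling are exercised the way the CA's validator sees them.
probe_challenge() {
    host="$1"; token="$2"
    url="http://$host/.well-known/acme-challenge/$token"
    body=$(curl -sS --max-time 10 -w '\n%{http_code}' "$url") || return 1
    code=$(printf '%s\n' "$body" | tail -n 1)
    [ "$code" = "200" ] || { echo "FAIL: $url returned HTTP $code"; return 1; }
    case "$body" in
        "just a test"*) echo "ok: $url serves the token"; return 0 ;;
        *) echo "FAIL: $url returned 200 but a different body (proxied or rewritten?)"; return 1 ;;
    esac
}

# Usage on the server, after editing the vhost:
#   check_acme_exclusion /etc/apache2/vhosts.d/webmin.astian.org.conf && apachectl graceful
#   token=$(make_challenge_dir /ACME-challenges)
#   probe_challenge webmin.astian.org "$token"   # best run from outside the server
```

If `check_acme_exclusion` passes but the probe still returns a redirect or the Webmin login page, the request is reaching a different vhost than expected; `apachectl -S` shows which vhost owns each name and port, and the DocumentRoot of that vhost is the one that must contain `.well-known/acme-challenge`.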