Hello! Like a dummy, I let my certificate expire and couldn't renew it. I deleted the cert, not realizing I was supposed to revoke it first. Since then, I've been unable to create a new cert.
Prior to my cert snafu, the site was working via https for months. I haven't touched the apache2.conf since it was first up and running.
My domain is: fulcrum.mu
I ran this command: certbot --apache -d "www.fulcrum.mu,fulcrum.mu"
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fulcrum.mu
http-01 challenge for www.fulcrum.mu
Waiting for verification...
Challenge failed for domain fulcrum.mu
Challenge failed for domain www.fulcrum.mu
http-01 challenge for fulcrum.mu
http-01 challenge for www.fulcrum.mu
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: fulcrum.mu
Type: unauthorized
Detail: Invalid response from
http://fulcrum.mu/.well-known/acme-challenge/CMKIf_VWRGvRzsrere1GaAJcddkwicgc--BkMY6MVvU
[143.110.234.63]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: www.fulcrum.mu
Type: unauthorized
Detail: Invalid response from
http://www.fulcrum.mu/.well-known/acme-challenge/4YFLDjiOzWtjKez6u2MpDiDKTvSt-danB9qfqghQGCM
[143.110.234.63]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Server Version: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1j
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no. I manage through ssh.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0
You were neither supposed to revoke it nor delete it. What made you think you were supposed to?
Well, that's interesting. It looks like you're getting validation requests from the secondary servers, but not the primary validation server. (I say this because you're supposed to get three connections from the secondary servers, and each of them to each of your two domain names (with the www. and without), and one connection from the primary server, and the error message from Let's Encrypt doesn't say "secondary" in it.)
To be honest, I'm not sure. The renewal kept failing, so I figured it'd be ok to delete the expired cert and just start over with a new one. It's quite possible the renewal failure was the same one we're seeing here with the creation of a new one.
I'm a software engineer, not a sysadmin/network admin. Definitely outside my wheelhouse on this.
From a technical perspective, there's no difference between a "renewed" certificate and a "new" certificate, in terms of what the request and response to Let's Encrypt's servers are. It's just a matter of convention of what your client software calls things, that you're making a "same" request as before so it's a renewal.
Certbot should just be automatically renewing things, so yes, it's highly likely that it ran into the same problem renewing as you're seeing now. It looks like your first request was approx. 3 months ago, so this is your first "renewal". Did you have to do anything "weird" or unusual to get your initial certificate, or did it just all work straightforwardly?
Can you dig through your log files and see if your server has any entry anywhere else for the fourth expected validation request? It almost seems like some requests are going to your server but the fourth is going to some other server that isn't expecting it, but maybe it's actually going to some other virtual host or the like within your Apache config?
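One way to do the log check suggested above, as an added example that is not part of this thread and not certbot's or Let's Encrypt's tooling: a small Python script that pulls every request under /.well-known/acme-challenge/ out of an Apache access log, groups the hits by virtual host and token, and reports which names answered with something other than 200 and which names saw fewer validation sources than expected. It assumes the Apache "combined" format with the virtual host (%v) prepended as the first field, so you can see which vhost actually served each challenge request; the log lines below are constructed, and the expected count of four sources per name (three secondary plus one primary) is taken from the post above, not from any Let's Encrypt documentation.

```python
"""Summarize ACME http-01 challenge requests found in an Apache access log.

Added example for this thread (not certbot's or Let's Encrypt's code).
Assumes a LogFormat like:  "%v %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
i.e. the 'combined' format with the virtual host name prepended.
Adjust LOG_RE if your LogFormat differs.
"""
import re
from collections import defaultdict

# vhost client ident user [time] "METHOD path PROTOCOL" status ...
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Per the post above: three secondary validation servers plus the primary,
# so four distinct sources per hostname are expected (an assumption taken
# from the thread, not a documented guarantee).
EXPECTED_PER_NAME = 4

# Constructed sample log: three secondaries hit each name and get a 404;
# the fourth (primary) request never appears for either name.
SAMPLE_LOG = """\
fulcrum.mu 203.0.113.11 - - [01/Jun/2021:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 196 "-" "Let's Encrypt validation server"
fulcrum.mu 203.0.113.12 - - [01/Jun/2021:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 196 "-" "Let's Encrypt validation server"
fulcrum.mu 203.0.113.13 - - [01/Jun/2021:10:00:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 404 196 "-" "Let's Encrypt validation server"
www.fulcrum.mu 203.0.113.11 - - [01/Jun/2021:10:00:02 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 404 196 "-" "Let's Encrypt validation server"
www.fulcrum.mu 203.0.113.12 - - [01/Jun/2021:10:00:02 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 404 196 "-" "Let's Encrypt validation server"
www.fulcrum.mu 203.0.113.13 - - [01/Jun/2021:10:00:03 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 404 196 "-" "Let's Encrypt validation server"
fulcrum.mu 198.51.100.7 - - [01/Jun/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def challenge_requests(lines):
    """Yield parsed entries whose path lies under the ACME challenge prefix."""
    for line in lines:
        entry = parse_line(line)
        if entry and entry["path"].startswith(CHALLENGE_PREFIX):
            entry["token"] = entry["path"][len(CHALLENGE_PREFIX):]
            yield entry


def summarize(lines):
    """Group challenge hits by (vhost, token): distinct clients and status codes."""
    summary = defaultdict(lambda: {"clients": set(), "statuses": []})
    for e in challenge_requests(lines):
        key = (e["vhost"], e["token"])
        summary[key]["clients"].add(e["client"])
        summary[key]["statuses"].append(e["status"])
    return dict(summary)


def findings(lines):
    """Return diagnostics: non-200 answers, and names with too few sources."""
    out = []
    for (vhost, token), info in sorted(summarize(lines).items()):
        bad = sorted({s for s in info["statuses"] if s != 200})
        if bad:
            out.append(f"{vhost}: token {token} answered {bad} to "
                       f"{len(info['clients'])} client(s); the challenge file is "
                       f"not being served from this vhost's DocumentRoot")
        if len(info["clients"]) < EXPECTED_PER_NAME:
            out.append(f"{vhost}: only {len(info['clients'])} of {EXPECTED_PER_NAME} "
                       f"expected validation sources reached this vhost for token "
                       f"{token}; look for the rest in other vhosts' logs or on "
                       f"another host behind the same IP")
    return out


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for line in findings(lines):
        print(line)
```

Run it against /var/log/apache2/access.log (or other_vhosts_access.log, which on Ubuntu already carries the vhost as its first field) right after a failed certbot attempt. Two things are worth reading off the output: a 404 for a token that certbot just placed means the request reached Apache but a different DocumentRoot or vhost than the one certbot wrote the file into; a name that shows fewer sources than the other means some validation traffic is ending up somewhere this log cannot see.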
Killed apache as described, confirmed there were no apache processes running. Tried certbot --apache -d "www.fulcrum.mu,fulcrum.mu" and got the same failure.
Restarted apache via systemctl, re-ran certbot, same result.
I'll poke around at the redirect stuff. For now, I can have the few people that are working on the stuff on that site explicitly use HTTPS until I get the redirect thing working (e.g. the example at How to redirect HTTP to HTTPS Using .htaccess isn't working after I drop a .htaccess file in /var/www/html with my proper domain name replacing the yourdomain.com example).
My post was linked to regarding the secondary/primary servers, and since I'm not an apache guy, I don't understand the changes and output above, so I have to ask what I feel is a silly question:
Was the issue related to my post, or was the cause determined to be something else?