Another Apache Certbot Configuration Issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: whatsupgoose.org

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: whatsupgoose.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for whatsupgoose.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: whatsupgoose.org
Type: unauthorized
Detail: 2606:4700:3035::6815:54d9: Invalid response from http://whatsupgoose.org/.well-known/acme-challenge/o4WbxaaQpUIcXEzCKE9FTEgxttVmRbSreopOvF9Gcvc: 522

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

Welcome @upgoose

Your domain is proxied at Cloudflare. Nothing wrong with that but it does take special care to get a cert on your Origin server with a CDN in front of it.

The 522 is an HTTP error code. That means the Cloudflare CDN edge could not communicate with your Origin server. See: Error 522 · Cloudflare Support docs

That's the first thing to sort out. I couldn't repeat that error now so let us know if you are getting different results now.

The second thing I'd suggest is seeing if the Cloudflare Origin CA certificate would work for you. If so, you wouldn't need Certbot at all. Instead, you get a self-signed cert from Cloudflare which you can set with a very long expiration. It allows encrypted comms between the Cloudflare edge and your Origin.

See: Cloudflare origin CA · Cloudflare SSL/TLS docs

2 Likes

I am unsure how to resolve the 522 error. I can adjust whether the A record in Cloudflare is proxied, but that just changes the error from 522 to "Timeout during connect (likely firewall problem)"

I'd start by unsetting the proxy for your A and AAAA records just to simplify.

Can you explain more about how your Apache server is hosted? Things like is this a residential ISP and are there any firewalls or other comms gear you are using?

I can connect to your domain with HTTP and HTTPS but not for the /.well-known/acme-challenge path

That suggests that something is interfering on your end. A firewall may be blocking that path. Or, some other device wants to handle those kinds of challenge requests itself but is failing. Or, maybe a router is sending such requests to the wrong local IP at your location.

Cloudflare just adds complications to the debug process at this stage.

The Let's Debug site is often helpful with new setups. https://letsdebug.net

Making repeated failures against the LE production system will get you temporarily blocked. That isn't the cause of your 522 or timeout problem but could happen with repeated attempts.

Or, at least use the LE staging system like this

sudo certbot certonly --dry-run --apache -d whatsupgoose.org
3 Likes

I am self-hosting Apache using a Debian-based container through Proxmox. There shouldn't be any firewalls between the container, node, or the router. My ISP is residential, and I'm currently using a TP-Link router. I am not exactly sure of the IPv6 address, and may possibly just start over from container creation, ensuring to create static IP addresses for both IPv4 and IPv6 and linking them to the A and AAAA records on Cloudflare.
If the router is sending to the incorrect local IP, I would check that through the router's web interface?

I think this is not likely a problem since requests to your "home" page get through as well as other requests getting a 404 Not Found. Your router would have to be handling the .well-known path uniquely.

From your local network does this work?

curl -i http://(localIP)/.well-known/acme-challenge/TestLocal404

Replace (localIP) with the actual IP that would reach Apache

Doesn't Proxmox have a built-in ACME Client for getting certs? Could that be grabbing these inbound requests instead of your Apache?

Then I wouldn't be making an AAAA record with it until you know it can work.

3 Likes
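The local curl test suggested above, written out as a small added shell helper (example code, not part of the thread or of Certbot). It places a temporary token under the Apache document root, fetches it by LAN IP with the domain's Host header so the same virtual host the CA would reach is exercised, and maps the status code to the symptoms seen in this thread (522 from Cloudflare, 404 from Apache, no connection at all). `DOCROOT=/var/www/html` and the LAN IP passed to `probe_local_acme` are assumptions to adjust for your container.

```shell
#!/bin/sh
# Added example (not from the thread): local reachability check for the
# ACME HTTP-01 challenge path. DOCROOT is an assumption; set it to the
# DocumentRoot of the vhost that serves DOMAIN.
DOMAIN="${DOMAIN:-whatsupgoose.org}"
DOCROOT="${DOCROOT:-/var/www/html}"

# Build the URL the CA would fetch for a given challenge token.
acme_challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Pull the numeric status out of the first line of a `curl -i` response.
http_status_of() {
  printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Interpret a status code in terms of the failure modes discussed above.
classify_acme_status() {
  case "$1" in
    200) echo "ok: Apache served the challenge path" ;;
    404) echo "apache-reached: path routed to Apache but token missing (expected for a test token)" ;;
    522) echo "cloudflare-origin-unreachable: edge could not connect to origin, check port forwarding and firewall" ;;
    000|"") echo "no-connection: curl got no HTTP response (timeout or connection refused)" ;;
    *) echo "unexpected: status $1, something other than Apache answered the ACME path" ;;
  esac
}

# Write a throwaway token into the docroot, fetch it via the LAN IP with the
# right Host header, clean up, and report the classification.
probe_local_acme() {
  local_ip="$1"; token="probe-$$"
  dir="$DOCROOT/.well-known/acme-challenge"
  mkdir -p "$dir" && printf 'test\n' > "$dir/$token"
  code=$(curl -s -o /dev/null -w '%{http_code}' -H "Host: $DOMAIN" \
        "http://$local_ip/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  classify_acme_status "$code"
}

# Usage: probe_local_acme 192.168.1.50   (the LAN IP that reaches Apache)
```

A 404 from this probe is fine only when you did not create the token; with the token in place you want a 200. If the LAN probe succeeds but the public name still fails, the problem sits in the router's port forwarding, the Cloudflare proxy path, or another ACME client on the host answering first.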

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.