Apache 000-default.conf issue causing cert renewal failure?

My domain is: alice.hatters.org.uk

I ran this command: sudo certbot renew --dry-run

It produced this output:

   Domain: alice.hatters.org.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://alice.hatters.org.uk/.well-known/acme-challenge/A0Axf9ky4sCodxAlUoK5_gwYQWZElaB4MAm7qq5rwCQ:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is (include version): Apache2

The operating system my web server runs on is: Ubuntu 18.04

My hosting provider, if applicable, is: Jump Networks

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: No

The version of my client is: 0.28.0

–

While the domain given is alice.hatters.org.uk, that is the canonical name of the host machine. The web server's name is www.hatters.org.uk. I'm not sure why the canonical name is getting involved in the certificate otherwise, nor why I'm getting this error now when renewals have been happening fine until now.

There is no LE version of the Apache 000-default.conf file though - is that an issue? All other web certificates on the machine are renewing fine.

Hi @gilgongo

Checked your server via https://check-your-website.server-daten.de/?q=alice.hatters.org.uk; the general configuration looks ok.

Domainname (IP): Http-Status, redirect, Sec., Grade
• http://alice.hatters.org.uk/ (185.73.44.57): 200, 0.060 s, grade H
• http://alice.hatters.org.uk/ (2001:ba8:0:2c38::39): 200, 0.064 s, grade H
• https://alice.hatters.org.uk/ (185.73.44.57): 200, 1.670 s, grade N, Certificate error: RemoteCertificateChainErrors
• https://alice.hatters.org.uk/ (2001:ba8:0:2c38::39): 200, 1.330 s, grade N, Certificate error: RemoteCertificateChainErrors
• http://alice.hatters.org.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (185.73.44.57): 404 Not Found, 0.063 s, grade A
• http://alice.hatters.org.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (2001:ba8:0:2c38::39): 404 Not Found, 0.063 s, grade A

HTTP / port 80 works with your IPv4 and your IPv6 address; the server headers are the same.

So try to find your DocumentRoot / webroot. Then use it:

certbot certonly -a webroot -w yourDocumentRoot -d alice.hatters.org.uk -d www.hatters.org.uk

Your expired certificate has the same domain names.

But your www-version has a wrong certificate ( https://check-your-website.server-daten.de/?q=hatters.org.uk ):

CN=bluett.com, valid 16.12.2018 to 16.03.2019, expires in 33 days; names: bluett.com, www.bluett.com (2 entries)

Thanks. When I try that with the web root I get the same error. But what does "your www-version has a wrong certificate" mean exactly?

The cert served by www.hatters.org.uk doesn't match the name:
SSL Server Test: www.hatters.org.uk (Powered by Qualys SSL Labs)

Check which certificates have been issued and which names they cover with:
certbot certificates

Then your web root is wrong or these domains have different webroots.

So find your webroot and create there the two subdirectories

/.well-known/acme-challenge

and in there a file (file name 1234), then try to load this file via

http://alice.hatters.org.uk/.well-known/acme-challenge/1234
http://www.hatters.org.uk/.well-known/acme-challenge/1234

If that works, we know you have the correct webroot.
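One way to run that webroot check from a script, as an added example (not part of the thread): it places a random token file under the webroot's .well-known/acme-challenge directory and fetches it over plain HTTP for each hostname, which is the same path the ACME server requests during the challenge. The webroot /home/hatters/html and the two hostnames are the values quoted in this thread and must be adjusted for your own server; the token is restricted to base64url characters so it can never name a path outside the challenge directory.

```python
"""Place a test file under the ACME webroot path and fetch it over HTTP.

Added example; not part of the thread. The webroot and hostnames below are
the ones quoted in the thread and are assumptions for your own server.
"""
import os
import re
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
# ACME tokens are base64url characters only; reject anything else so a
# token can never escape the challenge directory (e.g. "../x").
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def place_challenge(webroot, token):
    """Create <webroot>/.well-known/acme-challenge/<token>; return its content."""
    if not TOKEN_RE.match(token):
        raise ValueError(f"invalid token: {token!r}")
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    content = secrets.token_hex(16)          # random so a stale file is detected
    with open(os.path.join(directory, token), "w", encoding="ascii") as fh:
        fh.write(content)
    return content


def challenge_url(host, token):
    """The URL the ACME server would request for this host and token."""
    return f"http://{host}/.well-known/acme-challenge/{token}"


def fetch_challenge(host, token, timeout=10.0):
    """Fetch the token over plain HTTP; return (status, body)."""
    req = urllib.request.Request(challenge_url(host, token),
                                 headers={"User-Agent": "webroot-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("ascii", "replace")


def webroot_serves(host, webroot, token):
    """True if a file placed in webroot is what host serves for the challenge URL."""
    expected = place_challenge(webroot, token)
    status, body = fetch_challenge(host, token)
    return status == 200 and body.strip() == expected


if __name__ == "__main__":
    # Assumed values from the thread; change for your own server.
    for name in ("alice.hatters.org.uk", "www.hatters.org.uk"):
        ok = webroot_serves(name, "/home/hatters/html", "1234")
        print(name, "served from this webroot" if ok else "NOT served from this webroot")
```

If one hostname passes and the other fails, the two names are served by different vhosts (or different DocumentRoots), which is exactly the situation that makes a single certificate covering both names fail to renew.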

I've checked that domain with the same tool. The result ( https://check-your-website.server-daten.de/?q=hatters.org.uk ):

Domainname (IP): Http-Status, redirect, Sec., Grade
• http://www.hatters.org.uk/ (185.73.44.57): 301 to https://www.hatters.org.uk/, 0.080 s, grade A
• http://www.hatters.org.uk/ (2001:ba8:0:2c38::39): 301 to https://www.hatters.org.uk/, 0.060 s, grade A
• https://www.hatters.org.uk/ (185.73.44.57): 200, 5.626 s, grade N, Certificate error: RemoteCertificateNameMismatch
• https://www.hatters.org.uk/ (2001:ba8:0:2c38::39): 200, 5.280 s, grade N, Certificate error: RemoteCertificateNameMismatch

Two insecure connections. And

CN=bluett.com, valid 16.12.2018 to 16.03.2019, expires in 32 days; names: bluett.com, www.bluett.com (2 entries)

as the only certificate. So this domain uses the wrong certificate.

Recheck your domain to see that.
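The RemoteCertificateNameMismatch verdict above can be reproduced locally. The script below is an added example, not from the thread or from the check-your-website tool: served_names() connects with a chosen SNI name and returns the subject CN, the DNS names and the expiry of whatever certificate the server presents (verification is switched off so that an expired or wrong-name certificate is still reported rather than aborting the handshake), and hostname_matches() applies the RFC 6125 rule to decide whether that certificate covers the name. It assumes the third-party cryptography package is installed for parsing the DER certificate; the hostnames in the main block are the ones from this thread.

```python
"""Report which names the certificate served for a given SNI name covers.

Added example, not from the thread or the check-your-website tool.
Assumption: the third-party 'cryptography' package is installed for the
network part; hostname_matches() needs only the standard library.
"""
import socket
import ssl


def hostname_matches(hostname, dns_names):
    """True if hostname is covered by one of the certificate's DNS names.

    RFC 6125 rule: exact match, or a wildcard only in the left-most label
    that stands for exactly one label ("*.example.com" covers
    "www.example.com" but not "example.com" or "a.b.example.com").
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if labels[0] == "*" and len(labels) > 1 and len(host_labels) == len(labels):
            if host_labels[1:] == labels[1:]:
                return True
    return False


def served_names(host, sni, port=443, timeout=10.0):
    """Connect to host:port with SNI=sni; return (subject CN, DNS SANs, not_after).

    Verification is disabled on purpose: the aim is to see the certificate
    the server actually presents, even when it is expired or for the wrong
    name, which is exactly the case being diagnosed.
    """
    from cryptography import x509               # assumption: package installed
    from cryptography.x509.oid import NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)   # dict form is empty when unverified
    cert = x509.load_der_x509_certificate(der)
    cn = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    # newer cryptography versions expose a timezone-aware variant
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return (cn[0] if cn else None, names, not_after)


def check(host, sni=None):
    """Print what the server presents for sni and whether it covers that name."""
    sni = sni or host
    cn, names, not_after = served_names(host, sni)
    ok = hostname_matches(sni, names)
    print(f"{sni}: CN={cn} names={names} not_after={not_after} -> "
          f"{'covers' if ok else 'DOES NOT cover'} {sni}")
    return ok


if __name__ == "__main__":
    # Assumed hostnames from the thread; change for your own server.
    for name in ("alice.hatters.org.uk", "www.hatters.org.uk"):
        check(name)
```

Running check() for each name a single certificate is supposed to cover shows at once whether the server hands out that certificate for every name or, as in this thread, a different site's certificate for one of them.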

Yes, these domains (hatters.org.uk and bluett.com) have different web roots. I have no idea why they got confused. hatters.org.uk has been auto-renewing OK until now. And there is a separate cert for bluett.com that seems to be working OK for that site (on its different webroot).

What can I do to fix the problem with hatters.org.uk? I'm a bit confused as to what "certificate" means in this context and what is referring to what.

If I do certbot certificates -d www.hatters.org.uk I get:

  Certificate Name: alice.hatters.org.uk
    Domains: www.hatters.org.uk alice.hatters.org.uk
    Expiry Date: 2019-01-14 19:23:19+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/alice.hatters.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alice.hatters.org.uk/privkey.pem

There is no mention of bluett.com there though. That domain comes up as valid if I query it with the above command.

Should I run certbot delete -d alice.hatters.org.uk and then certbot certonly --cert-name www.hatters.org.uk -d www.hatters.org.uk,alice.hatters.org.uk to set it up again?

Iā€™m not sure what to do.

Load

https://www.hatters.org.uk

in your browser. Then you see the wrong certificate.

Don't delete certificates.

Your www.hatters.org.uk VirtualHost uses the wrong certificate. So check that vHost.

Start by reviewing the certs used by the vhosts with the output of:
grep -Eri 'servername|serveralias|virtualhost|documentroot|sslcert' /etc/apache2

[feel free to post it here if you need help in understanding any of that output]

OK so from the Vhost config, I can see that the docroot is /home/hatters/html and the certificate files are in /etc/letsencrypt/live/alice.hatters.org.uk.* The docroot hasn't been changed for that server for years. In fact none of the Apache configs have.

The Vhost config Certificate Name details that certbot reports for www.hatters.org.uk are indeed for www.hatters.org.uk and alice.hatters.org.uk, which is what the Apache host should resolve to.

Certbot doesn't mention anything to do with www.bluett.com, yet the cert in my browser for www.hatters.org.uk says it's been issued to bluett.com. That site is also a site we host, and its certificate is fine (and as far as I know its Apache config hasn't changed).

I'm afraid I don't understand what to do. How can I get the certificate for www.hatters.org.uk to be for that site and not bluett.com?

Your alice.hatters.org.uk has one certificate with both domain names ( https://check-your-website.server-daten.de/?q=alice.hatters.org.uk ):

CN=www.hatters.org.uk, valid 16.10.2018 to 14.01.2019, expired 31 days ago; names: alice.hatters.org.uk, www.hatters.org.uk (2 entries)

Your www.hatters.org.uk has the wrong certificate.

One VirtualHost can use one certificate.

So either

  • there is no VirtualHost with www.hatters.org.uk as ServerName or ServerAlias, in which case the default VirtualHost or the first VirtualHost is used, or
  • there is a VirtualHost with the wrong certificate.

So check your config if you have an explicit VirtualHost with www.hatters.org.uk. If not, create one (copy the alice-vHost and change the details).

Then the output should have shown that www.hatters.org.uk is not specifically included in any vhost and is therefore being served by the default vhost (or the first vhost, if a default vhost is not defined).

But it is included in the vhost config and has been for a number of years. As far as I can tell, everything is set up OK. And indeed has been working fine ever since I set up LE on my server over two years ago... until now.

I don't have a *-le-ssl-conf version of 000-default.conf. But I don't know why that might mean Apache is serving port 443 requests for www.hatters.org.uk with the cert for bluett.com though. I assume bluett.com is the first vhost in that case - but why is this happening? And more importantly, I have no ideas about how to fix it.

Then this vHost isn't used. Or the wrong certificate is included in the vHost.

PS: Share this vHost configuration.

And the content of this file (the public key):

SSLCertificateFile      /path-to-the-certificate

Four eyes are better than two...
Can you show the output of?:

Thanks - the vhost config is as follows:

<VirtualHost [::]:443 *:443>
    ServerName www.hatters.org.uk
    ServerName alice.hatters.org.uk
    ServerAdmin webmaster@hatters.org.uk
    DocumentRoot /home/hatters/html

    ... various <Directory> configs ...

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/alice.hatters.org.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/alice.hatters.org.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/alice.hatters.org.uk/chain.pem
</VirtualHost>

The SSLCertificateFile contents:

-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

The output of grep -Eri 'servername|serveralias|virtualhost|documentroot|sslcert' for the servers in question is:

/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80 [::]:80>
/etc/apache2/sites-available/000-default.conf:# DocumentRoot /var/www
/etc/apache2/sites-available/000-default.conf:    DocumentRoot /var/www/error/
/etc/apache2/sites-available/000-default.conf:</VirtualHost>
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:<VirtualHost [::]:443 *:443>
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       ServerName www.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       ServerName alice.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       DocumentRoot /home/hatters/html
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateFile /etc/letsencrypt/live/alice.hatters.org.uk/cert.pem
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateKeyFile /etc/letsencrypt/live/alice.hatters.org.uk/privkey.pem
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateChainFile /etc/letsencrypt/live/alice.hatters.org.uk/chain.pem
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:</VirtualHost>
/home/conf/hatters/apache/www.hatters.org.uk.conf:<VirtualHost [::]:80 *:80>
/home/conf/hatters/apache/www.hatters.org.uk.conf:      ServerName www.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk.conf:      ServerAlias alice.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk.conf:</VirtualHost>
/home/conf/michael/apache/bluett.com.conf:<VirtualHost [::]:80 *:80>
/home/conf/michael/apache/bluett.com.conf:ServerAlias bluett.com
/home/conf/michael/apache/bluett.com.conf:</VirtualHost>
/home/conf/michael/apache/www.bluett.com.20160612.conf:<VirtualHost [::]:80 *:80>
/home/conf/michael/apache/www.bluett.com.20160612.conf:DocumentRoot /home/michael/html/michael/bluett/
/home/conf/michael/apache/www.bluett.com.20160612.conf:ServerName www.bluett.com
/home/conf/michael/apache/www.bluett.com.20160612.conf:ServerAlias *.bluett.com
/home/conf/michael/apache/www.bluett.com.20160612.conf:</VirtualHost>
/home/conf/michael/apache/bluett.com-le-ssl.conf:<VirtualHost [::]:443 *:443>
/home/conf/michael/apache/bluett.com-le-ssl.conf:DocumentRoot /home/michael/html/michael/bluett/
/home/conf/michael/apache/bluett.com-le-ssl.conf:ServerName bluett.com
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/bluett.com/cert.pem
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/bluett.com/privkey.pem
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/bluett.com/chain.pem

Seems to be duplicate configs for bluett.com, and I don't know if that ServerAlias *.bluett.com is causing a problem?
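The selection rule described earlier in the thread (a name that matches no ServerName or ServerAlias falls through to the first vhost for that address and port) can be simulated against a config like the one just posted. The script below is an added example, not from the thread: parse_vhosts() reads VirtualHost blocks in load order and select_vhost() applies Apache's documented rules, including that ServerName is single-valued (a second ServerName line replaces the first rather than adding an alias) and that ServerAlias accepts * and ? wildcards. CONFIG is a constructed config modelled on the grep output above, with the bluett.com SSL vhost loaded first; under those rules www.hatters.org.uk on port 443 falls through to that first vhost, because the hatters SSL block's second ServerName line leaves www.hatters.org.uk unmatched, while the port-80 block, which uses ServerAlias, matches it. FIXED_CONFIG is the same config with that second ServerName turned into a ServerAlias.

```python
"""Simulate Apache's name-based VirtualHost selection for a Host/SNI name.

Added example, not from the thread. Rules modelled, as Apache documents
them: among the vhosts bound to the requested address:port, the first
whose ServerName or ServerAlias matches wins; if none matches, the first
vhost listed for that address:port is used. ServerName is single-valued,
so a repeated ServerName replaces the earlier value instead of adding an
alias; ServerAlias accepts * and ? wildcards.
"""
import fnmatch
import re

# Constructed config, modelled on the grep output posted in the thread and
# ordered so that the bluett.com SSL vhost is loaded first.
CONFIG = """
<VirtualHost [::]:443 *:443>
    ServerName bluett.com
    SSLCertificateFile /etc/letsencrypt/live/bluett.com/cert.pem
</VirtualHost>
<VirtualHost [::]:443 *:443>
    ServerName www.hatters.org.uk
    ServerName alice.hatters.org.uk
    SSLCertificateFile /etc/letsencrypt/live/alice.hatters.org.uk/cert.pem
</VirtualHost>
<VirtualHost [::]:80 *:80>
    ServerName www.bluett.com
    ServerAlias *.bluett.com
</VirtualHost>
<VirtualHost [::]:80 *:80>
    ServerName www.hatters.org.uk
    ServerAlias alice.hatters.org.uk
</VirtualHost>
"""

# Same config with the second ServerName turned into a ServerAlias.
FIXED_CONFIG = CONFIG.replace("    ServerName alice.hatters.org.uk",
                              "    ServerAlias alice.hatters.org.uk")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return vhosts in load order as dicts: addrs, name, aliases, cert."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        vh = {"addrs": m.group(1).split(), "name": None, "aliases": [], "cert": None}
        for line in m.group(2).splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key == "servername":
                # strip an optional scheme:// and :port; the last ServerName wins
                vh["name"] = parts[1].lower().split("://")[-1].split(":")[0]
            elif key == "serveralias":
                vh["aliases"].extend(a.lower() for a in parts[1:])
            elif key == "sslcertificatefile":
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts


def _name_matches(vh, host):
    if vh["name"] == host:
        return True
    return any(fnmatch.fnmatchcase(host, alias) for alias in vh["aliases"])


def select_vhost(vhosts, host, addr):
    """Return the vhost Apache would use for host on listening socket addr."""
    host = host.lower()
    candidates = [vh for vh in vhosts if addr in vh["addrs"]]
    if not candidates:
        return None
    for vh in candidates:
        if _name_matches(vh, host):
            return vh
    return candidates[0]        # no match: the first vhost for addr is the default


def explain(text, host, addr):
    """One-line summary of which vhost and certificate answer for host."""
    vh = select_vhost(parse_vhosts(text), host, addr)
    if vh is None:
        return f"{host} on {addr}: no vhost bound to {addr}"
    how = "matched" if _name_matches(vh, host.lower()) else "fell through to first vhost"
    return f"{host} on {addr}: {how}, ServerName={vh['name']}, cert={vh['cert']}"


if __name__ == "__main__":
    for cfg in (CONFIG, FIXED_CONFIG):
        print(explain(cfg, "www.hatters.org.uk", "*:443"))
        print(explain(cfg, "alice.hatters.org.uk", "*:443"))
        print(explain(cfg, "shop.bluett.com", "*:80"))
        print()
```

On the real server, apache2ctl -S prints the vhosts Apache actually loaded, in the order it searches them, which is the authoritative version of what this simulation infers from a config file.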

The certificate is the expired certificate with

DNS-Name=alice.hatters.org.uk
DNS-Name=www.hatters.org.uk

So this vHost isn't used.

Do you mean Apache isn't serving www.hatters.org.uk when a request is made for it on port 443 and is instead serving www.bluett.com with an expired certificate for www.hatters.org.uk? If so, why is that happening and what can I do about it? The DNS is correct, the vhost appears to be set up correctly, but I don't know where in the chain the request is going wrong.

Yes.

No. You see that at

https://www.hatters.org.uk/

there is the bluett.com certificate.

OK I think the problem is in the inclusion statement.
Even though you have a file (/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf), it might not actually be used :(

Please show which file/folders are being included in the config:
grep -i include /etc/apache2/*.conf