Apache 000-default.conf issue causing cert renewal failure?


My domain is: alice.hatters.org.uk

I ran this command: sudo certbot renew --dry-run

It produced this output:

   Domain: alice.hatters.org.uk
   Type:   unauthorized
   Detail: Invalid response from
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is (include version): Apache2

The operating system my web server runs on is: Ubuntu 18.04

My hosting provider, if applicable, is: Jump Networks

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is: 0.28.0

While the domain given is alice.hatters.org.uk, that is the canonical name of the host machine. The web server’s name is www.hatters.org.uk. I’m not sure why the canonical name is getting involved in the certificate otherwise, nor why I’m getting this error now when renewals have been happening fine until now.

There is no LE version of the Apache 000-default.conf file though - is that an issue? All other web certificates on the machine are renewing fine.


Hi @gilgongo

I checked your server via https://check-your-website.server-daten.de/?q=alice.hatters.org.uk and the general configuration looks ok.

Domainname Http-Status redirect Sec. G
http://alice.hatters.org.uk/ 200 0.060 H
2001:ba8:0:2c38::39 200 0.064 H
https://alice.hatters.org.uk/ 200 1.670 N
Certificate error: RemoteCertificateChainErrors
2001:ba8:0:2c38::39 200 1.330 N
Certificate error: RemoteCertificateChainErrors
http://alice.hatters.org.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.063 A
Not Found
2001:ba8:0:2c38::39 404 0.063 A
Not Found

http / port 80 works with your ipv4 and your ipv6 address, the server headers are the same.

So try to find your DocumentRoot / webroot. Then use it:

certbot certonly -a webroot -w yourDocumentRoot -d alice.hatters.org.uk -d www.hatters.org.uk

Your expired certificate has the same domain names.

But your www-version has a wrong certificate ( https://check-your-website.server-daten.de/?q=hatters.org.uk ):

expires in 33 days	bluett.com, www.bluett.com - 2 entries


Thanks. When I try that with the web root I get the same error. But what does “your www-version has a wrong certificate” mean exactly?


The cert served by www.hatters.org.uk doesn’t match the name:

Check which certificates have been issued and which names they cover with:
certbot certificates


Then your web root is wrong or these domains have different webroots.

So find your webroot, create there the two subdirectories


there a file (file name 1234), then try to load this file via


If that works, we know, you have your correct webroot.

I’ve checked that domain with the same tool. The result ( https://check-your-website.server-daten.de/?q=hatters.org.uk ):

Domainname Http-Status redirect Sec. G
http://www.hatters.org.uk/ 301 https://www.hatters.org.uk/ 0.080 A
2001:ba8:0:2c38::39 301 https://www.hatters.org.uk/ 0.060 A
https://www.hatters.org.uk/ 200 5.626 N
Certificate error: RemoteCertificateNameMismatch
2001:ba8:0:2c38::39 200 5.280 N
Certificate error: RemoteCertificateNameMismatch

Two unsecure connections. And

expires in 32 days	bluett.com, www.bluett.com - 2 entries

as the only certificate. So this domain uses the wrong certificate.

Recheck your domain to see that.


Yes, these domains (hatters.org.uk and bluett.com) have different web roots. I have no idea why they got confused. hatters.org.uk has been auto-renewing OK until now. And there is a separate cert for bluett.com that seems to be working OK for that site (on its different webroot).

What can I do to fix the problem with hatters.org.uk? I’m a bit confused as to what “certificate” means in this context and what is referring to what.

If I do certbot certificates -d www.hatters.org.uk I get:

  Certificate Name: alice.hatters.org.uk
    Domains: www.hatters.org.uk alice.hatters.org.uk
    Expiry Date: 2019-01-14 19:23:19+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/alice.hatters.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alice.hatters.org.uk/privkey.pem

There is no mention of bluett.com there though. That domain comes up as valid if I query it with the above command.

Should I run certbot delete -d alice.hatters.org.uk and then certbot certonly --cert-name www.hatters.org.uk -d www.hatters.org.uk,alice.hatters.org.uk to set it up again?

I’m not sure what to do.




in your browser. Then you see the wrong certificate.

Don’t delete certificates.

Your www.hatters.org.uk VirtualHost uses the wrong certificate. So check that vHost.


Start by reviewing the certs used by the vhosts with the output of:
grep -Eri 'servername|serveralias|virtualhost|documentroot|sslcert' /etc/apache2

[feel free to post it here if you need help in understanding any of that output]


OK so from the Vhost config, I can see that the docroot is /home/hatters/html and the certificate files are in /etc/letsencrypt/live/alice.hatters.org.uk.* The docroot hasn’t been changed for that server for years. In fact none of the Apache configs have.

The Vhost config Certificate Name details that certbot reports for www.hatters.org.uk are indeed for www.hatters.org.uk and alice.hatters.org.uk, which is what the Apache host should resolve to.

Certbot doesn’t mention anything to do with www.bluett.com, yet the cert in my browser for www.hatters.org.uk says it’s been issued to bluett.com. That site is also a site we host, and its certificate is fine (and as far as I know its Apache config hasn’t changed).

I’m afraid I don’t understand what to do. How can I get the certificate for www.hatters.org.uk to be for that site and not bluett.com?


Your alice.hatters.org.uk has one certificate with both domain names ( https://check-your-website.server-daten.de/?q=alice.hatters.org.uk ):

31 days expired	alice.hatters.org.uk, www.hatters.org.uk - 2 entries

Your www.hatters.org.uk has the wrong certificate.

One VirtualHost can use one certificate.


  • there is no VirtualHost with www.hatters.org.uk as ServerName or ServerAlias, then the standard VirtualHost or the first VirtualHost is used or
  • there is a VirtualHost with the wrong certificate

So check your config if you have an explicit VirtualHost with www.hatters.org.uk. If not, create one (copy the alice-vHost and change the details).


Then the output should have shown that www.hatters.org.uk is not specifically included in any vhost and is therefore being served by the default vhost (or, the first vhost, if a default vhost is not defined).


But it is included in the vhost config and has been for a number of years. As far as I can tell, everything is set up OK. And indeed has been working fine ever since I set up LE on my server over two years ago… until now.

I don’t have a *-le-ssl-conf version of 000-default.conf. But I don’t know why that might mean Apache is serving port 443 requests for www.hatters.org.uk with the cert for bluett.com though. I assume bluett.com is the first vhost in that case - but why is this happening? And more importantly, I have no ideas about how to fix it.


Then this vHost isn’t used. Or in the vHost is the wrong certificate included.


PS: Share this vHost - configuration.

And the content of this file (the public key):

SSLCertificateFile      /path-to-the-certificate


Four eyes are better than two…
Can you show the output of?:


Thanks - the vhost config is as follows:

<VirtualHost [::]:443 *:443>
         ServerName www.hatters.org.uk
         ServerName alice.hatters.org.uk
         ServerAdmin webmaster@hatters.org.uk
         DocumentRoot /home/hatters/html
 ... various <Directory configs...
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/alice.hatters.org.uk/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/alice.hatters.org.uk/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/alice.hatters.org.uk/chain.pem

The SSLCertificateFile contents:


The output of grep -Eri 'servername|serveralias|virtualhost|documentroot|sslcert' for the servers in question is:

/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80 [::]:80>
/etc/apache2/sites-available/000-default.conf:# DocumentRoot /var/www
/etc/apache2/sites-available/000-default.conf:    DocumentRoot /var/www/error/
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:<VirtualHost [::]:443 *:443>
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       ServerName www.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       ServerName alice.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       DocumentRoot /home/hatters/html
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateFile /etc/letsencrypt/live/alice.hatters.org.uk/cert.pem
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateKeyFile /etc/letsencrypt/live/alice.hatters.org.uk/privkey.pem
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateChainFile /etc/letsencrypt/live/alice.hatters.org.uk/chain.pem
/home/conf/hatters/apache/www.hatters.org.uk.conf:<VirtualHost [::]:80 *:80>
/home/conf/hatters/apache/www.hatters.org.uk.conf:      ServerName www.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk.conf:      ServerAlias alice.hatters.org.uk
/home/conf/michael/apache/bluett.com.conf:<VirtualHost [::]:80 *:80>
/home/conf/michael/apache/bluett.com.conf:ServerAlias bluett.com
/home/conf/michael/apache/www.bluett.com.20160612.conf:<VirtualHost [::]:80 *:80>
/home/conf/michael/apache/www.bluett.com.20160612.conf:DocumentRoot /home/michael/html/michael/bluett/
/home/conf/michael/apache/www.bluett.com.20160612.conf:ServerName www.bluett.com
/home/conf/michael/apache/www.bluett.com.20160612.conf:ServerAlias *.bluett.com
/home/conf/michael/apache/bluett.com-le-ssl.conf:<VirtualHost [::]:443 *:443>
/home/conf/michael/apache/bluett.com-le-ssl.conf:DocumentRoot /home/michael/html/michael/bluett/
/home/conf/michael/apache/bluett.com-le-ssl.conf:ServerName bluett.com
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/bluett.com/cert.pem
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/bluett.com/privkey.pem
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/bluett.com/chain.pem

Seems to be duplicate configs for bluett.com, and I don’t know if that ServerAlias *.bluett.com is causing a problem?
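The vhost selection rule described earlier in the thread (a matching ServerName or ServerAlias, otherwise the first vhost), applied to a subset of the grep lines above. This is an added example, not part of any post; `parse_vhosts` and `select_vhost` are hypothetical helper names. It assumes that a repeated ServerName inside one vhost replaces the earlier value, it simplifies Apache's matching to "first match in the order given", and it assumes the caller supplies the real load order, which grep's file order does not show.

```python
import re
from fnmatch import fnmatch

# Sample input: a subset of the grep lines posted in the thread (grep order, not Apache's load order).
GREP_OUTPUT = """\
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:<VirtualHost [::]:443 *:443>
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       ServerName www.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:       ServerName alice.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf:  SSLCertificateFile /etc/letsencrypt/live/alice.hatters.org.uk/cert.pem
/home/conf/hatters/apache/www.hatters.org.uk.conf:<VirtualHost [::]:80 *:80>
/home/conf/hatters/apache/www.hatters.org.uk.conf:      ServerName www.hatters.org.uk
/home/conf/hatters/apache/www.hatters.org.uk.conf:      ServerAlias alice.hatters.org.uk
/home/conf/michael/apache/bluett.com-le-ssl.conf:<VirtualHost [::]:443 *:443>
/home/conf/michael/apache/bluett.com-le-ssl.conf:ServerName bluett.com
/home/conf/michael/apache/bluett.com-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/bluett.com/cert.pem
"""

def parse_vhosts(grep_output):
    """Group 'file:directive' lines into one dict per <VirtualHost> block, in input order."""
    vhosts = []
    for line in grep_output.splitlines():
        path, _, text = line.partition(":")
        text = text.strip()
        m = re.match(r"<VirtualHost\s+(.*)>", text, re.I)
        if m:
            ports = {addr.rsplit(":", 1)[-1] for addr in m.group(1).split()}
            vhosts.append({"file": path, "ports": ports, "name": None, "aliases": [], "cert": None})
        elif vhosts and vhosts[-1]["file"] == path:
            key, value = (text.split(None, 1) + ["", ""])[:2]
            key, value, vh = key.lower(), value.strip(), vhosts[-1]
            if key == "servername":
                vh["name"] = value.lower()  # assumption: a repeated ServerName replaces the earlier one
            elif key == "serveralias":
                vh["aliases"] += value.lower().split()
            elif key == "sslcertificatefile":
                vh["cert"] = value
    return vhosts

def select_vhost(vhosts, host, port):
    """First vhost on `port` (in the order given) naming `host`; else the first vhost on that port."""
    candidates = [v for v in vhosts if port in v["ports"]]
    for v in candidates:
        if v["name"] == host.lower() or any(fnmatch(host.lower(), a) for a in v["aliases"]):
            return v
    return candidates[0] if candidates else None

if __name__ == "__main__":
    for order in (parse_vhosts(GREP_OUTPUT), parse_vhosts(GREP_OUTPUT)[::-1]):
        print(select_vhost(order, "www.hatters.org.uk", "443")["cert"])
```

Under these assumptions www.hatters.org.uk matches no port-443 vhost by name, so the certificate it gets depends only on which 443 vhost is loaded first; `apache2ctl -S` prints the order and names the running server actually uses.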


The certificate is the expired certificate with


So this vHost isn’t used.


Do you mean Apache isn’t serving www.hatters.org.uk when a request is made for it on port 443 and is instead serving www.bluett.com with an expired certificate for www.hatters.org.uk? If so, why is that happening and what can I do about it? The DNS is correct, the vhost appears to be set up correctly, but I don’t know where in the chain the request is going wrong.



No. You see that


there is the bluett.com - certificate.


OK I think the problem is in the inclusion statement.
Even though you have a file (/home/conf/hatters/apache/www.hatters.org.uk-le-ssl.conf), it might not actually be used :(

Please show which file/folders are being included in the config:
grep -i include /etc/apache2/*.conf