Can request but not renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: baysideheritagegroup.info

I ran this command: certbot --apache certonly -d baysideheritagegroup.info --dry-run
and also
certbot renew --apache --cert-name baysideheritagegroup.info --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for baysideheritagegroup.info
The dry run was successful.
and
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/baysideheritagegroup.info.conf


Simulating renewal of an existing certificate for baysideheritagegroup.info and www.baysideheritagegroup.info

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.baysideheritagegroup.info
Type: unauthorized
Detail: 43.239.97.207: Invalid response from https://hamptonandsouthmed.au/: "\n<html lang="en-US">\n\n\t<meta charset="UTF-8" />\n\t<meta name="viewport" content="width=device-width, initial"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate baysideheritagegroup.info with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/baysideheritagegroup.info/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org.

My web server is (include version):
Apache/2.4.61 (Debian)
The operating system my web server runs on is (include version):
Debian 12
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

Welcome @michaelsandy

Requests to your subdomain www.baysideheritagegroup.info are redirecting HTTP requests to https://hamptonandsouthmed.au

Do you recognize that name? Likely something in your Apache config is doing that. The 'hampton' domain does not know how to respond correctly to the challenge (and why would it?) which is why that cert request fails.

Your root name baysideheritagegroup.info does not do the same redirect. Maybe you are missing a ServerAlias for your www name along with your root domain VirtualHost? Just an idea.

Also, it looks like you have two cert profiles where only one should be needed. Please show output of these commands if you want help sorting that out.

sudo apache2ctl -t -D DUMP_VHOSTS
sudo certbot certificates
2 Likes

thanks...'hamptonandsouthmed.au' is another domain I'm hosting and the hostname is hamptonandsouthmed.au

/sbin/apache2ctl -t -D DUMP_VHOSTS
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-bayside-heritage.conf:1
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server hamptonandsouthmed.com.au (/etc/apache2/sites-enabled/000-1hamptonandsouth.conf:2)
         port 80 namevhost hamptonandsouthmed.com.au (/etc/apache2/sites-enabled/000-1hamptonandsouth.conf:2)
                 alias www.hamptonandsouthmed.com.au
         port 80 namevhost baysideheritagegroup.info (/etc/apache2/sites-enabled/000-bayside-heritage.conf:2)
                 alias www.baysidheritagegroup.info
         port 80 namevhost hamptonandsouthmed.au (/etc/apache2/sites-enabled/000-hamptonandsouthmed.au.conf:2)
                 alias www.hamptonandsouthmed.au
*:443                  is a NameVirtualHost
         default server hamptonandsouthmed.com.au (/etc/apache2/sites-enabled/000-1hamptonandsouth.conf:40)
         port 443 namevhost hamptonandsouthmed.com.au (/etc/apache2/sites-enabled/000-1hamptonandsouth.conf:40)
                 alias www.hamptonandsouthmed.com.au
         port 443 namevhost baysideheritagegroup.info (/etc/apache2/sites-enabled/000-bayside-heritage.conf:23)
                 alias www.baysideheritagegroup.info
         port 443 namevhost hamptonandsouthmed.au (/etc/apache2/sites-enabled/000-hamptonandsouthmed.au.conf:23)
                 alias www.hamptonandsouthmed.au

and

Found the following certs:
  Certificate Name: baysideheritagegroup.info
    Serial Number: 3f8d978e8a4a91c6771185aa2bde5019fc6
    Key Type: ECDSA
    Domains: baysideheritagegroup.info www.baysideheritagegroup.info
    Expiry Date: 2025-01-30 11:25:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/baysideheritagegroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/baysideheritagegroup.info/privkey.pem
  Certificate Name: bhgroup.duckdns.org
    Serial Number: 42ea06af7b84d57a3d81c7d829a3014f9e3
    Key Type: RSA
    Domains: bhgroup.duckdns.org
    Expiry Date: 2024-09-07 13:46:25+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/bhgroup.duckdns.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bhgroup.duckdns.org/privkey.pem
  Certificate Name: hamptonandsouthmed.au
    Serial Number: 336eac6c7efd3990af7f83dcf19e2f0594f
    Key Type: ECDSA
    Domains: hamptonandsouthmed.au www.hamptonandsouthmed.au
    Expiry Date: 2025-01-30 11:15:23+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/hamptonandsouthmed.au/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hamptonandsouthmed.au/privkey.pem
  Certificate Name: hamptonandsouthmed.com.au
    Serial Number: 321d37a11776d9de02e0a0904b86daf34a1
    Key Type: ECDSA
    Domains: hamptonandsouthmed.com.au
    Expiry Date: 2024-12-13 05:16:22+00:00 (VALID: 41 days)
    Certificate Path: /etc/letsencrypt/live/hamptonandsouthmed.com.au/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hamptonandsouthmed.com.au/privkey.pem

You have duplicated VirtualHost naming the same port and domain names. That won't work as you expect. For some odd reason Apache starts up anyway but it won't work well. You have a similar problem for port 443.

That doesn't explain the faulty redirect for requests to your bayside domain though. You need to review your VirtualHost for stray redirects naming hampton. Or check any .htaccess or other ways you might be redirecting.

I will try to come back to the "extra" hampton cert later.

3 Likes

thanks, hamptonandsouthmed.com.au is permanently redirecting to hamptonandsouthmed.au but I thought I needed certificates for both...
.htaccess for baysideheritagegroup.info contains:

# RewriteCond %{HTTPS} off [OR]
# RewriteCond %{HTTP_HOST} ^www\.baysideheritagegroup\.info [NC]
# RewriteRule (.*) https://baysideheritagegroup.info/$1 [L,R=301]
#
# change to below due to problem error msg when renewing certificate, but without resolution
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
#
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
1 Like

My bad. I missed the '.com.au' part.

Keep looking for that redirect. Something is doing that. You can see the "wrong" domain in the error message for your cert request. That only happens if your system redirects.

2 Likes

thanks...will keep looking...might have to find a coding detective...

1 Like

Can you post the contents of this? Often it is here

Note the faulty redirect is also mis-directing HTTP requests for your "home" page

curl -i http://www.baysideheritagegroup.info
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.61 (Debian)
Location: https://hamptonandsouthmed.com.au/
3 Likes

thanks...I can't understand a reason for the curl output; here is the .conf file:

NameVirtualHost *:80
<VirtualHost *:80>
#
    DocumentRoot /var/www/html/baysideheritage
    ServerName baysideheritagegroup.info
    ServerAlias www.baysidheritagegroup.info
    <Directory /var/www/html/baysideheritage>
        # AllowOverride all <-- per chatgpt 14.07.24
        # Order Allow,Deny  <-- per chatgpt 14.07.24
        # Allow from all  <-- per chatgpt 14.07.24
        # Options +FollowSymlinks +Indexes <-- changed to below due to 'Really simple ssl' warning when used wordpress on another site though it not work so did this via the .htaccess (in /var/www/html/deakinthomas2/)
        # Options +FollowSymlinks -Indexes <-- problems when testing 14.07.24 - modified below per chat gpt advice
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
#
    </Directory>
# Redirect permanent / https://baysideheritagegroup.info/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>

    DocumentRoot /var/www/html/baysideheritage
    ServerName baysideheritagegroup.info
    ServerAlias www.baysideheritagegroup.info
    SSLEngine on

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLCompression off
    SSLOptions +StrictRequire

    <Directory /var/www/html/baysideheritage>
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    #ErrorLog /var/log/apache2/443-error-baysideheritage.log
    #CustomLog /var/log/apache2/443-access-baysideheritage.log common
    ErrorLog ${APACHE_LOG_DIR}/443-error.log
    CustomLog ${APACHE_LOG_DIR}/443-access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    # SSLCertificateFile /etc/letsencrypt/live/hamptonandsouthmed.au/fullchain.pem
    # SSLCertificateKeyFile /etc/letsencrypt/live/hamptonandsouthmed.au/privkey.pem

    SSLCertificateFile /etc/letsencrypt/live/baysideheritagegroup.info/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/baysideheritagegroup.info/privkey.pem
</VirtualHost>
1 Like

Maybe try restarting your server or at least Apache?

Yeah, I don't see any active redirects in that VirtualHost. But, something is doing it.

I see your WordPress is redirecting HTTPS requests. Maybe it is doing HTTP too but not saying so? I am very much guessing.

Or, maybe you need to un-comment the first 3 lines in that .htaccess you showed? Not sure why that would mis-direct as it is but ... (also another wild guess)

curl -i http://www.baysideheritagegroup.info
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.61 (Debian)
Location: https://hamptonandsouthmed.com.au/

curl -i https://www.baysideheritagegroup.info
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.61 (Debian)
X-Redirect-By: WordPress
Location: https://baysideheritagegroup.info/
2 Likes

thanks+++ for the clues Mike...have restarted apache supernumerous times!
I might try a different dns service other than the usual one
will update when hopefully solved...

2 Likes

No, it is not a DNS problem. I am confident it is Apache related. You can see the "Server" response header to the HTTP request.

2 Likes

eureka..!:
(ChatGPT) ....looks mostly correct. However, there are a few points to review and clarify:
Observations:
ServerAlias Typo:
ServerAlias www.baysidheritagegroup.info is missing an e in baysideheritagegroup.info. It should be:

ServerAlias www.baysideheritagegroup.info
2 Likes
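An added consistency check, not code from this thread, from Certbot or from Apache: it parses constructed output shaped like `apache2ctl -t -D DUMP_VHOSTS` (using the port-80 names posted above) and compares every ServerName and ServerAlias against the "Domains:" lists from `certbot certificates`, flagging duplicate names on one port and any vhost name that no certificate covers, with a closest-match hint that points straight at the missing `e`. On a live box, feed it the real DUMP_VHOSTS output instead of the sample.

```python
import difflib
import re

# Constructed sample shaped like `apache2ctl -t -D DUMP_VHOSTS` output, using this thread's port-80 names.
DUMP_VHOSTS = """\
*:80                   is a NameVirtualHost
         port 80 namevhost hamptonandsouthmed.com.au (/etc/apache2/sites-enabled/000-1hamptonandsouth.conf:2)
                 alias www.hamptonandsouthmed.com.au
         port 80 namevhost baysideheritagegroup.info (/etc/apache2/sites-enabled/000-bayside-heritage.conf:2)
                 alias www.baysidheritagegroup.info
         port 80 namevhost hamptonandsouthmed.au (/etc/apache2/sites-enabled/000-hamptonandsouthmed.au.conf:2)
                 alias www.hamptonandsouthmed.au
"""

# Constructed from the "Domains:" lines of `certbot certificates` above (expired duckdns cert omitted).
CERT_DOMAINS = {
    "baysideheritagegroup.info": ["baysideheritagegroup.info", "www.baysideheritagegroup.info"],
    "hamptonandsouthmed.au": ["hamptonandsouthmed.au", "www.hamptonandsouthmed.au"],
    "hamptonandsouthmed.com.au": ["hamptonandsouthmed.com.au"],
}

NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_dump_vhosts(text):
    """Return (port, hostname) for every ServerName and ServerAlias listed."""
    entries, port = [], None
    for line in text.splitlines():
        m, a = NAMEVHOST_RE.match(line), ALIAS_RE.match(line)
        if m:
            port = int(m.group(1))
            entries.append((port, m.group(2)))
        elif a and port is not None:  # alias lines belong to the preceding namevhost
            entries.append((port, a.group(1)))
    return entries


def find_problems(entries, cert_domains):
    """Flag duplicate (port, name) pairs and names no certificate covers (with a closest-match hint)."""
    covered = {d for names in cert_domains.values() for d in names}
    seen, problems = set(), []
    for port, name in entries:
        if (port, name) in seen:
            problems.append(f"duplicate vhost name {name} on port {port}")
        seen.add((port, name))
        if name not in covered:
            close = difflib.get_close_matches(name, covered, n=1, cutoff=0.8)
            hint = f" (did you mean {close[0]}?)" if close else ""
            problems.append(f"{name} (port {port}) is not in any certificate{hint}")
    return problems
```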

I was so close 🙂 Glad you found the typo

2 Likes
