Cannot certify on Apache with HTTP 404

Help
1

Hi,

It’s the first time I ever try to use Let’s Encrypt, and I’m having a few issues.

I’m on a Debian server, and I’d like to set up a certificate on Apache.
My made-up domain is meet.mydomain.org, and my public IP address is 1.2.3.4. Please note that https://crt.sh/?q=meet.mydomain.org does NOT show any results.
My public DNS settings have an A record for meet.mydomain.org that resolves to 1.2.3.4.

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.12 (stretch)
Release:        9.12
Codename:       stretch

# certbot --version
certbot 0.28.0

# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: meet.mydomain.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for meet.mydomain.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. meet.mydomain.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://meet.mydomain.org/.well-known/acme-challenge/9Ft4y7YWmEMzyKZrnkEtoMXzMjTvoDQU_Z8ep0bvlIs [1.2.3.4]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: meet.mydomain.org
   Type:   unauthorized
   Detail: Invalid response from
   http://meet.mydomain.org/.well-known/acme-challenge/9Ft4y7YWmEMzyKZrnkEtoMXzMjTvoDQU_Z8ep0bvlIs
   [1.2.3.4]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


# cat  /var/log/letsencrypt/letsencrypt.log
2020-03-28 09:56:27,483:DEBUG:certbot.main:certbot version: 0.28.0
2020-03-28 09:56:27,488:DEBUG:certbot.main:Arguments: ['--apache']
2020-03-28 09:56:27,491:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-03-28 09:56:27,535:DEBUG:certbot.log:Root logging level set at 20
2020-03-28 09:56:27,539:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-03-28 09:56:27,542:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2020-03-28 09:56:27,706:DEBUG:certbot_apache.configurator:Apache version is 2.4.25
2020-03-28 09:56:28,713:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0xb6bb602c>
Prep: True
2020-03-28 09:56:28,718:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0xb6bb602c> and installer <certbot_apache.override_debian.DebianConfigurator object at 0xb6bb602c>
2020-03-28 09:56:28,719:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2020-03-28 09:56:28,734:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service=None, new_authzr_uri=None, body=Registration(key=None, only_return_existing=None, status=None, terms_of_service_agreed=None, contact=(), agreement=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/81754208'), 794af27f8fa823b8c34f4bd5181f6b6b, Meta(creation_host='inf-conf.mydomain.org', creation_dt=datetime.datetime(2020, 3, 27, 14, 35, 7, tzinfo=<UTC>)))>
2020-03-28 09:56:28,740:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-03-28 09:56:28,758:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-03-28 09:56:29,490:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-03-28 09:56:29,493:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 08:56:29 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "UIWqiqFzDVs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-03-28 09:56:32,712:INFO:certbot.main:Obtaining a new certificate
2020-03-28 09:56:33,192:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
2020-03-28 09:56:33,212:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem
2020-03-28 09:56:33,214:DEBUG:acme.client:Requesting fresh nonce
2020-03-28 09:56:33,215:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-03-28 09:56:33,390:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-03-28 09:56:33,392:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 08:56:33 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002yHiGS_OBGleKvUVZJ9us8JfI6SYDGtCSjgvQIwqL6zs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-03-28 09:56:33,392:DEBUG:acme.client:Storing nonce: 0002yHiGS_OBGleKvUVZJ9us8JfI6SYDGtCSjgvQIwqL6zs
2020-03-28 09:56:33,394:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "meet.mydomain.org"\n    }\n  ]\n}'
2020-03-28 09:56:33,415:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1lZXQuaG9zcGl0YWxtYW5hY29yLm9yZyIKICAgIH0KICBdCn0",
  "signature": "az-PsXahN2SMyMAKQEXOu34Bd-4uPplvuJtOr7HYpDsXbPjMBLLojcs8g6FfhIWHsDwfjNg_ZY93AOC16L76HWKHehccxj0MVVHfIIjbx7uIVI4lU7-3WmW0Bli5_RRsYDwyyrTwLDnESgbmNJ1JeitZ0Dz5AExfuN2UcwPglZIlcdf1MHUqEv4tttq5ooJI888kHUfFGNeJ5VgHH6ev8ykTJMoOeEMOD5KR2VWSLd-vFJc3r2OoP8Rr7FV2X56UH3keDQU6eg9N1MvSP431yoj5El-QPhV_oDGYHEM8o4qbFQE6Jkab3h3bfTwpw8C99EW06Yo4NFZj6dGIhojwFQ",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzgxNzU0MjA4IiwgImFsZyI6ICJSUzI1NiIsICJub25jZSI6ICIwMDAyeUhpR1NfT0JHbGVLdlVWWko5dXM4SmZJNlNZREd0Q1NqZ3ZRSXdxTDZ6cyJ9"
}
2020-03-28 09:56:33,731:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 354
2020-03-28 09:56:33,734:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 28 Mar 2020 08:56:33 GMT
Content-Type: application/json
Content-Length: 354
Connection: keep-alive
Boulder-Requester: 81754208
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/81754208/2807199315
Replay-Nonce: 00027eEmd7s0ZER1frWeJQ1HNVu3OnrEP1D8m6kT3uOeD2E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-04-04T08:56:33.632416702Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "meet.mydomain.org"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3611398378"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/81754208/2807199315"
}
2020-03-28 09:56:33,734:DEBUG:acme.client:Storing nonce: 00027eEmd7s0ZER1frWeJQ1HNVu3OnrEP1D8m6kT3uOeD2E
2020-03-28 09:56:33,735:DEBUG:acme.client:JWS payload:
b''
2020-03-28 09:56:33,752:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3611398378:
{
  "payload": "",
  "signature": "WelEO90vbRSu-DVCQiPgUh7fa1sQKYbBbItukWlwXeABKoK3ZW5DbmYMaBtdv2SNL5khafO8ccinv5uvOoz9u9IwN3h4GAgSz0ieFt52accAIi9Lm2IQCd5TYsWm7e6v184QVxSgmwehy7BWef6H90xLxIBDlEhPWTjCVLtYOv9kSoTyJ244QOd1Wn92VSYIRlLbzTGnH7w0g5HgUfvurqIkW1z1yijw6a6N0d9DfZGrHzrDSubJb4nj6o8PQ0tde4oygVrBGvd7zQTOo9IlLc_04JGmfQHumJ4CVdsl5DgUB-Ybv3yFYRPW_iPjW06h42ClsNJiq_AxDAzzOujdYQ",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzYxMTM5ODM3OCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84MTc1NDIwOCIsICJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAiMDAwMjdlRW1kN3MwWkVSMWZyV2VKUTFITlZ1M09uckVQMUQ4bTZrVDN1T2VEMkUifQ"
}
2020-03-28 09:56:33,944:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3611398378 HTTP/1.1" 200 802
2020-03-28 09:56:33,947:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 08:56:33 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 81754208
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001HMi0pMT4_KiGXSoipEiPk9mDjDM3bFMAjO-yp16J_LY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "meet.mydomain.org"
  },
  "status": "pending",
  "expires": "2020-04-04T08:56:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/gnyYPQ",
      "token": "_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/cgYhLQ",
      "token": "_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/8PHAAg",
      "token": "_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc"
    }
  ]
}
2020-03-28 09:56:33,948:DEBUG:acme.client:Storing nonce: 0001HMi0pMT4_KiGXSoipEiPk9mDjDM3bFMAjO-yp16J_LY
2020-03-28 09:56:33,950:INFO:certbot.auth_handler:Performing the following challenges:
2020-03-28 09:56:33,951:INFO:certbot.auth_handler:http-01 challenge for meet.mydomain.org
2020-03-28 09:56:34,103:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: meet.mydomain.org in: /etc/apache2/sites-enabled/meet.mydomain.org.conf
2020-03-28 09:56:34,105:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2020-03-28 09:56:34,106:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

2020-03-28 09:56:34,188:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/meet.mydomain.org.conf
2020-03-28 09:56:37,537:INFO:certbot.auth_handler:Waiting for verification...
2020-03-28 09:56:37,539:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge"\n}'
2020-03-28 09:56:37,557:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/gnyYPQ:
{
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0",
  "signature": "hAoBpHxedcJ3BL6-6cInAY693B26x94xFvP-pB0zFbgJhSi-n8b-aKIfgK4o3xAHjdgD3k3B7K3jk3kJeIpBHkYfY09359s5MsCpVnHRezvaSaA2cW1600gMABak1djTXlW9ZLldlR8JoaAy1B50h-04fppqu2Iu6EsrUxqmcycVEFztdlp7gK14ubp3KhLmsagsdlRhs90r9UduPPGcUMqjyhej33RD2uHTbmVRKETqmCsIW8a0raa_MvyHyIy6E4fpLrj2d52wiIE7hRVEWqwCptlQ3vKskhaAHdHwDxy99uy3o6DH4Sr-NjkkF-lAkJxB6pmstm8gx55Tw7uJFw",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMzYxMTM5ODM3OC9nbnlZUFEiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODE3NTQyMDgiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogIjAwMDFITWkwcE1UNF9LaUdYU29pcEVpUGs5bURqRE0zYkZNQWpPLXlwMTZKX0xZIn0"
}
2020-03-28 09:56:37,750:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/3611398378/gnyYPQ HTTP/1.1" 200 185
2020-03-28 09:56:37,753:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 08:56:37 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 81754208
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/3611398378>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/gnyYPQ
Replay-Nonce: 0001JOqsU6wM0p5bvFeMdFrJAS2h0iCLQRNespc3LnkGqPo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/gnyYPQ",
  "token": "_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc"
}
2020-03-28 09:56:37,753:DEBUG:acme.client:Storing nonce: 0001JOqsU6wM0p5bvFeMdFrJAS2h0iCLQRNespc3LnkGqPo
2020-03-28 09:56:40,758:DEBUG:acme.client:JWS payload:
b''
2020-03-28 09:56:40,775:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3611398378:
{
  "payload": "",
  "signature": "I_XE9QpNu1weV-oJS_aPeckF0yZI66zeXZjfOAhZ2xnNY5ozzOaluattCjHqgiPBgfTLWVmynwOKiAeQPTM52QaWq1SQPvp2tXkA27rhnhYABmRH4otx0fxT9bYF6OBKwKmozYxR2_VsbEMNkpgmnwucgGE606RS3X6R9Cw1t_koVGD4DDpNFOfeLX2-tTPmf8FmY_00TUCl_eXWnXFGPIaxx-hutygcQBcH-eM-BgejvkiUKJIykGVEYc03xWQ2NBE-lKwcu0hkhONlawYfScJ-FF9htz46oLXSwR3-SwOZZNXhIqGdqJaucg89lvpDuj0Dv2hphlPzPiIVsWByeg",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzYxMTM5ODM3OCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84MTc1NDIwOCIsICJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAiMDAwMUpPcXNVNndNMHA1YnZGZU1kRnJKQVMyaDBpQ0xRUk5lc3BjM0xua0dxUG8ifQ"
}
2020-03-28 09:56:40,958:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3611398378 HTTP/1.1" 200 1023
2020-03-28 09:56:40,960:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Mar 2020 08:56:40 GMT
Content-Type: application/json
Content-Length: 1023
Connection: keep-alive
Boulder-Requester: 81754208
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002VqSPiCDZ0vXwumsiIN-sFGcEYtCU-e--BJAXR59wZbw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "meet.mydomain.org"
  },
  "status": "invalid",
  "expires": "2020-04-04T08:56:33Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://meet.mydomain.org/.well-known/acme-challenge/_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc [1.2.3.4]: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3611398378/gnyYPQ",
      "token": "_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc",
      "validationRecord": [
        {
          "url": "http://meet.mydomain.org/.well-known/acme-challenge/_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc",
          "hostname": "meet.mydomain.org",
          "port": "80",
          "addressesResolved": [
            "1.2.3.4"
          ],
          "addressUsed": "1.2.3.4"
        }
      ]
    }
  ]
}
2020-03-28 09:56:40,961:DEBUG:acme.client:Storing nonce: 0002VqSPiCDZ0vXwumsiIN-sFGcEYtCU-e--BJAXR59wZbw
2020-03-28 09:56:40,963:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: meet.mydomain.org
Type:   unauthorized
Detail: Invalid response from http://meet.mydomain.org/.well-known/acme-challenge/_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc [1.2.3.4]: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-03-28 09:56:40,965:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. meet.mydomain.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://meet.mydomain.org/.well-known/acme-challenge/_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc [1.2.3.4]: 404

2020-03-28 09:56:40,966:DEBUG:certbot.error_handler:Calling registered functions
2020-03-28 09:56:40,966:INFO:certbot.auth_handler:Cleaning up challenges
2020-03-28 09:56:41,491:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1094, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 392, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. meet.mydomain.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://meet.mydomain.org/.well-known/acme-challenge/_ZAJ4PUGcavNXUUd4sSs3SWwb9OpbMWicGF9b3GIEgc [1.2.3.4]: 404

This is my Apache config file after running the script (which the script apparently restores from backup):

# cat /etc/apache2/sites-enabled/meet.mydomain.org.conf

<VirtualHost *:80>
    ServerName meet.mydomain.org
    Redirect permanent / https://meet.mydomain.org/
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>

  ServerName meet.mydomain.org

  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /etc/ssl/meet.mydomain.org.crt
  SSLCertificateKeyFile /etc/ssl/meet.mydomain.org.key
  SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED"
  SSLHonorCipherOrder on
  Header set Strict-Transport-Security "max-age=31536000"

  DocumentRoot "/usr/share/jitsi-meet"
  <Directory "/usr/share/jitsi-meet">
    Options Indexes MultiViews Includes FollowSymLinks
    AddOutputFilter Includes html
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  ErrorDocument 404 /static/404.html

  Alias "/config.js" "/etc/jitsi/meet/meet.mydomain.org-config.js"
  <Location /config.js>
    Require all granted
  </Location>

  Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js"
  <Location /external_api.js>
    Require all granted
  </Location>

  ProxyPreserveHost on
  ProxyPass /http-bind http://localhost:5280/http-bind/
  ProxyPassReverse /http-bind http://localhost:5280/http-bind/

  RewriteEngine on
  RewriteRule ^/([a-zA-Z0-9]+)$ /index.html
</VirtualHost>

What can I try?

Regards,

Vieri

2

you can try with

certbot --webroot -w /usr/share/jitsi-meet --dry-run

if it works, remove --dry-run

(I suspect --apache doesn’t work because mod_rewrite is not enabled, but this doesn’t look like a good reason to enable it. Does your http-> https redirect work?)

3

Interestingly enough, that redirect isn't triggered at all when I surf to your hostname (yes, your hostname isn't hidden in all the data you've posted and no, you shouldn't have hidden it in the first place).

Also, why do you have a Redirect directive and a RewriteRule to redirect to HTTPS?

Anyway, both aren't working at all, so I'm guessing your Apache configuration isn't working properly. On your HTTP site, I'm getting a nice "Hospital Manacor - Servicios Informáticos" greeting, no redirect at all. But if you look at the configuration you've posted, I shouldn't be getting that info at all! I should be seeing a redirect. The :80 virtualhost doesn't even contain a DocumentRoot nor Proxy-directives.

So, please go through your Apache configuration and figure out what virtualhost is being used and which not. Fix the configuration file(s) and try certbot again.

1 Like
4

OK, so the real FQDN is https://meet.hospitalmanacor.org/.
If I go to http://meet.hospitalmanacor.org/ it redirects to https.
I’ll try the explicit certbot command line.

5

Nope, just like I said: it doesn't from my end.

What is the output of apache2ctl -S?

6

I see this: (with no redirect)

immagine
immagine1526×903 121 KB

If you’re trying to get a certificate for a virtualhost that’s not reachable from the public internet, you need to use the dns-01 challenge. (Or configure the public virtualhost to satisfy the http-01 challenge, then use the certificate on the internal virtualhost too.)

1 Like
7

I am accessing http://meet.hospitalmanacor.org from the internet, and it is redirecting to https showing me a different web site (the Jitsi-Meet conferencing system).
There might be a firewall/IPS/geoip system wrongly forcing you to see the other page.
I’ll have to check that out.
If that’s the case then sorry for the noise. I’ve installed this system really quickly to allow for isolated hospitalized patients (covid-19) to communicate with their families or with nurses or doctors.
I’m sure that in the rush I’m making a lot of dumb mistakes.

Thanks

8

Since you need it right now, remove

    Redirect permanent / https://meet.mydomain.org/
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

from the http virtualhost, and try again (then let certbot add a redirect)

please be aware that any firewall blocking us can block the validation servers as well, open it. (I can see the jitsi instance if I go manually on https)

if you need it even sooner, there are some public instances here: https://iorestoacasa.work/ (is Italian a problem? GDPR might be.)

9

Hi @vieridipaola

that's your browser. Browsers cache redirects, so you should use online tools or command line tools to check such things.

See https://check-your-website.server-daten.de/?q=meet.hospitalmanacor.org#url-checks

Domainname Http-Status redirect Sec. G
http://meet.hospitalmanacor.org/ 212.170.94.168 No GZip used - 2898 / 8929 - 32,46 % possible 200 Html is minified: 137,79 % 0.143 H
https://meet.hospitalmanacor.org/ 212.170.94.168 -14 10.020 T
Timeout - The operation has timed out
http://meet.hospitalmanacor.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 212.170.94.168 No GZip used - 2898 / 8929 - 32,46 % possible Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 200 Html is minified: 137,79 % 0.134

There is no redirect http -> https. https has a timeout.

And http + /.well-known/acme-challenge/random-filename has a wrong http status 200. A http status 404 - Not Found is expected.

The online tool sees:

Visible Content: Streaming Remote Access File Share Speed Test IT (admin) Web Filter Routing Shield VPN Browser Softphone Speed Test   Acceso Denegado El acceso al Hospital de Manacor ha sido denegado porque se ha detectado trafico no autorizado. Ver Detalles El Servicio de Informática puede gestionar los accesos desde aquí. Gestionar (IT) Hospital de Manacor About HMAN Intranet HMAN Extranet SSIB Intranet CAIB Intranet CAIB Extranet Address Ctra. Manacor-Alcudia, 07500, Manacor, Spain + 34 971 84 70 00 Follow Us 2019 Copyright: Hospital Manacor Web UI

My browser sees:

Hospital de Manacor (error inffwacc2)

10

Finally working. It was a firewall misconfiguration.
Thank you all so much.

One last thing. The script ends with:

Configuring apache2

What does this do exactly?
I don’t think it includes the newly-generated certificates:

root@inf-conf:/etc/apache2# grep -r letsencrypt *

I’ll include them manually then.
Thanks again,

Vieri

11

It's supposed to install the certificates into the right virtualhosts, but it hasn't. Can you show us the full output?

You can tell certbot to install the certificates with certbot install

12

certbot install did the trick.

Huge thanks to everyone, really.

1 Like
13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.