Cannot Create a new certificate

Hope someone can help me figure out what I am doing wrong, as I have used let’s Encrypt for about 3 years without problems and it always worked wonderfully until my last renewal.

I have searched and try different solution in this forum but I cannot get it to work.
Port 80 is enabled in my router, IPv6 should be disabled (help me to verify if I did it correctly thus), I have created this directory and put a test file in it and it shows correctly on my website path:

I have no idea why it doens’t work.

I cannot renew or create a new certificate, I keep getting this error:


There are the latest logs:

2019-06-09 13:43:56,994:DEBUG:certbot.error_handler:Calling registered functions
2019-06-09 13:43:56,994:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-09 13:43:57,267:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.31.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/”, line 1365, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/”, line 1119, in run
certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/”, line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: “\n\n404 Not Found\n\n

Not Found


My domain is:

I ran this command:
sudo certbot --apache -d and also tried sudo certbot --apache

It produced this output:


The operating system my web server runs on is (include version):
Ubuntu Server 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Not sure what is a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Hi @ExMM

there is a check of your domain ( ):

That looks good:

Domainname Http-Status redirect Sec. G 301 0.587 A 200 2.557 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors 301 0.567 A
Visible Content: Moved Permanently The document has moved here . Apache/2.4.29 (Ubuntu) Server at Port 80 404 2.290 N
Not Found
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at Port 443

Port 80 is open, checking a file in /.well-known/acme-challenge there is a redirect http -> https, that's ok, Letsencrypt follows these redirects.

So try to find your DocumentRoot of your port 443 vHost and use it:

certbot run -a webroot -i apache -w yourDocumentRoot -d
1 Like

Thank you very much for your quick reply!

I ran your command and at first seems like it worked:


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2019-09-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/nextcloud.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/nextcloud-le-ssl.conf because they
    have the potential to create redirection loops.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

But when I test it on, I have a name certificate mismatch, https is not enabled yet.

What configuration should I change?

You have created a new certificate, so that part works ( ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
958507659 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-09 13:28:20 2019-09-07 13:28:20 - 1 entries duplicate nr. 1

But you don't use it:

Domainname Http-Status redirect Sec. G 301 0.537 A 200 2.597 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

Instead, there is a self signed certificate:

expires in 3317 days	extreme - 1 entry

Looks like Certbot doesn't understand your configuration, so the wrong vHost is changed. Did you restart your Apache?

What says

apachectl -S

After typing your command I got this:

AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateKeyFile: file ‘/etc/ssl/private/ssl-cert-snakeoil.key’ does not exist or is empty
Action ‘-S’ failed.
The Apache error log may have more information.
user@myname:~$ sudo apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/nextcloud.conf:1)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: “/var/run/apache2/”
User: name=“www-data” id=33
Group: name=“www-data” id=33

I have noticed that I forgot to uncomment the line /etc/ssl/private/ssl-cert-snakeoil.key in my apache configuration (I went through a few changes in my configuration last week to make cerbot working, and I ended up to set everything back like it was, I must have forgotten this line thus), but if I uncomment it, apache won’t start.

I guess there is some missconfiguration also with nexcloud, I don’t know how it happened thus.

1 Like


you see the problem.

You have duplicated combinations port + domain name.

Every combination of port and domain name should be unique.

So Certbot may have picked the wrong vHost.

Cleanup your installation and merge the two 443 to one, same with the two 80.

apachectl -T

should always work. If not, your installation is buggy.

1 Like

Thank you for your help, I guess I modified something along the line and I messed up the apache configuration.
I have ran the other command you gave me same output I got before:

AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateKeyFile: file ‘/etc/ssl/private/ssl-cert-snakeoil.key’ does not exist or is empty
Action ‘-T’ failed.
The Apache error log may have more information.

But if I don’t enable the line line 32 of /etc/apache2/sites-enabled/default-ssl.conf, apache won’t start.

Anyway thank you so much to help me set up the certificate, at least it worked.

I’ll try to troubleshoot my self the apache configuration issue.

Thanks again.

1 Like

Disable that config file, you don't need it, if you have a config file with a domain name.

I have disable the default-ssl.conf, now the certificate is enable on my webserver but somehow it redirects me to my nextcloud folder, my main webpage disappeared.

I need to check also my nextcloud configuration, seems like we are almost there…

Oh, sorry, if there is another website, the idea of deactivating was wrong.

Then you should enable it again, but add correct ServerNames / ServerAlias.

So every combination of port and domain name has only one vHost that answers.

Multiple vHosts -> Certbot picks the wrong vHost.

No worries, enabled it back, I’ll have to look carefully to this config and figure it out:

port 443 namevhost (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/nextcloud.conf:1)

I know this is not your concerning but any tips/links how to do that?

Never mind finally fixed!

I just added these lines in the /etc/apache2/sites-enabled/default-ssl.conf file:

ServerName mydomain
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem

Thanks again for your help!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.