Cannot Create a new certificate

Hope someone can help me figure out what I am doing wrong, as I have used Let’s Encrypt for about 3 years without problems and it always worked wonderfully until my last renewal.

I have searched and tried different solutions from this forum, but I cannot get it to work.
Port 80 is enabled in my router, IPv6 should be disabled (help me verify if I did it correctly though), and I have created this directory and put a test file in it, which shows correctly on my website path:

my.website/.well-known/acme-challenge/test

I have no idea why it doesn’t work.

I cannot renew or create a new certificate, I keep getting this error:

IMPORTANT NOTES:

Here are the latest logs:

2019-06-09 13:43:56,994:DEBUG:certbot.error_handler:Calling registered functions
2019-06-09 13:43:56,994:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-09 13:43:57,267:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1365, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1119, in run
certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. excloud.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://excloud.ddns.net/.well-known/acme-challenge/a19IeSzsqIWy2C31ncXiY4qTwen6qqpFomaetAsPoD0 [126.11.184.241]: "\n\n404 Not Found\n\n Not Found \n<p"

My domain is:
https://excloud.ddns.net

I ran this command:
sudo certbot --apache -d excloud.ddns.net and also tried sudo certbot --apache

It produced this output:

IMPORTANT NOTES:

The operating system my web server runs on is (include version):
Ubuntu Server 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Not sure what a control panel is

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Hi @ExMM

there is a check of your domain ( https://check-your-website.server-daten.de/?q=excloud.ddns.net ):

That looks good:

Domainname Http-Status redirect Sec. G
http://excloud.ddns.net/
126.11.184.241 301 https://excloud.ddns.net/ 0.587 A
https://excloud.ddns.net/
126.11.184.241 200 2.557 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://excloud.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
126.11.184.241 301 https://excloud.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.567 A
Visible Content: Moved Permanently The document has moved here . Apache/2.4.29 (Ubuntu) Server at excloud.ddns.net Port 80
https://excloud.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 2.290 N
Not Found
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at excloud.ddns.net Port 443

Port 80 is open. Checking a file in /.well-known/acme-challenge, there is a redirect http -> https; that's ok, Let's Encrypt follows these redirects.

So try to find the DocumentRoot of your port 443 vHost and use it:

certbot run -a webroot -i apache -w yourDocumentRoot -d excloud.ddns.net
1 Like
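The advice above is to feed Certbot the DocumentRoot of the vHost that finally answers the challenge request (here the port 443 one, because port 80 redirects to it). The following is an added example, not code from the thread or from Certbot: a small POSIX shell helper that pulls the DocumentRoot out of the `<VirtualHost ...:PORT>` block of an Apache config file, run against a constructed sample config whose paths (`/var/www/nextcloud`, the file created by `mktemp`) are assumptions and not the poster's real files.

```shell
#!/bin/sh
# Added example, not code from the thread: find the DocumentRoot of the
# vHost that answers on a given port, so it can be handed to
# "certbot run -a webroot -i apache -w <DocumentRoot> -d <domain>".
# Usage: vhost_docroot <port> <config file>...
vhost_docroot() {
    vd_port="$1"; shift
    # awk tracks whether it is inside a <VirtualHost ...:PORT> block and
    # prints the first DocumentRoot found there, surrounding quotes removed.
    awk -v port="$vd_port" '
        /^[ \t]*<VirtualHost/ { inblock = ($0 ~ (":" port ">")) }
        inblock && /^[ \t]*DocumentRoot[ \t]/ {
            gsub(/"/, "", $2); print $2; exit
        }
        /^[ \t]*<\/VirtualHost>/ { inblock = 0 }
    ' "$@"
}

# Constructed sample config (hypothetical paths) shaped like the thread's
# setup: a port-80 vHost that redirects to HTTPS and a port-443 vHost
# whose DocumentRoot differs from the main /var/www/html.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName excloud.ddns.net
    DocumentRoot /var/www/html
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName excloud.ddns.net
    DocumentRoot "/var/www/nextcloud"
    SSLEngine on
</VirtualHost>
</IfModule>
EOF

# The HTTPS vHost is the one that serves the redirected challenge, so its
# DocumentRoot is the webroot to pass to certbot (command printed, not run).
WEBROOT="$(vhost_docroot 443 "$SAMPLE_CONF")"
echo "port 443 DocumentRoot: $WEBROOT"
echo "certbot run -a webroot -i apache -w \"$WEBROOT\" -d excloud.ddns.net"
```

On a real server, point `vhost_docroot 443` at the files listed by `apachectl -S` (for example `/etc/apache2/sites-enabled/*.conf`); if it prints nothing, the port 443 vHost inherits the main DocumentRoot shown by `apachectl -S`, and if it prints more than one path for the same port you have the duplicate-vHost situation discussed later in the thread.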

Thank you very much for your quick reply!

I ran your command and at first it seemed like it worked:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/excloud.ddns.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/excloud.ddns.net/privkey.pem
    Your cert will expire on 2019-09-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • Some rewrite rules copied from
    /etc/apache2/sites-enabled/nextcloud.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/apache2/sites-available/nextcloud-le-ssl.conf because they
    have the potential to create redirection loops.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

But when I test it on https://www.ssllabs.com/ssltest/analyze.html?d=excloud.ddns.net, I have a name certificate mismatch, https is not enabled yet.

What configuration should I change?

You have created a new certificate, so that part works ( https://check-your-website.server-daten.de/?q=excloud.ddns.net ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
958507659 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-09 13:28:20 2019-09-07 13:28:20 excloud.ddns.net - 1 entries duplicate nr. 1

But you don't use it:

Domainname Http-Status redirect Sec. G
http://excloud.ddns.net/
126.11.184.241 301 https://excloud.ddns.net/ 0.537 A
https://excloud.ddns.net/
126.11.184.241 200 2.597 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

Instead, there is a self signed certificate:

CN=extreme
	11.07.2018
	08.07.2028
expires in 3317 days	extreme - 1 entry

Looks like Certbot doesn't understand your configuration, so the wrong vHost is changed. Did you restart your Apache?

What says

apachectl -S

After typing your command I got this:

AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateKeyFile: file '/etc/ssl/private/ssl-cert-snakeoil.key' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.
user@myname:~$ sudo apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
alias excloud.ddns.net
*:80 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud.conf:1)
alias excloud.ddns.net
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I have noticed that I forgot to uncomment the line /etc/ssl/private/ssl-cert-snakeoil.key in my Apache configuration (I went through a few changes in my configuration last week to make Certbot work, and I ended up setting everything back like it was; I must have forgotten this line though), but if I uncomment it, Apache won’t start.

I guess there is some misconfiguration also with Nextcloud; I don’t know how it happened though.

1 Like

There

you see the problem.

You have duplicated combinations port + domain name.

Every combination of port and domain name should be unique.

So Certbot may have picked the wrong vHost.

Clean up your installation and merge the two 443 into one, same with the two 80.

apachectl -T

should always work. If not, your installation is buggy.

1 Like
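The point made above is that every (port, name) combination must map to exactly one vHost, otherwise Certbot's Apache installer may edit the wrong file. As an added example that is not part of the thread and not Certbot or Apache code, here is a POSIX shell helper that reads `apachectl -S` output and reports any port + ServerName/ServerAlias combination claimed by more than one vHost. The two sample listings are constructed: the first is modelled on the listing posted above, the second is a hypothetical cleaned-up version with one vHost per port.

```shell
#!/bin/sh
# Added example, not code from the thread: report port + name combinations
# that more than one vHost claims in "apachectl -S" output. Apache routes a
# request to only one vHost per (port, name), and Certbot's Apache
# installer edits the vHost it matched, so a duplicate means the wrong
# file may be modified.
# Usage: apachectl -S 2>&1 | duplicate_vhosts
#        duplicate_vhosts saved-output.txt
# Returns 1 (and prints "port name count") when duplicates exist, else 0.
duplicate_vhosts() {
    dv_out="$(awk '
        # "port 443 namevhost excloud.ddns.net (file:line)" opens a vHost
        $1 == "port" && $3 == "namevhost" { port = $2; seen[port " " $4]++; next }
        # "alias name" lines belong to the vHost listed directly above them
        $1 == "alias" && port != "" { seen[port " " $2]++ }
        END { for (k in seen) if (seen[k] > 1) print k, seen[k] }
    ' "$@" | sort)"
    [ -n "$dv_out" ] || return 0
    printf '%s\n' "$dv_out"
    return 1
}

# Constructed sample modelled on the apachectl -S listing in the thread:
# each port has two namevhost entries plus an alias for the same name.
sample_apachectl_output() {
    cat <<'EOF'
VirtualHost configuration:
*:443 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
alias excloud.ddns.net
*:80 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud.conf:1)
alias excloud.ddns.net
EOF
}

# Hypothetical cleaned-up listing with exactly one vHost per port and name.
clean_apachectl_output() {
    cat <<'EOF'
VirtualHost configuration:
*:443 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud.conf:1)
EOF
}

if sample_apachectl_output | duplicate_vhosts; then
    echo "no duplicate port+name combinations"
else
    echo "duplicate port+name combinations found (port name count above)"
fi
```

Running the check against the thread's listing reports `443 excloud.ddns.net 3` and `80 excloud.ddns.net 3` (two namevhost entries plus an alias each); the cleaned-up listing reports nothing and the function returns 0, which makes it usable as a guard before running Certbot with the Apache installer.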

Thank you for your help, I guess I modified something along the line and messed up the Apache configuration.
I ran the other command you gave me and got the same output as before:

AH00526: Syntax error on line 32 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateKeyFile: file '/etc/ssl/private/ssl-cert-snakeoil.key' does not exist or is empty
Action '-T' failed.
The Apache error log may have more information.

But if I don’t enable line 32 of /etc/apache2/sites-enabled/default-ssl.conf, Apache won’t start.

Anyway, thank you so much for helping me set up the certificate; at least that worked.

I’ll try to troubleshoot the Apache configuration issue myself.

Thanks again.

1 Like

Disable that config file; you don't need it if you have a config file with a domain name.

I have disabled default-ssl.conf, and now the certificate is enabled on my web server, but somehow it redirects me to my Nextcloud folder; my main webpage disappeared.

I need to check also my nextcloud configuration, seems like we are almost there…

Oh, sorry, if there is another website, the idea of deactivating was wrong.

Then you should enable it again, but add correct ServerNames / ServerAlias.

So every combination of port and domain name has only one vHost that answers.

Multiple vHosts -> Certbot picks the wrong vHost.

No worries, I enabled it back. I’ll have to look carefully at this config and figure it out:

port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:1)
port 443 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
alias excloud.ddns.net
*:80 is a NameVirtualHost
default server excloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost excloud.ddns.net (/etc/apache2/sites-enabled/nextcloud.conf:1)

I know this is not your concern, but any tips/links on how to do that?

Never mind finally fixed!

I just added these lines in the /etc/apache2/sites-enabled/default-ssl.conf file:

ServerName mydomain
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain/privkey.pem

Thanks again for your help!

2 Likes
