Cannot install letsencrypt, 404

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: arqls.com.br

I ran this command:
sudo certbot --apache
It produced this output:
Which names would you like to activate HTTPS for?


1: arqls.com.br


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): Obtaining a new certificate

Performing the following challenges:
http-01 challenge for arqls.com.br
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain arqls.com.br
http-01 challenge for arqls.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: arqls.com.br
    Type: unauthorized
    Detail: Invalid response from
    http://arqls.com.br/.well-known/acme-challenge/2fhcA9EkSUaj-T3Z2fwelNNv9ailv0yQsHj7Y13TaC4
    [72.167.40.139]: "\n\n403
    Forbidden\n\n

    Forbidden

    \n<p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
Apache 2

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
Godaddy

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot .40.0

Hi there!
Here is some info:
apachectl -S
VirtualHost configuration:
*:80 arqls.com.br (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

I'm running a Spring application, so I'm using ProxyPass (I don't know if this can be related)
ProxyPass / ajp://localhost:9090/
ProxyPassReverse / ajp://localhost:9090/

Hi @BrunoMarek, welcome to the LE community forum :slight_smile:

Please show this file:

And you should also include the "www" in the file and cert.

Name:    arqls.com.br
Address: 72.167.40.139
Aliases: www.arqls.com.br

Good Morning!

GNU nano 4.8 /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName arqls.com.br

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName arqls.com.br
        ServerAlias www.arqls.com.br
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ProxyPass / ajp://localhost:9090/
        ProxyPassReverse / ajp://localhost:9090/

</VirtualHost>

Try using this instead:
[I removed all the unused lines and added a challenge location]

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ServerName arqls.com.br
  ServerAlias www.arqls.com.br
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <Location /.well-known/acme-challenge/>
   DocumentRoot /var/www/html
  </Location>
  ProxyPass / ajp://localhost:9090/
  ProxyPassReverse / ajp://localhost:9090/
</VirtualHost>

Thanks for the fast reply, but it is still not working. I'm getting these errors:

root@ip-72-167-40-139 : ~ $ sudo apachectl configtest

AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default.conf:

DocumentRoot not allowed in context

Action 'configtest' failed.

The Apache error log may have more information.

root@ip-72-167-40-139:~# service apache2 status
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-09-09 16:04:48 UTC; 22h ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 24902 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=1/FAILURE)
Main PID: 654 (apache2)
Tasks: 55 (limit: 1136)
Memory: 7.2M
CGroup: /system.slice/apache2.service
├─ 654 /usr/sbin/apache2 -k start
├─24407 /usr/sbin/apache2 -k start
└─24408 /usr/sbin/apache2 -k start

Sep 10 13:49:26 ip-72-167-40-139.ip.secureserver.net systemd[1]: Reloaded The Apache HTTP Server.
Sep 10 14:01:54 ip-72-167-40-139.ip.secureserver.net systemd[1]: Reloading The Apache HTTP Server.
Sep 10 14:01:54 ip-72-167-40-139.ip.secureserver.net systemd[1]: Reloaded The Apache HTTP Server.
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net systemd[1]: Reloading The Apache HTTP Server.
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net apachectl[24905]: AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default.conf:
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net apachectl[24905]: DocumentRoot not allowed in context
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net apachectl[24902]: Action 'graceful' failed.
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net apachectl[24902]: The Apache error log may have more information.
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Sep 10 14:17:21 ip-72-167-40-139.ip.secureserver.net systemd[1]: Reload failed for The Apache HTTP Server.

OK let me rework that... in the opposite direction.

Try this instead:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ServerName arqls.com.br
  ServerAlias www.arqls.com.br
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <LocationMatch "^/(?!\.well-known)">
    #send all other requests to proxy
    ProxyPass / ajp://localhost:9090/
    ProxyPassReverse / ajp://localhost:9090/
  </LocationMatch>
</VirtualHost>

Got this error!

AH00526: Syntax error on line 10 of /etc/apache2/sites-enabled/000-default.conf:

ProxyPass|ProxyPassMatch can not have a path when defined in a location.

Action 'configtest' failed.

The Apache error log may have more information.

hmm...
Try modifying those two lines as:

    ProxyPass ajp://localhost:9090/
    ProxyPassReverse ajp://localhost:9090/

If that fails...

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ServerName arqls.com.br
  ServerAlias www.arqls.com.br
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  <Location ~ /.well-known/acme-challenge/>
   #do nothing special
  </Location>
  <Location />
    ProxyPass / ajp://localhost:9090/
    ProxyPassReverse / ajp://localhost:9090/
  </Location>
</VirtualHost>

The first one
" ProxyPass ajp://localhost:9090/
ProxyPassReverse ajp://localhost:9090/ " gave me syntax ok, but failed on:
root@ip-72-167-40-139:/etc/apache2/sites-available# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: arqls.com.br
2: www.arqls.com.br


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for arqls.com.br
http-01 challenge for www.arqls.com.br
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain arqls.com.br
Challenge failed for domain www.arqls.com.br
http-01 challenge for arqls.com.br
http-01 challenge for www.arqls.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The second one gave me this error:

root@ip-72-167-40-139:/etc/apache2/sites-available# sudo apachectl configtest

AH00526: Syntax error on line 12 of /etc/apache2/sites-enabled/000-default.conf:

ProxyPass|ProxyPassMatch can not have a path when defined in a location.

Action 'configtest' failed.

The Apache error log may have more information.

Ok, my last try:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ServerName arqls.com.br
  ServerAlias www.arqls.com.br
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  ProxyPass /.well-known/acme-challenge !
  ProxyPass / ajp://localhost:9090/
  ProxyPassReverse / ajp://localhost:9090/
</VirtualHost>

Thanks for continuing to try!
Syntax OK.
I double-checked the DNS route,
but sudo certbot --apache is still giving me errors...

Ok please show the complete command used and the error(s) returned.

root@ip-72-167-40-139:/etc/apache2/sites-available# sudo apachectl configtest
Syntax OK
root@ip-72-167-40-139:/etc/apache2/sites-available# sudo systemctl reload apache2
root@ip-72-167-40-139:/etc/apache2/sites-available# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: arqls.com.br
2: www.arqls.com.br


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for arqls.com.br
http-01 challenge for www.arqls.com.br
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain arqls.com.br
Challenge failed for domain www.arqls.com.br
http-01 challenge for arqls.com.br
http-01 challenge for www.arqls.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

OK forget using --apache for authentication.
Try:
certbot -i apache --webroot -w /var/www/html -d 'arqls.com.br,www.arqls.com.br'
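
An added example (not from any poster in this thread): a simplified Python model of Apache's first-match ordering for vhost-level ProxyPass rules, run over trimmed copies of the configs posted above. It shows why the http-01 path reached the AJP backend until the `!` exclusion was placed ahead of the catch-all. The placeholder token and helper names are assumptions; Location blocks, ProxyPassMatch and rewrite rules are not modelled.

```python
import re

# Trimmed copies of the vhosts posted in this thread (comments and logging removed).
ORIGINAL_VHOST = """<VirtualHost *:80>
  DocumentRoot /var/www/html
  ProxyPass / ajp://localhost:9090/
  ProxyPassReverse / ajp://localhost:9090/
</VirtualHost>"""

FIXED_VHOST = """<VirtualHost *:80>
  DocumentRoot /var/www/html
  ProxyPass /.well-known/acme-challenge !
  ProxyPass / ajp://localhost:9090/
  ProxyPassReverse / ajp://localhost:9090/
</VirtualHost>"""

# Constructed placeholder, not a real ACME token.
CHALLENGE = "/.well-known/acme-challenge/PLACEHOLDER-TOKEN"

# Matches "ProxyPass <path> <target>" only; ProxyPassReverse/ProxyPassMatch are skipped.
PROXYPASS = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)

def proxy_rules(vhost_text):
    """Return (path_prefix, target) pairs in configuration order."""
    rules = []
    for line in vhost_text.splitlines():
        m = PROXYPASS.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def prefix_matches(prefix, url_path):
    """Prefix match that only ends on a path-segment boundary."""
    if not url_path.startswith(prefix):
        return False
    rest = url_path[len(prefix):]
    return prefix.endswith("/") or rest == "" or rest.startswith("/")

def route(vhost_text, url_path):
    """First matching rule wins; '!' means the request is not proxied."""
    for prefix, target in proxy_rules(vhost_text):
        if prefix_matches(prefix, url_path):
            return "local" if target == "!" else target
    return "local"  # no rule matched: served from DocumentRoot

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_VHOST), ("fixed", FIXED_VHOST)):
        print(f"{name}: {CHALLENGE} -> {route(conf, CHALLENGE)}")
```

With `--webroot -w /var/www/html`, the token file written under `/var/www/html/.well-known/acme-challenge/` is only reachable when this path resolves to `local`.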

MADE IT, THANK YOU!
I was struggling for 2 days, but now it's working!
I appreciate that!


Glad to have helped :slight_smile:
Cheers from Miami :beers:

#FreeCUBA :cuba:
