Cannot renew SSL (Apache)

Hey folks, we cannot get our SSL to renew. Here's a detailed description of what we're running into with screenshots, the full config file, and history of runs: ClickUp

My domain is: portal.asnoa.com

I ran this command:

```
sudo certbot certonly
sudo certbot renew --dry-run
sudo certbot certonly --apache -d portal.asnoa.com
certbot certonly --force-renew -d portal.asnoa.com -d www.portal.asnoa.com
certbot run -a webroot -i apache -w /var/www/asnoa-portal-production-v2/public -d portal.asnoa.com -d www.portal.asnoa.com
```

It produced this output:

```
Domain: portal.asnoa.com
Type: unauthorized
Detail: 147.182.162.99: Invalid response from http://portal.asnoa.com/.well-known/acme-challenge/Z7bbEh974XkcN8-9HG734w5Aqb52fz7D2HDLGPbyIQI:400

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAA record(s) for that domain contain(s) the right IP address.
```

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is: certbot 0.40.0

These are the two threads we've worked through to troubleshoot first, but we are still stuck at a standstill: Certbot Renew Challenge failed - #15
Certbot autorenew and renew fails - #4 by JuergenAuer

Welcome @dmolinero9249

Yeah, it looks like something has gone wrong with your Apache config. As shown by the Let's Debug test site, you have Apache requiring HTTPS for HTTP requests arriving on port 80. This is not correct 🙂

Can you show the result of this?

```
sudo apache2ctl -t -D DUMP_VHOSTS
```
4 Likes

Mike,

Sure thing, here you go:

```
VirtualHost configuration:
147.182.162.99:443     is a NameVirtualHost
         default server portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:2)
         port 443 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:2)
                 alias www.portal.asnoa.com
         port 443 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2.conf:3)
         port 443 namevhost portal-dev.asnoa.com (/etc/apache2/sites-enabled/004-portal-asnoa-dev-ssl.conf:2)
         port 443 namevhost portal-staging.asnoa.com (/etc/apache2/sites-enabled/005-portal-asnoa-staging-ssl.conf:2)
147.182.162.99:80      is a NameVirtualHost
         default server portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:29)
         port 80 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:29)
                 alias www.portal.asnoa.com
         port 80 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2.conf:31)
         port 80 namevhost portal-dev.asnoa.com (/etc/apache2/sites-enabled/004-portal-asnoa-dev-ssl.conf:26)
         port 80 namevhost portal-staging.asnoa.com (/etc/apache2/sites-enabled/005-portal-asnoa-staging-ssl.conf:26)
*:80                   portal.asnoa.com (/etc/apache2/sites-enabled/000-default.conf:1
```

You have the same name shown twice for port 80. Once when Apache gets a request to the IP 147.182.162.99 and another for any other IP.

Can you explain why you did that? Because while it is possible and sometimes needed it is rare and needs special care to get correct.

Also, show us these two files. Please put 3 backticks before and after so we don't lose any Apache tags to the formatting in this forum. Like this:

```
contents of: /etc/apache2/sites-enabled/002-portal-asnoa-v2.conf
contents of: /etc/apache2/sites-enabled/000-default.conf
```

2 Likes
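Checking a DUMP_VHOSTS listing by eye gets error-prone once a server has more than a handful of sites, so here is a small script (an added example, not something posted in this thread) that reads that output and reports every name that more than one VirtualHost claims on the same port, counting ServerAlias entries and the catch-all `*:PORT` hosts as well. The sample text is constructed to mirror the listing above; the file paths in it are assumed.

```shell
#!/bin/sh
# Added example, not from this thread: report ServerName/ServerAlias values
# claimed by more than one VirtualHost on the same port, from the text printed by
#   sudo apache2ctl -t -D DUMP_VHOSTS
# SAMPLE_DUMP is a constructed stand-in modelled on the thread (paths assumed).
SAMPLE_DUMP='VirtualHost configuration:
147.182.162.99:443     is a NameVirtualHost
         default server portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:2)
         port 443 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:2)
                 alias www.portal.asnoa.com
         port 443 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2.conf:3)
147.182.162.99:80      is a NameVirtualHost
         default server portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:29)
         port 80 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:29)
                 alias www.portal.asnoa.com
         port 80 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2.conf:31)
*:80                   portal.asnoa.com (/etc/apache2/sites-enabled/000-default.conf:1)'

# dup_vhost_names: reads DUMP_VHOSTS text on stdin, prints "PORT NAME COUNT" for
# each (port, name) pair served by more than one VirtualHost (aliases and the
# catch-all *:PORT entries included) and returns 1 when any such pair exists.
dup_vhost_names() {
  dups=$(awk '
    # "ADDR:PORT   is a NameVirtualHost" starts a name-based group on PORT
    $1 ~ /:[0-9]+$/ && $2 == "is" { port = $1; sub(/.*:/, "", port); next }
    # "ADDR:PORT   NAME (file:line)" is a stand-alone vhost on that port
    $1 ~ /:[0-9]+$/ { p = $1; sub(/.*:/, "", p); seen[p " " $2]++; next }
    # "port N namevhost NAME (file:line)" inside a name-based group
    $1 == "port" && $3 == "namevhost" { port = $2; seen[port " " $4]++; next }
    # "alias NAME" belongs to the namevhost printed just above it
    $1 == "alias" { seen[port " " $2]++; next }
    # "default server NAME" repeats the first namevhost, so it is not counted
    END { for (k in seen) if (seen[k] > 1) print k, seen[k] }
  ' | sort)
  [ -n "$dups" ] && printf '%s\n' "$dups"
  [ -z "$dups" ]
}

# Stand-alone run against the constructed sample. Real use:
#   sudo apache2ctl -t -D DUMP_VHOSTS | dup_vhost_names
if printf '%s\n' "$SAMPLE_DUMP" | dup_vhost_names; then
  echo "no duplicate vhost names"
else
  echo "duplicate vhost names found (listed above); expect one VirtualHost per name and port"
fi
```

On the sample it prints `443 portal.asnoa.com 2` and `80 portal.asnoa.com 3`, which is the "twice on 443, three times on 80" situation described above. Apache answers each name on a port from exactly one of those hosts (the first match), so whichever duplicates it ignores are silently dead configuration.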

Mike,

For the same name showing twice, I'm not sure. That was done by devs prior to me, but we've removed that since I can't see a reason we would need that.

Here are the contents of 002-portal-asnoa-v2.conf

002-portal-asnoa-v2.conf:

```
    DirectoryIndex index.php
    DocumentRoot /var/www/asnoa-portal-production-v2/public
    <Directory /var/www/asnoa-portal-production-v2/public/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
            Require all granted
    </Directory>
    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/portal.asnoa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/portal.asnoa.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
#</IfModule>
<VirtualHost portal.asnoa.com:80>
    ServerAdmin admin@asnoa.com
    ServerName portal.asnoa.com
    Redirect permanent / https://portal.asnoa.com/
    DocumentRoot /var/www/asnoa-portal-production-v2/public
    <Directory /var/www/asnoa-portal-production-v2/public/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
            Require all granted
    </Directory>
    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =portal.asnoa.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Here are the contents of 000-default.conf

```
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
#</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Looks like the top was truncated. Can you show the full contents?

Can you show the updated result of this then?

```
sudo apache2ctl -t -D DUMP_VHOSTS
```
3 Likes

I just realized I said you had the name twice as I was more concerned with the one in the IP-based Virtual Host while also in the Name-based Virtual host. But, I see you also had it twice in the IP-based host so a total of 3 times overall.

I still want to see an updated dump_vhosts.

3 Likes

Mike,

Sorry, accidentally didn't copy the whole thing for the v2 file. Here it is updated.

```
## NameVirtualHost *:80
#<IfModule mod_ssl.c>
<VirtualHost portal.asnoa.com:443>
    ServerAdmin admin@asnoa.com
    ServerName portal.asnoa.com

    DirectoryIndex index.php
    DocumentRoot /var/www/asnoa-portal-production-v2/public

    <Directory /var/www/asnoa-portal-production-v2/public/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
            Require all granted
    </Directory>

    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined


SSLCertificateFile /etc/letsencrypt/live/portal.asnoa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/portal.asnoa.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
#</IfModule>


<VirtualHost portal.asnoa.com:80>
    ServerAdmin admin@asnoa.com
    ServerName portal.asnoa.com

    Redirect permanent / https://portal.asnoa.com/

    DocumentRoot /var/www/asnoa-portal-production-v2/public

    <Directory /var/www/asnoa-portal-production-v2/public/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
            Require all granted
    </Directory>

    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/portal.asnoa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/portal.asnoa.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
#</IfModule>


<VirtualHost portal.asnoa.com:80>
    ServerAdmin admin@asnoa.com
    ServerName portal.asnoa.com

    Redirect permanent / https://portal.asnoa.com/

    DocumentRoot /var/www/asnoa-portal-production-v2/public

    <Directory /var/www/asnoa-portal-production-v2/public/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
            Require all granted
    </Directory>

    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =portal.asnoa.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

For the updated results of sudo apache2ctl -t -D DUMP_VHOSTS, see below:

```
VirtualHost configuration:
147.182.162.99:443     is a NameVirtualHost
         default server portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:2)
         port 443 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:2)
                 alias www.portal.asnoa.com
         port 443 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2.conf:3)
         port 443 namevhost portal-dev.asnoa.com (/etc/apache2/sites-enabled/004-portal-asnoa-dev-ssl.conf:2)
         port 443 namevhost portal-staging.asnoa.com (/etc/apache2/sites-enabled/005-portal-asnoa-staging-ssl.conf:2)
147.182.162.99:80      is a NameVirtualHost
         default server portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:29)
         port 80 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf:29)
                 alias www.portal.asnoa.com
         port 80 namevhost portal.asnoa.com (/etc/apache2/sites-enabled/002-portal-asnoa-v2.conf:31)
         port 80 namevhost portal-dev.asnoa.com (/etc/apache2/sites-enabled/004-portal-asnoa-dev-ssl.conf:26)
         port 80 namevhost portal-staging.asnoa.com (/etc/apache2/sites-enabled/005-portal-asnoa-staging-ssl.conf:26)
```
1 Like

Hmm. That does not look like the file /etc/apache2/sites-enabled/002-portal-asnoa-v2-ssl.conf

Because there is no ServerAlias in it yet the DUMP_VHOSTS shows one.

Ignoring that for a moment, these 3 lines should not be in the VirtualHost for port 80.
These set up HTTPS (port 443 usually) and are probably causing the original error message.

```
SSLCertificateFile /etc/letsencrypt/live/portal.asnoa.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/portal.asnoa.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
```
4 Likes
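For anyone landing here with the same 400 on the ACME challenge, here is a script (an added example, not posted in this thread) that finds exactly this mistake in a site file: any SSL directive, or the certbot options-ssl-apache.conf include (which is where "SSLEngine on" comes from), sitting inside a VirtualHost bound to port 80. With TLS switched on there, a plain-HTTP request for /.well-known/acme-challenge/... is rejected before the token is ever served. The sample file is constructed to mirror the broken one above; the hostname and paths in it are assumed.

```shell
#!/bin/sh
# Added example, not from this thread: flag TLS directives that sit inside a
# <VirtualHost ...:80> block. certbot's options-ssl-apache.conf contains
# "SSLEngine on", so including it in the port-80 vhost makes Apache expect TLS
# there and a plain-HTTP ACME challenge request gets a 400 instead of the token.
# Real use:  ssl_in_http_vhosts < /etc/apache2/sites-enabled/002-portal-asnoa-v2.conf
# SAMPLE_SITE is a constructed file modelled on the broken one in the thread
# (hostname and paths are assumed).
SAMPLE_SITE='<VirtualHost portal.example.test:443>
    ServerName portal.example.test
    DocumentRoot /var/www/portal/public
    SSLCertificateFile /etc/letsencrypt/live/portal.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/portal.example.test/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost portal.example.test:80>
    ServerName portal.example.test
    Redirect permanent / https://portal.example.test/
    # SSLEngine on    <- commented out, so it must not be reported
    SSLCertificateFile /etc/letsencrypt/live/portal.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/portal.example.test/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>'

# ssl_in_http_vhosts: reads an Apache site file on stdin, prints each offending
# line as "<VirtualHost ...:80>: DIRECTIVE" and returns 1 if any was found.
ssl_in_http_vhosts() {
  awk '
    # opening tag: remember it and whether this block listens on port 80
    /^[ \t]*<VirtualHost[ \t]/ {
      vh = $0; sub(/^[ \t]*/, "", vh)
      in_http = (vh ~ /:80>/); next
    }
    /^[ \t]*<\/VirtualHost>/ { in_http = 0; next }
    in_http {
      line = $0; sub(/^[ \t]*/, "", line)
      if (line ~ /^#/ || line == "") next          # skip comments and blanks
      lc = tolower(line)
      # any SSL* directive, or the certbot include that turns SSLEngine on
      if (lc ~ /^ssl/ || lc ~ /^include[ \t].*options-ssl-apache\.conf/) {
        print vh ": " line; found++
      }
    }
    END { exit (found > 0) }
  '
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_SITE" | ssl_in_http_vhosts; then
  echo "port-80 vhosts are clean"
else
  echo "remove the lines above from the port-80 vhost, then run:"
  echo "  sudo apache2ctl configtest && sudo systemctl reload apache2"
fi
```

Run it over every file in /etc/apache2/sites-enabled/ before a renewal attempt; the three lines it reports on the sample are the same three Mike points out above, and the commented-out SSLEngine line is correctly ignored.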

Mike,

Removing those three lines did it! As soon as we did that, we were able to renew.

Thank you SO MUCH for your help!

2 Likes
