Cannot satisfy letsencrypt?

That did not work.

I see:


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Renewing an existing certificate for blog.ingber.com and 6 more domains
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate www.ingber.com with error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: No such authorization


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

That last reply was to MikeMcQ.

That's a very odd error. I don't see how an Apache config change could cause that.

Can you show the displayed output from this

sudo certbot renew --dry-run --cert-name www.ingber.com

And also this again

sudo apachectl -t -D DUMP_VHOSTS
4 Likes

MikeMcQ:

Here is the output of those commands:


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Simulating renewal of an existing certificate for blog.ingber.com and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: blog.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://blog.ingber.com/.well-known/acme-challenge/qo32QT3t21p09MuCJEtOaGoK4SUaxk-VDEbMx8reemE: 403

Domain: default.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://default.ingber.com/.well-known/acme-challenge/dCz7atOwy9gDGN8yQ0GesZkOHuZgTMiRTmagBIFD2bo: 403

Domain: ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://ingber.com/.well-known/acme-challenge/AdwpDGMS9Jgx9HoQsaPJS7NwxMXrUFL4wZgrsYuWY_o: 403

Domain: lester.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lester.ingber.com/.well-known/acme-challenge/np05o-vTVfCeJ9Chi9wInm-ViPrt2p0q1m2IwS6Keg8: 403

Domain: lin.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin.ingber.com/.well-known/acme-challenge/yAHIL5gbw2EAKJMvkmwAqYwqIZfiudeanqU9JZhmjIo: 403

Domain: lin6.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin6.ingber.com/.well-known/acme-challenge/IeH6gQCOVnCkdZWWSrjVTe7nZlQDpcaaeydUoRpjfJA: 403

Domain: www.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://www.ingber.com/.well-known/acme-challenge/huNOhaUNBeOxq6QAQzIz880sBd_36xDN9_QvERjSJ6k: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate www.ingber.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

AND

VirtualHost configuration:
173.255.212.226:80 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:7)
port 80 namevhost www.ingber.com (/etc/apache2/sites-enabled/000-default.conf:7)
alias ingber.com
alias www.ingber.com
port 80 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/000-default.conf:17)
port 80 namevhost louise.ingber.com (/etc/apache2/sites-enabled/000-default.conf:26)
port 80 namevhost blog.ingber.com (/etc/apache2/sites-enabled/000-default.conf:35)
port 80 namevhost lester.ingber.com (/etc/apache2/sites-enabled/000-default.conf:44)
port 80 namevhost lin.ingber.com (/etc/apache2/sites-enabled/000-default.conf:53)
port 80 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/000-default.conf:62)
173.255.212.226:443 is a NameVirtualHost
default server www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:11)
port 443 namevhost www.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:11)
alias ingber.com
alias www.ingber.com
port 443 namevhost louise.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:40)
port 443 namevhost creekhouse.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:68)
port 443 namevhost blog.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:96)
port 443 namevhost lester.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:124)
port 443 namevhost lin.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:152)
port 443 namevhost lin6.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:180)
*:80 default.ingber.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 default.ingber.com (/etc/apache2/sites-enabled/default-ssl.conf:1)

Does not look like you changed the VirtualHost statement as I suggested.

Do you think you did?

What are the contents of this file?

/etc/apache2/sites-enabled/default-ssl.conf
3 Likes

MikeMcQ:

I already have replied after I changed those files.

I restored those files afterwards so I can see the changes made.

I can't debug a moving target. If you are certain you modified all those places correctly it should have either failed identically to before or it may have resolved the problem. That you got what looked like a different result indicates a new problem was introduced.

Have you checked your Apache ErrorLog to explain the 403? Is it even that Apache system issuing the 403? Perhaps it is a firewall or other device in front of that server.

I'm not sure what more I can offer. Perhaps someone else will.

4 Likes

When I put "*" for all <VirtualHost... entries, my website FAILED.

That is very strange, as that is the most common syntax used today by far. Only very unusual server setups require IP:port.

Also, your Default VirtualHost uses the asterisk:port syntax

3 Likes

Please make the appropriate changes (that is, change all 173.255.212.226 in a VirtualHost directive to a *) and afterwards please show the contents of 000-default.conf and default-ssl.conf again. Please put three backticks (```) above and below the contents when you post them.

2 Likes

I cannot! When I make those changes, my website FAILS. It does not come up at all.

Well, then I guess you're on your own? Changing that IP address to a * should not destroy your Apache, so my guess is you did it incorrectly. But if you're not able to show the resulting file contents, we cannot debug what is going wrong.

For another debugging route, please show the contents of the files in /etc/letsencrypt/renewal/.

3 Likes

There is one file:
10:58:15 ingber@linode# /etc/letsencrypt/renewal: ls -l
total 4
-rw------- 1 root root 722 Aug 23 17:48 www.ingber.com.conf

OK, I'll rephrase my request:

Please show the contents of the file in /etc/letsencrypt/renewal/.

2 Likes

DING!

ingber@linode# /etc/letsencrypt/renewal: cat www.ingber.com.conf
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/www.ingber.com
cert = /etc/letsencrypt/live/www.ingber.com/cert.pem
privkey = /etc/letsencrypt/live/www.ingber.com/privkey.pem
chain = /etc/letsencrypt/live/www.ingber.com/chain.pem
fullchain = /etc/letsencrypt/live/www.ingber.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = b139721d5f80230538a8c742772bc7f7
authenticator = webroot
webroot_path = /var/www-ssl,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
default.ingber.com = /var/www-ssl
ingber.com = /var/www-ssl
lin.ingber.com = /var/www-ssl
lin6.ingber.com = /var/www-ssl
www.ingber.com = /var/www-ssl

Please use Markdown formatting for your posts.

2 Likes

These do not match with:

and

That said, it does match for:

(ingber.com and www.ingber.com)

default.ingber.com should NOT have a working website, as there is NO DocumentRoot configured. The only thing that vhost has is a Require all denied. But still, your website is showing.

Thus your Apache is grossly misconfigured. The _default_ does NOT do its work as the default, due to the usage of IP addresses of the other virtualhosts. Therefore, you see that the actual default virtualhosts are not the ones at the TOP of the configuration files (000-default.conf:1 and default-ssl.conf:1), but at the first virtualhost using the IP address (000-default.conf:7 and default-ssl.conf:7).

3 Likes
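A small check, added here as an example and not part of the thread, that reads a renewal conf and a --dry-run transcript like the ones posted above (the sample inputs below are constructed from them) and lists the names that have no explicit webroot_map entry, plus the listeners bound to a literal IP:port, which is the condition the post above describes.

```python
import re
# Constructed sample: the relevant part of the renewal conf posted above.
RENEWAL_CONF = """\
[renewalparams]
webroot_path = /var/www-ssl,
[[webroot_map]]
default.ingber.com = /var/www-ssl
ingber.com = /var/www-ssl
lin.ingber.com = /var/www-ssl
lin6.ingber.com = /var/www-ssl
www.ingber.com = /var/www-ssl
"""

# Constructed sample: failing-domain lines from the --dry-run transcript (subset).
DRY_RUN_OUTPUT = """\
  Domain: blog.ingber.com
  Domain: default.ingber.com
  Domain: lester.ingber.com
  Domain: www.ingber.com
"""

# Constructed sample: listener lines from apachectl -t -D DUMP_VHOSTS.
VHOST_DUMP = """\
173.255.212.226:80 is a NameVirtualHost
173.255.212.226:443 is a NameVirtualHost
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] block of a renewal conf."""
    mapping, in_map = {}, False
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[["):          # sub-section header
            in_map = line == "[[webroot_map]]"
        elif line.startswith("["):         # top-level section header ends the block
            in_map = False
        elif in_map and "=" in line and not line.startswith("#"):
            domain, root = (part.strip() for part in line.split("=", 1))
            mapping[domain] = root
    return mapping

def unmapped_domains(conf_text, dry_run_text):
    """Names certbot validated that lack a webroot_map entry (they fall back to webroot_path)."""
    mapped = parse_webroot_map(conf_text)
    reported = set(re.findall(r"^\s*Domain:\s*(\S+)", dry_run_text, re.M))
    return sorted(d for d in reported if d not in mapped)

def ip_bound_vhosts(dump_text):
    """Listeners bound to a literal IP:port; with these, the *:port _default_ vhost is not what Apache picks."""
    return re.findall(r"^(\d+(?:\.\d+){3}:\d+) is a NameVirtualHost", dump_text, re.M)
```

Run it against the actual conf, the dry-run output and the DUMP_VHOSTS output to get the two lists before editing any VirtualHost lines.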

OK:

# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/www.ingber.com
cert = /etc/letsencrypt/live/www.ingber.com/cert.pem
privkey = /etc/letsencrypt/live/www.ingber.com/privkey.pem
chain = /etc/letsencrypt/live/www.ingber.com/chain.pem
fullchain = /etc/letsencrypt/live/www.ingber.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = b139721d5f80230538a8c742772bc7f7
authenticator = webroot
webroot_path = /var/www-ssl,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
default.ingber.com = /var/www-ssl
ingber.com = /var/www-ssl
lin.ingber.com = /var/www-ssl
lin6.ingber.com = /var/www-ssl
www.ingber.com = /var/www-ssl

What does your error.log show when you try to request a certificate and get those 403 errors? (As requested by Mike earlier already.) Please use the staging environment using --dry-run for testing.

1 Like

I see:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.ingber.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for blog.ingber.com and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: blog.ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://blog.ingber.com/.well-known/acme-challenge/mWyZTsbaGx0b3gDyiEGmaPGILEpUfUxoIpgipPfF8ZM: 403

  Domain: default.ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://default.ingber.com/.well-known/acme-challenge/T8A9ZEaC1tgz6GFGwvSbRg_aVwP9umaMohblni3p2V0: 403

  Domain: ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://ingber.com/.well-known/acme-challenge/WQakCvjum3lfmShQdFyvbG1uZBb6px92lUPXfKYqI_U: 403

  Domain: lester.ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://lester.ingber.com/.well-known/acme-challenge/e6ssuar4Ep2uIoBILpFmqK35HnqFgfBxbsgOnqyEl4o: 403

  Domain: lin.ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://lin.ingber.com/.well-known/acme-challenge/iAIVOdtX_lUKMfNghhVPCXfG1tpu8zvNefX_AGuztpE: 403

  Domain: lin6.ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://lin6.ingber.com/.well-known/acme-challenge/kOfecm5Xta3W3QlNbB4mssX1mw5njehkm3Gv5uIpSAE: 403

  Domain: www.ingber.com
  Type:   unauthorized
  Detail: 173.255.212.226: Invalid response from https://www.ingber.com/.well-known/acme-challenge/gpinYlGkS_nZ93FKArLFAp1nQgQYZ-YCIu-4kfUToJ8: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.ingber.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.