Cannot update or create a new certificate: 404

Hello,
A couple of days ago I received the email reminding me of the upcoming expiration of my certificate. In the last 6-8 months, the renewal was carried out automatically. Probably my attempt to add a second domain corrupted some files.
Currently the certificate still works and is used for a Nextcloud server on a Raspberry Pi 4 with Raspbian and apache2, but it will expire in less than 10 days. I tried to renew it, also adding a second domain (used for access on an RPi 3B with HomeAssistantOS that shares the same public IP with the Pi 4), but I keep getting a 404 error.
I have tried reading some posts with similar errors, but without success.

My domains are: m9quattro.hopto.org, m9quattro.duckdns.org, m9assistant.hopto.org

I ran these commands:
1) sudo certbot --apache -d m9quattro.hopto.org -d m9quattro.duckdns.org -d m9assistant.hopto.org
2) sudo certbot renew --force-renewal

It produced this output:
1)
Domain: m9quattro.duckdns.org
Type: unauthorized
Detail: Invalid response from http://m9quattro.duckdns.org/.well-known/acme-challenge/Iq_47T1Y60ztl1bs1_5s6xAVsjSS6bTXPRVRYghogDc [xx.xx.xx.xx]: 404

Domain: m9quattro.hopto.org
Type: unauthorized
Detail: Invalid response from http://m9quattro.hopto.org/.well-known/acme-challenge/i4CRRhSsZZnU3m7P9Zd2OIpGEpF1K4mxUXeVEu1teMQ [xx.xx.xx.xx]: 404

2) Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority
    reported these problems:
    Domain: m9quattro.hopto.org
    Type: unauthorized
    Detail: Invalid response from http://m9quattro.hopto.org/.well-known/acme-
    challenge/vMyruY4GlNgNN_aTdWxdcj4h2YJUSvLzG3mP9e6hnbU [xx.xx.xx.xx]: 404

    Hint: The Certificate Authority failed to verify the temporary Apache configuration changes
    made by Certbot. Ensure that the listed domains point to this Apache server and that it is
    accessible from the internet.

    Failed to renew certificate m9quattro.hopto.org with error: Some challenges have failed.


    All renewals failed. The following certificates could not be renewed:
    /etc/letsencrypt/live/m9quattro.hopto.org/fullchain.pem (failure)


    1 renew failure(s), 0 parse failure(s)
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile
    /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.38 (Raspbian)
Server built: 2021-09-30T03:50:49

My hosting providers, if applicable, are: Noip and duckdns

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is: certbot 1.21.0

Thanks.

1 Like

Hi there,

When connecting to your domain, I see a Python webserver, rather than Apache:

$ curl -X GET -I m9quattro.duckdns.org
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
Content-Length: 14
Date: Thu, 25 Nov 2021 22:05:42 GMT
Server: Python/3.9 aiohttp/3.7.4.post0

For your Certbot command to succeed, Apache needs to be the webserver that is being hosted at this domain.

One way to organize things could be to always run Apache on port 80, having your Python application running on a separate port, and configuring Apache to forward traffic to your Python application, as a reverse proxy.

2 Likes

Thanks, I hadn't noticed. After trying to shut down the server with HomeAssistantOS, it is now back on Apache, but it gives me the following error (if I type this command: certbot -v):

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

Could it be due to the fact that when I first configured it a few months ago, I forced it to always go to port 443 for https, when my domain was typed in? For example, even if I write http it sends me to https and maybe it doesn't find port 80 for that.

1 Like

This will be happening due to Strict-Transport-Security, but it wouldn't interfere with the certificate renewal process.

Apache does need at least one port 80 virtual host configured, for certbot --apache to function.

On this server, what you can try is to add a port 80 virtual host, something like:

<VirtualHost *:80>
    ServerName m9quattro.hopto.org
    ServerAlias m9quattro.duckdns.org m9assistant.hopto.org

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

and save it as /etc/apache2/sites-enabled/default.conf or something. It doesn't need to do anything useful, it just needs to exist.

Then try Certbot again.

2 Likes

I tried updating the default.conf file and after restarting Apache I verified that certbot was working. It actually worked. I had made some changes to the ports (I had put 85 instead of 80), thinking that this way I would be able to make both Nextcloud and Home Assistant work with the same certificate, but it only created other problems. Both domains are now working correctly.
Thank you for your precious help.

2 Likes
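
An added example, not written by anyone in this thread and not Certbot's own logic: a small Python check that reads Apache configuration text and reports whether anything is defined for port 80, the condition behind the "Unable to find a virtual host listening on port 80" error above. Both sample configurations are constructed; the port 85 variant assumes the kind of change described in the last post, and the names `audit` and `port_of` are hypothetical.

```python
import re

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
DOMAINS = ["m9quattro.hopto.org", "m9quattro.duckdns.org", "m9assistant.hopto.org"]

# Constructed sample: HTTP moved to port 85, so nothing is defined for port 80.
BROKEN = """\
Listen 85
Listen 443
<VirtualHost *:85>
    ServerName m9quattro.hopto.org
</VirtualHost>
<VirtualHost *:443>
    ServerName m9quattro.hopto.org
</VirtualHost>
"""
# Constructed sample: the port 80 virtual host suggested in the thread.
FIXED = BROKEN.replace("Listen 85", "Listen 80").replace(
    "<VirtualHost *:85>\n    ServerName m9quattro.hopto.org\n",
    "<VirtualHost *:80>\n    ServerName m9quattro.hopto.org\n"
    "    ServerAlias m9quattro.duckdns.org m9assistant.hopto.org\n")

def port_of(addr):
    """Port of an address such as 80, *:80 or [::]:443; None if no port is given."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def audit(config_text, domains):
    """Summarise what Apache would offer on port 80 for the given domains."""
    listen, names80, vhosts80, in80 = set(), set(), 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            ports = {port_of(a) for a in opened.group(1).split()}
            in80 = 80 in ports or None in ports  # no port given: matches any port
            vhosts80 += in80
        elif VHOST_CLOSE.match(line):
            in80 = False
        else:
            key, *args = line.split()
            if key.lower() == "listen" and args:
                listen.add(port_of(args[0]))
            elif key.lower() in ("servername", "serveralias") and in80:
                names80.update(a.lower() for a in args)
    return {"listen_80": 80 in listen, "port80_vhosts": vhosts80,
            "unnamed": sorted(d for d in domains if d.lower() not in names80)}
```

On a Debian-style layout, pass it the concatenated text of /etc/apache2/ports.conf and the files in /etc/apache2/sites-enabled/; a result with `listen_80` false or `port80_vhosts` equal to 0 matches the situation in this thread.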