Can't get certbot to work successfully

My domain is:
voidcitymc.com
I ran this command:

sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: voidcitymc.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for voidcitymc.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. voidcitymc.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://voidcitymc.com/.well-known/acme-challenge/jxblb5k6ZHtr0rIKJw5mStnnlgXTE4KTYMRX3UDybYU [99.45.168.151]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

My web server is (include version):

Server version: Apache/2.4.38 (Raspbian)
Server built: 2019-08-18T13:34:20

The operating system my web server runs on is (include version):

raspbian buster (latest release)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

Thank you.

Note: I created a test text file at:
http://voidcitymc.com/.well-known/acme-challenge/test.txt

I see that your test.txt file works. That is good, but…
There must be something in the config that is tricking certbot to place the challenge file elsewhere.
OR
Apache is handling .txt files differently than . files.
Try copying the test.txt file to only test and check:
http://voidcitymc.com/.well-known/acme-challenge/test
If that works, please show the vhost config file.

http://voidcitymc.com/.well-known/acme-challenge/test
Seems to be working

Also my vhost file is empty

I’m confused…
[which is normal for me]

Because I don’t see a lock on your site nor a cert issued for that domain.
But you closed this as resolved :thinking:

I guess… you now know where the problem is!
[which is why you came here]

oh did I close this thread?
Must have done it accidentally.
Sorry, the issue is not resolved yet.

No worries.

The next step:

Because I can’t add attachments (I’m a new user) I put the file here http://voidcitymc.com/u/apache2.conf

All that is very “default” (and doesn’t show what we’re looking for).
It allows for additional code to be “included” via any of these “places”:

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

Let’s look through those locations for their 5 most recently modified/added files:

ls -lt /etc/apache2/ | tail -n 5
ls -lt /etc/apache2/mods-enabled/ | tail -n 5
ls -lt /etc/apache2/conf-enabled/ | tail -n 5
ls -lt /etc/apache2/sites-enabled/ | tail -n 5

As an example, a recently added Apache would look something like this:

user@local:/user/landing# ls -lt /etc/apache2/ | tail -n 5
drwxr-xr-x 2 root root 12288 Oct 31 09:08 mods-available
drwxr-xr-x 2 root root  4096 Oct 31 09:08 conf-available
-rw-r--r-- 1 root root  7224 Sep 16 12:58 apache2.conf
-rw-r--r-- 1 root root  1782 Jul 16 18:14 envvars
-rw-r--r-- 1 root root 31063 Jul 16 18:14 magic
user@local:/user/landing# ls -lt /etc/apache2/mods-enabled/ | tail -n 5
lrwxrwxrwx 1 root root 33 Oct 31 09:08 authn_core.load -> ../mods-available/authn_core.load
lrwxrwxrwx 1 root root 33 Oct 31 09:08 authz_core.load -> ../mods-available/authz_core.load
lrwxrwxrwx 1 root root 33 Oct 31 09:08 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root 32 Oct 31 09:08 mpm_event.conf -> ../mods-available/mpm_event.conf
lrwxrwxrwx 1 root root 32 Oct 31 09:08 mpm_event.load -> ../mods-available/mpm_event.load
user@local:/user/landing# ls -lt /etc/apache2/conf-enabled/ | tail -n 5
lrwxrwxrwx 1 root root 36 Oct 31 09:08 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
lrwxrwxrwx 1 root root 31 Oct 31 09:08 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root 46 Oct 31 09:08 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root 44 Oct 31 09:08 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root 30 Oct 31 09:08 charset.conf -> ../conf-available/charset.conf
user@local:/user/landing# ls -lt /etc/apache2/sites-enabled/ | tail -n 5
total 0
lrwxrwxrwx 1 root root 35 Oct 31 09:08 000-default.conf -> ../sites-available/000-default.conf

And the only file of interest there would be: 000-default.conf
But in this case, since the last 11 files all have the same date/time stamp and the first 5 are even older than them, it will not show us anything “new”.
Your output, however, should be more… alive.

Here is my output:

pi@WebSite:/etc/apache2 $ ls -lt /etc/apache2/ | tail -n 5
drwxr-xr-x 2 root root 4096 Sep 13 22:22 conf-enabled
-rw-r--r-- 1 root root 7224 Aug 18 06:34 apache2.conf
-rw-r--r-- 1 root root 1782 Apr 2 2019 envvars
-rw-r--r-- 1 root root 31063 Apr 2 2019 magic
-rw-r--r-- 1 root root 320 Apr 2 2019 ports.conf
pi@WebSite:/etc/apache2 $ ls -lt /etc/apache2/mods-enabled/ | tail -n 5
lrwxrwxrwx 1 root root 36 Sep 13 22:22 access_compat.load -> ../mods-available/access_compat.load
lrwxrwxrwx 1 root root 33 Sep 13 22:22 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root 33 Sep 13 22:22 authn_core.load -> ../mods-available/authn_core.load
lrwxrwxrwx 1 root root 33 Sep 13 22:22 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root 33 Sep 13 22:22 authz_core.load -> ../mods-available/authz_core.load
pi@WebSite:/etc/apache2 $ ls -lt /etc/apache2/conf-enabled/ | tail -n 5
lrwxrwxrwx 1 root root 36 Sep 13 22:22 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
lrwxrwxrwx 1 root root 31 Sep 13 22:22 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root 46 Sep 13 22:22 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root 44 Sep 13 22:22 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root 30 Sep 13 22:22 charset.conf -> ../conf-available/charset.conf
pi@WebSite:/etc/apache2 $ ls -lt /etc/apache2/sites-enabled/ | tail -n 5
total 0
lrwxrwxrwx 1 root root 35 Sep 13 22:22 000-default.conf -> ../sites-available/000-default.conf
pi@WebSite:/etc/apache2 $

OK so it’s pretty much a plain vanilla install.

Let’s have a look at the default conf - maybe we can alter it to ensure we can use --apache option or failsafe option with the --webroot option to get you a cert.
Please show file:
/etc/apache2/sites-enabled/000-default.conf

http://voidcitymc.com/u/000-default.conf

As expected, a very plain vanilla file.
And yet

fails...

Let's try this:
[make a dedicated challenges location and use mod Alias to ensure all challenges go there & test]

Step(s) 1. Make dedicated folders and place test files in them:

mkdir /ACME-challenges/
echo 'successful test-file @ /ACME-challenges/' > /ACME-challenges/test-file
mkdir /ACME-challenges/.well-known/
mkdir /ACME-challenges/.well-known/acme-challenge/
echo 'successful test-file @ /ACME-challenges/.well-known/acme-challenge/' > /ACME-challenges/.well-known/acme-challenge/test-file

Verify files were created with:
ls -l /ACME-challenges/
ls -l /ACME-challenges/.well-known/acme-challenge/

Step(s) 2. Enable mod Alias and insert code to use it:
#ensure Alias module is enabled
sudo a2enmod alias

#append these two lines to /etc/apache2/apache2.conf
[insert at the very bottom]

#send all ACME challenges to this dedicated location
Alias /.well-known/acme-challenge/ /ACME-challenges/

[save file]

Step 3. Restart Apache
systemctl restart apache2

Step 4. TEST
http://voidcitymc.com/.well-known/acme-challenge/test-file

While we wait…
Let’s all look at this Pi in my hand:

Everyone loves Pi!

And this neat 3A power adapter complete with on/off switch:


Pi POWER!

Thinking about Pi made me hungry!

OK this:


has turned… to this:

I’ll check back on this topic later.
[Hopefully the test files work and you can now issue a cert with: certbot --apache]

I did everything you said but I get this forbidden error. (Even after I set the permission to 777)

You leave a lot of detail out of things…

I’m guessing that Apache now has no access to the test-file.
Or the Internet requester has no access…
That makes sense.
Let’s add to the /etc/apache2/apache2.conf file:
[at the bottom again]

<Directory /ACME-challenges/>
        AllowOverride None
        Require all granted
</Directory>

[save file + restart apache + retest from Internet]
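
The Forbidden response above is what a default Debian apache2.conf gives for an Alias target outside the directories it grants, because it sets `Require all denied` on `/`. As an added example (not written by anyone in this thread), the shell check below reads one config file and reports whether the acme-challenge Alias target has a matching `<Directory>` block with `Require all granted`; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the ACME challenge Alias point at a directory Apache may serve?
# Limitation: reads one file and matches only a <Directory> for the exact aliased path.

# Print the filesystem path that /.well-known/acme-challenge/ is aliased to.
acme_alias_target() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "alias" && $2 ~ /^\/\.well-known\/acme-challenge\/?$/ { print $3; exit }
    ' "$1"
}

# Exit 0 if FILE ($1) has a <Directory DIR ($2)> block with "Require all granted".
dir_is_granted() {
    awk -v want="$2" '
        function norm(p) { gsub(/["<>]/, "", p); sub(/\/+$/, "", p); return p }
        /^[ \t]*#/ { next }
        tolower($1) == "<directory"   { inside = (norm($2) == norm(want)); next }
        tolower($1) == "</directory>" { inside = 0; next }
        inside && tolower($1 " " $2 " " $3) == "require all granted" { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Report "no-alias", "ok <dir>" or "forbidden <dir>" for one config file.
audit_acme_alias() {
    target=$(acme_alias_target "$1")
    if [ -z "$target" ]; then
        echo "no-alias"
    elif dir_is_granted "$1" "$target"; then
        echo "ok $target"
    else
        echo "forbidden $target"
    fi
}

# Constructed sample: tail of an apache2.conf after step 2; pass "with-grant" to add the block.
sample_conf() {
    printf '%s\n' '<Directory />' '    Require all denied' '</Directory>' \
        '#send all ACME challenges to this dedicated location' \
        'Alias /.well-known/acme-challenge/ /ACME-challenges/'
    [ "$1" = "with-grant" ] && printf '%s\n' '<Directory /ACME-challenges/>' \
        '    AllowOverride None' '    Require all granted' '</Directory>'
    return 0
}

tmp=$(mktemp)
sample_conf > "$tmp";            audit_acme_alias "$tmp"
sample_conf with-grant > "$tmp"; audit_acme_alias "$tmp"
rm -f "$tmp"
```

A grant on a parent directory or in an included file also satisfies Apache but is not detected by this check.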

Sorry for the lack of detail.
The test file was successful, but running certbot --apache was not. (same error as before)

Ok, my assumption was wrong - but you can leave the directory entry.
I do see:
successful test-file @ /ACME-challenges/
Which means the longer folders are not needed:
Let's tidy up a bit...
#removes .well-known/ and the nested test-file with it
rm -R /ACME-challenges/.well-known/


And now we think...
Please show the letsencrypt.log file (or, at least, the tail of it)

tail -n 40 /var/log/letsencrypt/letsencrypt.log

here’s the log: voidcitymc.com/u/letsencrypt.log