Can't renew with apache more VirtualHosts

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.munerotto.it (WordPress), nextmune.munerotto.it (Nextcloud)

I ran this command: sudo certbot renew -v --dry-run

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextmune.munerotto.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for nextmune.munerotto.it and www.munerotto.it
Performing the following challenges:
http-01 challenge for nextmune.munerotto.it
http-01 challenge for www.munerotto.it
Waiting for verification...
Challenge failed for domain nextmune.munerotto.it
Challenge failed for domain www.munerotto.it
http-01 challenge for nextmune.munerotto.it
http-01 challenge for www.munerotto.it

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: nextmune.munerotto.it
  Type:   connection
  Detail: 93.49.253.65: Fetching http://nextmune.munerotto.it/.well-known/acme-challenge/Ga8WnNd0WiHcID-0MiCF83VF-BUYE9ULygKdKwCIbqU: Timeout during connect (likely firewall problem)

  Domain: www.munerotto.it
  Type:   connection
  Detail: 93.49.253.65: Fetching http://www.munerotto.it/.well-known/acme-challenge/OBopCIVNBTIkfEQJTcC15RcsW5h8X5-SkgXozgd_DM0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate nextmune.munerotto.it with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/nextmune.munerotto.it/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot) : certbot 2.6.0

=============================================

My sites-enabled in Apache has two sites:

www.munerotto.it.conf:

# Begin vhost record on the default HTTP port 80
<VirtualHost *:80>
    # This is the name of the vhost.
    ServerName www.munerotto.it
    # These are alternative names for this same vhost.
    # We put the other domains here. They will all go to the same place.
    ServerAlias www.munerotto.it
    # Directory where the website code lives.
    DocumentRoot /var/www/html/www.munerotto.it

    <Directory "/">
        Options FollowSymLinks
        AllowOverride All
    </Directory>

# FM These lines are for the let's encrypt http verification process
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
    <directory /var/www/html/.well-known/acme-challenge>
      AllowOverride None
      Require all granted
    </directory>

###    LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #Include conf-available/serve-cgi-bin.conf

# FM  These lines force https
#RewriteEngine on
##RewriteCond %{SERVER_NAME} =www.munerotto.it
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

and

nextmune.munerotto.it.conf

# Begin vhost record on the default HTTP port 80
<VirtualHost *:80>
    # This is the name of the vhost.
    ServerName nextmune.munerotto.it
    # These are alternative names for this same vhost.
    # We put the other domains here. They will all go to the same place.
    ServerAlias nextmune.munerotto.it
    # Directory where the website code lives.
    DocumentRoot /var/www/html/nextmune.munerotto.it

    <Directory "/">
        Options FollowSymLinks
        AllowOverride All
    </Directory>

# FM These lines are for the let's encrypt http verification process
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
    <directory /var/www/html/.well-known/acme-challenge>
      AllowOverride None
      Require all granted
    </directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

In the very beginning I had the NextCloud instance in a Raspberry at home and the www in a webhosting. Then I bought a used PC and I use it as a server with both hosts.

I renewed the certificates and everything was ok.

Two weeks ago I bought a Cudy: it's an appliance that, if connected via the WAN port, acts as a router, but if the connection goes missing it connects via LTE using a cellular SIM: Cudy LT500, connected as in this sketch


as my landline is buggy due to an old cable that the official owner (the former Italian telephone company) is not willing to change.

I created the path /var/www/html/.well-known/acme-challenge/

Then I shared that dir in both Apache site confs:

# FM These lines are for the let's encrypt http verification process
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
    <directory /var/www/html/.well-known/acme-challenge>
      AllowOverride None
      Require all granted
    </directory>

but certbot is not working ;( and it complains that the http challenge is failing.
Do I need to work on the DNS, or is there a way to make the HTTP verification work?

Thanks in advance

PS I put the file hello.html which contains just the text "HELLO WORLD" in /var/www/html/.well-known/acme-challenge and wget http://nextmune.munerotto.it/.well-known/acme-challenge/hello.html works only if nextmune is set to 127.0.0.1 in /etc/hosts

PPS Forgot to say that /var/www/html/www.munerotto.it and /var/www/html/nextmune.munerotto.it are just two placeholders, as I moved them away and they are just two fresh folders.

Hello @mune, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let's Debug shows both domain names have issues reaching Port 80.

$ nmap -Pn -p80,443 www.munerotto.it
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-02 09:54 PDT
Nmap scan report for www.munerotto.it (93.49.253.65)
Host is up (0.19s latency).
rDNS record for 93.49.253.65: 93-49-253-65.ip329.fastwebnet.it

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 4.07 seconds
$ nmap -Pn -p80,443 nextmune.munerotto.it
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-02 09:55 PDT
Nmap scan report for nextmune.munerotto.it (93.49.253.65)
Host is up (0.19s latency).
rDNS record for 93.49.253.65: 93-49-253-65.ip329.fastwebnet.it

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 3.63 seconds
3 Likes

Probably forgot to portmap port 80 in one of your devices too.

3 Likes

In the DNS panel of my internet domain seller I set

Name munerotto.it. | Type A | Value 93.49.253.65
Name nextmune.munerotto.it. | Type CNAME | Value nextmune.ddns.net.
Name www.munerotto.it. | Type CNAME | Value nextmune.ddns.net.

(I use the ddns service because the server would have a different address depending on whether it is connected via the landline or via LTE.)

The main_router (192.168.2.254) forwards ports 80,443 to 192.168.2.253 (which is MAC bound to the Cudy (LTE/WAN capable modem)); it is connected with an ethernet (RJ11) cable. In turn the Cudy (with IP 192.168.1.253) forwards the ports 80 and 443 to 192.168.1.44 (the server, which is bound via MAC to that IP).

"Probably forgot to portmap port 80 in one of your devices too."

I don't understand: everything looks in place.

What you describe sounds good but it doesn't work. (see @linkp comment below)

It is not just Let's Encrypt that is affected. I cannot reach your "home" page from my own test server in the US.

The Let's Debug test site (https://letsdebug.net) still cannot see your domain.

Right now it looks like both ports 80 and 443 are "filtered" which usually means actively blocked by a firewall. But it could be another reason.

Often with setups like yours someone made a mistake with their port forwarding. That was why it was suggested to look there.

If you use a mobile phone with wifi turned off can you see your site?
http://nextmune.ddns.net

3 Likes

Your Cudy port forward does not look right. You indicate that you are forwarding from the Cudy LAN interface to a Cudy LAN host. Your forward needs to go from the Cudy WAN interface at 192.168.2.253 to your Cudy LAN host.

4 Likes
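To make the point in the reply above concrete, here is an added example (not code from the thread or from any of the devices involved) that models the double-NAT chain described in this thread and checks every port-forward rule the same way: a rule must listen on the device's WAN-side address, target a host inside that device's LAN, and that target must be the next NAT's WAN address or, at the last hop, the server. The /24 subnet masks and the "listen address" view of each rule are assumptions.

```python
# Added example (not from the thread): a model of the double-NAT chain described
# above (main router -> Cudy -> server). It checks each port forward the way the
# reply above does: a rule must listen on the device's WAN-side address, target a
# host inside its LAN, and that target must be the next device (or the server).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatDevice:
    name: str
    wan_ip: str     # address this device has on the upstream network
    lan_net: str    # subnet this device serves on its LAN side
    forwards: dict  # port -> (listen_ip, target_ip)

def trace_forward(devices, port, server_ip):
    """Follow `port` hop by hop; return (reachable, list of findings)."""
    findings = []
    for i, dev in enumerate(devices):
        if port not in dev.forwards:
            findings.append(f"{dev.name}: no forward rule for port {port}")
            return False, findings
        listen_ip, target_ip = dev.forwards[port]
        if listen_ip != dev.wan_ip:
            findings.append(f"{dev.name}: rule listens on {listen_ip}, not on "
                            f"its WAN address {dev.wan_ip}")
            return False, findings
        if ip_address(target_ip) not in ip_network(dev.lan_net):
            findings.append(f"{dev.name}: target {target_ip} is outside its LAN {dev.lan_net}")
            return False, findings
        # The last hop must land on the server; earlier hops on the next NAT's WAN side.
        expected = devices[i + 1].wan_ip if i + 1 < len(devices) else server_ip
        if target_ip != expected:
            findings.append(f"{dev.name}: forwards to {target_ip}, but next hop is {expected}")
            return False, findings
        findings.append(f"{dev.name}: {listen_ip}:{port} -> {target_ip}:{port} ok")
    return True, findings

# Constructed from the thread's description; the /24 masks are assumed.
MAIN_ROUTER = NatDevice("main_router", "93.49.253.65", "192.168.2.0/24",
                        {80: ("93.49.253.65", "192.168.2.253")})
# As described: the Cudy rule hangs off its LAN address 192.168.1.253 ...
CUDY_AS_DESCRIBED = NatDevice("cudy", "192.168.2.253", "192.168.1.0/24",
                              {80: ("192.168.1.253", "192.168.1.44")})
# ... whereas it must hang off the Cudy's WAN address 192.168.2.253.
CUDY_FIXED = NatDevice("cudy", "192.168.2.253", "192.168.1.0/24",
                       {80: ("192.168.2.253", "192.168.1.44")})

def check_port_80(cudy):
    return trace_forward([MAIN_ROUTER, cudy], 80, "192.168.1.44")
```

Running `check_port_80(CUDY_AS_DESCRIBED)` stops at the Cudy with a "listens on ... not on its WAN address" finding, while `check_port_80(CUDY_FIXED)` reports both hops ok.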

Not reachable :frowning:

I'm sorry I wasn't clear about the wiring.

main_router/modem
PORT for vADSL
4 LAN PORTS
PORT 1 -> connected to the Cudy's WAN port.
PORT 2-4 unused

Cudy
WAN PORT connected to one of the LANs of the main_router/modem
LAN PORT connected to 192.168.1.44 via the hub.

(I don't think you can forward from a net 192.168.2.x to 192.168.1.y)

At least you now have an easy way to test your network. Once you can reach your Apache server you could try getting a cert again.

Don't keep trying to get a cert until your mobile works and the Let's Debug test says it works (letsdebug.net)

Trying and failing too often can cause a temporary rate limit from Let's Encrypt

5 Likes

Moreover the server won't function when using the LTE

Maybe not, but routing should be possible.

2 Likes

You will need to figure out how if you expect to reach any hosts behind your Double-NAT setup.

4 Likes

I have just written to the Cudy support: they'll tell me, it doesn't seem to be a Let's Encrypt issue

3 Likes

The support hasn't given a solution so I got annoyed.
I decided to move the computer with the web server so it is directly connected to the ISP modem, as it was months ago:
cudy-LTE+WAN-simple_webserver
but renewing the certificate, to my big surprise, did not work, again.

To my even bigger surprise, pointing a web browser at the page http://www.munerotto.it/index.html doesn't serve the page but a blank one.

My Apache site conf is:

mune@fedehome:~$ cat /etc/apache2/sites-enabled/www.munerotto.it.conf 
# Begin vhost record on the default HTTP port 80
<VirtualHost *:80>
    # This is the name of the vhost.
    ServerName www.munerotto.it
    # These are alternative names for this same vhost.
    # We put the other domains here. They will all go to the same place.
    ServerAlias www.munerotto.it
    # Directory where the website code lives.
    DocumentRoot /var/www/html/www.munerotto.it

    <Directory "/">
        Options FollowSymLinks
        AllowOverride All
    </Directory>

# FM These lines are for the let's encrypt http verification process
    AliasMatch /.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
    <directory /var/www/html/.well-known/acme-challenge>
      AllowOverride None
      Require all granted
    </directory>

###    LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    #Include conf-available/serve-cgi-bin.conf


# FM  These lines force https
#RewriteEngine on
##RewriteCond %{SERVER_NAME} =www.munerotto.it
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I guess the problem is here. Of course I can't have a certificate if even the simplest thing doesn't work.

Please help

I can't reach your site using HTTP (port 80) at all. It shows as "filtered" which usually means it is blocked by a firewall.

I can reach your domain using HTTPS (port 443) but it fails due to invalid config on your end. That is maybe expected, but it just shows general connectivity is fine; just port 80 is a problem.

5 Likes

I have the same
BUT

  1. the modem/router forwards the ports 80 and 443 to the server;
  2. the server's firewall is down (for the moment):
     $ sudo ufw status
     Status: inactive
  3. Apache hasn't any blocking module:
     $ ls /etc/apache2/mods-enabled/
     access_compat.load  alias.conf        alias.load         auth_basic.load
     authn_core.load     authn_file.load   authz_core.load    authz_host.load
     authz_user.load     autoindex.conf    autoindex.load     deflate.conf
     deflate.load        dir.conf          dir.load           env.load
     filter.load         headers.load      mime.conf          mime.load
     mpm_prefork.conf    mpm_prefork.load  negotiation.conf   negotiation.load
     php8.1.conf         php8.1.load       reqtimeout.conf    reqtimeout.load
     rewrite.load        setenvif.conf     setenvif.load      socache_shmcb.load
     ssl.conf            ssl.load          status.conf        status.load

What can it be? I don't see anything blocking port 80.

If you are sure there is no firewall in the router and that the router is set up properly then you should ask your ISP if they block port 80 to you.

5 Likes

Do you see any requests reaching your web server in the Apache logs?
Have you rebooted the firewall?
Are you 100% certain the firewall is forwarding to the new IP?

4 Likes

Now I'll do that, even if I think they haven't changed in the last month: before it was working.

I restarted the web server

$ sudo service apache2 restart

and the log file /var/log/apache2/error.log confirms it:

[Mon Jul 24 12:33:06.575775 2023] [mpm_prefork:notice] [pid 166077] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Mon Jul 24 12:33:06.575816 2023] [core:notice] [pid 166077] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jul 24 18:27:30.101964 2023] [mpm_prefork:notice] [pid 166077] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Jul 24 18:27:30.203184 2023] [mpm_prefork:notice] [pid 167570] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Mon Jul 24 18:27:30.203306 2023] [core:notice] [pid 167570] AH00094: Command line: '/usr/sbin/apache2'

Then I used the browser to get the page http://www.munerotto.it but I received a blank page; the log file /var/log/apache2/error.log is unchanged while /var/log/apache2/access.log adds the lines

8.2.210/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
::1 - - [24/Jul/2023:18:37:07 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 (internal dummy connection)"
::1 - - [24/Jul/2023:18:37:27 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 (internal dummy connection)"