Cert bot not creating .well-known dirs in development enviroment

I'm developing on CentOS 7 and compiled Apache (currently 2.4.41) myself. I have multiple domains with each having a virtual host.

I have a simple static website I'm trying to add https to but the .well-known dir is not being created.

To test the websites and apache in a browser on my development machine I typed at the command line:
echo "10.0.2.15 example.com" >> /etc/hosts
echo "10.0.2.15 www.example.com" >> /etc/hosts

For http websites this setup has worked perfectly. I skip the echo step when staging or releasing the website into production.

If I type the following command at the command line, the .well-known directory is not created and adding the certificate fails:
certbot --test-cert -d example.com -d www.example.com --webroot --webroot-path /home/tst/public_html -i apache --apache-server-root /usr/local/apache --apache-challenge-location /usr/local/apache/conf.d --debug-challenges

If I look in the log file, I don't see any errors about creating the webroot.

Here is what my virtual host:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /home/tst/public_html
ServerAdmin webmaster@example.com
UseCanonicalName Off

DocumentRoot "/home/tst/public_html"

DirectoryIndex index.html

<Directory /home/tst/public_html>
Options Indexes FollowSymLinks MultiViews ExecCGI	

AllowOverride all
Require all granted
 </Directory>

ErrorLog /home/tst/logs/error.log
CustomLog /home/tst/logs/access.log combined

I change the directory permission to 777 and still have the same problem.

I've made two substitutions from the actual env:

  1. I replaced my domain name with "example.com"
  2. I replaced the beginning of the path to DocumentRoot on my server with /home/tst

How do I get certbot to create the .well-known dir? Am I missing something? Or is there a better dev setup for certbot?

Here is certbot log:
2021-01-29 10:39:35,517:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-01-29 10:39:35,981:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-01-29 10:39:35,982:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/889/bin/certbot
2021-01-29 10:39:35,982:DEBUG:certbot._internal.main:Arguments: ['--test-cert', '-d', 'example.com', '-d', 'www.example.com', '--webroot', '--webroot-path', '/home/tst/public_html', '-i', 'apache', '--apache-server-root', '/usr/local/apache', '--apache-challenge-location', '/usr/local/apache/conf.d', '--debug-challenges', '--preconfigured-renewal']
2021-01-29 10:39:35,982:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-01-29 10:39:36,017:DEBUG:certbot._internal.log:Root logging level set at 20
2021-01-29 10:39:36,017:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-01-29 10:39:36,030:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer apache
2021-01-29 10:39:36,325:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.41
2021-01-29 10:39:37,238:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f00913f85b0>
Prep: True
2021-01-29 10:39:37,244:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f00913f8550>
Prep: True
2021-01-29 10:39:37,245:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f00913f8550> and installer <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f00913f85b0>
2021-01-29 10:39:37,245:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer apache
2021-01-29 10:39:37,450:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/17778314', new_authzr_uri=None, terms_of_service=None), 5e13be7cb11a420b94e921fcf2286697, Meta(creation_dt=datetime.datetime(2021, 1, 28, 14, 28, 54, tzinfo=), creation_host='mymemphismma.com', register_to_eff=None))>
2021-01-29 10:39:37,451:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2021-01-29 10:39:37,453:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2021-01-29 10:39:37,941:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2021-01-29 10:39:37,944:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:45 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"4Ckh1VXVG2A": "Adding random entries to the directory",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "Staging Environment - Let's Encrypt - Free SSL/TLS Certificates"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-01-29 10:39:37,946:DEBUG:certbot.display.util:Notifying user: Requesting a certificate for example.com and www.example.com
2021-01-29 10:39:37,976:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
2021-01-29 10:39:38,015:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem
2021-01-29 10:39:38,016:DEBUG:acme.client:Requesting fresh nonce
2021-01-29 10:39:38,016:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2021-01-29 10:39:38,098:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-01-29 10:39:38,100:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:46 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003CPQv3uIa0OOZ0tKdvPUeXwDxv7d-XbbO4atHEaYar0k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2021-01-29 10:39:38,101:DEBUG:acme.client:Storing nonce: 0003CPQv3uIa0OOZ0tKdvPUeXwDxv7d-XbbO4atHEaYar0k
2021-01-29 10:39:38,102:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "example.com"\n },\n {\n "type": "dns",\n "value": "www.example.com"\n }\n ]\n}'
2021-01-29 10:39:38,106:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDAzQ1BRdjN1SWEwT09aMHRLZHZQVWVYd0R4djdkLVhiYk80YXRIRWFZYXIwayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "ify-QRT2q3sGNV3_Ep6_Z_9yfN5rmMQrq6mprFwJCDcbGD6jD2H2Fo5M9gmn6i1uJ_jPpqws1nX69FQo8TlVp5fplTfpuGs1XosXbczTAgxqdchey-MDrdIByPP9yILCpW2GphL7QEvyIaw8xru54SsKp8tezr4EnJrNf4j-lT_w8wN56TXFc4GjWNL5azWemwv_UgkuNL7iNs3Dcs99xLAJl9liGz6ZsNO7gZwoEJWQY5f0ukH8f2Q_BJ9RQSVQhDg1jyTpFKLf11DpVFw5DOSZSYewAvxWVal5xSgXndmKiCeEOd_Hi9VEAE3EpvEGp8bNDVNwfXmqKfiJtHw8eA",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInN0ZWxsYXJwYXRlbnQuY29tIgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5zdGVsbGFycGF0ZW50LmNvbSIKICAgIH0KICBdCn0"
}
2021-01-29 10:39:38,227:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 500
2021-01-29 10:39:38,229:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 29 Jan 2021 15:39:46 GMT
Content-Type: application/json
Content-Length: 500
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/17778314/230935723
Replay-Nonce: 0004UrbkuUpANfaZZqmbLhQV8Pf9MMHMoYiQTZ81p5pQSfk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2021-02-05T15:39:46Z",
"identifiers": [
{
"type": "dns",
"value": "example.com"
},
{
"type": "dns",
"value": "www.example.com"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389382",
"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389383"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/17778314/230935723"
}
2021-01-29 10:39:38,230:DEBUG:acme.client:Storing nonce: 0004UrbkuUpANfaZZqmbLhQV8Pf9MMHMoYiQTZ81p5pQSfk
2021-01-29 10:39:38,231:DEBUG:acme.client:JWS payload:
b''
2021-01-29 10:39:38,238:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389382:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDA0VXJia3VVcEFOZmFaWnFtYkxoUVY4UGY5TU1ITW9ZaVFUWjgxcDVwUVNmayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAzODkzODIifQ",
"signature": "mhbzJQ9uC1N1rUtC7JlbYSZtVaOS8vCxsfLbgcHbOznslgBT3eJD5fC2tbMnXiMA93Vct50igA4qsRZo_808miBOSxYux7NIZeJluhlMmJPJSj410bqRCYIzFMG6-9JUJaRMS0wj8aeo41ykN_hJRkTxesXg5MElJMyujURsxKCFdnSDG-zNoi5ntk3tB9LLxnL3ZlONyBYmEbRVysx_xOT-o7PdOyxbmfD7UabUhNGdw0ehvyr7EfNslpIoLhDJ5syv19rVaOkESgMffkBIVF15Q-PYPOASU1mcofRhYSP7plbNTOal4UlxwrWeYihZwmKgp1vjnhgrtdlt-z_x_Q",
"payload": ""
}
2021-01-29 10:39:38,334:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200389382 HTTP/1.1" 200 816
2021-01-29 10:39:38,336:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:46 GMT
Content-Type: application/json
Content-Length: 816
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0004X_AWz2-3H4hSolLQlZFn4necg6wOBuWllkn_Dl_aobY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "example.com"
},
"status": "pending",
"expires": "2021-02-05T15:39:46Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/DoVPEg",
"token": "U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/ViUc8A",
"token": "U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/IHeSIA",
"token": "U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU"
}
]
}
2021-01-29 10:39:38,337:DEBUG:acme.client:Storing nonce: 0004X_AWz2-3H4hSolLQlZFn4necg6wOBuWllkn_Dl_aobY
2021-01-29 10:39:38,338:DEBUG:acme.client:JWS payload:
b''
2021-01-29 10:39:38,344:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389383:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDA0WF9BV3oyLTNINGhTb2xMUWxaRm40bmVjZzZ3T0J1V2xsa25fRGxfYW9iWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAzODkzODMifQ",
"signature": "MuhdBMlalUFd5PHCHnUpMdkFBMAY0T8IC2aO4wQzHOVjbPBBAEOgQBVEfNBSxqJ_nc7uR4VTRxAnYALBkyWWq29fVmsvvX9Aq-C9PoOm2LQyDh4K9tk9yYpwDIb1mU_uil4OQjPx8dwZSO2n4bEIyNZn_C_gf6xnm4-Gaip_2vPaoORazfbq5M0OKyIr7meUM5ZsUSWfazFOBDAb9xxcYpFBFnVEaYUexe6RnfxRDN9IU7E2XPhHuuIUhbwrwZ39Nl5XDHb7esuHbLKHcHTch7RAR5dlHt7kcrGI744goJlo1EJIAzP9pB09A5O7LAWtHYLq2rzG9oIN6wMYtiFfQA",
"payload": ""
}
2021-01-29 10:39:38,438:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200389383 HTTP/1.1" 200 820
2021-01-29 10:39:38,440:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:46 GMT
Content-Type: application/json
Content-Length: 820
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003x1vi0whzG-ryE0AcqrYMK3SdNv9FnkxAkTI6-YKLQ8o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "www.example.com"
},
"status": "pending",
"expires": "2021-02-05T15:39:46Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/OxYgmw",
"token": "jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/Th7YPg",
"token": "jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/rj5B0Q",
"token": "jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI"
}
]
}
2021-01-29 10:39:38,441:DEBUG:acme.client:Storing nonce: 0003x1vi0whzG-ryE0AcqrYMK3SdNv9FnkxAkTI6-YKLQ8o
2021-01-29 10:39:38,443:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-01-29 10:39:38,443:INFO:certbot._internal.auth_handler:http-01 challenge for example.com
2021-01-29 10:39:38,444:INFO:certbot._internal.auth_handler:http-01 challenge for www.example.com
2021-01-29 10:39:38,444:INFO:certbot._internal.plugins.webroot:Using the webroot path /home/tst/public_html for all unmatched domains.
2021-01-29 10:39:38,444:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /home/tst/public_html/.well-known/acme-challenge
2021-01-29 10:39:38,445:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /home/tst/public_html/.well-known/acme-challenge
2021-01-29 10:39:38,447:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /home/tst/public_html/.well-known/acme-challenge/U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU
2021-01-29 10:39:38,450:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /home/tst/public_html/.well-known/acme-challenge/jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI
2021-01-29 10:39:38,450:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-01-29 10:39:38,451:DEBUG:certbot.display.util:Notifying user: Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
2021-01-29 10:39:43,937:DEBUG:acme.client:JWS payload:
b'{}'
2021-01-29 10:39:43,939:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/DoVPEg:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDAzeDF2aTB3aHpHLXJ5RTBBY3FyWU1LM1NkTnY5Rm5reEFrVEk2LVlLTFE4byIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yMDAzODkzODIvRG9WUEVnIn0",
"signature": "Bf8swjNj7uWfucakxmN36OR2oTzZ5cFEhMiMAE66__RvWwn75lrZQbreuiVoMEtHe8yIqghH_e1Ws3To1H54AeDLLHvpeDJVbXz1u_nsQIND5cBblqSk0z8GDBHR6yJMERYKt6EPA9geUeOZIbmregXyYyGuh61-AUGKwRjM6aGIoVqpiy5ZVJ00PcNAP6XSHsUANRMDjx_wlUH-fl-8e5uf5EMauhskYOez6rZ8C1FjLkGK7_zUENxQpT3tbZoK6sRYPlNjPzl1M6XS3ZO1k9ge72bgMBNw5RQW463WOChb048vWG3UUzdJbI11MiQ2Exi6TuhCy6veMG9O1GbglQ",
"payload": "e30"
}
2021-01-29 10:39:44,034:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/200389382/DoVPEg HTTP/1.1" 200 192
2021-01-29 10:39:44,036:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:52 GMT
Content-Type: application/json
Content-Length: 192
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index", https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389382;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/DoVPEg
Replay-Nonce: 0003bCHsLyfXtEp5C5QZ-agyoCG6BrrF9V6YXAtfpaVG1vs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/DoVPEg",
"token": "U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU"
}
2021-01-29 10:39:44,036:DEBUG:acme.client:Storing nonce: 0003bCHsLyfXtEp5C5QZ-agyoCG6BrrF9V6YXAtfpaVG1vs
2021-01-29 10:39:44,038:DEBUG:acme.client:JWS payload:
b'{}'
2021-01-29 10:39:44,042:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/OxYgmw:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDAzYkNIc0x5Zlh0RXA1QzVRWi1hZ3lvQ0c2QnJyRjlWNllYQXRmcGFWRzF2cyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yMDAzODkzODMvT3hZZ213In0",
"signature": "wZoCBaGQjkJSWK0s4TugKVlR_PbtrL-pLaHkO6_O7n22NC21f8T6lISWdLvlHj5b-PFoxOvA81OxY9_gLwo6t-miZdV6Cy-cwjbJTWgauUVBzqZu3w8LQkqLtyCLjUlFPTinHbGVEFMDkRevTbrVs504fXqUDjSy6YehZzr0gmjRFYPP_WyJXCMh8kmtl6RdCh_OWXrwG9XIsDz0txiaBWx9uNk-nyGjUAg2l1fEzXjFJo7qopZ6bA9xC2vO-1k8lK0q8CqSIVJCpBq7CVTChC9r08B8EtjJzLZAlLpOyeOFtZKCHHmDkYFCxxJpVpJ020Emx3KSagO1Ogeqqi74tA",
"payload": "e30"
}
2021-01-29 10:39:44,136:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/200389383/OxYgmw HTTP/1.1" 200 192
2021-01-29 10:39:44,138:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:52 GMT
Content-Type: application/json
Content-Length: 192
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index", https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389383;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/OxYgmw
Replay-Nonce: 0004CrQm0Fh8monqrgE1Y7DkFdndxQ-Sr--bdcxBZ70pbEU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/OxYgmw",
"token": "jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI"
}
2021-01-29 10:39:44,139:DEBUG:acme.client:Storing nonce: 0004CrQm0Fh8monqrgE1Y7DkFdndxQ-Sr--bdcxBZ70pbEU
2021-01-29 10:39:45,141:DEBUG:acme.client:JWS payload:
b''
2021-01-29 10:39:45,149:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389382:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDA0Q3JRbTBGaDhtb25xcmdFMVk3RGtGZG5keFEtU3ItLWJkY3hCWjcwcGJFVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAzODkzODIifQ",
"signature": "Os6mwj6m8KDp7Gzi0nI1EkWpYBoS8g2UoJT0gggpHGL2nXo859YjiI21Ka5cUz1ZtoryYIBLK2EY-rF35SRlDSRTQXEJaJi74S3ynH8T3f8vqY52q_QBuhiDNAm1R4qRohTIpCJ8wqLcS7dHMHiT0omfnXdXMfEfFQY1ajDxx3BotZfV9bR5BdJIQw8ls-hdyAVUQ8Gt8InHT3AoyNLTuPdPywYGZbQ6cjE8iihMuG1iumcfVh5g0Qo8G-3VNJYLiyg-Hv5zsW7bOQsFyU3jbdcArP2QMTBndrffvKjgrb0wA6CZfRS6AwSbWpQxlNrc9U3dnD5afqv9jAfjkbGCVw",
"payload": ""
}
2021-01-29 10:39:45,244:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200389382 HTTP/1.1" 200 1233
2021-01-29 10:39:45,246:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:53 GMT
Content-Type: application/json
Content-Length: 1233
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003KK8U8jFyRYCjGwTaWIbaILv7ABTrtWDPlMKU3t9fXQ0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "example.com"
},
"status": "invalid",
"expires": "2021-02-05T15:39:46Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://example.com/.well-known/acme-challenge/U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU [3.218.36.80]: "\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389382/DoVPEg",
"token": "U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU",
"validationRecord": [
{
"url": "http://example.com/.well-known/acme-challenge/U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU",
"hostname": "example.com",
"port": "80",
"addressesResolved": [
"3.218.36.80"
],
"addressUsed": "3.218.36.80"
}
]
}
]
}
2021-01-29 10:39:45,247:DEBUG:acme.client:Storing nonce: 0003KK8U8jFyRYCjGwTaWIbaILv7ABTrtWDPlMKU3t9fXQ0
2021-01-29 10:39:45,249:DEBUG:acme.client:JWS payload:
b''
2021-01-29 10:39:45,252:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/200389383:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNzc3ODMxNCIsICJub25jZSI6ICIwMDAzS0s4VThqRnlSWUNqR3dUYVdJYmFJTHY3QUJUcnRXRFBsTUtVM3Q5ZlhRMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAzODkzODMifQ",
"signature": "A36b5Bo-xsbRn8Gl3zG1Vaft0UtB0Wvw5LPhpGnZ5RvNAvzzQySXYc-a0Wm6f7XYTK5Nmi1as9UCFDatWyBJ_LPqxoSBZvTtQ4n_dSSRPkcB0tmpNUheSIxRceYLmq92XD_taF0yFM0O0xqDUBZuUmBLF9lUah3c3-4JO6zXzOn19_fKPat5-1UYRMFQU3rNNvyIp6psmaea9C-DF3V8f3X-duS_IAttSpUDfr9hKtekBjgUMEQ7OHxvzCJC_5o0LARkd4Pz1QLbaL0waud7ym1HuZdBhAdpSyA1Oox56-LA6wa_Nbl2j80auM4Lsbr3OLQWfhjuWqF9bUSHo_jgiA",
"payload": ""
}
2021-01-29 10:39:45,345:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200389383 HTTP/1.1" 200 1249
2021-01-29 10:39:45,347:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 29 Jan 2021 15:39:53 GMT
Content-Type: application/json
Content-Length: 1249
Connection: keep-alive
Boulder-Requester: 17778314
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 00030zx4ukT7xPBaW7E4Q7z6e-Q5xW_bU21sZGYNdNRPwwo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "www.example.com"
},
"status": "invalid",
"expires": "2021-02-05T15:39:46Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://www.example.com/.well-known/acme-challenge/jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI [3.218.36.80]: "\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/200389383/OxYgmw",
"token": "jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI",
"validationRecord": [
{
"url": "http://www.example.com/.well-known/acme-challenge/jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI",
"hostname": "www.example.com",
"port": "80",
"addressesResolved": [
"3.218.36.80"
],
"addressUsed": "3.218.36.80"
}
]
}
]
}
2021-01-29 10:39:45,348:DEBUG:acme.client:Storing nonce: 00030zx4ukT7xPBaW7E4Q7z6e-Q5xW_bU21sZGYNdNRPwwo
2021-01-29 10:39:45,350:WARNING:certbot._internal.auth_handler:Challenge failed for domain example.com
2021-01-29 10:39:45,350:WARNING:certbot._internal.auth_handler:Challenge failed for domain www.example.com
2021-01-29 10:39:45,350:INFO:certbot._internal.auth_handler:http-01 challenge for example.com
2021-01-29 10:39:45,350:INFO:certbot._internal.auth_handler:http-01 challenge for www.example.com
2021-01-29 10:39:45,351:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: example.com
Type: unauthorized
Detail: Invalid response from http://example.com/.well-known/acme-challenge/U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU [3.218.36.80]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Domain: www.example.com
Type: unauthorized
Detail: Invalid response from http://www.example.com/.well-known/acme-challenge/jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI [3.218.36.80]: "\n\n404 Not Found\n\n

Not Found

\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-01-29 10:39:45,352:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-01-29 10:39:45,352:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-01-29 10:39:45,353:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-01-29 10:39:45,353:DEBUG:certbot._internal.plugins.webroot:Removing /home/tst/public_html/.well-known/acme-challenge/U-WoSrjA4mJcpszgtRhsroCO5GvXJzpjdzX7KK-jbyU
2021-01-29 10:39:45,353:DEBUG:certbot._internal.plugins.webroot:Removing /home/tst/public_html/.well-known/acme-challenge/jcxE8v2YawfrKvtE7Kurkz5OUJh417yQpRBZ96ys2jI
2021-01-29 10:39:45,353:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-01-29 10:39:45,354:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/889/bin/certbot", line 8, in
sys.exit(main())
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/main.py", line 1421, in main
return config.func(config, plugins)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/main.py", line 1155, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/main.py", line 135, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/var/lib/snapd/snap/certbot/889/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-01-29 10:39:45,358:ERROR:certbot._internal.log:Some challenges have failed.

1 Like

Although I can't see it in the logs, I do believe it does create, and deletes, any neccessary folders.
It just might happen too quickly for you to notice OR you didn't realize that it would cleanup after itself and delete whatever files and folders it created.

Either way you might be able to slow it down by using --manual so that you can confirm if it is or isn't making new files and folders.

1 Like

OP should check the actual location of the directories while certbot is waiting for the user input at the "Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges." step.

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Is 3.218.36.80 the correct public IPv4 address of your webserver (as reflected by the A record in the DNS zone for your domain name)?

Try using this to test:

sudo certbot certonly --webroot -w /home/tst/public_html -d "example.com,www.example.com" -vv --dry-run --debug-challenges

If that works, try this:

sudo certbot run -a webroot -w /home/tst/public_html -d "example.com,www.example.com" -i apache --keep

1 Like

With the -v option, I can see the .well-known dir is being created. In a browser, I can open up the files cerbot created.

I'm wondering if certbot is doing the validation on the real domain instead of my development version. I wonder if this is causing the problem and if it is, how to get around it:

2 Likes

Let's Encrypt will pull the A record from the DNS zone of your domain name when checking for the challenge files. Let's Encrypt will not check private IP addresses.

1 Like

@ griffin
I have this setup in a VirtualBox. This is my development version. I'm not sure if I'm going down the right path with setting up the dev env.

1 Like

Of course it is.
If you don't own the name you can't get a cert for it.
[not even a staging cert]

You need a real "test" FQDN.
One that can be resolved to and reach your system.

OR

Switch authentication methods - use DNS auth and LE won't try to reach you box, it will then reach your real DNS zone and ask it for the TXT record associated with "TEST.YOUR.DOMAIN".

1 Like

@ rg305
I own the domain but I want to keep the production setup separate from the dev. Is there a work around or do I need to setup another domain like dev.example.com to use it and use the real name.

1 Like

Certbot isn't doing the validation at all, that's the Let's Encrypt validation server.. Please start with some basics:

1 Like

You must own the domain.

You are free to use any subdomain of it.
Like:
dev2.your.domain
testdev.your.domain
dev.test.your.domain

1 Like

It looks like certbot is the wrong tool to use in development. It looks like a self signed cert is best for local development and let's encrypt is best brought in during staging: Certificates for localhost - Let's Encrypt - Free SSL/TLS Certificates. I was able to use dns verification and get it to work on a local version but I'm going to switch to self signed in the future.

@rg305 cleared up my confusion

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.