Certbot 1.22.0 renew stopped working

vieridipaola · April 18, 2024, 10:46am

Hi,

I have a Gentoo Apache2 HTTP host with letsencrypt certificates for several domains.

I've been simply renewing certs for years with a cron job:

certbot renew -q

No issues until today, and I now have less than a month to fix this before the certs expire...

# certbot --version
certbot 1.22.0

The renewal process fails because it is unable to find the acme challenge URI (HTTP code 404).
The Gentoo host is online on tcp port 80.

I thought I'd just grab new certs with

certbot certonly --apache -d mydomainlist

but it gave me the same error (404).

So I followed the guide here: Certbot Instructions | Certbot

and ran:

certbot --apache -d mydomainlist

However, I'm still getting the same 404 errors.

Here's an example (just one, such as supranet.hmanacor.org, because there are more than 40):

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: mydomain
  Type:   unauthorized
  Detail: Invalid response from http://mydomain/.well-known/acme-challenge/cwfFZPIquTk0chaC5AJjGz4gi1y3ZfvROg0JukLJ6sA: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

If I run curl from the WAN side of my server I get something like this (eg. supranet.hmanacor.org):

# curl -Ii http://mydomain
HTTP/1.1 200 OK
Date: 
Server: Apache
Content-Security-Policy: frame-ancestors 'self' https://*.mydomain:*
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

My conf files are in the standard location on Gentoo:
/etc/apache2/vhosts.d

I do not see any conf file changes after running the above certbot command.
Should I see them, or are they just temporary and reverted back when certbot exits?

Is my certbot version too old, and that's why it is now failing all of a sudden maybe due to a change on letsencrypt's side?

BTW, I am NOT geoblocking or WAFing. In fact, I can see that clients try to access the challenge in my Apache log:

"GET /.well-known/acme-challenge/cwfFZPIquTk0chaC5AJjGz4gi1y3ZfvROg0JukLJ6sA HTTP/1.1" 404 37

What puzzles me is that I've been renewing all these years without any trouble at all, and now all of a sudden I'm getting this odd behavior.

Any suggestions?

BTW, is there a guide somewhere to manually configure the Apache configuration files (just the certbot/acme challenge part)?

Thanks

Osiris · April 18, 2024, 12:28pm

If you're running Gentoo, then yes, your Certbot is certainly way too old, as Gentoo keeps their repository updated quite nicely. While keeping your software up to date is always important, this is probably not causing your current issue.

The changes are temporary, only during the validation attempt and afterwards they're rolled back. You can review the changes during the challenge validation (well, just before that actually) by using the --debug-challenges option. Certbot will pause after it gets the challenge in position just before the actual validation attempt.

Usually a (sudden) 404 comes from a misconfigured Apache, usually multiple virtualhosts for the same hostname.

Can you show the output of the sudo apache2ctl -t -D DUMP_VHOSTS ?

vieridipaola · April 18, 2024, 4:08pm

Thanks for the --debug-challenges option. It helped me see how the configuration was modified. At the same time, I noticed that some domains I passed with -d were not in my Apache config anymore. I fixed that.
Now I'm not getting the 404 not found errors anymore (not one).

However, when I run:

certbot -v --debug-challenges --apache -d mydomainlist

I now get an error in the secondary validation.

Just one example (they all seem to fail with the same error):

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: acs.hmanacor.org
  Type:   connection
  Detail: During secondary validation: 83.61.3.216: Fetching http://acs.hmanacor.org/.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c: Timeout during connect (likely firewall problem)

I see this in my Apache log:

3.16.151.34 - - [18/Apr/2024:17:51:54 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c HTTP/1.1" 200 87
54.244.62.108 - - [18/Apr/2024:17:51:54 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c HTTP/1.1" 200 87
23.178.112.101 - - [18/Apr/2024:17:51:54 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c HTTP/1.1" 200 87

Is that for the "first" validation? Why 3 connections?

In any case, I don't see what the cause of this error might be.
Like I said, there should be no geoblocking or WAFing in the way during certbot execution...

What else can I try?

Osiris · April 18, 2024, 4:10pm

There should be 5 connections: 1 from the primary and 4 from secondary (remote) validation points from all over the world (I believe 3 US and 2 somewhere else entirely I believe). See:

If some validation points work, but not others, this usually is a sign there is some kind of geoblocking in play. Although you say that cannot be the case.. Maybe network issues then? I dunno.. LE uses AWS currently for their remote validations.

vieridipaola · April 18, 2024, 4:44pm

OK, so in the above domain example I posted I ran the following after a while:

# grep .well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c /var/log/apache2/*_log
/var/log/apache2/access_log:3.16.151.34 - - [18/Apr/2024:17:51:54 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c HTTP/1.1" 200 87
/var/log/apache2/access_log:54.244.62.108 - - [18/Apr/2024:17:51:54 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c HTTP/1.1" 200 87
/var/log/apache2/access_log:23.178.112.101 - - [18/Apr/2024:17:51:54 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c HTTP/1.1" 200 87
/var/log/apache2/access_log:184.105.99.36 - - [18/Apr/2024:18:08:13 +0200] "GET /.well-known/acme-challenge/uOlojY6V-O5JLkbabQduryEmWlCdge21TXxDuaFPL-c: HTTP/1.1" 404 37

As you can see I got the fourth connection (the fifth one didn't come up). However, it came way too late. At that time I think the certbot had already finished (that's why I see a 404 there).

184.105.99.36 is from Seattle, and I shouldn't have any issues on my side accepting connections from there.
Why did that connection happen so late?

[EDIT] Also, if I get the following message I guess it's because I'm being rate limited?

An unexpected error occurred:
There were too many requests of a given type :: Service busy; retry later.

If so, after how long can I retry?

rg305 · April 18, 2024, 5:55pm

Because it's NOT from LE.
See: ARIN Whois/RDAP - American Registry for Internet Numbers
And the subtle difference in the URL (see the trailing ":") creates that 404 response.

rg305 · April 18, 2024, 6:06pm

I beleive the limit is five failures within an hour.
Looking at: Rate Limits - Let's Encrypt (letsencrypt.org)
I don't see that specific error message explained in detail.
"There were too many requests of a given type"

You'll likely have to wait until there are only four within the last hour to try again.
But repeating the same request, without making any change(s), will only produce the same result.
You should use the staging environment to do as much testing as you need [and until it passes those tests].

vieridipaola · April 18, 2024, 6:36pm

After completely pulling down modsecurity, suricata, geoblocking and some BLs, certbot seems to successfully deploy certs, except when it gets to the end:

Redirecting vhost in /etc/apache2/vhosts.d/custom_extranet.conf to ssl vhost in /etc/apache2/vhosts.d/custom_extranet.conf
Failed redirect for acs.hmanacor.org
Unable to set the redirect enhancement for acs.hmanacor.org.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name hmanacor.org-0001

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

I'm not sure if the error is for acs.hmanacor.org alone.

If it is, here's it's virtual host:

# grep --before-context=1 acs *
custom_acs.conf-<VirtualHost *:443>
custom_acs.conf:        ServerName acs.hmanacor.org
custom_acs.conf:        ServerAlias acs.hospitalmanacor.org

rg305 · April 18, 2024, 6:42pm

certbot is looking for the HTTP vhost to set the redirect.

This is usually an indication of things having NOT gone to plan:

What shows?:
sudo apachectl -t -D DUMP_VHOSTS

Osiris · April 18, 2024, 7:41pm

With Gentoo it's usually apache2ctl (as shown in the same command I already requested earlier).

catharsis · April 18, 2024, 9:52pm

Out of curiosity are you using Apache's mod_cache caching or do you have mod_cache enabled at all?

I'm currently looking into a similar issue that only started recently for me, I narrowed it down to mod_cache being the apparent source of the issue, and found that CacheDisable /.well-known/acme-challenge/ resolves/avoids the issue, I suspect this started after an Apache update as my configuration has not changed.

I may make my own thread once I know more but I'm still gathering information. I saw this thread and wondered if it might be a manifestation of the same issue.

vieridipaola · April 19, 2024, 6:14am

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_vhost.conf:35)
         port 80 namevhost inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_vhost.conf:35)
                 alias dsl1.hmanacor.org
                 alias dsl2.hmanacor.org
                 alias dsl1.hospitalmanacor.org
                 alias dsl2.hospitalmanacor.org
                 alias supranet.hmanacor.org
                 alias supranet.hospitalmanacor.org
                 alias ftp.hmanacor.org
                 alias ftp.hospitalmanacor.org
                 alias communicator.hmanacor.org
                 alias communicator.hospitalmanacor.org
         port 80 namevhost appsbeta.hmanacor.org (/etc/apache2/vhosts.d/custom_appsbeta.conf:197)
         port 80 namevhost extranet.hmanacor.org (/etc/apache2/vhosts.d/custom_extranet.conf:4)
                 alias extranet.hospitalmanacor.org
                 alias fundacion.hospitalmanacor.org
                 alias www.hmanacor.org
                 alias hmanacor.org
                 alias hospitalmanacor.org
                 alias www.hospitalmanacor.org
         port 80 namevhost infranet.hmanacor.org (/etc/apache2/vhosts.d/custom_infranet.conf:4)
                 alias infranet.hospitalmanacor.org
                 alias download.hmanacor.org
         port 80 namevhost intranet.hmanacor.org (/etc/apache2/vhosts.d/custom_intranet_http.conf:4)
                 alias intranet.hospitalmanacor.org
                 alias caib.hospitalmanacor.org
                 alias intranet-dev.hospitalmanacor.org
                 alias intranet-dev.hmanacor.org
                 alias intranet-sso.hospitalmanacor.org
*:62004                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_ips_ssl_vhost.conf:12)
*:62000                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_ips_vhost.conf:5)
*:62003                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_ipsm_vhost.conf:12)
*:62002                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_out_ssl_vhost.conf:12)
*:62001                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_out_vhost.conf:5)
*:443                  is a NameVirtualHost
         default server inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:12)
         port 443 namevhost inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:12)
                 alias dsl1.hmanacor.org
                 alias dsl2.hmanacor.org
                 alias dsl1.hospitalmanacor.org
                 alias dsl2.hospitalmanacor.org
                 alias supranet.hmanacor.org
                 alias supranet.hospitalmanacor.org
                 alias ftp.hmanacor.org
                 alias ftp.hospitalmanacor.org
                 alias communicator.hmanacor.org
                 alias communicator.hospitalmanacor.org
         port 443 namevhost acs.hmanacor.org (/etc/apache2/vhosts.d/custom_acs.conf:6)
                 alias acs.hospitalmanacor.org
         port 443 namevhost aida.hmanacor.org (/etc/apache2/vhosts.d/custom_aida.conf:6)
         port 443 namevhost alcatelpbx.hmanacor.org (/etc/apache2/vhosts.d/custom_alcatelpbx.conf:6)
         port 443 namevhost apps.hmanacor.org (/etc/apache2/vhosts.d/custom_apps.conf:6)
         port 443 namevhost appsbeta.hmanacor.org (/etc/apache2/vhosts.d/custom_appsbeta.conf:6)
         port 443 namevhost extranet.hmanacor.org (/etc/apache2/vhosts.d/custom_extranet.conf:54)
                 alias extranet.hospitalmanacor.org
                 alias fundacion.hospitalmanacor.org
                 alias www.hmanacor.org
                 alias hmanacor.org
                 alias hospitalmanacor.org
                 alias www.hospitalmanacor.org
         port 443 namevhost professionals.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_hmansg.conf:6)
                 alias professionals2.hospitalmanacor.org
                 alias professionals3.hospitalmanacor.org
         port 443 namevhost professionals.hmanacor.org (/etc/apache2/vhosts.d/custom_hmansg_dev.conf:6)
                 alias professionals2.hmanacor.org
                 alias professionals3.hmanacor.org
         port 443 namevhost infranet.hmanacor.org (/etc/apache2/vhosts.d/custom_infranet-le-ssl.conf:2)
                 alias infranet.hospitalmanacor.org
                 alias download.hmanacor.org
         port 443 namevhost intranet.hmanacor.org (/etc/apache2/vhosts.d/custom_intranet.conf:6)
                 alias intranet.hospitalmanacor.org
                 alias caib.hospitalmanacor.org
                 alias intranet-dev.hospitalmanacor.org
                 alias intranet-dev.hmanacor.org
                 alias intranet-sso.hospitalmanacor.org
         port 443 namevhost jabber.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_jabber.conf:6)
                 alias jabber.hmanacor.org
         port 443 namevhost meet.hmanacor.org (/etc/apache2/vhosts.d/custom_meet.conf:6)
                 alias meet.hospitalmanacor.org
                 alias meet2.hospitalmanacor.org
                 alias meet3.hospitalmanacor.org
         port 443 namevhost sip.hmanacor.org (/etc/apache2/vhosts.d/custom_sip_webrtc.conf:6)
                 alias sip.hospitalmanacor.org
                 alias sip2.hospitalmanacor.org
                 alias sip2.hmanacor.org
         port 443 namevhost xmpp.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_xmpp.conf:6)
                 alias xmpp.hmanacor.org

My apache has the mod_cache module, but it doesn't enable it.

So in the above listing acs.hmanacor.org is available.

rg305 · April 19, 2024, 1:05pm

Not for port 80 [HTTP].
Only for port 443 [HTTPS].

vieridipaola · April 19, 2024, 1:22pm

Yes, but why?
I mean, I never configured for port 80 before, and certbot always renewed the certs. Am I wrong to suppose that certbot's apache module should auto-configure the virtual host for port 80?

I can manually add port 80 for all virtual hosts (there's more than just the acs example above). However, it strikes me that I never had the need to do so before (and I did not change my apache vhost dir since the last time certbot renewed the certs).

I'll do that and get back to you.

Thanks!

rg305 · April 19, 2024, 1:55pm

Yes, certbot could create the HTTPS vhost from an HTTP vhost.
But not an HTTP vhost from thin air [nor from an HTTPS vhost].

linkp · April 19, 2024, 2:20pm

Why not use mod_md with Apache?

rg305 · April 19, 2024, 2:21pm

Then you should read more on what the parameters ask certbot to do:

You are using "--apache", and part of that asks it to create an HTTPS vhost [if one doesn't already exist].

vieridipaola · April 19, 2024, 7:55pm

Yes, but Certbot was leaving behind new .conf files in my apache dir even when done running. Something must have gone wrong because a subsequent run after I deleted the extra .conf file did NOT reproduce that file. I understand these modifications are temporary and the original files are restored or should be restored once certbot exits.

Anyway, here's what I get now:

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying certificate
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_extranet.conf
Successfully deployed certificate for hmanacor.org to /etc/apache2/vhosts.d/custom_extranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_acs.conf
Successfully deployed certificate for acs.hmanacor.org to /etc/apache2/vhosts.d/custom_acs.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_acs.conf
Successfully deployed certificate for acs.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_acs.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_aida.conf
Successfully deployed certificate for aida.hmanacor.org to /etc/apache2/vhosts.d/custom_aida.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_alcatelpbx.conf
Successfully deployed certificate for alcatelpbx.hmanacor.org to /etc/apache2/vhosts.d/custom_alcatelpbx.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_apps.conf
Successfully deployed certificate for apps.hmanacor.org to /etc/apache2/vhosts.d/custom_apps.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_appsbeta.conf
Successfully deployed certificate for appsbeta.hmanacor.org to /etc/apache2/vhosts.d/custom_appsbeta.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for communicator.hospitalmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for communicator.hmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Created an SSL vhost at /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Successfully deployed certificate for download.hmanacor.org to /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for dsl1.hmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for dsl2.hmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_extranet.conf
Successfully deployed certificate for extranet.hmanacor.org to /etc/apache2/vhosts.d/custom_extranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Successfully deployed certificate for infranet.hmanacor.org to /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_intranet.conf
Successfully deployed certificate for intranet.hmanacor.org to /etc/apache2/vhosts.d/custom_intranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_intranet.conf
Successfully deployed certificate for intranet.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_intranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_jabber.conf
Successfully deployed certificate for jabber.hmanacor.org to /etc/apache2/vhosts.d/custom_jabber.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_jabber.conf
Successfully deployed certificate for jabber.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_jabber.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_hmansg_dev.conf
Successfully deployed certificate for professionals.hmanacor.org to /etc/apache2/vhosts.d/custom_hmansg_dev.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_hmansg_dev.conf
Successfully deployed certificate for professionals2.hmanacor.org to /etc/apache2/vhosts.d/custom_hmansg_dev.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for dsl1.hospitalmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for dsl2.hospitalmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_extranet.conf
Successfully deployed certificate for extranet.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_extranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_extranet.conf
Successfully deployed certificate for fundacion.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_extranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Successfully deployed certificate for infranet.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_infranet-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_intranet.conf
Successfully deployed certificate for intranet-dev.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_intranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_intranet.conf
Successfully deployed certificate for intranet-sso.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_intranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_meet.conf
Successfully deployed certificate for meet.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_meet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_hmansg.conf
Successfully deployed certificate for professionals.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_hmansg.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_hmansg.conf
Successfully deployed certificate for professionals2.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_hmansg.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for supranet.hmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for supranet.hospitalmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Successfully deployed certificate for sip.hmanacor.org to /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Successfully deployed certificate for sip.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Successfully deployed certificate for sip2.hmanacor.org to /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Successfully deployed certificate for sip2.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_sip_webrtc.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_meet.conf
Successfully deployed certificate for meet2.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_meet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_extranet.conf
Successfully deployed certificate for www.hmanacor.org to /etc/apache2/vhosts.d/custom_extranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_extranet.conf
Successfully deployed certificate for www.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_extranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_xmpp.conf
Successfully deployed certificate for xmpp.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_xmpp.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_xmpp.conf
Successfully deployed certificate for xmpp.hmanacor.org to /etc/apache2/vhosts.d/custom_xmpp.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/custom_intranet.conf
Successfully deployed certificate for caib.hospitalmanacor.org to /etc/apache2/vhosts.d/custom_intranet.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for ftp.hmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Deploying Certificate to VirtualHost /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Successfully deployed certificate for ftp.hospitalmanacor.org to /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
Redirecting vhost in /etc/apache2/vhosts.d/custom_extranet.conf to ssl vhost in /etc/apache2/vhosts.d/custom_extranet.conf
Failed redirect for acs.hmanacor.org
Unable to set the redirect enhancement for acs.hmanacor.org.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name hmanacor.org-0001

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_vhost.conf:35)
         port 80 namevhost inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_vhost.conf:35)
                 alias dsl1.hmanacor.org
                 alias dsl2.hmanacor.org
                 alias dsl1.hospitalmanacor.org
                 alias dsl2.hospitalmanacor.org
                 alias supranet.hmanacor.org
                 alias supranet.hospitalmanacor.org
                 alias ftp.hmanacor.org
                 alias ftp.hospitalmanacor.org
                 alias communicator.hmanacor.org
                 alias communicator.hospitalmanacor.org
                 alias acs.hmanacor.org
                 alias acs.hospitalmanacor.org
                 alias aida.hmanacor.org
                 alias alcatelpbx.hmanacor.org
                 alias apps.hmanacor.org
                 alias appsbeta.hmanacor.org
                 alias professionals.hmanacor.org
                 alias professionals2.hmanacor.org
                 alias professionals3.hmanacor.org
                 alias professionals.hospitalmanacor.org
                 alias professionals2.hospitalmanacor.org
                 alias professionals3.hospitalmanacor.org
                 alias jabber.hmanacor.org
                 alias jabber.hospitalmanacor.org
                 alias meet.hmanacor.org
                 alias meet.hospitalmanacor.org
                 alias meet2.hospitalmanacor.org
                 alias meet3.hospitalmanacor.org
                 alias xmpp.hmanacor.org
                 alias xmpp.hospitalmanacor.org
                 alias sip.hmanacor.org
                 alias sip.hospitalmanacor.org
                 alias sip2.hmanacor.org
                 alias sip2.hospitalmanacor.org
         port 80 namevhost appsbeta.hmanacor.org (/etc/apache2/vhosts.d/custom_appsbeta.conf:197)
         port 80 namevhost extranet.hmanacor.org (/etc/apache2/vhosts.d/custom_extranet.conf:4)
                 alias extranet.hospitalmanacor.org
                 alias fundacion.hospitalmanacor.org
                 alias www.hmanacor.org
                 alias hmanacor.org
                 alias hospitalmanacor.org
                 alias www.hospitalmanacor.org
         port 80 namevhost infranet.hmanacor.org (/etc/apache2/vhosts.d/custom_infranet.conf:4)
                 alias infranet.hospitalmanacor.org
                 alias download.hmanacor.org
         port 80 namevhost intranet.hmanacor.org (/etc/apache2/vhosts.d/custom_intranet_http.conf:4)
                 alias intranet.hospitalmanacor.org
                 alias caib.hospitalmanacor.org
                 alias intranet-dev.hospitalmanacor.org
                 alias intranet-dev.hmanacor.org
                 alias intranet-sso.hospitalmanacor.org
*:62004                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_ips_ssl_vhost.conf:12)
*:62000                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_ips_vhost.conf:5)
*:62003                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_ipsm_vhost.conf:12)
*:62002                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_out_ssl_vhost.conf:12)
*:62001                inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_out_vhost.conf:5)
*:443                  is a NameVirtualHost
         default server inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:12)
         port 443 namevhost inf-gw2.hospitalmanacor.org (/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:12)
                 alias dsl1.hmanacor.org
                 alias dsl2.hmanacor.org
                 alias dsl1.hospitalmanacor.org
                 alias dsl2.hospitalmanacor.org
                 alias supranet.hmanacor.org
                 alias supranet.hospitalmanacor.org
                 alias ftp.hmanacor.org
                 alias ftp.hospitalmanacor.org
                 alias communicator.hmanacor.org
                 alias communicator.hospitalmanacor.org
         port 443 namevhost acs.hmanacor.org (/etc/apache2/vhosts.d/custom_acs.conf:6)
                 alias acs.hospitalmanacor.org
         port 443 namevhost aida.hmanacor.org (/etc/apache2/vhosts.d/custom_aida.conf:6)
         port 443 namevhost alcatelpbx.hmanacor.org (/etc/apache2/vhosts.d/custom_alcatelpbx.conf:6)
         port 443 namevhost apps.hmanacor.org (/etc/apache2/vhosts.d/custom_apps.conf:6)
         port 443 namevhost appsbeta.hmanacor.org (/etc/apache2/vhosts.d/custom_appsbeta.conf:6)
         port 443 namevhost extranet.hmanacor.org (/etc/apache2/vhosts.d/custom_extranet.conf:54)
                 alias extranet.hospitalmanacor.org
                 alias fundacion.hospitalmanacor.org
                 alias www.hmanacor.org
                 alias hmanacor.org
                 alias hospitalmanacor.org
                 alias www.hospitalmanacor.org
         port 443 namevhost professionals.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_hmansg.conf:6)
                 alias professionals2.hospitalmanacor.org
                 alias professionals3.hospitalmanacor.org
         port 443 namevhost professionals.hmanacor.org (/etc/apache2/vhosts.d/custom_hmansg_dev.conf:6)
                 alias professionals2.hmanacor.org
                 alias professionals3.hmanacor.org
         port 443 namevhost infranet.hmanacor.org (/etc/apache2/vhosts.d/custom_infranet-le-ssl.conf:2)
                 alias infranet.hospitalmanacor.org
                 alias download.hmanacor.org
         port 443 namevhost intranet.hmanacor.org (/etc/apache2/vhosts.d/custom_intranet.conf:6)
                 alias intranet.hospitalmanacor.org
                 alias caib.hospitalmanacor.org
                 alias intranet-dev.hospitalmanacor.org
                 alias intranet-dev.hmanacor.org
                 alias intranet-sso.hospitalmanacor.org
         port 443 namevhost jabber.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_jabber.conf:6)
                 alias jabber.hmanacor.org
         port 443 namevhost meet.hmanacor.org (/etc/apache2/vhosts.d/custom_meet.conf:6)
                 alias meet.hospitalmanacor.org
                 alias meet2.hospitalmanacor.org
                 alias meet3.hospitalmanacor.org
         port 443 namevhost sip.hmanacor.org (/etc/apache2/vhosts.d/custom_sip_webrtc.conf:6)
                 alias sip.hospitalmanacor.org
                 alias sip2.hospitalmanacor.org
                 alias sip2.hmanacor.org
         port 443 namevhost xmpp.hospitalmanacor.org (/etc/apache2/vhosts.d/custom_xmpp.conf:6)
                 alias xmpp.hmanacor.org

Selecting option 2 leads to the same:

[...]
Redirecting vhost in /etc/apache2/vhosts.d/custom_extranet.conf to ssl vhost in /etc/apache2/vhosts.d/custom_extranet.conf
Failed redirect for acs.hmanacor.org
Unable to set the redirect enhancement for acs.hmanacor.org.

I'm a bit confused now because acs.hmanacor.org is defined in /etc/apache2/vhosts.d/00_default_vhost.conf.
It can't get any more verbose, but I still don't quite understand the error message.

rg305 · April 19, 2024, 11:10pm

I think the cert must match all the names in the vhost.
When the cert has only a few names and the vhost has many more names/aliases, then certbot can't redirect that [entire] vhost and will complain about not being able to find a matching HTTP vhost to place the redirection.

That said, do you really even need certbot to create a redirection for you?

vieridipaola · April 19, 2024, 11:26pm

No.
At this point, what can I do?
Running the same command without --apache yields the same failure message.

Topic		Replies	Views
Certbot failed to authenticate, Invalid response Help	15	6714	December 17, 2022
Certbot - Hard Coded URL Rewrite Means HTTP-01 Challenge Fails on Apache Server	25	8014	June 11, 2017
Certbot - Troubleshooting HTTP-01 Challenge Related Issues Help	23	12324	July 6, 2017
Suddenly acme-challenge Invalid response Help	27	7727	June 25, 2020
Certbot Updates - Not Able to Renew Cert Help	37	4754	May 31, 2021

Certbot 1.22.0 renew stopped working

Related Topics