Certbot --apache error

Hello! I have a Nextcloud server that I am trying to get updated to the newest release. I have worked through various updates and now I am trying to get a certificate by using 'sudo certbot --apache'. My output is posted below. I am not sure how to make the /.well-known/acme-challenge/ folder visible for the authentication. Thank you!

My domain is: snstegalmjlnext.ddns.net

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: snstegalmjlnext.ddns.net


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for snstegalmjlnext.ddns.net

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: snstegalmjlnext.ddns.net
Type: unauthorized
Detail: 192.230.211.66: Invalid response from http://snstegalmjlnext.ddns.net/.well-known/acme-challenge/YUz3PA-1grAmo0RtOSrlb85mcILgFI6x9MimbUQ-I9U: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Nextcloud 20.0.14

The operating system my web server runs on is (include version): Ubuntu 24.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.11.0

I'm getting a login screen for a Luma device. Not Apache nor Nextcloud.

3 Likes

I thought that was fixed on my end. Luma is supposed to be on snstegalmjl.ddns.net.

@Osiris I can see the maintenance mode screen when I try with https. https://snstegalmjlnext.ddns.net/

Let's Encrypt validation servers need to be able to reach your ACME client on port 80. Connections to port 80 are currently terminating on your Luma login screen. You will need to fix that before you will be able to successfully complete your HTTP-01 challenge.

6 Likes

Looks like both hostnames are resolving to the same IP address, but you have port 80 NAT portmapped to your Luma device and port 443 NAT portmapped to your Nextcloud host.

You might want to portmap 80 as well as 443 to the same webserver and, depending on the hostname being connected to (using virtual hosts), reverse proxy the requests for snstegalmjl.ddns.net to your Luma device and requests for snstegalmjlnext.ddns.net to your Nextcloud.

And have that reverse proxy webserver (which can be Apache, see Reverse Proxy Guide - Apache HTTP Server Version 2.4) serve the certificates.

3 Likes

Thank you both! Earlier today I tried to work around this by changing Nextcloud ports to: HTTP to port 77, Apache to 80 and HTTPS to 443. I see it was unsuccessful now.

1 Like

I shut off Luma for the time being. I think I may have screwed something up worse trying to fix it.

I received the cert but now I get this error:

This certificate expires on 2025-01-16.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for snstegalmjlnext.ddns.net to /etc/apache2/sites-available/nextcloud-le-ssl.conf
Error while running apache2ctl graceful.
httpd not running, trying to start

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Error while running apache2ctl graceful.
httpd not running, trying to start

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
An error occurred and we failed to restore your config and restart your server. Please post to Help - Let's Encrypt Community Support with details about your configuration and this error you received.
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name snstegalmjlnext.ddns.net

Error while running apache2ctl graceful.
httpd not running, trying to start

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
AH00015: Unable to open logs

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

If it wasn't Apache listening on port 443, what is?

r610@r610:~$ sudo lsof -i :443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 31755 root 6u IPv6 75877 0t0 TCP *:https (LISTEN)
httpd 31756 root 6u IPv6 75877 0t0 TCP *:https (LISTEN)
httpd 31757 root 6u IPv6 75877 0t0 TCP *:https (LISTEN)
httpd 31758 root 6u IPv6 75877 0t0 TCP *:https (LISTEN)
httpd 31859 root 6u IPv6 75877 0t0 TCP *:https (LISTEN)

httpd.. That's Apache, right? Weird..

2 Likes

Yeah, I'm not sure what's going on. Thank you so much for your help.

1 Like

You could try installing the certificate manually into Apache.

2 Likes

@Osiris I ran sudo certbot install --cert-name snstegalmjlnext.ddns.net with the same result. Could it have to do with this issue I get when running sudo apt upgrade?

mariadb-client : Breaks: mariadb-server (< 1:10.11.8-0ubuntu0.24.04.1) but 1:10.6.18-0ubuntu0.22.04.1 is installed
mariadb-plugin-provider-bzip2 : Depends: mariadb-server (>= 1:10.11.1-1) but 1:10.6.18-0ubuntu0.22.04.1 is installed
mariadb-plugin-provider-lz4 : Depends: mariadb-server (>= 1:10.11.1-1) but 1:10.6.18-0ubuntu0.22.04.1 is installed
mariadb-plugin-provider-lzma : Depends: mariadb-server (>= 1:10.11.1-1) but 1:10.6.18-0ubuntu0.22.04.1 is installed
mariadb-plugin-provider-lzo : Depends: mariadb-server (>= 1:10.11.1-1) but 1:10.6.18-0ubuntu0.22.04.1 is installed
mariadb-plugin-provider-snappy : Depends: mariadb-server (>= 1:10.11.1-1) but 1:10.6.18-0ubuntu0.22.04.1 is installed
mariadb-server : Depends: mariadb-server-10.6 (>= 1:10.6.18-0ubuntu0.22.04.1) but it is not installable

I have no idea why mariadb or problems with apt would interfere with Apache/port 443.

@Osiris Do you know what is the best way to install manually?

Thinking more about it, I don't even use mariadb, the Nextcloud runs mysql.

Manually edit the Apache configuration file.

There's already an older Let's Encrypt certificate installed in Apache. You just need to replace that older reference to the new one.

Certbot seems to have determined that your certificate needs to end up in /etc/apache2/sites-available/nextcloud-le-ssl.conf.

Although I'm still puzzled why Certbot would give those errors when it's trying to restart Apache while httpd, which is Apache, is running.. Could there be 2 different instances of Apache running on your system perhaps?

Also, what's the output of sudo certbot certificates?

1 Like
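Added example (not from this thread or from Certbot/Nextcloud): one Apache configuration that implements the earlier suggestion of forwarding both port 80 and port 443 to a single web server and routing by hostname, and that shows the two SSLCertificate* lines the manual edit of nextcloud-le-ssl.conf is meant to change. The certificate paths for snstegalmjlnext.ddns.net are the ones Certbot reported in this thread; LUMA_LAN_IP, /var/www/nextcloud and the snstegalmjl.ddns.net certificate path are assumed placeholders.

```apache
# Added example (not from the thread): one Apache front end that owns both port 80
# and port 443 on the same host and routes by hostname. The certificate paths for
# snstegalmjlnext.ddns.net are the ones Certbot reported in the thread; LUMA_LAN_IP,
# /var/www/nextcloud and the snstegalmjl.ddns.net certificate path are assumptions.
# Modules assumed enabled: a2enmod ssl rewrite proxy proxy_http

# A global ServerName silences the AH00558 warning seen in the certbot output.
ServerName snstegalmjlnext.ddns.net

# Port 80 for both hostnames: answer ACME HTTP-01 challenges locally and redirect
# everything else to HTTPS. Port 80 must be NAT-forwarded to this host, otherwise
# the CA's request ends up on whatever device currently owns that port mapping.
<VirtualHost *:80>
    ServerName snstegalmjlnext.ddns.net
    ServerAlias snstegalmjl.ddns.net
    DocumentRoot /var/www/html
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443, Nextcloud: the two SSLCertificate* lines are what a manual edit of
# nextcloud-le-ssl.conf replaces; /etc/letsencrypt/live/ symlinks always point at
# the newest issuance, so the paths stay valid across renewals.
<VirtualHost *:443>
    ServerName snstegalmjlnext.ddns.net
    DocumentRoot /var/www/nextcloud
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/snstegalmjlnext.ddns.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/snstegalmjlnext.ddns.net/privkey.pem
    <Directory /var/www/nextcloud>
        Require all granted
        AllowOverride All
    </Directory>
</VirtualHost>

# Port 443, Luma: TLS terminates here and traffic is proxied to the device over
# the LAN. This vhost needs its own certificate (assumed path below), e.g. from
# certbot --apache -d snstegalmjl.ddns.net once port 80 reaches this host.
<VirtualHost *:443>
    ServerName snstegalmjl.ddns.net
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/snstegalmjl.ddns.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/snstegalmjl.ddns.net/privkey.pem
    ProxyPreserveHost On
    ProxyPass        "/" "http://LUMA_LAN_IP/"
    ProxyPassReverse "/" "http://LUMA_LAN_IP/"
</VirtualHost>
```

Run `apache2ctl configtest` before `apache2ctl graceful`; if the bind on 443 still fails with "Address already in use", the other listener on that port has to be found and stopped first, since a second Apache or any other service holding :443 produces exactly the AH00072 errors in the thread.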

@Osiris The response says it found the valid cert in a different location. I know it's the valid one because it says so and 89 days left, which means it was issued yesterday! Woohoo!

In response to Apache: I ran 'ps aux | grep apache2' and it only shows that one instance is running....

Finally got to where I could post the output of 'sudo certbot certificates', shown below. I looked at the README.TXT in /etc/letsencrypt/live/snstegalmjlnext.ddns.net/, where the cert below says it's located; it says not to move or rename the files...


Found the following certs:
Certificate Name: snstegalmjlnext.ddns.net
Serial Number: 3cfaf36a02daca4bfc835aa460aa19e8bc5
Key Type: ECDSA
Domains: snstegalmjlnext.ddns.net
Expiry Date: 2025-01-16 19:57:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/snstegalmjlnext.ddns.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/snstegalmjlnext.ddns.net/privkey.pem