Certbot: Challenge failed for domain

I am trying to run a server for remote access from a device connected to a university network, hence no access to the router settings. I am using a VPN to obtain a public IP address for this purpose and I am struggling to find support for the error I am receiving when setting up HTTPS certification. Thank you for any help you can provide.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloud.lenzeta.com

I ran this command: certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: cloud.lenzeta.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.lenzeta.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain cloud.lenzeta.com
http-01 challenge for cloud.lenzeta.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Squarespace

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

2 Likes

Welcome to the Let's Encrypt Community 🙂

Currently http://cloud.lenzeta.com/.well-known/acme-challenge/test is returning 403 Forbidden instead of 404 Not Found. Did you change your configuration since you last ran certbot?

2 Likes

Thanks for the welcome griffin! I have yet to see a 404 Not Found, have only encountered 403 Forbidden throughout the tests. I haven't changed anything just yet in the configuration since copying that message.

3 Likes

You're very welcome. Let's take a look...

What says sudo apachectl -S?

1 Like

Just some (potentially relevant) info:

curl -Iki http://cloud.lenzeta.com/.well-known/acme-challenge/test-file-1234
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 345
Date: Mon, 05 Oct 2020 13:55:37 GMT
Server: lighttpd/1.4.47

In case it wasn't obvious:
Apache/2.4.41 <> lighttpd/1.4.47

2 Likes

Thanks guys, unfortunately I only have access to the office every second day of the week due to the circumstances, but this will be the first thing I try on Wednesday morning and I’ll post the message once I see. Thanks for the quick responses too!

3 Likes

This is the message I got when using sudo apachectl -S:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 cloud.lenzeta.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

OK
Please show the file:

Or maybe just the output of this will do:

grep -ERi 'server|virtual|listen|root' /etc/apache2/sites-enabled/
1 Like

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port t>
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName cloud.lenzeta.com

#       <IfModule mod_headers.c>
#               Header always set Strict-Transport-Security "max-age=15552000; >
#       </IfModule>

#       <Directory /var/www/html/>
#               Options +FollowSymlinks
#               AllowOverride All
#       </Directory>

   ServerAdmin hamish.geddes@icloud.com
   DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Try this:
sudo certbot run -i apache -a webroot -w /var/www/html -d cloud.lenzeta.com

2 Likes

It seems an error occurred on that command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 156, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 300, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 168, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f9da89c4250>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f9da89c4250>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f9da89c4250>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))
Please see the logfiles in /var/log/letsencrypt for more details.

Please show the output of:
curl -Iki https://acme-v02.api.letsencrypt.org/

and:
cat /etc/resolv.conf

for curl:

HTTP/2 200
server: nginx
date: Wed, 07 Oct 2020 07:41:53 GMT
content-type: text/html
content-length: 2174
last-modified: Mon, 25 Feb 2019 19:57:39 GMT
etag: "5c7448b3-87e"
x-frame-options: DENY
strict-transport-security: max-age=604800

and for cat:

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0

Try this:
sudo certbot certonly -a webroot -w /var/www/html -d cloud.lenzeta.com --dry-run

And show this:
nslookup acme-v02.api.letsencrypt.org
dig +short acme-v02.api.letsencrypt.org

1 Like

For certbot:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.lenzeta.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain cloud.lenzeta.com
http-01 challenge for cloud.lenzeta.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

and for nslookup:

Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

and for dig:

prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248

1 Like

hmm...

How about the outputs of:
curl ifconfig.me
sudo certbot --version

1 Like

213.205.241.210

and

certbot 0.40.0

1 Like

This IP:

Does NOT equal the IP for the domain you are trying to get a cert for.
cloud.lenzeta.com
As seen in the request from LE:

The IP tried is 146.185.17.165
Which matches what DNS shows:

Name:    cloud.lenzeta.com
Address:  146.185.17.165

You are NOT on the cloud.lenzeta.com system and are trying to get a cert for it.

1 Like
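The two checks that resolved this thread (does the public address of the host running certbot match the DNS answer for the domain, and does the challenge path answer 404 from the expected web server rather than 403 from something else) can be scripted so they run before certbot is invoked. The following is an added example, not code from the thread, from certbot or from Let's Encrypt; the names Probe, classify, resolve and probe_challenge_path are my own, the constructed sample values in the test are taken from the outputs posted above, and the probe assumes the public IP is supplied on the command line (the equivalent of curl ifconfig.me):

```python
"""Pre-flight diagnosis for a failing HTTP-01 challenge (added example).

Encodes the checks the replies above walk through by hand: compare the public
address of the host running certbot with what DNS returns for the domain, and
look at how /.well-known/acme-challenge/ answers a request for a token that
does not exist. A healthy web root answers 404, not 403, and the Server header
should name the web server that actually serves the web root certbot writes to.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    """Everything the checks need, so the logic can be exercised offline."""
    domain: str
    public_ip: str            # address this host is reached from (e.g. curl ifconfig.me)
    resolved_ips: List[str]   # A/AAAA answers for domain
    status: Optional[int]     # HTTP status for a missing token, None if unreachable
    server: Optional[str]     # value of the Server: header, if any


def classify(probe: Probe, expected_server: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if probe.public_ip not in probe.resolved_ips:
        where = ", ".join(probe.resolved_ips) or "nothing"
        findings.append(
            f"DNS for {probe.domain} points at {where}, but this host is reached as "
            f"{probe.public_ip}: the CA's validation request will go to another machine")
    if probe.status is None:
        findings.append(f"http://{probe.domain}{CHALLENGE_PATH} is unreachable on port 80")
    elif probe.status == 403:
        findings.append(
            "403 Forbidden for a non-existent token: an access rule or directory "
            "setting blocks the challenge path; a plain web root answers 404")
    elif probe.status != 404:
        findings.append(f"unexpected status {probe.status} for a non-existent token")
    if expected_server and probe.server and expected_server.lower() not in probe.server.lower():
        findings.append(
            f"Server header is {probe.server!r}, not {expected_server!r}: a different "
            "web server answers for this name, so the web root certbot writes to is not served")
    return findings


def resolve(domain: str) -> List[str]:
    """A and AAAA answers for domain, empty if resolution fails."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_challenge_path(domain: str, token: str = "preflight-test") -> Tuple[Optional[int], Optional[str]]:
    """HEAD request for a token that does not exist; returns (status, Server header)."""
    req = urllib.request.Request(f"http://{domain}{CHALLENGE_PATH}{token}", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Server")
    except urllib.error.HTTPError as err:   # 4xx/5xx responses still carry headers
        return err.code, err.headers.get("Server")
    except (urllib.error.URLError, OSError):
        return None, None


if __name__ == "__main__":
    # usage: python preflight.py DOMAIN PUBLIC_IP [EXPECTED_SERVER]
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py DOMAIN PUBLIC_IP [EXPECTED_SERVER]")
    dom, ip = sys.argv[1], sys.argv[2]
    status, server = probe_challenge_path(dom)
    live = Probe(dom, ip, resolve(dom), status, server)
    expected = sys.argv[3] if len(sys.argv) > 3 else None
    for line in classify(live, expected) or ["no issue found"]:
        print("-", line)
```

Run against the values posted in this thread (public IP 213.205.241.210, DNS answer 146.185.17.165, a 403 with Server: lighttpd/1.4.47 while Apache is expected) the script reports all three findings; a host whose public address matches DNS, answers 404 for an unknown token and identifies itself as Apache reports none.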

As for the certbot version 0.40.0, if you can run snapd, I would remove that certbot and install it from here:

1 Like