Certbot: Challenge failed for domain

Did I lose you?
You wrote "yes" that you have root access.
All the commands are to be run from the server (not from any other system).
[You can run commands on the server once you are logged into it (via SSH or PuTTY)]

1 Like

Hi,

I also have such a problem.
I just realized that I once had to move my domain to another Server that has a different IP.
One day, when I had to renew my SSL certificate, this problem occurred.
And now it's done using this command

thank you @rg305

Regards,

4 Likes

My apologies rg305, I was called into meetings today and have been trying to work out why the IP address was not correct. In the end, it was frustratingly simple: the VPN was disabled and it was connected to a hotspot. I have set it up again in the configuration originally for this post and re-ran all of the commands so far, just to be sure that the messages are the same. No changes to before and after rerunning curl ifconfig.me:

146.185.17.165

and after sudo certbot --version (and after following the instructions in the link you gave):

certbot 1.9.0

2 Likes

Now we are in a much better place :slight_smile:

Try this (again):
sudo certbot certonly -a webroot -w /var/www/html -d cloud.lenzeta.com --dry-run

1 Like

After running that again, here is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.lenzeta.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain cloud.lenzeta.com
http-01 challenge for cloud.lenzeta.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

hmm...

Let's test that webroot path out.
Create a test file as follows:
echo "root test file" >> /var/www/html/test-file-1234

Then we can try to access it from the Internet with:
http://cloud.lenzeta.com/test-file-1234

and maybe triple check things with:

Hmm, I get permission denied on the echo command:

bash: /var/www/html/test-file-1234: Permission denied

Try instead:
echo "root test file" | sudo tee /var/www/html/test-file-1234

Hi @rg305, I am back in the office and thanks again for helping. I have run the command, it echoed "root test file" but it seems that there is still a 403 Forbidden error at http://cloud.lenzeta.com/test-file-1234

show:
cat /var/www/html/test-file-1234

message from above command:
root test file

Let's not take anything for granted and begin at the beginning (again).
Please show:
curl ifconfig.me

1 Like

Very true, given that the IP address was wrong before, curl ifconfig.me:
146.185.17.165

1 Like

IP: CHECK
test file placement: CHECK
test file verification: FAIL
We must have the wrong document root folder.
Please show:
grep -ERi 'server|virtual|listen|root' /etc/apache2/sites-enabled/

1 Like

/etc/apache2/sites-enabled/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-enabled/000-default.conf:	# The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default.conf:	# the server uses to identify itself. This is used when creating
/etc/apache2/sites-enabled/000-default.conf:	# redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default.conf:	# match this virtual host. For the default virtual host (this file) this
/etc/apache2/sites-enabled/000-default.conf:	# However, you must set it for any further virtual host explicitly.
/etc/apache2/sites-enabled/000-default.conf:	ServerName cloud.lenzeta.com
/etc/apache2/sites-enabled/000-default.conf:	ServerAdmin hamish.geddes@icloud.com
/etc/apache2/sites-enabled/000-default.conf:	DocumentRoot /var/www/html
/etc/apache2/sites-enabled/000-default.conf:	# include a line for only one particular virtual host. For example the
/etc/apache2/sites-enabled/000-default.conf:</VirtualHost>
/etc/apache2/sites-enabled/000-default.conf.save:<VirtualHost *:80>
/etc/apache2/sites-enabled/000-default.conf.save:	# The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default.conf.save:	# the server uses to identify itself. This is used when creating
/etc/apache2/sites-enabled/000-default.conf.save:	# redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default.conf.save:	# match this virtual host. For the default virtual host (this file) this
/etc/apache2/sites-enabled/000-default.conf.save:	# However, you must set it for any further virtual host explicitly.
/etc/apache2/sites-enabled/000-default.conf.save:	ServerName cloud.lenzeta.com
/etc/apache2/sites-enabled/000-default.conf.save:	ServerName server.lenzeta.com
/etc/apache2/sites-enabled/000-default.conf.save:	ServerAdmin hamish.geddes@icloud.com
/etc/apache2/sites-enabled/000-default.conf.save:	DocumentRoot /var/www/html
/etc/apache2/sites-enabled/000-default.conf.save:	# include a line for only one particular virtual host. For example the
/etc/apache2/sites-enabled/000-default.conf.save:</VirtualHost>

1 Like

Something funky going on with a .save file?

1 Like

I agree.
If the include statement is vague (like: include /etc/apache2/sites-enabled/*) then the .save file will be included.
That said, if included it should show up in the apachectl -S output.
What says:
apachectl -S

1 Like
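
The point made in the post above about a vague include pattern picking up the .save file, as an added example that is not part of the original thread: it reads the Include/IncludeOptional lines of a config file and lists every file the glob would load that does not end in .conf. The function names, the constructed sample tree and the narrower `*.conf` pattern used for contrast are assumptions, and Apache's wildcard matching is approximated with shell glob matching.

```bash
#!/usr/bin/env bash
# Added example: which files would an Apache Include glob pull in from a directory?

# matched_files DIR PATTERN: basenames of regular files in DIR matching the glob.
matched_files() {
    local dir=$1 pattern=$2 path name
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        # $pattern is left unquoted on purpose so `case` treats it as a glob.
        case $name in
            $pattern) printf '%s\n' "$name" ;;
        esac
    done
}

# include_patterns CONF: argument of every Include/IncludeOptional directive.
include_patterns() {
    awk 'tolower($1) ~ /^include(optional)?$/ { print $2 }' "$1"
}

# stray_includes CONF SERVER_ROOT: full paths of files an include glob would
# load that do not end in .conf (editor backups such as 000-default.conf.save).
stray_includes() {
    local conf=$1 root=$2 inc dir name
    include_patterns "$conf" | while read -r inc; do
        case $inc in /*) ;; *) inc=$root/$inc ;; esac   # relative to ServerRoot
        dir=${inc%/*}
        [ -d "$dir" ] || continue
        matched_files "$dir" "${inc##*/}" | while read -r name; do
            case $name in *.conf) ;; *) printf '%s/%s\n' "$dir" "$name" ;; esac
        done
    done
}

# Constructed sample tree mirroring the thread: one vhost file plus a .save copy.
demo() {
    local root
    root=$(mktemp -d)
    mkdir "$root/sites-enabled"
    touch "$root/sites-enabled/000-default.conf" "$root/sites-enabled/000-default.conf.save"
    printf 'Include sites-enabled/*\n' > "$root/vague.conf"
    printf 'IncludeOptional sites-enabled/*.conf\n' > "$root/narrow.conf"
    echo "vague:  $(stray_includes "$root/vague.conf" "$root")"
    echo "narrow: $(stray_includes "$root/narrow.conf" "$root")"
    rm -rf "$root"
}
demo
```

On a real host the call would be `stray_includes /etc/apache2/apache2.conf /etc/apache2`; an empty result agrees with an `apachectl -S` listing that shows only the .conf file.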

apachectl -S says:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   cloud.lenzeta.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

OK so it isn't being included. [that's good]

OK the output shows only one active file.
Let's have a full look at that file:
cat /etc/apache2/sites-enabled/000-default.conf

1 Like