Certbot error: unauthorized; invalid response

My domain is:
mail.webserv.me
I ran this command:
certbot
It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:
 Domain: mail.webserv.me
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.webserv.me/.well-known/acme-challenge/zUxNfmZdXUodzaB4YhmZXPnosHXScJcHAYY01AKxi4k
   [202.61.253.133]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache/2.4.38 (Debian)
The operating system my web server runs on is (include version):
Debian GNU/Linux 10 (buster)
My hosting provider, if applicable, is:
netcup
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Every HTTP request to this subdomain (any other (sub-)domain is working fine, except for this one) is redirected to an HTTPS version of it. But because there is no SSL certificate, the error is reported. My Apache conf:

<VirtualHost *:80>
    ServerAdmin serversupport@design-webserv.de
    ServerName mail.webserv.me
    ServerAlias www.mail.webserv.me
    DocumentRoot /var/www/webserv.me/mail.webserv.me
</VirtualHost>

The syntax test of Apache returns "OK".
There is no .htaccess etc. which can cause a redirection.
DNS: wsdrive
Do you need more information to help me or give me a hint?

Best regards, Ben

There's no redirect to HTTPS for your hostname.

No, that's not it. There's no certificate error whatsoever. The Let's Encrypt validation server doesn't care about invalid certificates, but in this case there was no HTTPS connection established.

I'm missing some information though. You say you run certbot. And you're giving us the error. But I'm missing the steps between the certbot command and the error! I.e.: what options are you inputting into certbot?


Thanks for your answer.
I typed certbot and then I chose the numbers 23 27. Next, the error was reported. This was the output in between:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 23 27
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.webserv.me
Waiting for verification...
Cleaning up challenges
Running post-hook command: systemctl restart postfix
Failed authorization procedure. mail.webserv.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.webserv.me/.well-known/acme-challenge/zUxNfmZdXUodzaB4YhmZXPnosHXScJcHAYY01AKxi4k [202.61.253.133]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

The site that opens when you try to open https://mail.webserv.me is the domain which is sent when the domain is invalid --> error screen.

Please show the output of:
apachectl -S
if needed, use sudo:
sudo apachectl -S

apachectl -S

VirtualHost configuration:
*:443                  is a NameVirtualHost
         *default server mail.webserv.me (/etc/apache2/sites-enabled/111aaaa.conf:1)*
         port 80 namevhost mail.webserv.me (/etc/apache2/sites-enabled/111aaaa.conf:1)
         port 80 namevhost mail.webserv.me (/etc/apache2/sites-enabled/mailserver.conf:1)
                 alias www.mail.webserv.me
         port 80 namevhost webmail.webserv.me (/etc/apache2/sites-enabled/mailserver.conf:8)
                 alias www.webmail.webserv.me
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I deleted some content. There were domains of my customers.
The line default server mail.webserv.me (/etc/apache2/sites-enabled/111aaaa.conf:1) is a bit strange. This config line is redirecting every "unknown" page to an unavoidable page. mail.webserv.me is directed there too. mailserver.conf is the right file.

Please show these two files:

/etc/apache2/sites-enabled/111aaaa.conf

<VirtualHost *:80>
        DocumentRoot /var/www/unav
</VirtualHost>

/etc/apache2/sites-enabled/mailserver.conf

<VirtualHost *:80>
    ServerAdmin serversupport@design-webserv.de
    ServerName mail.webserv.me
    ServerAlias www.mail.webserv.me
    DocumentRoot /var/www/webserv.me/mail.webserv.me
</VirtualHost>

(There was a damaged symlink to a file called mailconfig-le-ssl.conf. I removed it now but certbot is still reporting the error.)

111aaaa.conf probably uses the default hostname as "ServerName" and has a completely different DocumentRoot than the virtualhost in mailserver.conf.

What's the purpose of 111aaaa.conf? Can you disable it and see what happens when you re-run certbot?


Now, I was able to create an SSL certificate.
The purpose of this file is that every domain which is not configured in the Apache configs but is redirected via DNS to our server gets the response that the site is temporarily unavailable. That's the page you've probably seen, with a ws. in the middle.
Thank you so much! How can I activate this config again without having the error?

It's probably the default virtualhost. That means every non-configured hostname ends up in that virtualhost, just as you want. However, by not having a ServerName, it competes with the other virtualhost, and as this 111aaaa vhost takes precedence, the other vhost does nothing. However, if you do set a ServerName in the 111aaaa vhost, this latter issue would be gone, and because of the priority given to the 111aaaa vhost, its catch-all function would still exist.

I recommend setting the ServerName to something like localhost. That should do the trick.

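The precedence rule described in the answer above, as an added example that is not part of the original thread or of Apache itself: a small model of name-based vhost selection on one ip:port, fed with the two files from this thread before and after adding `ServerName localhost`. It assumes `sites-enabled` is loaded alphabetically (so `111aaaa.conf` precedes `mailserver.conf`) and that the machine hostname Apache falls back on is `mail.webserv.me`, which is what the `apachectl -S` output showed for `111aaaa.conf`.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model (not Apache's own code) of name-based vhost selection on
# one ip:port: vhosts are consulted in load order, the first one loaded is the
# default, the first whose ServerName/ServerAlias matches the Host header
# serves the request, and with no match the default serves it.


@dataclass
class VHost:
    conf: str
    document_root: str
    server_name: str | None = None
    aliases: list[str] = field(default_factory=list)

    def names(self, machine_hostname: str) -> list[str]:
        # A vhost without ServerName takes the name Apache derives from the
        # machine hostname (assumed here to be mail.webserv.me, as apachectl -S
        # listed for 111aaaa.conf in the thread).
        primary = (self.server_name or machine_hostname).lower()
        return [primary] + [a.lower() for a in self.aliases]


def select_vhost(vhosts: list[VHost], host_header: str, machine_hostname: str) -> VHost:
    host = host_header.split(":")[0].lower()
    for vh in vhosts:
        if host in vh.names(machine_hostname):
            return vh
    return vhosts[0]  # default vhost: first one loaded for this ip:port


def name_conflicts(vhosts: list[VHost], machine_hostname: str) -> dict[str, list[str]]:
    """Names claimed by more than one vhost; only the first listed ever serves them."""
    claims: dict[str, list[str]] = {}
    for vh in vhosts:
        for name in vh.names(machine_hostname):
            claims.setdefault(name, []).append(vh.conf)
    return {n: confs for n, confs in claims.items() if len(confs) > 1}


# The two files from the thread, before and after adding ServerName localhost.
MAILSERVER = VHost("mailserver.conf", "/var/www/webserv.me/mail.webserv.me",
                   "mail.webserv.me", ["www.mail.webserv.me"])
CATCH_ALL_BROKEN = VHost("111aaaa.conf", "/var/www/unav")
CATCH_ALL_FIXED = VHost("111aaaa.conf", "/var/www/unav", server_name="localhost")

if __name__ == "__main__":
    for label, vhosts in (("before", [CATCH_ALL_BROKEN, MAILSERVER]),
                          ("after", [CATCH_ALL_FIXED, MAILSERVER])):
        for host in ("mail.webserv.me", "www.mail.webserv.me", "unknown.example"):
            vh = select_vhost(vhosts, host, "mail.webserv.me")
            print(f"{label}: Host {host} -> {vh.conf} ({vh.document_root})")
        print(f"{label}: conflicts {name_conflicts(vhosts, 'mail.webserv.me')}")
```

Before the fix the challenge request for mail.webserv.me is answered from /var/www/unav, which is why Let's Encrypt saw a 404; after it, mail.webserv.me reaches mailserver.conf while unknown hostnames still land in the catch-all.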

All right, I will set it up.
Thanks for your help.
