Certbot failed to authenticate (Let's Debug is green)

My domain is: mttblueprint.de

I ran this command: sudo certbot --apache -d mttblueprint.de -d www.mttblueprint.de

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mttblueprint.de and www.mttblueprint.de

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mttblueprint.de
Type: unauthorized
Detail: 85.13.130.146: Invalid response from http://mttblueprint.de/.well-known/acme-challenge/HjYx8pTmo7UWUKB4IUEWAxDt_nb7otJYX4mA8MTR8kY: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 (LTS) x64

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): not sure what is meant here, so no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I also checked the domain w/ & w/o www. and I checked it with HTTP-01, DNS-01.
On the page, I always got a green message saying that everything is looking good and I was routed here.

Please let me know if you need additional info, and many thanks in advance for your support!

2 Likes

Hi @s7Fn, and welcome to the LE community forum :slight_smile:

Let's review your Apache config, with:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

Thank you for that lightning fast reply!

This is my output:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost mttblueprint.de (/etc/apache2/sites-enabled/mttblueprint.conf:1)
alias www.mttblueprint.de

1 Like

Well, I get this

$ curl -Ii http://mttblueprint.de/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Mon, 06 Feb 2023 19:02:36 GMT
Server: nginx
Content-Type: text/html
Content-Length: 12624
ETag: "4c220bde-3150"
Vary: User-Agent

Yet you said

nginx NOT EQUAL Apache

2 Likes

This starts to explain that:

curl -Ii4 http://mttblueprint.de/
HTTP/1.1 301 Moved Permanently
Date: Mon, 06 Feb 2023 19:06:06 GMT
Server: Apache
Location: http://164.92.166.230/
Content-Type: text/html; charset=iso-8859-1
3 Likes

Thanks @Bruce5051! That is strange, I am sure I have installed Apache (it was the output copied from the terminal). I will check it again.

2 Likes

I am sorry @rg305. I am not able to follow :frowning:

2 Likes

More explanation ...

Name:    mttblueprint.de
Address: 85.13.130.146

Name:    www.mttblueprint.de
Address: 164.92.166.230
4 Likes

What is the IP of the system you are on that requires a cert?
Show:
curl ifconfig.io

4 Likes

164.92.166.230

It seems like the DNS might not yet be updated? 85.13.130.146 is the IP of my webspace account where I purchased the domain... I have pointed that domain to 164.92.166.230, though

Then you have two choices:

  • only get a cert [using HTTP-01 authentication] that covers the name that resolves to that IP.
  • change the IP on the name that doesn't resolve to that IP
    then get a cert for both names.

There is a third [less useful] option:

  • update:
HTTP/1.1 301 Moved Permanently
Location: http://164.92.166.230/
to
HTTP/1.1 301 Moved Permanently
Location: http://www.mttblueprint.de/

But, although that would help produce a cert with both names on it, that won't actually work for anyone trying [directly]:
https://www.mttblueprint.de/

3 Likes

Here is a list of issued certificates crt.sh | mttblueprint.de

$ nslookup
> server ns5.kasserver.com.
Default server: ns5.kasserver.com.
Address: 85.13.128.3#53
> mttblueprint.de
Server:         ns5.kasserver.com.
Address:        85.13.128.3#53

Name:   mttblueprint.de
Address: 85.13.130.146
> www.mttblueprint.de
Server:         ns5.kasserver.com.
Address:        85.13.128.3#53

Name:   www.mttblueprint.de
Address: 164.92.166.230
>

Let's Encrypt needs to Domain Validate each of those domain names.

2 Likes

Although their TTL is one hour and that time may have already passed, the authoritative nameservers have not yet made the IP change. You need to recheck on that IP change.

Note: LE will only follow the authoritative DNS tree path. So, the TTL is not relevant.

3 Likes

With this online tool https://unboundtest.com/
the DNS A record for both mttblueprint.de and www.mttblueprint.de is 85.13.130.146.
Results here:

1 Like

Thank you both @Bruce5051 and @rg305! I have changed it in the DNS settings so I probably need to wait some time....

What is strange is that going to the domain in incognito has the correct remote address according to the DevTools

3 Likes

Only need to wait until all authoritative DNS servers show the new IP [not any longer than that].

But they both still show no change:
nslookup -q=a mttblueprint.de ns5.kasserver.com
nslookup -q=a mttblueprint.de ns6.kasserver.com

4 Likes

The DNS A records for both mttblueprint.de & www.mttblueprint.de

$ nslookup -q=a mttblueprint.de ns5.kasserver.com
Server:         ns5.kasserver.com
Address:        85.13.128.3#53

Name:   mttblueprint.de
Address: 85.13.130.146
$ nslookup -q=a mttblueprint.de ns6.kasserver.com
Server:         ns6.kasserver.com
Address:        85.13.159.101#53

Name:   mttblueprint.de
Address: 85.13.130.146
$ nslookup -q=a www.mttblueprint.de ns5.kasserver.com
Server:         ns5.kasserver.com
Address:        85.13.128.3#53

Name:   www.mttblueprint.de
Address: 164.92.166.230
$ nslookup -q=a www.mttblueprint.de ns6.kasserver.com
Server:         ns6.kasserver.com
Address:        85.13.159.101#53

Name:   www.mttblueprint.de
Address: 164.92.166.230
2 Likes
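The four nslookup runs above are exactly the pre-flight check Let's Encrypt's HTTP-01 validation implies: every requested name must resolve, on every authoritative nameserver, to the host running Certbot. The script below is an added example (not from this thread, Certbot or Let's Encrypt) that parses that nslookup output and reports, per name, whether HTTP-01 can succeed right now; the embedded sample is constructed in the same shape as the output above, and 164.92.166.230 is taken from the thread as the Certbot host's IP.

```python
"""Added pre-flight check: does every name resolve, on every authoritative nameserver, to the Certbot host?"""
import re
import sys
# Constructed sample in `nslookup -q=a NAME NAMESERVER` shape: apex still on the old host, www already moved.
SAMPLE = """\
$ nslookup -q=a mttblueprint.de ns5.kasserver.com
Server:         ns5.kasserver.com
Address:        85.13.128.3#53

Name:   mttblueprint.de
Address: 85.13.130.146
$ nslookup -q=a www.mttblueprint.de ns5.kasserver.com
Server:         ns5.kasserver.com
Address:        85.13.128.3#53

Name:   www.mttblueprint.de
Address: 164.92.166.230
"""

def parse_nslookup(text):
    """Return {name: {nameserver: {ipv4, ...}}} from concatenated nslookup runs. The server's own
    'Address: x#53' line fails the anchored IPv4 regex, so only the 'Address:' after 'Name:' counts."""
    records, server, name = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"Server:\s+(\S+)", line):
            server, name = m.group(1).rstrip("."), None
        elif m := re.match(r"Name:\s+(\S+)", line):
            name = m.group(1).rstrip(".").lower()
        elif (m := re.match(r"Address:\s+(\d+(?:\.\d+){3})$", line)) and name:
            records.setdefault(name, {}).setdefault(server, set()).add(m.group(1))
    return records

def http01_verdicts(records, my_ip):
    """'ok' only if every authoritative server answers exactly my_ip; the CA queries those servers directly."""
    verdicts = {}
    for name, by_server in records.items():
        answers = {ip for ips in by_server.values() for ip in ips}
        if answers == {my_ip}:
            verdicts[name] = "ok"
        elif len(answers) > 1:  # partially propagated change: some servers still answer the old IP
            verdicts[name] = "nameservers disagree: " + ", ".join(sorted(answers))
        else:
            verdicts[name] = f"points to {answers.pop()}, not this host {my_ip}"
    return verdicts

if __name__ == "__main__":  # usage: nslookup -q=a NAME NS ... | python3 check.py MY_IP
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for n, v in http01_verdicts(parse_nslookup(text), sys.argv[1] if len(sys.argv) > 1 else "164.92.166.230").items():
        print(f"{n}: {v}")
```

Only names reported as "ok" belong on the `-d` list until the remaining nameservers answer with the new address.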

I have managed to set everything correctly. All your answers were the solution, but I was only able to select one (sorry). Many thanks for all the guidance!

3 Likes

Now they all say the same IPv4 Address :slight_smile:

$ nslookup -q=a mttblueprint.de ns5.kasserver.com
Server:         ns5.kasserver.com
Address:        85.13.128.3#53

Name:   mttblueprint.de
Address: 164.92.166.230
$ nslookup -q=a mttblueprint.de ns6.kasserver.com
Server:         ns6.kasserver.com
Address:        85.13.159.101#53

Name:   mttblueprint.de
Address: 164.92.166.230
$ nslookup -q=a www.mttblueprint.de ns5.kasserver.com
Server:         ns5.kasserver.com
Address:        85.13.128.3#53

Name:   www.mttblueprint.de
Address: 164.92.166.230
$ nslookup -q=a www.mttblueprint.de ns6.kasserver.com
Server:         ns6.kasserver.com
Address:        85.13.159.101#53

Name:   www.mttblueprint.de
Address: 164.92.166.230
2 Likes