Certbot failed to authenticate some domains (authenticator: apache)

Please fill in all the fields below so that we can help you. Note: you must provide your domain name to receive help. The domain names of issued certificates are published in the Certificate Transparency logs (for example, crt.sh | example.com). So not providing your domain name does not keep it secret, but it does make it harder for us to help.

I can read answers in English: Yes

My domain name is: www.marechalfloriano.es.gov.br

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/web00.marechalfloriano.es.gov.br.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/www.marechalfloriano.es.gov.br.conf


Renewing an existing certificate for www.marechalfloriano.es.gov.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: www.marechalfloriano.es.gov.br

Type: unauthorized

Detail: 177.91.206.111: Invalid response from http://www.marechalfloriano.es.gov.br/.well-known/acme-challenge/xk14mBEqqalnq6_swrnSAl0YqsZn6BE960JM-Q8F2-s: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate www.marechalfloriano.es.gov.br with error: Some challenges have failed.


The following certificates are not due for renewal yet:

/etc/letsencrypt/live/web00.marechalfloriano.es.gov.br/fullchain.pem expires on 2025-02-13 (skipped)

All renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/www.marechalfloriano.es.gov.br/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (with version): Apache/2.4.52

The operating system on my web server is (with version): Ubuntu 22.04.5 LTS

My site's hosting provider (if applicable) is: Yes

I can access a root shell on my machine (yes or no, or I don't know): Yes

I use a control panel to manage my site (no, or give the name and version of the control panel): No

Additional information: on my web server I have two applications running. Both were installed in February and both certificates used to renew on their own, but now in November only one of them renewed by itself; the other did not, and when I try to renew it, it shows the error displayed above. Another point is that I was not the one who installed and configured this server.

For this domain you are using the apache option. But, a Microsoft IIS server replies for requests to that domain.

Your web00 domain is using Apache. But, this www domain uses IIS.

These two domains have different IP addresses in their DNS. For Certbot, requesting certs on different machines is difficult unless using the DNS Challenge.

Did you recently setup a new and different server for your www domain?

2 Likes

No, no new server was configured for the www domain, but my www domain pointing to Microsoft IIS is very strange, how did you identify this?

Using curl and looking at the response headers. I just realized HTTP requests see IIS but HTTPS requests are Apache. You might have some network routing problem. Or some incorrect proxy active.

The HTTP response is the most important when using the HTTP Challenge for the cert. And, using --apache uses that (and needs Apache too).

curl -I http://www.marechalfloriano.es.gov.br
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0

# A -k is needed to bypass the expired cert
curl -Ik https://www.marechalfloriano.es.gov.br
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)

Should your DNS have different IP?

dig +noall +answer www.marechalfloriano.es.gov.br
www.marechalfloriano.es.gov.br. 62 IN   A       177.91.206.111
dig +noall +answer web00.marechalfloriano.es.gov.br
web00.marechalfloriano.es.gov.br. 300 IN A      177.91.206.113
2 Likes
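The diagnostic MikeMcQ ran by hand can be scripted. The example below is added here and is not from the thread; it extracts the Server header from port 80 and port 443 responses and flags the split seen above (IIS answering HTTP, Apache answering HTTPS), since the HTTP-01 challenge that Certbot's apache plugin relies on is only ever validated over port 80. The sample header blocks are constructed from the output quoted in the thread; `probe_host` is an assumed helper name.

```shell
#!/bin/sh
# Added example: detect the "different software on :80 and :443" condition that
# breaks HTTP-01 validation with Certbot's apache authenticator.

# Constructed sample responses, modelled on the curl output in the thread.
HTTP_HEADERS='HTTP/1.1 404 Not Found
Server: Microsoft-IIS/10.0
Content-Length: 1245'

HTTPS_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html'

# Print the value of the Server header from a block of response headers
# (case-insensitive, tolerant of CRLF line endings). Prints "unknown" if absent.
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Return 0 when port 80 and port 443 report the same software, 1 otherwise.
check_same_backend() {
    http_srv=$(server_header "$1")
    https_srv=$(server_header "$2")
    if [ "$http_srv" = "$https_srv" ]; then
        echo "OK: port 80 and port 443 both report '$http_srv'"
        return 0
    fi
    echo "MISMATCH: port 80 reports '$http_srv', port 443 reports '$https_srv'"
    echo "HTTP-01 is validated on port 80; the apache plugin cannot answer there."
    return 1
}

# Live probe for a hostname (needs network). -k bypasses an expired cert on 443.
probe_host() {
    h=$(curl -sI "http://$1") || return 2
    s=$(curl -skI "https://$1") || return 2
    check_same_backend "$h" "$s"
}

# Demo run on the constructed input; this is expected to report a mismatch.
check_same_backend "$HTTP_HEADERS" "$HTTPS_HEADERS" || true
```

Run `probe_host www.example.org` (hostname assumed) against a live host to repeat the thread's check; a `MISMATCH` line means the CA's request on port 80 never reaches the Apache instance Certbot configured.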

No, the DNS is pointing correctly to the IPs, now I'm going to check if there are any rules with a problem in the firewall or proxy. And thank you now I have a stronger direction to where the problem is.

My problem was resolved; now I'll go into details. The problem was in the firewall routing: there was a double pointer to the same IP and the same port (80), but due to the rule priority it pointed first to a service that ran on Microsoft IIS. After correcting this rule the problem was resolved and I was able to renew my domain certificate.

2 Likes

Thank you very much MikeMcQ. I had been trying to solve the problem for almost a week with no resolution, but you correctly pointed out the source of the problem, making the search for a solution much more targeted.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.