Certbot failed to authenticate some domains (authenticator: webroot)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nc.kempcloud.net

I ran these commands:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo a2enmod ssl rewrite headers
sudo systemctl restart apache2
sudo vim /etc/apache2/conf-available/well-known.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS

sudo ln -s /etc/apache2/conf-available/well-known.conf /etc/apache2/conf-enabled/
sudo apachectl configtest
sudo systemctl restart apache2

sudo certbot certonly --agree-tos --email <elided_email> --webroot -w /var/lib/letsencrypt/ -d nc.kempcloud.net


sudo certbot renew --dry-run (to test it)

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/nc.kempcloud.net.conf

Simulating renewal of an existing certificate for nc.kempcloud.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: nc.kempcloud.net
Type: unauthorized
Detail: 2606:4700:3035::6815:45b1: Invalid response from http://nc.kempcloud.net/.well-known/acme-challenge/p-J03K_hQEz4DqpI8bR0WrN5He4hztNTRNuzOd3rZFc: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate nc.kempcloud.net with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/nc.kempcloud.net/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.57

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: Cloudflare (domain and tunnel)

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

I'm following the article How to Install Nextcloud on Debian 11
to setup Nextcloud on a Raspberry PI.
I'm using Cloudflare tunnel to allow public access to my server.
If I set the tunnel to point to http://<local_ip>:443 and comment out "SSLEngine On" in /etc/apache2/sites-available/nextcloud.conf file, it generates the certificate without issues, however, if I change the tunnel to point to https://<local_ip>:443 and uncomment SSLEngine On, it fails with the mentioned unauthorized error message.
I can see the certificates in /etc/letsencrypt/live/nc.kempcloud.net but they only seem to work with HTTP, not HTTPS.
Any idea what might be the issue? (I've setup another server in the same way before and it worked, I'm not sure why it's not working this time).

Certificates can't "work" with HTTP.
[I don't get what your saying]

As with all things Apache [in this forum], let's start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

certbot certificates

1 Like

Sure, thanks. Here are the results:

sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 nc.kempcloud.net (/etc/apache2/sites-enabled/nextcloud.conf:1)
*:443 nc.kempcloud.net (/etc/apache2/sites-enabled/nextcloud.conf:10)

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: nc.kempcloud.net
Serial Number: 3429480864e7dab0b53715d5e27a2c30e30
Key Type: ECDSA
Domains: nc.kempcloud.net
Expiry Date: 2024-05-10 21:26:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/nc.kempcloud.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nc.kempcloud.net/privkey.pem

1 Like

Questions about Cloudflare Tunnels is best directed to the Cloudflare community.

I'm puzzled though ... why do you even need a Let's Encrypt cert of your own? Doesn't the Tunnel encrypt data between your Origin and the Cloudflare Edge? Requests sent to your domain name are first handled by their Edge and the initial HTTP(S) requests handled there. It then uses the Tunnel to talk securely to your Origin. Isn't that how it works?

Right now I don't think your tunnel is working at all because I get a 502 error for your "home page" for both HTTP and HTTPS requests.


It's not an issue with the tunnel, know it works, because if I change the tunnel request to http, instead of https, and change the apache .conf file to not use SSL engine, it works, so the tunnel is able to reach the server.
So are you saying that I should leave the tunnel request as http, and no certificate on my server?

This is my .conf file
nextcloud.conf.txt (1.2 KB)

The reason why both http and https requests fail is because my apache .conf file is set to redirect http to https.

PS.: I have another server setup the same way with the Cloudflare tunnel/Apache/SSL certificate and everything works fine.

I think you should post that question on the cloudflare community. You don't have a problem getting certificates in fact you got 6 of them yesterday. Your problem is in properly configuring cloudflare to connect with your origin server.

A key element is to know where your cloudflared tunnel daemon is running. If it is on the same machine as your Apache why would you need HTTPS between the daemon and Apache?


The IP shown is from CloudFlare CDN.
The 502 means that CF can't reach your site.

  1. Why are you trying to use :443 for HTTP and HTTPS?
  2. Why are you asking CF to connect to your site securely via an IP?
    [that will never match the name on the cert you have]

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

1 Like

Yes, it's on the same server.

I'm doing this because it worked when I setup another server, but anyways.
I'll just use HTTP and port 80, which works.

Thanks for all the help.