Certbot failed to authenticate some domains (authenticator: webroot)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: savannahriverplastics.com

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d savannahriverplastics.com -d www.savannahriverplastics.com --agree-tos -m support@savannahriverplastics.com

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: savannahriverplastics.com
Type: unauthorized
Detail: 73.108.169.22: Invalid response from http://savannahriverplastics.com/.well-known/acme-challenge/[lots of numbers...]: 403

My web server is (include version): Apache 2.4.58

The operating system my web server runs on is (include version): linux 24.04 LTS

My hosting provider, if applicable, is: Comcast

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

Here's another part of the output: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

So the challenge directory .../.well-known/acme-challenge$ does indeed not have any files in it. I added a text file and was able to see that from a browser.

That is a little bit outdated; but not likely having anything to do with your issue.

That is also a little bit outdated; but very likely having to do with your issue.
[Apache is notorious for running at all cost - even when misconfigured]

Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

Is this expected?

curl http://savannahriverplastics.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
curl http://www.savannahriverplastics.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Oops, I currently have all incoming IPs blocked except mine while I develop the website. I'll open it up when I get home.

Didn't think about that, thanks

Still not working even after I allowed all ip access. Here's the result of what you asked for:

sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server savannahrivergraphics.com (/etc/apache2/sites-enabled/savannahrivergraphics.conf:1)
         port 80 namevhost savannahrivergraphics.com (/etc/apache2/sites-enabled/savannahrivergraphics.conf:1)
                 alias www.savannahrivergraphics.com
         port 80 namevhost savannahriverplastics.com (/etc/apache2/sites-enabled/savannahriverplastics.conf:1)
                 alias www.savannahriverplastics.com

Also, the challenge directory (/var/www/savannahriverplastics/html/.well-known/acme-challenge) still has nothing written into it.

Disregard last transmission. I thought I'd cleared all of the require statements out and I did a preliminary test, but it's not responding. I'll report back when I get it working... Sorry

You won't usually be able to see that. Certbot deletes the file right after the challenge is complete (successful or not). If you want to see it use --debug-challenges -v options in your command

What is the error after opening port 80 to any IP? Still a 403 or something else?

Was that the complete output?

80 was open but I've used apache access control directives like require all granted. Then looking at log files I now see many attempts to see pages. No longer 400 code but 403 when they're asking for directories/files that don't exist. The trouble is that for some annoying reason that I'm trying to debug, I can't see any pages at all, even from another computer.

I also know it's working from the outside as I used geopeeker.com to access my site and it renders as it should. So given that, I tried the certbot script again and got the same error.

Make that a 404 code, not 403.

That is almost always because the --webroot-path (-w) you specified to Certbot is not the same as the DocumentRoot for the VirtualHost matching that domain name.
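Added example, not from the thread or from Certbot itself: a small POSIX shell check for exactly this mismatch, comparing the -w path against the DocumentRoot of the VirtualHost that answers for the domain. It assumes plain Apache config files with one <VirtualHost> block per site, and the functions vhost_docroot, webroot_matches and sample_conf are hypothetical names; the config it parses is constructed here to mirror the two sites in the DUMP_VHOSTS output.

```shell
# Added example (not from the thread): does the -w path given to certbot equal the
# DocumentRoot of the Apache VirtualHost for the domain? Assumes one <VirtualHost>
# block per site that carries ServerName/ServerAlias and DocumentRoot directives.

# Print the DocumentRoot of the first VirtualHost whose ServerName or
# ServerAlias equals $2 in config file $1; print nothing if none matches.
vhost_docroot() {
    awk -v want="$2" '
        /^[ \t]*<VirtualHost/ { inblock = 1; hit = 0; docroot = ""; next }
        /^[ \t]*<\/VirtualHost>/ {
            if (inblock && hit && docroot != "") { print docroot; exit }
            inblock = 0; next
        }
        inblock && ($1 == "ServerName" || $1 == "ServerAlias") {
            for (i = 2; i <= NF; i++) if ($i == want) hit = 1
        }
        inblock && $1 == "DocumentRoot" { docroot = $2; gsub(/"/, "", docroot) }
    ' "$1"
}

# Return 0 if webroot ($3) equals the DocumentRoot for domain ($2), else 1.
webroot_matches() {
    docroot=$(vhost_docroot "$1" "$2")
    [ -n "$docroot" ] || { echo "no VirtualHost for $2 in $1" >&2; return 1; }
    docroot=${docroot%/}; webroot=${3%/}     # ignore a trailing slash
    [ "$docroot" = "$webroot" ] && return 0
    echo "mismatch: -w $3 but DocumentRoot for $2 is $docroot" >&2
    return 1
}

# Constructed sample config mirroring the two vhosts from the DUMP_VHOSTS output.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<VirtualHost *:80>
    ServerName savannahrivergraphics.com
    ServerAlias www.savannahrivergraphics.com
    DocumentRoot /var/www/savannahrivergraphics/html
</VirtualHost>
<VirtualHost *:80>
    ServerName savannahriverplastics.com
    ServerAlias www.savannahriverplastics.com
    DocumentRoot "/var/www/savannahriverplastics/html/"
</VirtualHost>
EOF
    echo "$f"
}

conf=$(sample_conf)   # the thread's -w /var/www/html does not match this vhost
webroot_matches "$conf" savannahriverplastics.com /var/www/html || echo "use -w $(vhost_docroot "$conf" savannahriverplastics.com)"
rm -f "$conf"
```

Run it against the real file with `vhost_docroot /etc/apache2/sites-enabled/savannahriverplastics.conf savannahriverplastics.com` and pass that path to certbot's -w.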

geopeeker is fine. We often use the HTTP test here: Check website performance and response: Check host - online website monitoring

And, also: https://letsdebug.net

These two also show that connections from the public internet are fine. Just giving you more tools for future reference.

Thanks for that.

So I didn't specify the --webroot-path (-w), whatever that is. I assumed certbot would find the correct root, but apparently not. If they're different then no wonder it failed. Where/how is it specified?

Sure you did. Your first post specified -w /var/www/html

-w is the shorthand for --webroot-path

Also see: User Guide — Certbot 5.6.0.dev0 documentation

I'm an idiot. More to come; thanks

OK, progress. First, I was dealing with a flaky AP that I fixed at midnight. Anyway, to make a long story short, I reworked the ip blocks, re-ran the certbot script with the correct root path and voila, it worked, almost.

Now, the /etc/letsencrypt path is populated with the keys, I added the virtualhost 443 text block in the apache config file. Then when I did a config test it broke with the error msg: SSLCertificateFile: file '/etc/letsencrypt/live/savannahriverplastics.com/fullchain.pem' does not exist or is empty.

The file does exist and is linked to /etc/letsencrypt/archive/savannahrivergraphics.com/fullchain1.pem with permissions 644. That should work.

I'm continuing to research it... Any ideas?

Did you run the config test using sudo ?

Wow, what an obvious mistake. I actually have two websites I'm working on savannahriverplastics.com and savannahrivergraphics.com. I meant to set up the SSL cert for ...plastics but mistakenly ran the certbot script for savannahriverplastics.com. That explains it.

Now I have to either cancel the existing cert (or do I?) and rerun it with the correct URL. More to come.

Did you mistype the names? I see a cert for ...graphics which you can use when you set up that VirtualHost

Let's check what you actually have first. Please show output of this

sudo certbot certificates

Yes, I definitely typed the wrong site:

Found the following certs:
   Certificate Name: savannahrivergraphics.com
     Serial Number: 661a8de9be34f00fe5f0615347131261e58
     Key Type: ECDSA
     Domains: savannahrivergraphics.com www.savannahrivergraphics.com
     Expiry Date: 2026-07-22 12:35:18+00:00 (VALID: 89 days)
     Certificate Path: /etc/letsencrypt/live/savannahrivergraphics.com/fullchain.pem
     Private Key Path: /etc/letsencrypt/live/savannahrivergraphics.com/privkey.pem

So should I delete the existing cert? I think I'd rather do that and start over. How to do it?