Certbot failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: acupunctureclassique.duckdns.org

I ran this command: sudo certbot --apache

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: acupunctureclassique.duckdns.org
  Type:   unauthorized
  Detail: 119.74.38.81: Invalid response from http://acupunctureclassique.duckdns.org/.well-known/acme-challenge/hD0yA6XWpIR2FgjW1RgDCuT_ge7tPJJBiYBPe8ZtoVw: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Distributor ID: Ubuntu
Description: Ubuntu Noble Numbat (development branch)
Release: 24.04
Codename: noble

The operating system my web server runs on is (include version):
Ubuntu 24.04 (linux)

My hosting provider, if applicable, is:
homeserver

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

Your domain has an HTTPS connection but is using a self-signed Traefik cert.

Can you explain how Traefik is involved here?

Which of their instructions are you following to set up HTTPS (TLS)?


I was running a matrix home server with matrix-docker-ansible-deploy on a separate proxmox VM.

Didn't expect Traefik configurations in that VM to be system-wide.

Here is part of the Traefik setup.

For that to work your Apache server must reply to the HTTP request coming from the Let's Encrypt server. Certbot requests the cert but the LE server validates your domain by sending it a request.

It looks like it is. I don't see Apache replying to HTTP (port 80) in any case.

We are not Traefik experts here. Well, I am not anyway. Traefik has a built-in way to get certs. Does that work for you (link here)?

The setup link you show also describes this built-in method.

Maybe someone else here will help but you might try asking on a Traefik forum. Or that github you linked to if you are following those docs.


Port 80 (the external port) is already taken up by my matrix server. So I probably need to use a different port for this project. My conf is currently pointing the virtualhost to port 8080.

<VirtualHost *:8080>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerName acupunctureclassique.duckdns.org
	ServerAdmin webmaster@localhost
	DocumentRoot /home/sati/acu
</VirtualHost>

Port 80 is currently open on the vm server.

netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::443                  :::*                    LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -         

I can access my site through the port if I run it on localhost.

The --apache method assumes that Apache directly uses port 80:

https://eff-certbot.readthedocs.io/en/stable/using.html#getting-certificates-and-choosing-plugins

You might be able to modify your Traefik configuration to make this work, but certbot --apache might not realize what you're trying to do.

Which services in your configuration use certificates, and which ones obtain their own certificates automatically?


Presently, on the VM, I only have the matrix homeserver, which obtains its own certificate automatically.

Tried this command which specifies the port:

sudo certbot certonly --webroot -w /home/sati/acu -d acupunctureclassique.duckdns.org --http-01-port 8080
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for acupunctureclassique.duckdns.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: acupunctureclassique.duckdns.org
  Type:   unauthorized
  Detail: 119.74.38.81: Invalid response from http://acupunctureclassique.duckdns.org/.well-known/acme-challenge/uHL64T2aOEDBG1Mm2OP4E9YQ-LdTshGGPGjqf-73DJs: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

In order to provide port 80 access [to more than just one server], you would have to use a proxy.


I tried stopping my matrix homeserver and running certbot on port 80. It worked. But my matrix server's original SSL certification got messed up.

Now, I am thinking of one of two solutions:

  1. Use reverse proxy on apache and share certificates with my matrix server.
  2. Configure Certbot to work on ports other than 80 and 443.

I would go with 2, but I am not sure how to keep the two systems separate and independent of one another.

The two systems have both been disrupted by SSL configurations on the other side.

Certbot requests a cert from the Let's Encrypt server and the LE Server sends an HTTP request to your domain to validate it. Your server must handle that request on port 80.

You can proxy it or port-forward to something running on a different port. As one example you could proxy/forward to Certbot running with --standalone --http-01-port 8081. But, you can't change the port LE Server uses.

You could also consider using a DNS Challenge. This relies solely on the DNS, so it avoids your port overlap problem. See the Certbot docs for how to use it with duckdns.

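The point of the reply above is that the CA always fetches the challenge on port 80, whatever --http-01-port is set to locally, which is why both the --apache and the --webroot attempts earlier in the thread ended in a 404. The following pre-flight check is an added example, not code from the thread or from Certbot: it drops a throw-away token under the webroot, serves that webroot from a stand-in for the Apache vhost (the constructed local server replaces Apache on 8080), and fetches the token the way the validation server would. The hostname, ports and webroot are assumptions for the demonstration.

```python
"""Pre-flight check for an HTTP-01 challenge path (added example)."""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"


def make_webroot() -> str:
    """Constructed stand-in for a DocumentRoot such as /home/sati/acu."""
    return tempfile.mkdtemp(prefix="acme-webroot-")


def write_token(webroot: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token>, as certbot --webroot does."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w", encoding="ascii") as fh:
        fh.write(token)  # body only needs to be recognisable for this check
    return token


def check_challenge(host: str, token: str, port: int = 80) -> str:
    """Fetch the token over plain HTTP as the CA would; default port 80."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return "ok" if resp.read().decode().strip() == token else "wrong body"
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}"          # e.g. "http 404" as in the thread
    except (urllib.error.URLError, OSError):
        return "unreachable"               # nothing answering on that port


def serve_webroot(webroot: str, port: int) -> HTTPServer:
    """Stand-in for the Apache vhost: serve <webroot> on <port> in a thread.

    Port 0 lets the OS pick a free port; read it from srv.server_address[1].
    """
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run against the real host by serving nothing locally and calling check_challenge("acupunctureclassique.duckdns.org", token) with the default port; anything other than "ok" means the CA will see the same failure.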

TXT record cannot be updated.

sudo certbot certonly --staging --non-interactive --agree-tos --email myemail@gmail.com --preferred-challenges dns --authenticator dns-duckdns --dns-duckdns-token ./duckdns.ini --dns-duckdns-propagation-seconds 180 -d "acupunctureclassique.duckdns.org" --http-01-port 8080 --dns-duckdns-no-txt-restore

Encountered exception during recovery: certbot.errors.PluginError: The clearing of the TXT record for domain "acupunctureclassique.duckdns.org" was not successful.
Request status code: 200
Request response text: KO
The TXT update "58HupoSj-0dPFMAM-DiUCjUmN4Ztm6wvIguww5zdHJo" for domain "acupunctureclassique.duckdns.org" could not be set.
Request status code: 200
Request response text: KO

But I could set it manually with this URL:
https://www.duckdns.org/update?domains={YOURVALUE}&token={YOURVALUE}&txt={YOURVALUE}

Have you tried using the absolute path?

How was the plugin installed?


You should configure your traefik to proxy to both matrix and apache. It can do so, and it should be able to do it pretty easily, but I haven't yet tried to do it for myself.

Being that you are using a layer 7 reverse proxy, traefik will obtain a certificate for your apache website and then proxy to apache, which can have its own certificate but probably shouldn't.

