Certbot failed to configure

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mcunkelman.noip.me

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): cunkelman.matthew@gmail.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?


1: mcunkelman.com
2: www.mcunkelman.com
3: mcunkelman.noip.me
4: www.mcunkelman.noip.me
5: www.mcunkelman.zapto.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mcunkelman.noip.me
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mcunkelman.noip.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mcunkelman.noip.me/.well-known/acme-challenge/L_4Vd0eDMMs6D3Cj7-0l9Ij-Q8iQ2WHTH2z3VNWz9cc [96.236.147.213]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mcunkelman.noip.me
    Type: unauthorized
    Detail: Invalid response from
    https://mcunkelman.noip.me/.well-known/acme-challenge/L_4Vd0eDMMs6D3Cj7-0l9Ij-Q8iQ2WHTH2z3VNWz9cc
    [96.236.147.213]: “\n\n404 Not
    Found\n\n

    Not Found

    \n<p”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04LTS

My hosting provider, if applicable, is: myself / NA

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

#2

@mcunkelman Could you please share the contents of /var/log/letsencrypt/letsencrypt.log and also your Apache configuration?

@schoen Could we please debug this apache plugin error this time? I feel we’re getting tons of Apache plugin failures, but not really any improvement to the plugin.

1 Like
#3

That’s a good point. On the other hand, @joohoi has made some recent fixes which are definitely not going to be in 0.28.0. In particular, they were included in 0.31.0 (released February 7).

  • Apache plugin now attempts to configure all VirtualHosts matching requested
    domain name instead of only a single one when answering the HTTP-01 challenge.

We hypothesize that this was the source of a significant number of these issues.

So I would say that proactive debugging of errors of this sort is currently only helpful for Certbot 0.31.0 or later. Users who can’t upgrade to 0.31.0 or later should probably use -a webroot, as @JuergenAuer has been advising a number of people to do.

#4

The topic starter has only selected one hostname. I assume the apache plugin pre-0.31 was smart enough to have that single selected hostname as the ServerName for its temporary VirtualHost, correct? If so, then upgrading wouldn’t do any good.

#5

@Osiris It will not allow me to include the output you requested. I tried to upload the file and it is not a supported format, and I tried to paste the contents and it said there were more than the allowed 20 links for new users to post. How would you like me to proceed? The output is 360 lines. Also, can you clarify what you mean by Apache configuration?

#6

You can use sites like https://pastebin.com/ to paste stuff and link it here.

With regards to your Apache configuration: the contents of the .conf files in /etc/apache/.

#7

My understanding is that if the single selected hostname appeared in more than a single virtual host (as a ServerName or ServerAlias), Certbot would have at least a 50% chance of patching the “wrong”/ineffective virtualhost. I would estimate that the majority of threads that looked like this were some variation of that problem. 0.31 definitely fixes that.

@mcunkelman could confirm whether that’s the problem with

apachectl -t -D DUMP_VHOSTS

and looking to see if the domain appears more than once in different locations.

1 Like
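Added example, not part of the thread or of Certbot: a small shell filter for the check described in the post above, which reads `apachectl -t -D DUMP_VHOSTS` output and reports every VirtualHost location that claims a hostname as ServerName or ServerAlias. The `example.test` names, file paths and the sample dump are constructed placeholders.

```shell
#!/bin/sh
# Added example: find hostnames claimed by more than one Apache VirtualHost,
# using `apachectl -t -D DUMP_VHOSTS` output read from stdin.

# vhost_locations DOMAIN -> prints "PORT FILE:LINE" once per vhost claiming DOMAIN
vhost_locations() {
    awk -v want="$1" '
        # "port 80 namevhost NAME (FILE:LINE)" opens a vhost entry (ServerName)
        $1 == "port" && $3 == "namevhost" {
            port = $2; loc = $5; gsub(/[()]/, "", loc)
            if ($4 == want) print port, loc
            next
        }
        # "alias NAME" is a ServerAlias of the vhost opened just above
        $1 == "alias" && $2 == want { print port, loc }
    ' | sort -u
}

# ambiguous_ports DOMAIN -> prints each port on which DOMAIN has more than one vhost
ambiguous_ports() {
    vhost_locations "$1" |
        awk '{ n[$1]++ } END { for (p in n) if (n[p] > 1) print p }' | sort -n
}

# Constructed sample of DUMP_VHOSTS output (placeholder names and paths).
sample_dump() {
cat <<'EOF'
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server site.example.test (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost site.example.test (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.site.example.test
         port 80 namevhost other.example.test (/etc/apache2/sites-enabled/other.conf:1)
                 alias site.example.test
*:443                  is a NameVirtualHost
         default server site.example.test (/etc/apache2/sites-enabled/ssl.conf:2)
         port 443 namevhost site.example.test (/etc/apache2/sites-enabled/ssl.conf:2)
EOF
}

sample_dump | vhost_locations site.example.test
echo "ambiguous on port(s): $(sample_dump | ambiguous_ports site.example.test)"
```

On a live server, pipe the real command into the functions in place of `sample_dump`. A port listed by `ambiguous_ports` is one where the hostname is claimed by two vhosts, which is the situation the post describes for Certbot versions before 0.31.0.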
#8

I’m sorry that we haven’t given this fix more publicity on the forum. I’m optimistic that it may address the majority of the 404 problems people have been having.

#9

Well, as long as many distributions are stuck at pre-0.31 versions of certbot, we’re probably going to see a lot more of these threads I’m afraid.

And besides the -a webroot -i ${webserver} trick, I don’t see any easy solution to it.

1 Like
#10

That’s probably right, but we can suggest certbot-auto to people who don’t have good luck with -a webroot -i apache. Also, there may be a way that we can suggest reorganizing Apache virtualhost configurations for some people if we can confirm that that’s the main issue.

#11

Sorry I was away. I came back and did routine updates to my system and then just reinstalled certbot and it configured correctly this time… I appreciate all the responses, let me know if you still want to see any of the logs or anything. Not sure if it will help in other cases?
