Certbot failed to configure

mcunkelman · February 27, 2019, 7:25pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mcunkelman.noip.me

I ran this command:sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): cunkelman.matthew@gmail.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/©ancel: A

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org

Which names would you like to activate HTTPS for?

1: mcunkelman.com
2: www.mcunkelman.com
3: mcunkelman.noip.me
4: www.mcunkelman.noip.me
5: www.mcunkelman.zapto.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mcunkelman.noip.me
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mcunkelman.noip.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mcunkelman.noip.me/.well-known/acme-challenge/L_4Vd0eDMMs6D3Cj7-0l9Ij-Q8iQ2WHTH2z3VNWz9cc [96.236.147.213]: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: mcunkelman.noip.me
Type: unauthorized
Detail: Invalid response from
https://mcunkelman.noip.me/.well-known/acme-challenge/L_4Vd0eDMMs6D3Cj7-0l9Ij-Q8iQ2WHTH2z3VNWz9cc
[96.236.147.213]: “\n\n404 Not
Found\n\n

Not Found
\n<p”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04LTS

My hosting provider, if applicable, is: myself / NA

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Osiris · February 27, 2019, 7:31pm

@mcunkelman Could you please share the contents of /var/log/letsencrypt/letsencrypt.log and also your Apache configuration?

@schoen Could we please debug this apache plugin error this time? I feel we’re getting tons of Apache plugin failures, but not really any improvement to the plugin.

schoen · February 27, 2019, 7:47pm

That's a good point. On the other hand, @joohoi has made some recent fixes which are definitely not going to be in 0.28.0. In particular, they were included in 0.31.0 (released February 7).

Apache plugin now attempts to configure all VirtualHosts matching requested
domain name instead of only a single one when answering the HTTP-01 challenge.

We hypothesize that this was the source of a significant number of these issues.

So I would say that proactive debugging of errors of this sort is currently only helpful for Certbot 0.31.0 or later. Users who can't upgrade to 0.31.0 or later should probably use -a webroot, as @JuergenAuer has been advising a number of people to do.

Osiris · February 27, 2019, 8:06pm

The topicstarter has only selected one hostname. I assume the apache plugin pre-0.31 was smart enough to have that single selected hostname as the ServerName for it's temporary VirtualHost, correct? If so, than upgrading wouldn't do any good.

mcunkelman · February 27, 2019, 8:54pm

@Osiris It will not allow me to include the output you requested. I tried to upload the file and it is not a supported format, and I tried to paste the contents and it said there were more than the allowed 20 links for new users to post. How would you like me to proceed? The output is 360 lines, also, can you clarify what you mean by apache configuration?

Osiris · February 27, 2019, 9:39pm

You can use sites like https://pastebin.com/ to paste stuff and link it here.

With regards to your Apache configuration: the contents of the .conf files in /etc/apache/.

_az · February 27, 2019, 9:53pm

My understanding is that if the single selected hostname appeared in more than a single virtual host (as a ServerName or ServerAlias), Certbot would have at least a 50% chance of patching the "wrong"/ineffective virtualhost. I would estimate that the majority of threads that looked like this were some variation of that problem. 0.31 definitely fixes that.

@mcunkelman could confirm whether that's the problem with

apachectl -t -D DUMP_VHOSTS

and looking to see if the domain appears more than once in different locations.

schoen · February 27, 2019, 9:54pm

I’m sorry that we haven’t given this fix more publicity on the forum. I’m optimistic that it may address the majority of the 404 problems people have been having.

Osiris · February 27, 2019, 10:07pm

Well, as long as many distributions are stuck at pre-0.31 versions of certbot, we’re probably going to see a lot more of these threads I’m afraid.

And beside the -a webroot-i ${webserver}` trick, I don’t see any easy solution to it.

schoen · February 27, 2019, 10:16pm

That’s probably right, but we can suggest certbot-auto to people who don’t have good luck with -a webroot -i apache. Also, there may be a way that we can suggest reorganizing Apache virtualhost configurations for some people if we can confirm that that’s the main issue.

mcunkelman · March 13, 2019, 4:07pm

Sorry I was away. I came back and did routine updates to my system and then just reinstalled certbot and it configured correctly this time… I appreciate all the responses, let me know if you still want to see any of the logs or anything. Not sure if it will help in other cases?

system · April 12, 2019, 4:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot error instead of ssl Help	8	845	December 22, 2020
Site not responding after adding certbot Help	23	2409	August 5, 2021
Can't connect to website after installing certbot on apache Help	42	672	December 7, 2023
Error installing certificate Help	5	736	September 4, 2020
New HTTPS activation failed Help	9	1471	March 1, 2020

Certbot failed to configure

Not Found

Not Found

Related topics