Certbot fails (bought by Cloudflare?)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ingber.com

I ran this command:

It produced this output:
10:56:24 ingber@linode# ~: /usr/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Simulating renewal of an existing certificate for blog.ingber.com and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: blog.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://blog.ingber.com/.well-known/acme-challenge/GfmlIpfTDag_6vWs0RoAHHk0YgY63ypTrYWyhW-zq-8: 403

Domain: default.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://default.ingber.com/.well-known/acme-challenge/CHehIQso_2uuMgjyyXSF_xAIRn5SSXHt5MgGCRWSflw: 403

Domain: ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://ingber.com/.well-known/acme-challenge/UwjfAjXdlR11qlP7LyytfxC002vDOaLGJqi6NwDGbQQ: 403

Domain: lester.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lester.ingber.com/.well-known/acme-challenge/9H5MH9ivfyfNq0EGuE0XeUlXVn0EvIcX1NEoV0Uc160: 403

Domain: lin.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin.ingber.com/.well-known/acme-challenge/chCDfUYzLattAkbQ8_sjbHj434rVgSXMrEFuWw9RN0k: 403

Domain: lin6.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin6.ingber.com/.well-known/acme-challenge/QaYjIka7gIb8y8fQNjjJ-gZSP8omp4LTrl6eWqShafM: 403

Domain: www.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://www.ingber.com/.well-known/acme-challenge/wtiBiO1jP264e3gLkOTSIystumNulvkEbbPSGKNk1Hs: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.ingber.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
/usr/bin/certbot renew --dry-run
Version: certbot 2.11.0

The operating system my web server runs on is (include version):
apache

My hosting provider, if applicable, is:
Linode.com

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.11.0

Welcome back again @lingber

I don't know why you think Cloudflare is involved.

You are using webroot which is an HTTP Challenge. The Let's Encrypt server sends your domain an HTTP request like this for that challenge:

curl -i http://blog.ingber.com/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Server: Apache/2.4.58 (Ubuntu)
Location: https://blog.ingber.com/.well-known/acme-challenge/Test404

You redirect that to HTTPS. Ideally you would not and just reply with the correct challenge token. But, redirects are supported by Let's Encrypt so it follows it:

curl -i https://blog.ingber.com/.well-known/acme-challenge/Test404
HTTP/1.1 403 Forbidden
Server: Apache/2.4.58 (Ubuntu)

You reject that request with a 403.

You need to fix your port 443 (HTTPS) VirtualHost or, better, adjust your port 80 VirtualHosts so they do not redirect.

I did not study all your past threads but if this isn't enough to help you resolve this, start by showing output of this:

sudo apache2ctl -t -D DUMP_VHOSTS

(Use httpd or apachectl if needed instead of apache2ctl)

4 Likes
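The shape of the fix the reply points at (answer the HTTP-01 challenge directly on port 80, and make sure the 443 VirtualHost is allowed to serve the challenge directory if any redirect remains), as an added example and not configuration taken from the original post or from the poster's server. The webroot /var/www/letsencrypt, the DocumentRoot /var/www/blog, the privkey.pem path, and the assumption that mod_rewrite and mod_ssl are enabled are all assumptions; the per-name VirtualHost would be repeated (or extended with ServerAlias) for each of the seven names in the certificate:

```apache
# Added example, not the poster's configuration. Assumptions: the path passed to
# certbot with -w is /var/www/letsencrypt, mod_rewrite and mod_ssl are enabled,
# and the certificate lives under /etc/letsencrypt/live/www.ingber.com/.

# ---- Port 80: answer the HTTP-01 challenge here, redirect everything else ----
<VirtualHost *:80>
    ServerName blog.ingber.com

    # Serve /.well-known/acme-challenge/<token> straight from the webroot so the
    # CA's plain-HTTP request gets the token with a 200, never a 302.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Send every other request to HTTPS, but leave the challenge path alone.
    # (A bare "Redirect permanent / https://..." would also catch the challenge,
    # because mod_alias processes Redirect before Alias.)
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# ---- Port 443: if a redirect to HTTPS is kept anywhere, this vhost must also be
#      able to serve the challenge directory. A Directory block that denies it,
#      or no grant at all on a server whose default is "Require all denied",
#      is what Apache answers with 403. ----
<VirtualHost *:443>
    ServerName blog.ingber.com
    DocumentRoot /var/www/blog

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.ingber.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.ingber.com/privkey.pem

    # Same grant as on port 80 so a followed redirect is not rejected.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

After `sudo apache2ctl configtest` and a reload, the earlier probe `curl -i http://blog.ingber.com/.well-known/acme-challenge/Test404` should come back as a 404 served directly by the port 80 vhost instead of a 302; a 403 at either port means a Directory grant is still missing or overridden. Only then is `certbot renew --dry-run` worth re-running.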

Sorry I asked! By way of explanation, please note that on 3 October 2023, I had to go to the Intensive Care Unit of the local hospital in Astoria Oregon due to a severe case of Covid.

On 11 Jan 2024 (yesterday) I had a Cardioversion procedure by Dr. Morse at Providence in Seaside Oregon, for a Heart Flutter due to Covid. The consensus is that this was rooted from a severe bout with Covid I suffered on that 3 Oct 2023. I was fully vaccinated and current with all possible vaccinations, but I probably caught Covid from movers to our new home in Warrenton Oregon.

My Concentration has been off quite a bit, but slowly I am getting my health back. My memory is still shot, especially short-term memory.

Covid has seriously affected my Research, a bummer. I barely managed to win a Grant for CPU time for my work in July 2024, but implementing the work is hard.

Lester

Sorry to hear about all your health problems.

Managing your own servers can be very involved. Your history on this forum dates back a number of years. Given the history have you considered using a full-featured hosting service instead?

I spot-checked a couple of your sites and they look like good candidates for a WordPress hosting site or similar. If so it would allow you to focus on the content of your sites and not all these fussy technical bits.

Of course the volunteers here will continue to help. I am just offering friendly advice that might work better for you, especially if you are not operating 100%.

That all said, if you want help debugging your Apache config please show output of the command I posted earlier.

5 Likes