Certbot is not working on apache2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bjoernspecker.de

I ran this command:
sudo certbot
It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: bjoernspecker.de
Type: tls
Detail: xxx:: Fetching https://bjoernspecker.de/wordpress/.well-known/acme-challenge/cyqyAcB1ZI7Mge-VH1cDnUnsuwg9VK7nwyKvBNa_GGM: remote error: tls: handshake failure

Domain: www.bjoernspecker.de
Type: tls
Detail: xxx::: Fetching https://bjoernspecker.de/wordpress/.well-known/acme-challenge/efFlbj7dNl_3MLxn2UgOjKSOOMY-t8sBPQkkKBsNFOU: remote error: tls: handshake failure

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version):

The operating system my web server runs on is (include version):
Raspberry Pi OS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

I stopped the apache2 server on my Raspberry Pi, but I'm still not able to execute certbot without errors. I need your help please.

Was that the result even with Apache stopped? Because --standalone requires exclusive use of port 80.

Also, you have both IPv4 and IPv6 addresses in your DNS. Which of them was shown in the error message (it helps to know).

Assuming Apache was stopped, then something else processed the HTTP request before Certbot --standalone ever saw it. The --standalone would never redirect to HTTPS yet we see an HTTPS URL in the error message.

If you have a working Apache server why are you using --standalone? Usually the --apache or --webroot methods are used, which allow Apache to stay running. Otherwise with --standalone you need to stop it not only for the first cert but also for each renewal.

2 Likes

Probably not looking at the /wordpress/ that has worked itself in the URL after the HTTP to HTTPS redirect.

I have tried this command: certbot --apache
This error appeared: The requested apache plugin does not appear to be installed
If I try to install the apache plugin I get this: E: Package python-certbot-apache cannot be found

What was the install command that produced that error?

2 Likes

The install command was: sudo apt-get install python-certbot-apache

I don't have a Pi system to check but what does this say?

sudo apt-cache search certbot | grep -Ei 'encrypt|apache'
1 Like

The output is as follows:
Automatic configuration of HTTPS using Let's Encrypt
python3-certbot-apache - Apache plugin for Certbot

So, shouldn't you run: sudo apt-get install python3-certbot-apache

You ran this.

1 Like

I've tried this and the installation was successful, but it still does not work:
"The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet."

Would you please show the part of the error message like you did in the first post? (and that I show above).

You should not be getting the same "handshake failure" with the --apache plugin. It is important to know exactly what the error is.

1 Like

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: bjoernspecker.de
2: www.bjoernspecker.de


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for bjoernspecker.de and www.bjoernspecker.de

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: bjoernspecker.de
Type: tls
Detail: xxx::: Fetching https://bjoernspecker.de/wordpress/.well-known/acme-challenge/MJmhWWJwYO3QJH6LRnKAJJqghqCV_r6H2qER72ahp4g: remote error: tls: handshake failure

Domain: www.bjoernspecker.de
Type: tls
Detail: xxx::: Fetching https://bjoernspecker.de/wordpress/.well-known/acme-challenge/UYENaeuEgtAQ4wbkMr7tfitZmnyy_UNvJnrTLs4E3LM: remote error: tls: handshake failure

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

I discovered that I need a TXT record to verify that I am the owner of the website.
What do I have to type in the TXT record?

No, you use that with a DNS Challenge. So far you have been trying an HTTP Challenge. Both --standalone and --apache use the HTTP Challenge. The DNS Challenge is more difficult to set up.

You can see an HTTPS URL in the error message. If --apache worked correctly you would not see that. Something in your system is redirecting the original HTTP request from the Let's Encrypt server to HTTPS. And, adding a /wordpress/ to the URL too. Something is unusual in your Apache config that it could not be configured by the --apache option.

We need to study your Apache config. What does this command show?

apachectl -t -D DUMP_VHOSTS

You may need to use apache2ctl or httpd instead of apachectl. I don't remember which command the Pi uses.

1 Like

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.bjoernspecker.de (/etc/apache2/ports.conf:6)
port 80 namevhost www.bjoernspecker.de (/etc/apache2/ports.conf:6)
port 80 namevhost bjoernspecker.de (/etc/apache2/sites-enabled/bjoernspecker.de.conf:8)
alias www.bjoernspecker.de

I've set the ServerName in apache2.conf, but the certbot error persists:
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

That looks very wrong. You should not have any VirtualHost definitions in your ports.conf file. And, whatever is there overlaps domain names in your sites-enabled folder. For Apache to work correctly each port:name combination must be unique.

Please show the contents of both of these files

/etc/apache2/ports.conf
/etc/apache2/sites-enabled/bjoernspecker.de.conf
2 Likes
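The overlap described in the reply above can be spotted mechanically from the DUMP_VHOSTS output rather than by eye. This is an added example, not code from the thread or from Certbot: it parses the dump posted above (embedded here as a constructed string) and reports every port:name pair claimed by more than one VirtualHost, plus any VirtualHost defined outside /etc/apache2/sites-enabled/, which is where ports.conf should never appear.

```python
import re
from collections import defaultdict

# Constructed sample: the `apachectl -t -D DUMP_VHOSTS` output posted in this thread.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.bjoernspecker.de (/etc/apache2/ports.conf:6)
port 80 namevhost www.bjoernspecker.de (/etc/apache2/ports.conf:6)
port 80 namevhost bjoernspecker.de (/etc/apache2/sites-enabled/bjoernspecker.de.conf:8)
alias www.bjoernspecker.de
"""

NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+)\)")
ALIAS = re.compile(r"^\s*alias (\S+)")


def parse_dump(text):
    """Map each (port, name) pair to the config locations that claim it."""
    claims = defaultdict(list)
    port = source = None
    for line in text.splitlines():
        m = NAMEVHOST.match(line)
        if m:
            port, name, source = m.groups()
            claims[(port, name)].append(source)
            continue
        m = ALIAS.match(line)
        if m and port is not None:
            # alias lines belong to the namevhost block printed just before them
            claims[(port, m.group(1))].append(source)
    return dict(claims)


def find_overlaps(text):
    """Return port:name pairs claimed by more than one VirtualHost; requests for
    such a name go to whichever VirtualHost Apache matches first, which is why
    the --apache plugin could not place its challenge where the CA fetched it."""
    return {k: v for k, v in parse_dump(text).items() if len(v) > 1}


def vhosts_outside_sites_enabled(text):
    """Return config locations of VirtualHosts not under /etc/apache2/sites-enabled/."""
    return sorted({src for srcs in parse_dump(text).values() for src in srcs
                   if not src.startswith("/etc/apache2/sites-enabled/")})


if __name__ == "__main__":
    for (port, name), where in find_overlaps(SAMPLE_DUMP).items():
        print("overlap %s:%s defined in %s" % (port, name, ", ".join(where)))
    for src in vhosts_outside_sites_enabled(SAMPLE_DUMP):
        print("VirtualHost outside sites-enabled:", src)
```

Feed it the real output with `apache2ctl -t -D DUMP_VHOSTS 2>&1` on the Pi; an empty overlap list and an empty outside-sites-enabled list is what a clean config looks like.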

/etc/apache2/ports.conf:

Listen 80
<VirtualHost *:80>
    DocumentRoot "/var/www/html/wordpress"
    ServerName www.bjoernspecker.de
</VirtualHost>
<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

/etc/apache2/sites-enabled/bjoernspecker.de.conf:

<VirtualHost *:80>
    ServerName bjoernspecker.de
    DocumentRoot /var/www/html
    ServerAlias www.bjoernspecker.de

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html>
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    # Let's Encrypt challenge location
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/

    <Location "/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        ForceType text/plain
        RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Location>
</VirtualHost>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Make your ports.conf look like the above by removing the VirtualHost

2 Likes