Certbot not creating .well-known/acme-challenges file


#1

My domain is:
monxas.ninja
I ran this command:
sudo certbot --apache --debug-challenges
It produced this output:

Obtaining a new certificate
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for monxas.ninja
Waiting for verification...

-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------
Press Enter to Continue
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Cleaning up challenges
Failed authorization procedure. monxas.ninja (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://monxas.ninja/.well-known/acme-challenge/Wt_CvapZhIJt3EDdoIjop4Lun7V4B_JpWmnpyMxz7es: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: monxas.ninja
   Type:   unauthorized
   Detail: Invalid response from
   http://monxas.ninja/.well-known/acme-challenge/Wt_CvapZhIJt3EDdoIjop4Lun7V4B_JpWmnpyMxz7es:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is (include version):
Apache version 2.4.25
The operating system my web server runs on is (include version):
Raspbian GNU/Linux 9

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The DNS records are

A *.monxas.ninja 83.56.8.166 300

A monxas.ninja 83.56.8.166 300

and I don’t use AAAA.

Also, I manually created the well-known path; it’s accessible, as you can see here:

http://monxas.ninja/.well-known/acme-challenge/


#2

Please show the vhost config file(s).


#5

this is my vhost

<VirtualHost monxas.ninja:*>
    DocumentRoot "/var/www/html"
    ServerName monxas.ninja
    <Directory "/var/www/html">
        allow from all
        Options None
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =monxas.ninja
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#6

This vhost is missing some things…
Like a listen statement.
How it handles the /.well-known/acme-challenge/ requests.
It redirects to https; but where is that being handled?
And using an * like this will eventually create a problem:

If this is the http block then use:
<VirtualHost monxas.ninja:80> # or whichever port your router forwards inbound 80 requests to.
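A complete port-80 vhost of the kind this reply describes, added here as an illustration and not a config posted in the thread: it binds explicitly to port 80, serves /.well-known/acme-challenge/ from the /var/www/html webroot shown in the thread, and excludes that path from the https redirect so the CA’s plain-HTTP validation request is answered with the token instead of a redirect or a 404. The www alias and the AllowOverride/ForceType settings are assumptions, not something the thread specifies.

```apache
# Listen normally lives in /etc/apache2/ports.conf on Debian/Raspbian;
# it must appear exactly once at server level, not inside a VirtualHost.
Listen 80

<VirtualHost *:80>
    ServerName monxas.ninja
    ServerAlias www.monxas.ninja          # assumed; matches the www DNS record
    DocumentRoot "/var/www/html"

    <Directory "/var/www/html">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Challenge tokens are extensionless files; serve them as plain text
    # and never let an .htaccess rule interfere with them.
    <Directory "/var/www/html/.well-known/acme-challenge">
        Options None
        AllowOverride None
        ForceType text/plain
        Require all granted
    </Directory>

    RewriteEngine on
    # Everything except the ACME challenge path goes to https.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

After reloading Apache, a quick `curl -I http://monxas.ninja/.well-known/acme-challenge/test` (with a `test` file placed in that directory) should return 200 rather than 301 or 404.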


#7

What version of Certbot are you using?

While it’s paused, can you check what changes it’s made to the Apache configuration?


#8

Hi @monxas

Please add a file without an extension in this directory.

https://monxas.ninja/.well-known/acme-challenge/1234

Looks good, sends a 404, but redirects may change that. So if the directory works, the file doesn’t need to work.

If you can load this file via browser, you have found your correct webroot. Perhaps try to use the webroot authentication:

sudo certbot run -a webroot -i apache -w /var/www/html -d monxas.ninja --debug-challenges

“Combining plugins”


#9

Thanks! That worked for me.


#10

Can you be more specific - for those who may read this post after we have long forgotten…


#11

But your solution is incomplete.

You have two DNS entries: monxas.ninja and www.monxas.ninja.

So using https://www.monxas.ninja/ doesn’t work, because the certificate has only one name.

So create one certificate with two domain names:

sudo certbot run -a webroot -i apache -w /var/www/html -d monxas.ninja -d www.monxas.ninja --debug-challenges

Or remove the www dns entry. But the better solution is a certificate with both names.