Certbot renew unauthorized 404 not found on .well-known/acme-challenges

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

wolkepur.de

I ran this command:

certbot --debug-challenges -v

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator None and installer None
Apache version is 2.4.29
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7ffbf4a08710>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7ffbf4a08710> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7ffbf4a08710>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/55952502', new_authzr_uri=None, terms_of_service=None), 1cad7025603dc2f23ed5b19d0d0f39ef, Meta(creation_dt=datetime.datetime(2019, 4, 26, 19, 47, 56, tzinfo=<UTC>), creation_host='v22019048292888368.quicksrv.de'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 14 Jul 2019 07:22:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Jul 2019 07:22:01 GMT
Connection: keep-alive

{
  "aNIHm7Gc23E": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: v22019048292888368.quicksrv.de
2: wolkepur.de
3: www.wolkepur.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0042_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0042_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: sMNJ0KlTtKCweYJGZ6mSSf0D0nbaIIEsBf8ZaNObDNQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Sun, 14 Jul 2019 07:22:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Jul 2019 07:22:11 GMT
Connection: keep-alive


Storing nonce: sMNJ0KlTtKCweYJGZ6mSSf0D0nbaIIEsBf8ZaNObDNQ
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "wolkepur.de"\n    }\n  ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTU5NTI1MDIiLCAibm9uY2UiOiAic01OSjBLbFR0S0N3ZVlKR1o2bVNTZjBEMG5iYUlJRXNCZjhaYU5PYkROUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "K9F7igQS-3vj2jfxPMx5yHjayjpyCLsMjc9qY2O-63f4Y3oxXMm6b9V8RqIE89tJE38lYNJcnJ1YwaqOZULQ9vGR8-Aj3_tKoSyb_4MhZ3QU9zSMFB7cUu4MTwTL5VQ5dLUxhRZYNTCapE5z51WfV74AfeC3PoETUUQUllczWK7ZMNd4-oPZTjNVOIhtFiaW966muG08N7V_LfISlrTsLuQLKZeJ1q6fCQri0ySrTScRLhg4rVT73jIEWlWteYTWLqVdECkfNELb2e1vbKu59764yHdT_9o2lt5r7iV1ODFe_I21REhUxhByq4c-GSpA9WLTfPVnDd2jIehMYilJCA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndvbGtlcHVyLmRlIgogICAgfQogIF0KfQ"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 370
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 370
Boulder-Requester: 55952502
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/55952502/716416225
Replay-Nonce: oDVGKhSDSDtciyWPVGoXkZXVYBUFExW4pSN9VRmUE-I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 14 Jul 2019 07:22:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Jul 2019 07:22:11 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2019-07-21T07:22:11.587347137Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "wolkepur.de"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/55952502/716416225"
}
Storing nonce: oDVGKhSDSDtciyWPVGoXkZXVYBUFExW4pSN9VRmUE-I
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTU5NTI1MDIiLCAibm9uY2UiOiAib0RWR0toU0RTRHRjaXlXUFZHb1hrWlhWWUJVRkV4VzRwU045VlJtVUUtSSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovREhFdlRIV19ETnl2LW5ubGJzdXBNaEMydjNOVmV0TThPeTJ3Y3lHbXhHWSJ9",
  "signature": "fy38Fkv0B62I0nWuFUlD7HnRYQ8VPpcKCpeKFchjUfhAZz6vTWr-MDMDdaa-irtuBKbsi-PtGHjvuTMMpzCjk4pQn69bOaxEzR3GZVde5FjM0nQxph0M7_VBDq_WXJGJpoPRkaNeKdtBnQew8JKb1caHrNvX1nxxR57rBX1mkAM2oXJphXbbZWER5bp46WjQh0bmF0hVkSW6ttvkJ7AT6JfG1J5Y1p8nzrCehCgtQL3X3FFEE4mntSD4kqdfpb3iUt1JIxRj50W6qmGV_sKyfNbGaY8ynr3pGeD0nvcSnOntjEhzAr04GenIkIPaM_FZtVi0FXy7JV1Y3gZMOUJgGw",
  "payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY HTTP/1.1" 200 906
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 906
Boulder-Requester: 55952502
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: KmUHL2J0NDRE2NWZE6v9Eee0J_Gfpu-rDB7Zhi1xUBo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 14 Jul 2019 07:22:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Jul 2019 07:22:11 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "wolkepur.de"
  },
  "status": "pending",
  "expires": "2019-07-21T07:22:11Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696689",
      "token": "S2PadhK_ohHu6RCq8orQqQpdaeAX0kiLr5zYyfVlC6s"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696690",
      "token": "N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696691",
      "token": "_bBvt46OiedErdfG6u1xjm3iExKWEFEx0rsWWFDLh00"
    }
  ]
}
Storing nonce: KmUHL2J0NDRE2NWZE6v9Eee0J_Gfpu-rDB7Zhi1xUBo
Performing the following challenges:
http-01 challenge for wolkepur.de
Adding a temporary challenge validation Include for name: wolkepur.de in: /etc/apache2/sites-enabled/wolkepur-ssl.conf
Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/wolkepur.conf
writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
Creating backup of /etc/apache2/sites-enabled/wolkepur.conf
Creating backup of /etc/apache2/sites-enabled/wolkepur-ssl.conf
Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
JWS payload:
b'{\n  "resource": "challenge",\n  "keyAuthorization": "N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw.-izklTsoJUdFcpEXCthgJicFXZ1fA9_INGyBXX6Ibbk",\n  "type": "http-01"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696690:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTU5NTI1MDIiLCAibm9uY2UiOiAiS21VSEwySjBORFJFMk5XWkU2djlFZWUwSl9HZnB1LXJEQjdaaGkxeFVCbyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlL0RIRXZUSFdfRE55di1ubmxic3VwTWhDMnYzTlZldE04T3kyd2N5R214R1kvMTgyNTE2OTY2OTAifQ",
  "signature": "KNn1rHQgGBAmICb-LIyqaCQt6RgkZhyaAlxx2C6LfkeNB_tjwRk0mffPg7gliM-LKEliKvitJs5RR_99G1Ekgmd0o5LHuVm9-oy1oU8XYRRkEsXh7KyoxJqpVSGmJfPKwvpMIwa5lCZP9Uo04zCa6PbNtYi6Nrx5aBIfc6S0_DFICbJdJSkeVC_r5bd3UZ_Vit5Zx8DjOxbGa2DSv490bosLlv9XgN6AVEv6-sAaqHg6Y0BCXUvGkU52edZZJQ6zWG154YWbH0WOM4bagVtyjnPicTflWZDBI_lP8dvxoeUDAYdQnU9w1xEQbpuV31aUra0R7ID1LxbqDtbjEGN-Cg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIk4xRWs1Z3Q2U1VXTWtjalFPaDh1bzhuaWxFdktNVkZ3cW5lUWhfUWhMZ3cuLWl6a2xUc29KVWRGY3BFWEN0aGdKaWNGWFoxZkE5X0lOR3lCWFg2SWJiayIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696690 HTTP/1.1" 200 224
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 224
Boulder-Requester: 55952502
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696690
Replay-Nonce: EQgDfcrZ0LmuDsRgsUPkZEoZbQr7EUUNlBRVFP4uhro
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 14 Jul 2019 07:22:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Jul 2019 07:22:32 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696690",
  "token": "N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw"
}
Storing nonce: EQgDfcrZ0LmuDsRgsUPkZEoZbQr7EUUNlBRVFP4uhro
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTU5NTI1MDIiLCAibm9uY2UiOiAiRVFnRGZjclowTG11RHNSZ3NVUGtaRW9aYlFyN0VVVU5sQlJWRlA0dWhybyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovREhFdlRIV19ETnl2LW5ubGJzdXBNaEMydjNOVmV0TThPeTJ3Y3lHbXhHWSJ9",
  "signature": "V7ST0woq2KuR3vWXVB6hJxFXEjnxZInR9SQho0f32NnmT6knJ1VZ-M4K4Gf71x_ptjbBvwq45dS5FA4xb7qaWu7hGQOshBJ1vVGj7QlliuaqEz3ggFqTxsdRAglxBVx3cqnzVlRg6UJe2Y6iysDUozDsFgRVYbxBEvGUFTkcBn7bZof5MBfXmRsqg52t3aFk8452SFtwaKvV3Rw72-voLtD2ZoOo_FXuHVhLy6OuS5CncwZcqJza3QUmvNKi-zk-9R7M10BNmrCjvZtfwe_bDxgFMwuh1li6Ysity84_V77f55-95Up_w81QS-Gko_2VSNmQ2ybLDi2sSvB6JQLdhw",
  "payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY HTTP/1.1" 200 1756
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1756
Boulder-Requester: 55952502
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: wIc2PBlGPuc2iqh4tOy7S-GhM6HZoKPlz5Mff1f8gJc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 14 Jul 2019 07:22:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Jul 2019 07:22:36 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "wolkepur.de"
  },
  "status": "invalid",
  "expires": "2019-07-21T07:22:11Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696689",
      "token": "S2PadhK_ohHu6RCq8orQqQpdaeAX0kiLr5zYyfVlC6s"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw [213.109.161.220]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696690",
      "token": "N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw",
      "validationRecord": [
        {
          "url": "http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw",
          "hostname": "wolkepur.de",
          "port": "80",
          "addressesResolved": [
            "213.109.161.220"
          ],
          "addressUsed": "213.109.161.220"
        }
      ]
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/DHEvTHW_DNyv-nnlbsupMhC2v3NVetM8Oy2wcyGmxGY/18251696691",
      "token": "_bBvt46OiedErdfG6u1xjm3iExKWEFEx0rsWWFDLh00"
    }
  ]
}
Storing nonce: wIc2PBlGPuc2iqh4tOy7S-GhM6HZoKPlz5Mff1f8gJc
Reporting to user: The following errors were reported by the server:

Domain: wolkepur.de
Type:   unauthorized
Detail: Invalid response from http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw [213.109.161.220]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. wolkepur.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw [213.109.161.220]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. wolkepur.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw [213.109.161.220]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Failed authorization procedure. wolkepur.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw [213.109.161.220]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: wolkepur.de
   Type:   unauthorized
   Detail: Invalid response from
   http://wolkepur.de/.well-known/acme-challenge/N1Ek5gt6SUWMkcjQOh8uo8nilEvKMVFwqneQh_QhLgw
   [213.109.161.220]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.2

My hosting provider, if applicable, is:

Netcup GmbH, Karlsruhe, Germany

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

Notice
As you can see there are three sites enabled, all of them with permanent redirections to https. While two of them work (numbers #1 and #3), the third one (number #2) does not.

Unfortunately I cannot find any differences in underlying configurations. Do you?

Are you aware that visiting wolkepur.de results in the default unsecured Ubuntu Apache welcome page?

You might not be able to replicate this in a browser due to cached HSTS policy causing implicit redirection to HTTPS, but you can replicate it on the command line or a fresh browser (screenshot).

This isn’t necessarily a reason that Certbot wouldn’t work in itself, but it is somewhere to start. It is an indication that you may have overlapping unsecured virtual hosts.

Could you post:

apachectl -t -D DUMP_VHOSTS

Hi @martinschniewind

additional: One redirect is missing, the other redirect is wrong ( https://check-your-website.server-daten.de/?q=wolkepur.de ):

Domainname Http-Status redirect Sec. G
http://www.wolkepur.de/
213.109.161.220 301 https://www.wolkepur.de 0.043 A
http://wolkepur.de/
213.109.161.220 200 0.050 H
https://wolkepur.de/
213.109.161.220 302 https://wolkepur.de/index.php/login 0.597 A
https://www.wolkepur.de/
213.109.161.220 200 0.516 I
https://www.wolkepur.de 200 0.220 I
https://wolkepur.de/index.php/login 200 0.304 A
http://www.wolkepur.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
213.109.161.220 301 https://www.wolkepur.de.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.044 A
Visible Content: Moved Permanently The document has moved here . Apache/2.4.29 (Ubuntu) Server at www.wolkepur.de Port 80
http://wolkepur.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
213.109.161.220 404 0.044 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at wolkepur.de Port 80
https://www.wolkepur.de.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -1 0.030 R NameResolutionFailure - The remote name could not be resolved: ‘www.wolkepur.de.well-known’

There is only a redirect http + www -> https.

But the “/” is missing.

Result: The redirect of http + www + /.well-known/acme-challenge doesn’t have a “/”, so it’s redirected to

www.wolkepur.de.well-known

Add a slash between your Server/Hostname and the additional variable.

Hi _az,

thanks for your reply. Some people told me so, but I could not reproduce it, certainly for the reason you mentioned.

*:443                  is a NameVirtualHost
         default server v22019048292888368.quicksrv.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost v22019048292888368.quicksrv.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost wolkepur.de (/etc/apache2/sites-enabled/wolkepur-ssl.conf:1)
         port 443 namevhost www.wolkepur.de (/etc/apache2/sites-enabled/www.wolkepur-ssl.conf:1)
*:80                   is a NameVirtualHost
         default server wolkepur.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost wolkepur.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost wolkepur.de (/etc/apache2/sites-enabled/wolkepur.conf:1)
                 alias wolkepur.de
         port 80 namevhost wolkepur.de (/etc/apache2/sites-enabled/www.wolkepur.conf:1)
                 alias www.wolkepur.de

Hi JuergenAuer,

thanks a lot for your investigation.

I’ll have to check that tomorrow - going to work now :-/

That’s probably the issue right there. Your domain (exactly wolkepur.de) appears as a ServerName or ServerAlias in three different virtual hosts.

This is a nonsensical configuration, since it can only effectively apply to a single virtual host and the other two get ignored.

I would give a try to remove wolkepur.de's appearance from www.wolkepur.conf and 000-default.conf, so that those virtual hosts only match www.wolkepur.de and v22019048292888368.quicksrv.de, respectively.

I think that will fix the problem.

Hi _az,

I fixed the ServerName problem by adding ServerName directives to each of the non-ssl configs. There had been ServerAlias directives before, which obviously has been sufficient up to the moment, when I changed the system’s hostname to ‘wolkepur.de’. Thanks to your explanation I understand, that this was a silly misconfiguration.

Anyway, this was one part of the trick… see my reply to JuergenAuers post.

Hi JuergenAuer,

adding the slash at the end of my “Redirect permanent” directives did the trick.

But why? There are two other servers without slashes at the end of redirect urls with no complaints when renewing certificates…

Well, I see my lack of skills in webserver configuration. Thank you (both of you) for your efforts helping me out.

It’s probably not usually an issue for Let’s Encrypt: when using Certbot’s Apache plugin, the validation happens entirely over HTTP, avoiding the redirect to HTTPS.

The redirect only causes problems for other software, or when using Certbot’s webroot plugin.

You should still fix the other virtual hosts.

1 Like

It’s an additional problem, not directly your error message, but visible after the check.

And it’s a critical “hidden error”: You don’t see it, because your browser caches redirects.

But users without such a cache and a subfolder http://yourdomain.com/subfolder are redirected to https://yourdomain.comsubfolder, a not existing domain.