Certbot renewal is unable to read acme-challenge on port 443 for 1 month (used to work before)

Except this is an HTTP host (no SNI), but I agree the HOST is probably the normal request host and not the listening IP.

@ATXjl It would still be useful to know what the access and error logs show for the failed request.

Hi MikeMcQ,
I know. But that's the way Apple's Server.app VirtualHost configuration is made, and I have no possibility of changing it. Sorry.

Here is the configuration file generated for the https(:443) VirtualHost:

<VirtualHost 127.0.0.1:34543>
    ServerName https://macmini.pnaf.fr:34543
    ServerAdmin admin@example.com
    DocumentRoot "/Users/Shared/Sites/www.pnaf.fr/httpdocs"
    DirectoryIndex index.html
    CustomLog /var/log/apache2/access_log "%h %l %u %t \"%r\" %>s %b"

    SSLEngine Off
    SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile "/etc/certificates/pnaf.fr.40B02311D51EA0CD294AACBA3A5075EC94AE3668.cert.pem"
    SSLCertificateKeyFile "/etc/certificates/pnaf.fr.40B02311D51EA0CD294AACBA3A5075EC94AE3668.key.pem"
    SSLCertificateChainFile "/etc/certificates/pnaf.fr.40B02311D51EA0CD294AACBA3A5075EC94AE3668.chain.pem"
    SSLProxyProtocol -all +TLSv1.2

    DAVLockDB "/var/run/davlocks/.davlock100"
    DAVMinTimeout 600

    CacheEnable mem /
    MCacheSize 4096

    MSTEngine Off
    MSTCipherSuite HIGH, MEDIUM
    MSTProtocolRange TLSv1.2 TLSv1.2
    MSTProxyEngine On
    MSTIdentity SHA-256:c1edca6ed41cf6e3af191afff2ee37b4512231b61b3ea553d2e9234374ae6539:"pnaf.fr"
    MSTProxyProtocolRange TLSv1.2 TLSv1.2

    <Directory "/Users/Shared/Sites/www.pnaf.fr/httpdocs">
        Options All -Indexes -ExecCGI -Includes +MultiViews
        AllowOverride None

        DAV Off

        <IfDefine !WEBSERVICE_ON>
            Require all denied
            ErrorDocument 403 /customerror/websitesoff403.html
        </IfDefine>
    </Directory>

    <Proxy "balancer://balancer-group">
    </Proxy>

    Alias /collaboration "/usr/share/collaboration"
    Alias /icons/ "/usr/share/httpd/icons/"
    Alias /error/ "/usr/share/httpd/error/"
    Alias /collaboration "/usr/share/collaboration"
    Alias /icons/ "/usr/share/httpd/icons/"
    Alias /error/ "/usr/share/httpd/error/"

    LogLevel warn
    ServerAlias pnaf.fr mail.pnaf.fr smtp.pnaf.fr
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !(^localhost|^127.0.0.1|^::1)
    RewriteCond %{REQUEST_URI} !^/netboot/ [NC]
    RewriteRule .* https://www.pnaf.fr%{REQUEST_URI} [R]
</VirtualHost>

In my next post, I'm going to give you the access_log entries.
Thanks for your help.

Hi MikeMcQ,

Here is the relevant part of the log when issuing the command:

sudo certbot certonly --dry-run --apache --rsa-key-size 4096 -d pnaf.fr

/var/log/apache2/access_log

default 127.0.0.1 - - [20/Sep/2025:10:17:02 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.33 (Unix) LibreSSL/2.2.7 PHP/7.3.8 (internal dummy connection)"

127.0.0.1 - - [20/Sep/2025:10:17:05 +0200] "GET /.well-known/acme-challenge/n37JxqDyC2XIZNY9rjIR_kruP1jGkm1QN5HHKOQJ_ac: HTTP/1.1" 404 331

127.0.0.1 - - [20/Sep/2025:10:17:07 +0200] "GET /.well-known/acme-challenge/uNn3gQFydIb3AV5b9ELIGW4Pb37fegrMiGLkl6V1M4c: HTTP/1.1" 404 331

127.0.0.1 - - [20/Sep/2025:10:17:08 +0200] "GET /.well-known/acme-challenge/vkpt-NhhNsS94dPTnN7cf-MIsgv2-46m3gtdgav-MGA: HTTP/1.1" 404 331

127.0.0.1 - - [20/Sep/2025:10:17:09 +0200] "GET /.well-known/acme-challenge/2f47AYdPL1j4scHbs149lFRdLF7iMKr49yvoXBCePOY: HTTP/1.1" 404 331

127.0.0.1 - - [20/Sep/2025:10:17:10 +0200] "GET /.well-known/acme-challenge/28cA48B91_pxwu6_3yaHbVno1R6PLbpYKQEvplSJ6zU: HTTP/1.1" 404 331

default 127.0.0.1 - - [20/Sep/2025:10:17:25 +0200] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.33 (Unix) LibreSSL/2.2.7 PHP/7.3.8 (internal dummy connection)"

Hope this helps,
Thanks for your help to solve my problem.

Yeah, I don't think you will have success using --apache with that Apache config. What does the log show for your previously working --webroot command?

Also, are you sure there is no error log? That is a normal Apache log to have.

I don't think I can help you but I'll look at any logs from a Certbot --webroot try just in case.

I am not familiar with the above. I am not even sure how that works. Hopefully some other volunteer with Mac experience will offer help.

Normally I would say your Apache is broken because for port 443 you have SSLEngine OFF and the SSLCertificate files are not the normal locations or names for Certbot. But, something else must be happening here because HTTPS definitely reaches you.

As an aside, the cert chain your domain uses works but is very unusual. This may not mean anything to you but for any others looking on you send out a Leaf, another Leaf, its Intermediate, and then ISRG Root X1.

Lastly, an openssl request to your domain gets a wrong signature type error. Given you have SSLEngine off whatever is handling your TLS seems faulty. I have no suggestions for your case.

It's especially odd as curl requests work. The wrong signature could be what is affecting the Let's Encrypt server. I am just not sure if that is the cause or how you could fix that.

echo|openssl s_client -connect www.pnaf.fr:443 | head -20
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R13
verify return:1
depth=0 CN = pnaf.fr
verify return:1
805BBC7D867A0000:error:0A000172:
SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1567:
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = pnaf.fr
   i:C = US, O = Let's Encrypt, CN = R13
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 18 15:33:58 2025 GMT; NotAfter: Dec 17 15:33:57 2025 GMT
 1 s:CN = pnaf.fr
   i:C = US, O = Let's Encrypt, CN = R13
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 18 15:33:58 2025 GMT; NotAfter: Dec 17 15:33:57 2025 GMT
 2 s:C = US, O = Let's Encrypt, CN = R13
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  4 11:04:38 2015 GMT; NotAfter: Jun  4 11:04:38 2035 GMT

Hi MikeMcQ and 9peppe,

I found a way to avoid the https(:443) rerouting for the acme-challenge directory (see http://www.pnaf.fr/.well-known/acme-challenge/test.txt ). In Apple's Server.app, I cancelled the redirection rule for http(:80). I also checked the .htaccess exemptions in the advanced settings. Then I created the following .htaccess file in the httpdocs root directory:

RewriteEngine On

RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

So now, any http://www.pnaf.net//.well-known/acme-challenge/ requests won't be changed to https(:443), but all others will be.

I issued:

sudo certbot certonly --dry-run --apache --rsa-key-size 4096 -d pnaf.fr

But now, it seems that no files are generated in the /.well-known/acme-challenge/ directory by certbot. Certbot produces this log:

2025-09-20 12:05:18,462:DEBUG:certbot._internal.main:certbot version: 2.5.0
2025-09-20 12:05:18,462:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/homebrew/bin/certbot
2025-09-20 12:05:18,462:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '--apache', '--rsa-key-size', '4096', '-d', 'pnaf.fr']
2025-09-20 12:05:18,463:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-09-20 12:05:18,553:DEBUG:certbot._internal.log:Root logging level set at 30
2025-09-20 12:05:18,554:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-09-20 12:05:18,751:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.33
2025-09-20 12:05:19,144:WARNING:certbot_apache._internal.configurator:Could not find ssl_module; not disabling session tickets.
2025-09-20 12:05:19,145:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10a6da350>
Prep: True
2025-09-20 12:05:19,146:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10a6da350>
Prep: True
2025-09-20 12:05:19,146:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10a6da350> and installer <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x10a6da350>
2025-09-20 12:05:19,146:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2025-09-20 12:05:19,153:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/15177778', new_authzr_uri=None, terms_of_service=None), 003860acfc28c2b89804358d575a2244, Meta(creation_dt=datetime.datetime(2020, 8, 16, 5, 29, 36, tzinfo=), creation_host='macmini.tinynet.org', register_to_eff=None))>
2025-09-20 12:05:19,167:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2025-09-20 12:05:19,194:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2025-09-20 12:05:19,599:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1069
2025-09-20 12:05:19,600:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 20 Sep 2025 10:05:19 GMT
Content-Type: application/json
Content-Length: 1069
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"NS-hqnEldnc": "Adding random entries to the directory",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"profiles": {
"classic": "Profiles - Let's Encrypt",
"shortlived": "Profiles - Let's Encrypt (not yet generally available)",
"tlsserver": "Profiles - Let's Encrypt"
},
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/acme/renewal-info",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2025-09-20 12:05:19,612:DEBUG:certbot._internal.display.obj:Notifying user: Simulating a certificate request for pnaf.fr
2025-09-20 12:05:19,614:DEBUG:acme.client:Requesting fresh nonce
2025-09-20 12:05:19,614:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2025-09-20 12:05:19,746:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-09-20 12:05:19,746:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 20 Sep 2025 10:05:19 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: FqG-2UqKP1WKRlzfQEsjO9uNuI-afwYYWVOWcN_D1-4tqZJMjn4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2025-09-20 12:05:19,747:DEBUG:acme.client:Storing nonce: FqG-2UqKP1WKRlzfQEsjO9uNuI-afwYYWVOWcN_D1-4tqZJMjn4
2025-09-20 12:05:19,747:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "pnaf.fr"\n }\n ]\n}'
2025-09-20 12:05:19,750:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJh.........ZGVyIn0",
"signature": "sdaR.........fd3rUIw",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInBuYWYuZnIiCiAgICB9CiAgXQp9"
}
2025-09-20 12:05:19,892:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 351
2025-09-20 12:05:19,893:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 20 Sep 2025 10:05:19 GMT
Content-Type: application/json
Content-Length: 351
Connection: keep-alive
Boulder-Requester: 15177778
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/15177778/27378256324
Replay-Nonce: FqG-2UqKdjgeZFbKqa15h0vcyHWCdQI9_48aILdQFtzTffWDVII
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2025-09-27T10:05:19Z",
"identifiers": [
{
"type": "dns",
"value": "pnaf.fr"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz/15177778/19407498674"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/15177778/27378256324"
}
2025-09-20 12:05:19,893:DEBUG:acme.client:Storing nonce: FqG-2UqKdjgeZFbKqa15h0vcyHWCdQI9_48aILdQFtzTffWDVII
2025-09-20 12:05:19,893:DEBUG:acme.client:JWS payload:
b''
2025-09-20 12:05:19,895:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/15177778/19407498674:
{
"protected": "eyJh...Tg2NzQifQ",
"signature": "OOL9...MisHoxEog",
"payload": ""
}
2025-09-20 12:05:20,028:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/15177778/19407498674 HTTP/1.1" 200 830
2025-09-20 12:05:20,028:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 20 Sep 2025 10:05:19 GMT
Content-Type: application/json
Content-Length: 830
Connection: keep-alive
Boulder-Requester: 15177778
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: o8w5VylS0agmu1oHEzcCJQfmTHqqadvpDnICz_FLFgCAzqVMJdU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "pnaf.fr"
},
"status": "pending",
"expires": "2025-09-27T10:05:19Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/15177778/19407498674/Z18TXw",
"status": "pending",
"token": "ythMlbp8nve5ivVAFYN2A0ZhVb6gvwiTFbwwawVXBlw"
},
{
"type": "tls-alpn-01",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/15177778/19407498674/Z9Hwow",
"status": "pending",
"token": "ythMlbp8nve5ivVAFYN2A0ZhVb6gvwiTFbwwawVXBlw"
},
{
"type": "dns-01",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/15177778/19407498674/A909MQ",
"status": "pending",
"token": "ythMlbp8nve5ivVAFYN2A0ZhVb6gvwiTFbwwawVXBlw"
}
]
}
2025-09-20 12:05:20,028:DEBUG:acme.client:Storing nonce: o8w5VylS0agmu1oHEzcCJQfmTHqqadvpDnICz_FLFgCAzqVMJdU
2025-09-20 12:05:20,029:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-09-20 12:05:20,029:INFO:certbot._internal.auth_handler:http-01 challenge for pnaf.fr
2025-09-20 12:05:20,038:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/configurator.py", line 2474, in perform
http_response = http_doer.perform()
^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/http_01.py", line 66, in perform
self._mod_config()
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/http_01.py", line 102, in _mod_config
selected_vhosts += self._relevant_vhosts()
^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/http_01.py", line 145, in _relevant_vhosts
raise errors.PluginError(
certbot.errors.PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

2025-09-20 12:05:20,038:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-09-20 12:05:20,038:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-09-20 12:05:20,360:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/homebrew/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==2.5.0', 'console_scripts', 'certbot')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/main.py", line 1597, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/configurator.py", line 2474, in perform
http_response = http_doer.perform()
^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/http_01.py", line 66, in perform
self._mod_config()
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/http_01.py", line 102, in _mod_config
selected_vhosts += self._relevant_vhosts()
^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/homebrew/Cellar/certbot/2.5.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/http_01.py", line 145, in _relevant_vhosts
raise errors.PluginError(
certbot.errors.PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
2025-09-20 12:05:20,364:ERROR:certbot._internal.log:Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

So, my problem is still there. Thanks.

Oh, I see your deleted posts that you are able to stop redirecting the ACME Challenge. That's terrific. Your original --webroot command should work as long as the -w directory matches the directory in your port 80 VirtualHost.

Please stop trying --apache option. It won't work with your non-standard Apache syntax.

Let us know how --webroot works out. Then we don't need to figure out that unusual openssl signature error :slight_smile:

Hi MikeMcQ,

By performing:

sudo certbot certonly --dry-run --rsa-key-size 4096 -v --webroot-path / -d pnaf.fr

I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find ssl_module; not disabling session tickets.

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for pnaf.fr
Performing the following challenges:
http-01 challenge for pnaf.fr
Using the webroot path / for all unmatched domains.
Waiting for verification...
Challenge failed for domain pnaf.fr
http-01 challenge for pnaf.fr

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: pnaf.fr
Type: unauthorized
Detail: 82.65.30.178: Invalid response from http://pnaf.fr/.well-known/acme-challenge/5CvZe7Jn0Pw62pxw8d-bj1eEAAJqjO6VL0DtxhSDzmQ: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Same kind of output in /var/log/letsencrypt/letsencrypt.log as the one given before.
Thanks.

And looking in /var/log/apache2/access_log shows:

127.0.0.1 - - [20/Sep/2025:13:43:17 +0200] "GET /.well-known/acme-challenge/5CvZe7Jn0Pw62pxw8d-bj1eEAAJqjO6VL0DtxhSDzmQ HTTP/1.1" 404 325

So no file is generated :thinking:. That's why things go wrong.

You forgot the --webroot option, and are you sure that is the correct --webroot-path?

The option you chose '3' creates a standalone server for port 80. That won't work on your system and is not using your Apache server.

Just use the original Certbot command you always used except make sure the webroot path is correct. I don't remember if your port 80 and port 443 VirtualHosts use the same path so make sure it matches port 80's.
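A pre-flight check for the webroot-path mismatch MikeMcQ points at above, added here as an example that is not part of this thread or of Certbot: it writes a probe file where the webroot plugin would write its token and fetches it over plain HTTP without following redirects, so a 404 (the -w path is not the DocumentRoot of the port-80 VirtualHost) or a 301 to https (redirect rule still active) shows up before the real run. The local http.server in run_local_demo is an assumed stand-in for Apache so the demo runs offline; the token name and body are constructed, not real ACME values.

```python
import functools
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot: str) -> tuple[str, str]:
    """Create <webroot>/.well-known/acme-challenge/<token> with a known body."""
    token = secrets.token_urlsafe(32)  # constructed probe name, not a real ACME token
    body = f"probe-{token}"
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(body)
    return token, body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, token: str, expected: str) -> dict:
    """Fetch the probe file over plain HTTP and classify what the port-80 side does."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            status, body, location = resp.status, resp.read().decode(), None
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        status = err.code
        body = err.read().decode(errors="replace")
        location = err.headers.get("Location")
    if status == 200 and body == expected:
        verdict = "ok"          # the :80 vhost serves the directory you passed as -w
    elif status in (301, 302, 307, 308):
        verdict = "redirect"    # HTTP->HTTPS rule still active; target must serve it too
    elif status == 404:
        verdict = "not-found"   # -w path is not the DocumentRoot of the :80 vhost
    else:
        verdict = "unexpected"
    return {"url": url, "status": status, "location": location, "verdict": verdict}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def run_local_demo() -> tuple[str, str]:
    """Stand-in for Apache: serve one temp dir; probe a matching and a wrong webroot."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        handler = functools.partial(_QuietHandler, directory=served)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            base = f"http://127.0.0.1:{srv.server_address[1]}"
            good = probe(base, *place_token(served))  # same dir the server serves
            bad = probe(base, *place_token(other))    # token written elsewhere -> 404
            srv.shutdown()
    return good["verdict"], bad["verdict"]


if __name__ == "__main__":
    print(run_local_demo())  # ('ok', 'not-found')
```

Against a real host the same check is probe("http://pnaf.fr", *place_token("/Users/Shared/Sites/www.pnaf.fr/httpdocs")), run as a user that can write to that directory; remove the probe file afterwards.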

Wow! Good guess MikeMcQ.

certbot certonly --dry-run --rsa-key-size 4096 --webroot -v --webroot-path /Users/Shared/www.pnaf.fr/httpdocs -d pnaf.fr

Gives:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for pnaf.fr
Performing the following challenges:
http-01 challenge for pnaf.fr
Using the webroot path /Users/Shared/Sites/www.pnaf.fr/httpdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
The dry run was successful.

So do you think my future certbot renewal will work? If so I can rely again on my daemon + renewal-hooks to deploy my fresh certificates. Hope this works; I will see by late November, as my current certificates are ending on December 17th.

Thank you very much for helping me solve my issue so quickly.

Well, that isn't the command you actually used - was it?

Because you can see below the webroot path has a /sites/ directory in it.

And, yes, that should renew fine as long as you do not redirect HTTP to HTTPS

The Certbot renewal config options you showed earlier match this --dry-run result.

Test, sure. The issued command was with /Sites/ :

certbot certonly --dry-run --rsa-key-size 4096 --webroot -v --webroot-path /Users/Shared/Sites/www.pnaf.fr/httpdocs -d pnaf.fr

Thanks MikeMcQ!