Certbot: "Some challenges have failed."

My domain is:

I ran this command:
sudo certbot -v --apache

It produced this output:

Challenge failed for domain discourse.bluebottlefly.com
http-01 challenge for discourse.bluebottlefly.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: discourse.bluebottlefly.com
Type: unauthorized
Detail: Invalid response from http://discourse.bluebottlefly.com/.well-known/acme-challenge/CRP-XaSRU2_LLb_pzEGVHl2GMvQ97B-TnRwXokzm6L0 []: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Linux discourse.bluebottlefly.com 5.13.0-1021-oracle #26~20.04.1-Ubuntu SMP Mon Mar 7 14:30:17 UTC 2022 aarch64

My hosting provider, if applicable, is:
Oracle Cloud

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.25.0

I suspect at least part of the issue is that I created the subdomain on another server (Dreamhost) and have a Let's Encrypt cert for that. But now I am trying to redirect the subdomain to the above-described cloud server. My goal is to run a Discourse server. I ran the installation per instructions at that link, but I can neither redirect my subdomain from Dreamhost nor see the Discourse server or get a Certbot cert on the target server here.



Welcome to the community @spamless

Yeah, your DNS is pointing to the Dreamhost server which is responding fine with the cert you got yesterday.

I am not sure how you want to "redirect" to the new server but couldn't you just update your DNS to point to it?


Thanks, Mike. That is exactly what I have been trying to do for two days. I am stuck in a loop. I put a new A-record in DNS at Dreamhost. But I don't have authority to delete the original A-record there, or change any of the auto-generated DNS entries there; I can only edit, add, or remove entries that I created.

There is a Dreamhost FAQ about what to do here. I have gone back and forth with that for hours. It says I should use this (screenshot) form to set up subdomain forwarding.

But that errors out, because (per the FAQ I've linked to) I can only redirect an https-enabled subdomain if the target is also https-enabled.

A workaround is hinted at, of disabling the cert at Dreamhost. I tried that. I uninstalled it. I still couldn't invoke the redirect. (I also tried taking out the A-record I created at Dreamhost yesterday. When that didn't help, I put it back.)

My impression is that I first need to disable hosting there on Dreamhost. But I can't do that, because my MX records and mailbox are integrated with the Dreamhost instance of the subdomain -- which I created there yesterday in accordance with the instructions for how to get a Discourse server running. I don't have a mail server on the cloud server that I'm trying to get certified.

I also tried a redirect in the .htaccess file on Dreamhost. When that didn't work, I tried mod_rewrite. Also a no-go.

Basically, I want my mail server on Dreamhost but the subdomain on the Oracle cloud server I'm trying to get certified.



My guess would be that you should delete the subdomain on Dreamhost side.

This should allow you to create a DNS A record for discourse.bluebottlefly.com that points directly to your Oracle Cloud server.

Dreamhost doesn't need to know about the subdomain in the context of your hosting services, other than you creating the A record per https://help.dreamhost.com/hc/en-us/articles/360035516812-Adding-custom-DNS-records.

Could you use the mail services of your main domain, not of the Discourse subdomain? Then you would not be affected by this restriction.

I don't think there's any way you could avoid creating an A record that points to your Oracle server, if you want this to work.


These are good thoughts. I might be getting somewhere with my original idea about it anyway: I just found this hidden gem (FAQ) at Dreamhost.

It's further instructions to set the domain to DNS only. It has a couple of conflicting bits of information, however. Well, but so far I think I got this part working. And it disabled or deleted my cert on Dreamhost, which I seem to need to have happen.

But now I've got a new problem: I hit the Let's Encrypt rate limit! Darn. So either I can wait a week or I can change the name of the subdomain, I guess. :unamused:

Thanks. I'll have to see. With that new info from the Dreamhost FAQ, I might be able to proceed. I wish I'd known about the rate limit before. I thought I had waited out DNS changes …



@_az, this is a postscript to say it somehow flew past me that you ended up locating the very same article I did and you posted it for me. I do appreciate it! It was a coincidence -- we might call it a race condition -- :melting_face: that I had just found the same thing.

In any case, I very much appreciate all the good help! I'll post how it all turns out later on. I still have to decide whether to change the subdomain name or not, or delete the one at Dreamhost.



It does not look like you hit the rate limit that requires waiting a week. That is when you create 5 certs with the same name(s). You only created 1 that I see.

Your rate limit was probably related to failed attempts. Those can be retried after an hour.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.


Thanks, @MikeMcQ. That's a relief on the rate limit.

Well, my conflicting-cert problem is over -- I canceled the cert at Dreamhost. And certbot is working again. But I still can't get my domain certified:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: discourse.bluebottlefly.com
Type: dns
Detail: no valid A records found for discourse.bluebottlefly.com; no valid AAAA records found for discourse.bluebottlefly.com

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

This is with an A-record added to the subdomain at Dreamhost, which is now officially "DNS-only" per them, and with a DNS entry also attempted in the root domain. No need to delete the subdomain that I can see now (as discussed with @_az above), because things on Dreamhost look the way the info pages referenced to above describe them. But still no A-record in sight for certbot.

Also, the Dreamhost "forward-this-domain" form still doesn't work and has never worked for me in any of these attempts. I'm not sure what one would have to do to get it to work, except maybe the answer is "get an ssh cert on the target." Am I running in circles again?

Am I supposed to add an A-record to the target site itself? (If so, I don't yet know how; it would presumably be in Oracle's cloud-management area.)



I see an A record for the apex domain but not for your discourse subdomain. You can see that using a tool like this (or many others).

I would avoid the "forward this domain" feature. I did not study this one but generally those are like URL redirects and often don't work right for Let's Encrypt or even for all cases of regular use.

In summary, I think your problem is still simply getting the DNS at Dreamhost right.


Wow, this post of yours led me to twig onto what was going wrong. I have my cert! Thanks to all; everyone posting here was really helpful!

It turns out I had the wrong syntax in the A-record I created on Dreamhost. I was misled by the "helpful" (not-so) prompt that I will replicate here:

I thought that shadow text was a suggestion for what an entry might look like! And that's what I wanted, so that's what I typed in.

But it turns out that's only an identifying marker reminding me what domain or subdomain DNS record I am editing!

Not seeing the entry in dig despite its having been in the DNS record overnight was the a-ha moment for me. "Criminy, the syntax is wrong!" I suddenly realized. All they want is discourse, nothing more.

That "hint" text sure looks purty, doesn't it? But it's misleading, or it was to me, anyway. Also, that is from the subdomain's DNS record, but @_az was of course right that I wanted it in the apex domain's DNS record instead.

I also added www.discourse in there now in case somebody types in the www.

This headache of mine is over. On to the next! Thanks very much, guys.

Side-question: can I direct a second subdomain there too? What will happen?
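The mistake described in this post (typing the full hostname into the record's name field, when the panel wanted only the label) is the classic relative-name pitfall from zone files. The following is an added example, not code from the thread, from Certbot or from Dreamhost: it models the RFC 1035 rule that a name without a trailing dot is relative to the zone origin, so "discourse.bluebottlefly.com" entered in the bluebottlefly.com zone becomes discourse.bluebottlefly.com.bluebottlefly.com, which is why neither dig nor the CA could find an A record at the intended name. Whether any particular control panel applies exactly this rule is an assumption; the zone entries and IP addresses below are constructed, and the function names are this example's own.

```python
"""Model of the zone-origin rule behind "no valid A records found".

Added example (not the thread's, Certbot's or Dreamhost's code). The
assumption modelled: a record name typed without a trailing dot is relative
to the zone origin, exactly as in an RFC 1035 zone file.
"""

ORIGIN = "bluebottlefly.com"


def qualify(name: str, origin: str = ORIGIN) -> str:
    """Return the fully-qualified owner name (no trailing dot) for a record
    entered as `name` in the zone `origin`.

    '@' or ''            -> the apex, i.e. origin itself
    'discourse'          -> discourse.<origin>            (what the panel wanted)
    'foo.<origin>.'      -> foo.<origin>                  (absolute, dot stripped)
    'foo.<origin>'       -> foo.<origin>.<origin>         (the pitfall)
    """
    name = name.strip()
    if name in ("", "@"):
        return origin.lower()
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def build_zone(entries, origin: str = ORIGIN) -> dict:
    """Turn (name, type, value) tuples as typed into a panel into a mapping
    of (fqdn, record_type) -> [values]."""
    zone: dict = {}
    for name, rtype, value in entries:
        key = (qualify(name, origin), rtype.upper())
        zone.setdefault(key, []).append(value)
    return zone


def has_address_record(zone: dict, hostname: str) -> bool:
    """What the CA needs before an http-01 challenge can even be attempted:
    at least one A or AAAA record at exactly `hostname`."""
    hostname = hostname.rstrip(".").lower()
    return any((hostname, t) in zone for t in ("A", "AAAA"))


def precheck(zone: dict, hostname: str) -> str:
    """Summarise the lookup in the wording Certbot printed in the thread."""
    hostname = hostname.rstrip(".").lower()
    if has_address_record(zone, hostname):
        return f"ok: address record present for {hostname}"
    return "; ".join(f"no valid {t} records found for {hostname}" for t in ("A", "AAAA"))


def find_misqualified(zone: dict, hostname: str, origin: str = ORIGIN) -> list:
    """Spot the tell-tale doubled-origin name a mis-typed entry produces,
    so the operator sees where the record actually landed."""
    hostname = hostname.rstrip(".").lower()
    doubled = f"{hostname}.{origin}".lower()
    return sorted({fqdn for (fqdn, _rtype) in zone if fqdn == doubled})


# Constructed sample data (TEST-NET addresses, not the real servers).
# First attempt: the full hostname typed into the name field.
TYPED_WRONG = [
    ("@", "A", "198.51.100.10"),
    ("discourse.bluebottlefly.com", "A", "203.0.113.5"),
]
# Corrected entries: just the label, plus the www variant mentioned in the thread.
TYPED_RIGHT = [
    ("@", "A", "198.51.100.10"),
    ("discourse", "A", "203.0.113.5"),
    ("www.discourse", "A", "203.0.113.5"),
]

if __name__ == "__main__":
    target = "discourse.bluebottlefly.com"
    for label, entries in (("wrong", TYPED_WRONG), ("right", TYPED_RIGHT)):
        zone = build_zone(entries)
        print(f"[{label}] {precheck(zone, target)}")
        stray = find_misqualified(zone, target)
        if stray:
            print(f"[{label}] record landed at: {', '.join(stray)}")
```

Running the block prints the Certbot-style "no valid A records found" line for the first zone together with the doubled name the entry actually created, and an "ok" line for the corrected zone. The same check is what a quick `dig +short A discourse.bluebottlefly.com` against public resolvers would have shown, as the earlier reply suggested: an empty answer for the intended name even though the panel displayed a record.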



Maybe just try it :slight_smile: (should be fine but ...)


Yes, that works too. Thanks again!

