The problem I'm having is the request to the HTTPS address. Yes, my site has had a certificate before, but on a different server instance (I'm in the process of spinning up a new server.) I have seen a similar topic here, but from all the checks I can do, I am able to access the site via HTTP just fine. If I use HTTPS in a browser to access my site, of course it fails -- there's no certificate yet. I'm not sure why certbot is trying to use https at this point, or how to force it to stop. Any guidance would be appreciated.
Thanks!
My domain is: iviking.org
I ran this command: sudo certbot --apache -v
It produced this output:
Requesting a certificate for iviking.org and 4 more domains
Performing the following challenges:
http-01 challenge for iviking.org
Waiting for verification...
Challenge failed for domain iviking.org
http-01 challenge for iviking.org
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: iviking.org
Type: connection
Detail: 155.138.244.90: Fetching https://www.iviking.org/.well-known/acme-challenge/RLuYYmo3vgslKaZqoTv9tobzTmHuUNaa6nRDcbKkXcM: Error getting validation data
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
My web server is (include version): Apache/2.4.61 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 24.04 LTS
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0
Certbot does no such thing. The validation attempt is done from the CA's validation server, acting as an HTTP client. It will start using HTTP on port 80, but apparently you already have an HTTP to HTTPS redirect present. Thus you'll see https:// in the error message from the validation server.
That said, currently Apache is serving a 500 internal server error HTTP status. Please fix your Apache so it serves either a proper HTTP website or an HTTP/HTTPS website. The CA validation server will accept self-signed or expired certificates just fine.
I'm unable to find any sort of redirect, and http://www.iviking.org/ works just fine for me. For that matter, https://letsdebug.net/www.iviking.org/2101734 shows no errors either. I'm only able to duplicate a 500 error if I manually enter HTTPS instead of HTTP in the URL. Are you seeing something different?
It is unusual to see HTTPS in the error when using the --apache plugin. It makes a temp change to your Apache config which should reply to the HTTP request without redirect. So, that indicates something unusual with your Apache config.
I get a 500 error with HTTP using a HEAD request but not for a GET. @Osiris could that have been what you saw?
I get an SSL error for HTTPS (not an HTTP error 500). Which is expected at this stage probably.
@yodarunamok Would you show output of this? We can start to look at why
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.iviking.org (/etc/apache2/sites-enabled/001-www-iviking.conf:1)
port 80 namevhost www.iviking.org (/etc/apache2/sites-enabled/001-www-iviking.conf:1)
alias www.iviking.org
alias iviking.org
port 80 namevhost fx.iviking.org (/etc/apache2/sites-enabled/002-fx-iviking.conf:1)
alias fx.iviking.org
port 80 namevhost presidentofthe.us (/etc/apache2/sites-enabled/003-prez-site.conf:1)
alias presidentofthe.us
alias www.presidentofthe.us
I'll dig into what might be happening on a HEAD request. Thanks!
Okay, the result on the HEAD request is a result of the specific PHP library (in development) that is being used on that site. I'll have to figure out the right way to handle that. Does certbot use one or more HEAD requests as part of the process? Thanks!
Could the CA validation server have a cached result from an old 301 redirect? As noted, this domain did have a certificate before, and I believe the tweak made to the Apache config files uses a 301. Thanks!
The problem is in your DNS. You have NameCheap using a URL Redirect feature. You should disable that and set your base domain name to the public IP like you did for the www subdomain.
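Added example, not part of any post in this thread: a Python sketch that walks the redirect chain for an HTTP-01 challenge URL one hop at a time, the way an HTTP client starting on port 80 would, so a redirect that originates outside Apache (such as a registrar's URL redirect) shows up by host and scheme. The function names, the 10-hop limit, the `example.org` placeholder domain and the sample responses are assumptions made for this example.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

def fetch_once(url, method="GET"):
    """Send one request without following redirects; return (status, Location)."""
    u = urlsplit(url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()  # thread: CA accepts self-signed/expired certs
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.netloc, timeout=10, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.netloc, timeout=10)
    try:
        conn.request(method, u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, method="GET", fetch=fetch_once, max_hops=10):
    """Follow the redirect chain hop by hop; return [(url, status), ...]."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url, method)
        hops.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return hops

def findings(hops):
    """Describe what in the chain would surface in a validation error."""
    first, notes = urlsplit(hops[0][0]), []
    for url, _ in hops[1:]:
        u = urlsplit(url)
        if u.scheme != first.scheme:
            notes.append(f"redirected to {u.scheme}: {url}")
        if u.hostname != first.hostname:
            notes.append(f"redirected to another host: {u.hostname}")
    if hops[-1][1] != 200:
        notes.append(f"final status {hops[-1][1]} at {hops[-1][0]}")
    return notes

# Constructed responses (placeholder domain): apex redirects to HTTPS www, which returns 500.
CHALLENGE = "/.well-known/acme-challenge/test"
SAMPLE = {"http://example.org" + CHALLENGE: (302, "https://www.example.org" + CHALLENGE),
          "https://www.example.org" + CHALLENGE: (500, None)}
sample_fetch = lambda url, method="GET": SAMPLE[url]
```

Against a live server, call `findings(trace("http://<domain>/.well-known/acme-challenge/test"))` for each name on the certificate; a made-up token on a healthy server should end in a 404 with no redirect notes. Passing `method="HEAD"` lets you compare the HEAD and GET behaviour discussed above.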