Certbot using https before certificate present

The problem I'm having is the request to the HTTPS address. Yes, my site has had a certificate before, but on a different server instance (I'm in the process of spinning up a new server.) I have seen a similar topic here, but from all the checks I can do, I am able to access the site via HTTP just fine. If I use HTTPS in a browser to access my site, of course it fails -- there's no certificate yet. I'm not sure why certbot is trying to use https at this point, or how to force it to stop. Any guidance would be appreciated.

Thanks!

My domain is: iviking.org

I ran this command: sudo certbot --apache -v

It produced this output:

Requesting a certificate for iviking.org and 4 more domains
Performing the following challenges:
http-01 challenge for iviking.org
Waiting for verification...
Challenge failed for domain iviking.org
http-01 challenge for iviking.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: iviking.org
  Type:   connection
  Detail: 155.138.244.90: Fetching https://www.iviking.org/.well-known/acme-challenge/RLuYYmo3vgslKaZqoTv9tobzTmHuUNaa6nRDcbKkXcM: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version): Apache/2.4.61 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

Certbot does no such thing. The validation attempt is done from the CA's validation server, acting as an HTTP client. It will start using HTTP on port 80, but apparently you already have an HTTP to HTTPS redirect present. Thus you'll see https:// in the error message from the validation server.

That said, currently Apache is serving a 500 internal server error HTTP status. Please fix your Apache so it serves either a proper HTTP website or an HTTP/HTTPS website. The CA validation server will accept self-signed or expired certificates just fine.


I'm unable to find any sort of redirect, and http://www.iviking.org/ works just fine for me. For that matter, https://letsdebug.net/www.iviking.org/2101734 shows no errors either. I'm only able to duplicate a 500 error if I manually enter HTTPS instead of HTTP in the URL. Are you seeing something different?

It is unusual to see HTTPS in the error when using the --apache plugin. It makes a temp change to your Apache config which should reply to the HTTP request without redirect. So, that indicates something unusual with your Apache config.

I get a 500 error with HTTP using a HEAD request but not for a GET. @Osiris could that have been what you saw?

I get an SSL error for HTTPS (not an HTTP error 500), which is expected at this stage, probably.

@yodarunamok Would you show the output of this? Then we can start to look at why.

sudo apache2ctl -t -D DUMP_VHOSTS

Probably, I usually use the -I option (capital i) to use HEAD indeed.


Here's the requested output:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.iviking.org (/etc/apache2/sites-enabled/001-www-iviking.conf:1)
         port 80 namevhost www.iviking.org (/etc/apache2/sites-enabled/001-www-iviking.conf:1)
                 alias www.iviking.org
                 alias iviking.org
         port 80 namevhost fx.iviking.org (/etc/apache2/sites-enabled/002-fx-iviking.conf:1)
                 alias fx.iviking.org
         port 80 namevhost presidentofthe.us (/etc/apache2/sites-enabled/003-prez-site.conf:1)
                 alias presidentofthe.us
                 alias www.presidentofthe.us

I'll dig into what might be happening on a HEAD request. Thanks!


Okay, the result on the HEAD request is a result of the specific PHP library (in development) that is being used on that site. I'll have to figure out the right way to handle that. Does certbot use one or more HEAD requests as part of the process? Thanks!

No. And as mentioned before: Certbot does not perform the validation.


Could the CA validation server have a cached result from an old 301 redirect? As noted, this domain did have a certificate before, and I believe the tweak made to the Apache config files uses a 301. Thanks!


No, it does not cache prior redirects.

The problem is in your DNS. You have NameCheap using a URL Redirect feature. You should disable that and set your base domain name to the public IP like you did for the www subdomain.

nslookup iviking.org
Address: 192.64.119.167

nslookup www.iviking.org
Address: 155.138.244.90

The NameCheap service sends the challenge to HTTPS, which doesn't reply correctly:

curl -i http://iviking.org/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Location: https://www.iviking.org/.well-known/acme-challenge/Test404
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
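The two points made in this thread (the CA's validator, not certbot, fetches the challenge URL over plain HTTP and follows whatever redirect it is given; and here the apex name resolved to a registrar URL-forward service that 302'd to HTTPS on the new server, which had no certificate yet) as a small pre-flight check you can run before asking for a certificate. This is an added example written for this page, not code from certbot or Let's Encrypt. The DNS answers and the 302 response are copied from the nslookup and curl output posted above; the "no TLS listener" failure on HTTPS and the 200 from the www host are constructed, as is the `constructed_fetch` stand-in for the network. The "third-party forwarder" heuristic (a Server header that is not Apache, or any X-Served-By header) is an assumption of this example, not a rule the CA applies.

```python
"""Pre-flight check for an ACME http-01 challenge, modelled on what the CA's
validation server does: fetch the challenge URL over plain HTTP, follow
redirects, and report where the chain ends up and who answered.

Added example for this thread; not part of certbot or Let's Encrypt.
DNS answers and the 302 below are from the thread; the rest is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # validators follow a bounded number of redirects

# Constructed from the thread's nslookup output: apex points at the
# registrar's forwarder, www points at the server certbot is configuring.
SERVER_IP = "155.138.244.90"
DNS = {"iviking.org": "192.64.119.167", "www.iviking.org": "155.138.244.90"}
TOKEN = "Test404"  # the thread's dummy token

# Copied from the curl -i output in the thread (body intentionally empty).
RAW_302 = """HTTP/1.1 302 Found
Location: https://www.iviking.org/.well-known/acme-challenge/Test404
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx
"""


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_raw_response(raw: str) -> Response:
    """Parse a 'curl -i' style dump: status line, header lines, blank line, body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body.strip())


def forwarded_by_third_party(resp: Response) -> bool:
    """Heuristic (assumption of this example): a reply your own Apache would
    not produce, i.e. a non-Apache Server header or an X-Served-By header."""
    server = resp.headers.get("server", "").lower()
    return "x-served-by" in resp.headers or not server.startswith("apache")


def check_http01(challenge_url: str, token: str,
                 fetch: Callable[[str], Response]) -> dict:
    """Walk the redirect chain like a validator. `fetch` does ONE request
    without following redirects and raises ConnectionError if unreachable."""
    result: dict = {"hops": [], "third_party_redirect": False, "verdict": ""}
    url = challenge_url
    for _ in range(MAX_REDIRECTS + 1):
        try:
            resp = fetch(url)
        except ConnectionError as exc:
            result["verdict"] = f"connection error fetching {url}: {exc}"
            return result
        result["hops"].append((url, resp.status))
        if 300 <= resp.status < 400 and "location" in resp.headers:
            if forwarded_by_third_party(resp):
                result["third_party_redirect"] = True
            url = urljoin(url, resp.headers["location"])  # handles relative Location
            continue
        if resp.status == 200 and resp.body == token:
            result["verdict"] = "ok"
        else:
            result["verdict"] = f"final status {resp.status} without token"
        return result
    result["verdict"] = "too many redirects"
    return result


def names_not_pointing_at(records: dict[str, str], server_ip: str) -> list[str]:
    """Names whose A record does not reach the Apache certbot is configuring."""
    return [name for name, ip in records.items() if ip != server_ip]


def constructed_fetch(url: str) -> Response:
    """Stand-in for the network (constructed): HTTP to the apex gets the
    forwarder's 302; HTTPS to the new server, which has no certificate yet,
    cannot be reached; HTTP to www serves the token from Apache."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        raise ConnectionError(f"no TLS listener / no certificate on {parts.hostname}")
    if parts.hostname == "iviking.org":
        return parse_raw_response(RAW_302)
    if parts.hostname == "www.iviking.org":
        return Response(200, {"server": "Apache/2.4.61 (Ubuntu)"}, TOKEN)
    raise ConnectionError(f"unknown host {parts.hostname}")


if __name__ == "__main__":
    for name in DNS:
        url = f"http://{name}/.well-known/acme-challenge/{TOKEN}"
        print(name, check_http01(url, TOKEN, constructed_fetch))
    print("not pointing at the server:", names_not_pointing_at(DNS, SERVER_IP))
```

Run as-is, the apex name ends in a connection error on the https://www URL with `third_party_redirect` set, which is exactly the shape of the CA's "Fetching https://www.iviking.org/...: Error getting validation data" message above, while the www name validates cleanly; the DNS check names the apex as the record that never reaches the server. To use it against a live host, replace `constructed_fetch` with a function that issues a single request without following redirects and returns status, headers and body.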

That got it. Thank you!
