Certificate creation works OK with the domain name but gives a handshake failure when "www" is added to it

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: taskcontrol.net

I ran this command: sudo certbot --apache -d www.abc1-company.taskcontrol.net

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin selected: Authenticator Apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.abc1-company.taskcontrol.net
waiting for verification
cleaning up challenges
failed authorization procedure. www.abc1-company.taskcontrol.net (http-01): urn:ietf:params:acme:error:tls:: The server experienced a TLS error during domain verification :: Fetching https://www.abc1-company.taskcontrol.net/.well-known/acme-challenge/030fts93....: remote error: tls: handshake failure
Important Notes:
The following errors were reported by the server:
Domain: www.abc1-company.taskcontrol.net
Type: tls
Detail: Fetching
https://www.abc1-company.taskcontrol.net/.well-know/acme-challenge/03......
remote error: tls: handshake failure

Domain: www.abc1-company.taskcontrol.net

My web server is (include version): Apache/2.4.29 (Ubuntu)
Server built: 2021-06-18T11:06:22

The operating system my web server runs on is (include version): ubuntu 18.04 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Important Note: Certificate creation works perfectly WITHOUT the "www". I'm using Cloudflare; the A records for both of them (with and without www) point to the right address in DO, and I have no clue why it is not being created with the "www". It was working perfectly with and without "www" in the previous months.

What more can I send so you can assist me with this issue?
Thanks in advance!
TaskControl

Hi @taskcontrol, and welcome to the LE community forum :slight_smile:

Did you change the name to protect the innocent?
www.abc1-mycompany.taskcontrol.net doesn't resolve to an IP.
[we can't work at our best without the actual FQDN]

I see the failed challenge request is via HTTPS; So I must assume that HTTP access was available and redirection is working.

I also see (my favorite problem child) --apache in use.
Please show the output of:

apachectl -S
[use sudo if needed]

We'll see once we have the real FQDN(s) [and their IP address(es)]

Hi rg305! and thanks for your fast reply.

Q: Did you change the name to protect the innocent ?
A: No. I was just following your instructions. Clear data.

The FQDN is abc1-mycompany.taskcontrol.net (the certificate was generated with that FQDN), but when I try with www.abc1-mycompany.taskcontrol.net it gives the error mentioned before.

Q:Please show the output of:
sudo apachectl -S
AH00558 apache2: Could not reliably determine the server's fully qualified domain name, using 45.55.33.224. Set the 'ServerName' directive globally to suppress this message.
VirtualHost configuration:
*443 abc1-mycompany.taskcontrol.net (/etc/apach2/sites-enabled/taskcontrol-le-ssl.conf:2)
*80 abc1-mycompany.taskcontrol.net (/etc/apach2/sites-enabled/taskcontrol.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir = "/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh:using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile:"/var/run/apache2/apache2.pid"
Define: DUMP_VHOST
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
-----------------------------------------------------///-----------------------------------------
I have also tried to generate the certificate with the Cloudflare SSL setting in "Flexible" mode (the default is always "Full" for me), but it didn't work either...

Cloudflare dashboard:
A abc1-company 45.55.33.224 auto proxied
A www.abc1-company 45.55.33.224 auto proxied
Both of them are under the main domain (i.e. every company droplet name is a subdomain of taskcontrol.net).

Also in DO both records are pointing to the correct IPs... it is quite weird for me, because I was generating certificates from LE for sites with "www" for several months without any issue at all... maybe something changed in the meantime... but I can't find it...
Awaiting your reply,
Thanks in advance!
TaskControl

Are you really sure about the my?

FreeNique...sorry, s/my//g
the real FQDN is: www.abc1-company.taskcontrol.net.
Sorry again,
Too many things in one head...
Thanks for pointing out!

But the sudo apachectl -S v-host says abc1-mycompany as well. Is it a typo in this thread or in the Apache configuration?
*443 abc1-mycompany.taskcontrol.net (/etc/apach2/sites-enabled/taskcontrol-le-ssl.conf:2)
*80 abc1-mycompany.taskcontrol.net (/etc/apach2/sites-enabled/taskcontrol.conf:2)

My error, sorry, I had to type it manually because it didn't let me copy and paste it...
Fixed!
Thanks

Global DNS can't resolve the "my" names.

Good catch @FreeNique

@rg305, there is no "my" at all, it was a typo of mine ...

Please show these two files:

sure, here they are:

taskcontrol.conf:

<VirtualHost *:80>
    ServerName abc1-company.taskcontrol.net
    ServerAlias www.abc1-company.taskcontrol.net 
    Redirect permanent / https://abc1-company.taskcontrol.net/ 
    ServerAdmin root@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    ##LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>

 RewriteEngine on
 RewriteCond %{SERVER_NAME} =abc1-company.taskcontrol.net [OR]
 RewriteCond %{SERVER_NAME} =www.abc1-company.taskcontrol.net
 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

taskcontrol-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName abc1-company.taskcontrol.net
    ServerAlias www.abc1-company.taskcontrol.net 
    Redirect permanent / https://abc1-company.taskcontrol.net/ 
    ServerAdmin root@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    ##LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/abc1-company.taskcontrol.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc1-company.taskcontrol.net/privkey.pem
</VirtualHost>
</IfModule>

That seems to be misconfigured.
Within the HTTPS vhost config ONLY the "www" requests should be redirected (not all requests).

Hmm, I see... nevertheless it was working OK a few days ago... so how should I set it, and where? Just in taskcontrol.conf, or in both of them (taskcontrol.conf and taskcontrol-le-ssl.conf)?
Thanks in advance!

Generally speaking:
In taskcontrol.conf - YES; that will send all HTTP to HTTPS
In taskcontrol-le-ssl.conf - YES*; within some sort of IF/THEN type block.
[where it only redirects when NOT the name being redirected to is heard]

BUT...
Since you are using Cloudflare, all bets are off.
[this changes everything]
You need to configure things within Cloudflare, and redirections would not be required on your server, as no one should be hitting your server directly.

Thank you rg305, I understand your point...
Still, the issue that worries me is the creation process for the "www" certificate, which was working OK weeks ago...
Is it related to what you explained above, or is there something else I need to do to be able to generate the certificates for "www" with certbot too (as I used to do), and so enable the user to hit the subdomain with and without the "www"...?
(i.e. www.mycompany1.taskcontrol.net and mycompany1.taskcontrol.net)... because that was the original idea that led me to create the "www" certificate too... but something happened and now the "www" certificate can't be created...
Why? IMHO it is just another name for another certificate to be issued... in fact it was working fine... I'm pulling my hair out...

Start by removing:

[then restart web server and retry obtaining a cert (with both names on it)]

Done.
Still the same error when I try to create the LE certificate for the "www" name...
Is there an option in certbot, or somewhere else, that enables debugging the certificate creation process in more detail?

Yes, add -v or -vv or -vvv to the certbot command line.
[the more Vs added, the more detail it provides]

There is a problem with the "www" at Cloudflare.
See differences between these two:
SSL Server Test: abc1-company.taskcontrol.net (Powered by Qualys SSL Labs)

SSL Server Test: www.abc1-company.taskcontrol.net (Powered by Qualys SSL Labs)

OK, now I have deleted the droplet and started from scratch with another one: jkl7-company.taskcontrol.net.
I issued the command manually: certbot --apache -d jkl7-company.taskcontrol.net
/var/log/letsencrypt/letsencrypt.log follows:

2021-07-08 08:29:38,189:DEBUG:acme.client:Storing nonce: 0101tLASJOb6qD7oV6uWzZA40ZVI4oJI_QL9VI67rwu49ns
2021-07-08 08:29:38,190:INFO:certbot.auth_handler:Performing the following challenges:
2021-07-08 08:29:38,190:INFO:certbot.auth_handler:http-01 challenge for jkl7-company.taskcontrol.net
2021-07-08 08:29:38,235:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: jkl7-company.taskcontrol.net in: /etc/apache2/sites-enabled/taskcontrol.conf
2021-07-08 08:29:38,235:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2021-07-08 08:29:38,236:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2021-07-08 08:29:38,251:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/taskcontrol.conf
2021-07-08 08:29:41,441:INFO:certbot.auth_handler:Waiting for verification...
2021-07-08 08:29:41,442:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2021-07-08 08:29:41,445:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/14638300853/vVop5A:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI5NzQ4NDExIiwgIm5vbmNlIjogIjAxMDF0TEFTSk9iNnFEN29WNnVXelpBNDBaVkk0b0pJX1FMOVZJNjdyd3U0OW5zIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xNDYzODMwMDg1My92Vm9wNUEifQ",
  "signature": "iF2cVJZLH8YnAWznhwWNFWHBJ5QVuROM6b16IzpCRK6MxXLr6zFB1W5EptlIhdXPvOmpDB66QJLUZiQdZlAn-F_sv5h9Ii72XXKyxBWCZCXElSqCchm7YqBsiJ32XttKnK1mB0A9bXXEGUrVPdQJwb5hDH4bz3dYf9ZgGOHIS1B8yA9TMhdiXmi-kNTLQQ16y66Jh8ojjkZ0cIRvZ7zZC5T1J_g2VXF4gDYdql6W4X3RWT6ZuVHf9vzp1lldsqLke7Ehq6mf6ImsyocWdT6ZDBPxQGzsGf2HWt-dDvXqWCmxDNHsAERuB7IeI83x8hyuURDe4Usd0Bjn3sYCkwOM4Q",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-07-08 08:29:41,515:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/14638300853/vVop5A HTTP/1.1" 200 186
2021-07-08 08:29:41,516:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Jul 2021 11:29:41 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 129748411
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/14638300853>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/14638300853/vVop5A
Replay-Nonce: 0102X_fQOfPOWDsX_dnvK9OP_Y5XKpc6yqJRpNNryV592BY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14638300853/vVop5A",
  "token": "OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk"
}
2021-07-08 08:29:41,516:DEBUG:acme.client:Storing nonce: 0102X_fQOfPOWDsX_dnvK9OP_Y5XKpc6yqJRpNNryV592BY
2021-07-08 08:29:44,520:DEBUG:acme.client:JWS payload:
b''
2021-07-08 08:29:44,522:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14638300853:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTI5NzQ4NDExIiwgIm5vbmNlIjogIjAxMDJYX2ZRT2ZQT1dEc1hfZG52SzlPUF9ZNVhLcGM2eXFKUnBOTnJ5VjU5MkJZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNDYzODMwMDg1MyJ9",
  "signature": "Ew5me9C0m7KZzmj-PiolUgNeazbMQ1GBjbeQlVYOXNaoD8lgf1HLHZQDyXw1pVQbOWCuwJzRC3808jNQm9AOalmo8mCAPWJDT-EHgXaK9IulTzuROCfrkP6WxVrOSFy5I1vXWf12c4AEdHhUrJ3OSpiCoWD3whlzj02UgceAHj0eTQDwP6jsl_xh6zjb9VV6M48Nne8Jym7HgRYa1-vTLXJH2urbt9ccA0y_IlaXmDcZA4Nu4cmkRi7uGtrBXcey8PBD8J4yWaX_i0P1OeGsTnBLdIvwwFWPCNHhQHDParYXLwL0UPRUvEK5UsrDLr6sXorGKzni8_PyZ8XDz2NmYw",
  "payload": ""
}
2021-07-08 08:29:44,590:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/14638300853 HTTP/1.1" 200 1883
2021-07-08 08:29:44,590:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Jul 2021 11:29:44 GMT
Content-Type: application/json
Content-Length: 1883
Connection: keep-alive
Boulder-Requester: 129748411
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102hDsWT5kGYqdT8rBtK-By0ViFVDJjBrkHZvwSE1cYoKc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "jkl7-company.taskcontrol.net"
  },
  "status": "invalid",
  "expires": "2021-07-15T11:29:38Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk [2606:4700:3036::6815:5e0e]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14638300853/vVop5A",
      "token": "OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk",
      "validationRecord": [
        {
          "url": "http://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk",
          "hostname": "jkl7-company.taskcontrol.net",
          "port": "80",
          "addressesResolved": [
            "104.21.94.14",
            "172.67.218.55",
            "2606:4700:3036::ac43:da37",
            "2606:4700:3036::6815:5e0e"
          ],
          "addressUsed": "2606:4700:3036::ac43:da37"
        },
        {
          "url": "https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk",
          "hostname": "jkl7-company.taskcontrol.net",
          "port": "443",
          "addressesResolved": [
            "172.67.218.55",
            "104.21.94.14",
            "2606:4700:3036::6815:5e0e",
            "2606:4700:3036::ac43:da37"
          ],
          "addressUsed": "2606:4700:3036::6815:5e0e"
        }
      ],
      "validated": "2021-07-08T11:29:41Z"
    }
  ]
}
2021-07-08 08:29:44,591:DEBUG:acme.client:Storing nonce: 0102hDsWT5kGYqdT8rBtK-By0ViFVDJjBrkHZvwSE1cYoKc
2021-07-08 08:29:44,592:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: jkl7-company.taskcontrol.net
Type:   unauthorized
Detail: Invalid response from https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk [2606:4700:3036::6815:5e0e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-07-08 08:29:44,593:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. jkl7-company.taskcontrol.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk [2606:4700:3036::6815:5e0e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

2021-07-08 08:29:44,593:DEBUG:certbot.error_handler:Calling registered functions
2021-07-08 08:29:44,593:INFO:certbot.auth_handler:Cleaning up challenges
2021-07-08 08:29:44,855:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. jkl7-company.taskcontrol.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk [2606:4700:3036::6815:5e0e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

This leaves me with no clues at all...
It's confusing for me... I can even read "nginx"... I don't use nginx...
Authorization failed... why? ... etc. I didn't change anything, I just created another droplet and requested a new certificate...
Again, the A RECORD IP ADDRESS is correct in both Cloudflare and DO...

taskcontrol.conf follows:

<VirtualHost *:80>
    ServerName jkl7-company.taskcontrol.net
    ## ServerName localhost
    ServerAlias www.jkl7-company.taskcontrol.net 
    ## Redirect permanent / https://jkl7-company.taskcontrol.net/ 
    ServerAdmin root@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    ##LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>

</VirtualHost>

driving me foolish boys...
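Reading the authorization object from the log above, as an added example that is not part of this thread: it reports whether the ACME validation ever reached the droplet's IP (45.55.33.224, as posted), whether the port-80 request was redirected to HTTPS, and whether the final answer was an HTML page rather than the challenge token. Field names follow the authz object as printed in the log; the function and variable names are my own.

```python
import json

# Origin address quoted by the poster (the DigitalOcean droplet behind the name).
ORIGIN_IP = "45.55.33.224"

# Authorization object from the certbot log above, trimmed to the fields used here
# (constructed from the page's own values; the HTML body in "detail" is shortened).
AUTHZ_JSON = r'''{
  "identifier": {"type": "dns", "value": "jkl7-company.taskcontrol.net"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:unauthorized",
      "detail": "Invalid response from https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk [2606:4700:3036::6815:5e0e]: \"<!DOCTYPE html>",
      "status": 403
    },
    "validationRecord": [
      {"url": "http://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk",
       "hostname": "jkl7-company.taskcontrol.net", "port": "80",
       "addressesResolved": ["104.21.94.14", "172.67.218.55", "2606:4700:3036::ac43:da37", "2606:4700:3036::6815:5e0e"],
       "addressUsed": "2606:4700:3036::ac43:da37"},
      {"url": "https://jkl7-company.taskcontrol.net/.well-known/acme-challenge/OPKSafTy7u_0QAiG7mztdiHAyrCRfvqwLWKRyf-tfkk",
       "hostname": "jkl7-company.taskcontrol.net", "port": "443",
       "addressesResolved": ["172.67.218.55", "104.21.94.14", "2606:4700:3036::6815:5e0e", "2606:4700:3036::ac43:da37"],
       "addressUsed": "2606:4700:3036::6815:5e0e"}
    ]
  }]
}'''

def diagnose_http01(authz: dict, origin_ip: str) -> dict:
    """Summarise an http-01 authorization failure from the ACME authz object."""
    chall = next(c for c in authz["challenges"] if c["type"] == "http-01")
    records = chall.get("validationRecord", [])
    resolved = {a for r in records for a in r["addressesResolved"]}
    err = chall.get("error", {})
    detail = err.get("detail", "").lower()
    return {
        "identifier": authz["identifier"]["value"],
        "status": chall["status"],
        "error_type": err.get("type"),
        "http_status": err.get("status"),
        # http-01 starts on port 80; a later record on 443 means the request was redirected to HTTPS.
        "redirected_to_https": any(r["port"] == "443" for r in records[1:]),
        "final_address": records[-1]["addressUsed"] if records else None,
        # Origin absent from the resolved set: the ACME server only ever talked to a proxy.
        "origin_reached": origin_ip in resolved,
        "resolved_addresses": sorted(resolved),
        # The quoted body is an HTML document rather than the expected key authorization.
        "html_body_returned": "<!doctype html" in detail or "<html" in detail,
    }

def findings(report: dict) -> list:
    """Turn the report into the observations a human would check next."""
    out = []
    if not report["origin_reached"]:
        out.append("validation never reached the origin; a proxy answers for " + report["identifier"])
    if report["redirected_to_https"]:
        out.append("the port-80 request was redirected to HTTPS, so the TLS endpoint must serve the token too")
    if report["html_body_returned"]:
        out.append("final answer was HTTP %s with an HTML page instead of the token" % report["http_status"])
    return out

def diagnose_sample() -> dict:
    """Run the diagnosis over the embedded authz object."""
    return diagnose_http01(json.loads(AUTHZ_JSON), ORIGIN_IP)

if __name__ == "__main__":
    print("\n".join(findings(diagnose_sample())))
```

The same function can be pointed at any authz object copied out of /var/log/letsencrypt/letsencrypt.log, with the origin IP swapped for the server actually meant to answer the challenge.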