Certificate Authority failed to verify the temporary Apache configuration

Hello,
I have exactly the same kind of problem, on a server that hosts several sites with Apache and one virtualhost per site.
I have already read about the IPv6 issue... but in my case, when I run certbot renew --dry-run, all my certificates are OK but one.
My virtualhosts have the same architecture, so I don't understand why one of them refuses to renew.
I have checked that I can access the root directory via http, and I have modified my virtualhost in every imaginable way, without success.
I have searched the internet using different parts of the error message, without finding anything useful.
The server is running Ubuntu 18.04 with Apache 2.4. The site which has a problem is a site installed with docker (but other sites with docker on the same server do not have the problem).
I spent hours trying to solve the problem without success. Any idea?
Thanks


Welcome to the Let's Encrypt Community :slightly_smiling_face:

Sorry you're having such trouble.

Please post the complete output of:

sudo certbot renew --dry-run

...and since you mention Apache, for good measure, please add the output of:
apachectl -S


Thank you.
Here is the output of the renew command

#certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chat.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for chat.ixeo-conseil.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: chat.ixeo-conseil.com
Type: unauthorized
Detail: Invalid response from Mattermost [2001:4b98:dc0:41:216:3eff:fefb:5963]: "\n\n404 Not Found\n\n<h1>Not Found\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate chat.ixeo-conseil.com with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/dodo.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for dodo.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/editor.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for editor.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/icecream.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for icecream.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/projet.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for projet.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/visio.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for visio.ixeo-conseil.com


The following simulated renewals succeeded:
/etc/letsencrypt/live/dodo.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/editor.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/icecream.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/projet.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/visio.ixeo-conseil.com/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/chat.ixeo-conseil.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

And my Apache config

# apachectl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:2)
port 80 namevhost chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:2)
alias chat.ixeo-conseil.com
port 80 namevhost dodo.ixeo-conseil.com (/etc/apache2/sites-enabled/dodo.ixeo-conseil.com.conf:1)
alias dodo.ixeo-conseil.com
port 80 namevhost editor.ixeo-conseil.com (/etc/apache2/sites-enabled/editor.ixeo-conseil.com.conf:1)
port 80 namevhost icecream.ixeo-conseil.com (/etc/apache2/sites-enabled/icecream.ixeo-conseil.com.conf:1)
alias icecream.ixeo-conseil.com
port 80 namevhost projet.ixeo-conseil.com (/etc/apache2/sites-enabled/projet.ixeo-conseil.com.conf:1)
alias projet.ixeo-conseil.com
port 80 namevhost visio.ixeo-conseil.com (/etc/apache2/sites-enabled/visio.ixeo-conseil.com.conf:1)
alias visio.ixeo-conseil.com
*:443 is a NameVirtualHost
default server chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:29)
port 443 namevhost chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:29)
port 443 namevhost dodo.ixeo-conseil.com (/etc/apache2/sites-enabled/dodo.ixeo-conseil.com.conf:14)
alias dodo.ixeo-conseil.com
port 443 namevhost editor.ixeo-conseil.com (/etc/apache2/sites-enabled/editor.ixeo-conseil.com.conf:15)
port 443 namevhost icecream.ixeo-conseil.com (/etc/apache2/sites-enabled/icecream.ixeo-conseil.com.conf:16)
alias icecream.ixeo-conseil.com
port 443 namevhost projet.ixeo-conseil.com (/etc/apache2/sites-enabled/projet.ixeo-conseil.com.conf:22)
alias projet.ixeo-conseil.com
port 443 namevhost visio.ixeo-conseil.com (/etc/apache2/sites-enabled/visio.ixeo-conseil.com.conf:13)
alias visio.ixeo-conseil.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

I don't know if it could be useful, but I also give my virtualhost for the subdomain chat

<VirtualHost *:80>
ServerName chat.ixeo-conseil.com
ServerAlias chat.ixeo-conseil.com

ServerAdmin r****@***

DocumentRoot /var/www/empty

RewriteEngine on
# RewriteCond %{SERVER_NAME} =chat.ixeo-conseil.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R]

    CustomLog ${APACHE_LOG_DIR}/chat.access.log combined
    ErrorLog ${APACHE_LOG_DIR}/chat.error.log

</VirtualHost>

<VirtualHost *:443>
ServerName chat.ixeo-conseil.com
ServerAdmin rene.laversanne@ixeo-conseil.com

DocumentRoot /var/www/empty

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/chat.ixeo-conseil.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chat.ixeo-conseil.com/privkey.pem

ProxyPreserveHost On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off

RewriteEngine On
RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* wss://127.0.0.1:8443%{REQUEST_URI} [P,QSA,L]

<Location />
Require all granted
ProxyPass https://127.0.0.1:8443/
ProxyPassReverse https://127.0.0.1:8443/
ProxyPassReverseCookieDomain 127.0.0.1 chat.ixeo-conseil.com
</Location>

   CustomLog ${APACHE_LOG_DIR}/chat.access.log combined
   ErrorLog ${APACHE_LOG_DIR}/chat.error.log

</VirtualHost>

The two lines with # are trials I have done with another syntax for redirection...
I have tried suppressing the redirection and even suppressing all the lines of the ssl virtualhost, without any success...
The /var/www/empty directory is owned by www-data. And it is the same as the one given for virtualhost editor.ixeo-conseil.com, which has no problem as shown in the output.
It is reachable with Mattermost (there is an html file inside with a line of text "no site here").
My DNS zones seem to be OK, as the lines for chat and for editor look the same:

chat 1800 IN A 92.243.9.115
chat 1800 IN AAAA 2001:4b98:dc0:41:216:3eff:fefb:5963
editor 1800 IN A 92.243.9.115
editor 1800 IN AAAA 2001:4b98:dc0:41:216:3eff:fefb:5963

This looks (for me) rather weird... Any help would be welcomed.
René


Hello!

Could you please post the full contents of this file?

It does not seem to line up exactly with the output of apachectl -S.

Something else that might help would be to pause the Certbot request:

certbot certonly -d chat.ixeo-conseil.com --apache --debug-challenges --dry-run

and while it is paused, to get the contents of /etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf and post it here.


Hello,
Thank you for answering my post. I am not sure I have perfectly understood what I had to do, but I tried. What I am not sure about is when to pause the certbot process...
Anyway, I did it during the rather long (a few seconds) time without output:

certbot certonly -d chat.ixeo-conseil.com --apache --debug-challenges --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for chat.ixeo-conseil.com
^Z
[2]+ Stopped certbot certonly -d chat.ixeo-conseil.com --apache --debug-challenges --dry-run

So here is the content of the chat.ixeo-conseil.com.conf file

<VirtualHost *:80>
Include /etc/apache2/le_http_01_challenge_pre.conf
ServerName chat.ixeo-conseil.com
ServerAlias chat.ixeo-conseil.com

ServerAdmin @i**.com

DocumentRoot /var/www/empty

    <Directory /var/www/empty/>
  AllowOverride All
            Require all granted
    </Directory>

      RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R]

    CustomLog ${APACHE_LOG_DIR}/chat.access.log combined

ErrorLog ${APACHE_LOG_DIR}/chat.error.log
Include /etc/apache2/le_http_01_challenge_post.conf
</VirtualHost>

<VirtualHost *:443>
Include /etc/apache2/le_http_01_challenge_pre.conf
ServerName chat.ixeo-conseil.com
ServerAdmin rene.laversanne@ixeo-conseil.com

DocumentRoot /var/www/empty

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/chat.ixeo-conseil.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chat.ixeo-conseil.com/privkey.pem

ProxyPreserveHost On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off

RewriteEngine On
RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* wss://127.0.0.1:8443%{REQUEST_URI} [P,QSA,L]

<Location />
Require all granted
ProxyPass https://127.0.0.1:8443/
ProxyPassReverse https://127.0.0.1:8443/
ProxyPassReverseCookieDomain 127.0.0.1 chat.ixeo-conseil.com
</Location>

          CustomLog ${APACHE_LOG_DIR}/chat.access.log combined

ErrorLog ${APACHE_LOG_DIR}/chat.error.log
Include /etc/apache2/le_http_01_challenge_post.conf
</VirtualHost>

Hoping it could help.


I don't know whether it might help, but I copy the content of the letsencrypt log after running the command with the debug flag:

2021-06-17 09:28:33,760:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-06-17 09:28:34,173:DEBUG:certbot._internal.main:certbot version: 1.16.0
2021-06-17 09:28:34,174:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1201/bin/certbot
2021-06-17 09:28:34,174:DEBUG:certbot._internal.main:Arguments: ['-d', 'chat.ixeo-conseil.com', '--apache', '--debug-challenge', '-v', '--preconfigured-renewal']
2021-06-17 09:28:34,174:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-17 09:28:34,191:DEBUG:certbot._internal.log:Root logging level set at 20
2021-06-17 09:28:34,193:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2021-06-17 09:28:34,409:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.29
2021-06-17 09:28:34,895:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f5fd06da0a0>
Prep: True
2021-06-17 09:28:34,897:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f5fd06da0a0>
Prep: True
2021-06-17 09:28:34,897:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f5fd06da0a0> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f5fd06da0a0>
2021-06-17 09:28:34,897:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-06-17 09:28:34,905:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/64864045', new_authzr_uri=None, terms_of_service=None), 56d86e3729642acc606892b4575c7978, Meta(creation_dt=datetime.datetime(2019, 9, 2, 13, 46, 31, tzinfo=), creation_host='servessai', register_to_eff=None))>
2021-06-17 09:28:34,906:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-06-17 09:28:34,908:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-06-17 09:28:35,394:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-06-17 09:28:35,395:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 07:28:35 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
"xhVk6IAsFxM": "Adding random entries to the directory"
}
2021-06-17 09:28:35,431:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2021-06-17 09:28:35,440:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2021-06-17 09:28:35,471:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2021-06-17 09:28:35,473:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/chat.ixeo-conseil.com/cert3.pem is signed by the certificate's issuer.
2021-06-17 09:28:35,481:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/chat.ixeo-conseil.com/cert3.pem is: OCSPCertStatus.GOOD
2021-06-17 09:28:35,484:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-07-12 20:06:58 UTC.
2021-06-17 09:28:35,484:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2021-06-17 09:28:35,484:DEBUG:certbot.display.util:Notifying user: Renewing an existing certificate for chat.ixeo-conseil.com
2021-06-17 09:28:35,647:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0194_key-certbot.pem
2021-06-17 09:28:35,651:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0194_csr-certbot.pem
2021-06-17 09:28:35,651:DEBUG:acme.client:Requesting fresh nonce
2021-06-17 09:28:35,651:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-06-17 09:28:35,774:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-06-17 09:28:35,775:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 07:28:35 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 01039BuFG2X6UruPMG1TN_FHzuqdpl6XWihUPGHO1BfYJNw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2021-06-17 09:28:35,775:DEBUG:acme.client:Storing nonce: 01039BuFG2X6UruPMG1TN_FHzuqdpl6XWihUPGHO1BfYJNw
2021-06-17 09:28:35,776:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "chat.ixeo-conseil.com"\n }\n ]\n}'
2021-06-17 09:28:35,778:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2021-06-17 09:28:35,932:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 343
2021-06-17 09:28:35,933:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 17 Jun 2021 07:28:35 GMT
Content-Type: application/json
Content-Length: 343
Connection: keep-alive
Boulder-Requester: 64864045
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/64864045/10451538920
Replay-Nonce: 0104B-Bp6X98GX2AgXNdK0IZxv_5X-794LoFpsWNxhxlYns
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2021-06-24T07:28:35Z",
"identifiers": [
{
"type": "dns",
"value": "chat.ixeo-conseil.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/14048939153"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/64864045/10451538920"
}
2021-06-17 09:28:35,933:DEBUG:acme.client:Storing nonce: 0104B-Bp6X98GX2AgXNdK0IZxv_5X-794LoFpsWNxhxlYns
2021-06-17 09:28:35,933:DEBUG:acme.client:JWS payload:
b''
2021-06-17 09:28:35,935:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14048939153:
2021-06-17 09:28:36,067:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/14048939153 HTTP/1.1" 200 802
2021-06-17 09:28:36,068:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 07:28:36 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 64864045
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0103jPmYfx3rDJ-nsF4DqDKx3GgPMjMkmBjAEPto17wlfXc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "chat.ixeo-conseil.com"
},
"status": "pending",
"expires": "2021-06-24T07:28:35Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/Kthu-Q",
"token": "-tDzGeTYH7VuwLHqEW-YEOGTTC-UlwCeq3RdFJXLUJM"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/dstNvg",
"token": "-tDzGeTYH7VuwLHqEW-YEOGTTC-UlwCeq3RdFJXLUJM"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/lzc8ng",
"token": "-tDzGeTYH7VuwLHqEW-YEOGTTC-UlwCeq3RdFJXLUJM"
}
]
}
2021-06-17 09:28:36,068:DEBUG:acme.client:Storing nonce: 0103jPmYfx3rDJ-nsF4DqDKx3GgPMjMkmBjAEPto17wlfXc
2021-06-17 09:28:36,069:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-06-17 09:28:36,070:INFO:certbot._internal.auth_handler:http-01 challenge for chat.ixeo-conseil.com
2021-06-17 09:28:36,085:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: chat.ixeo-conseil.com in: /etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf
2021-06-17 09:28:36,085:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: chat.ixeo-conseil.com in: /etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf
2021-06-17 09:28:36,085:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2021-06-17 09:28:36,085:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
Require all granted
</Directory>
<Location /.well-known/acme-challenge>
Require all granted
</Location>

2021-06-17 09:28:36,108:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf
2021-06-17 09:28:39,450:DEBUG:certbot.display.util:Notifying user: Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
2021-06-17 09:28:46,056:DEBUG:acme.client:JWS payload:
b'{}'
2021-06-17 09:28:46,063:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/Kthu-Q:
2021-06-17 09:28:46,199:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/14048939153/Kthu-Q HTTP/1.1" 200 186
2021-06-17 09:28:46,201:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 07:28:46 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 64864045
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/14048939153;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/Kthu-Q
Replay-Nonce: 0103kdfzosYswB2SyXZHj6t7mxMapOezWj4W2TAaiNjtyO0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/Kthu-Q",
"token": "-tDzGeTYH7VuwLHqEW-YEOGTTC-UlwCeq3RdFJXLUJM"
}
2021-06-17 09:28:46,201:DEBUG:acme.client:Storing nonce: 0103kdfzosYswB2SyXZHj6t7mxMapOezWj4W2TAaiNjtyO0
2021-06-17 09:28:46,203:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-06-17 09:28:47,205:DEBUG:acme.client:JWS payload:
b''
2021-06-17 09:28:47,208:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14048939153:
2021-06-17 09:28:47,339:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/14048939153 HTTP/1.1" 200 1386
2021-06-17 09:28:47,340:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 07:28:47 GMT
Content-Type: application/json
Content-Length: 1386
Connection: keep-alive
Boulder-Requester: 64864045
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0104UCQJ8tIroCj-6sShqyMAj9HKw4acke-taAlqj6bVKS0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "chat.ixeo-conseil.com"
},
"status": "invalid",
"expires": "2021-06-24T07:28:35Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from Mattermost [2001:4b98:dc0:41:216:3eff:fefb:5963]: "\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14048939153/Kthu-Q",
"token": "-tDzGeTYH7VuwLHqEW-YEOGTTC-UlwCeq3RdFJXLUJM",
"validationRecord": [
{
"url": "Mattermost",
"hostname": "chat.ixeo-conseil.com",
"port": "80",
"addressesResolved": [
"92.243.9.115",
"2001:4b98:dc0:41:216:3eff:fefb:5963"
],
"addressUsed": "2001:4b98:dc0:41:216:3eff:fefb:5963"
}
],
"validated": "2021-06-17T07:28:46Z"
}
]
}
2021-06-17 09:28:47,340:DEBUG:acme.client:Storing nonce: 0104UCQJ8tIroCj-6sShqyMAj9HKw4acke-taAlqj6bVKS0
2021-06-17 09:28:47,341:INFO:certbot._internal.auth_handler:Challenge failed for domain chat.ixeo-conseil.com
2021-06-17 09:28:47,341:INFO:certbot._internal.auth_handler:http-01 challenge for chat.ixeo-conseil.com
2021-06-17 09:28:47,341:DEBUG:certbot.display.util:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: chat.ixeo-conseil.com
Type: unauthorized
Detail: Invalid response from Mattermost [2001:4b98:dc0:41:216:3eff:fefb:5963]: "\n\n404 Not Found\n\n<h1>Not Found\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2021-06-17 09:28:47,342:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-06-17 09:28:47,343:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-06-17 09:28:47,343:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-06-17 09:28:47,815:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/1201/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 1552, in main
return config.func(config, plugins)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 1414, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/main.py", line 117, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 333, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 375, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 93, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1201/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 181, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-06-17 09:28:47,817:ERROR:certbot._internal.log:Some challenges have failed.


Thanks for your responses. They're very helpful but unfortunately your config just works for me, so far.

Two ideas to try, to exclude some possibilities:

  1. Try a dry-run renewal of the problematic certificate only. I really hope this isn't the problem, but we'll see.

    certbot renew --cert-name chat.ixeo-conseil.com --dry-run
    
  2. Try temporarily removing the IPv6 AAAA record and then do a dry-run renewal. I want to see whether you still get the 404 when Let's Encrypt is only using the IPv4 address for that domain.

Also, if you feel like just giving up, you can try:

certbot renew --cert-name chat.ixeo-conseil.com -i apache -a webroot -w /var/www/empty --dry-run

Thanks for the advice. I tried the 3 methods:

  1. I did try it before, it didn't work, and it doesn't work again...
  2. I deleted the AAAA entry for chat.ixeo-conseil.com, checked that it was no longer active (DNS Checker), and tried again. No success!
    With AAAA on:

Type: unauthorized
Detail: Invalid response from http://chat.ixeo-conseil.com/.well-known/acme-challenge/Cs-S2Iz4nsekKwEeVHGP8ye6OZLicW-79q_riPVC8Gw [2001:4b98:dc0:41:216:3eff:fefb:5963]: "\n\n404 Not Found\n\n<h1>Not Found\n<p"

With AAAA off:

Type: unauthorized
Detail: Invalid response from Mattermost [92.243.9.115]: "\n\n404 Not Found\n\n<h1>Not Found\n<p"

  3. Same thing, same error message.

My certificate expires on July 12, so I still have a couple of days to solve the issue. In the end, if it's not solved, I will renew manually with a DNS challenge (if I remember how to do so...)
Anyway, the only hypothesis I see is that this service is inside a docker container. Could it be that this interferes with certbot?

1 Like

Do you mean the service you are proxying? It shouldn't matter at all, no.

Do you mean the webroot method did not work either? I am very surprised to hear that.

If you create a file like so:

echo hello > /var/www/empty/.well-known/test.txt

it should be accessible via http://chat.ixeo-conseil.com/.well-known/test.txt, right? According to how your config is written?

1 Like

Exactly, the webroot method fails too!
In fact I had a file index.html with "no site here" inside. I put one at each level: in /var/www, in /var/www/empty, in /var/www/empty/.well-known, and in /var/www/empty/.well-known/acme-challenge, with the name of the directory in each of them. I can reach each of them from my browser. And if I only type http://chat.ixeo-conseil.com, I do get the right text ("no site here in empty").
But whatever I do, I always get the same error:

# certbot renew --cert-name chat.ixeo-conseil.com -i apache -a webroot -w /var/www/empty --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chat.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for chat.ixeo-conseil.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: chat.ixeo-conseil.com
Type: unauthorized
Detail: Invalid response from http://chat.ixeo-conseil.com/.well-known/acme-challenge/2i5dVwtttxieJ9KCnr51VzryNPsmpEJCsnQ2i2W9Ero [92.243.9.115]: "\n\n404 Not Found\n\n</h1>Not Found\n<p"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate chat.ixeo-conseil.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/chat.ixeo-conseil.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

That's just bizarre. I guess you could try the Ctrl-Z trick again, but with webroot. Check that the file is created by Certbot in the expected location and whether maybe it's a permission problem.

1 Like

Yes it is, and it makes me crazy!
I played with the Ctrl-Z trick... not easy to hit at the right time. But I finally found the right file:

root@servessai:/var/www/empty/.well-known/acme-challenge# ll
total 16
drwxr-xr-x 2 www-data www-data 4096 Jun 17 14:27 ./
drwxr-xr-x 3 www-data www-data 4096 Jun 17 13:45 ../
-rw-r--r-- 1 www-data www-data 33 Jun 17 13:53 index.html
-rw-r--r-- 1 root root 87 Jun 17 14:27 WqI1Vedzf18lf4oUOvn_ixNfK-K7h0D4kyOodkLty8k

By the way, all these directories have www-data as owner, and you can see the permissions rwxr-xr-x... and the file is readable. But the file is owned by root. Do you think I should run the renew from another user without root rights?
I tried to run the command with sudo -u www-data... no way: cannot create user data directory: /var/www/snap/certbot/1201: Permission denied

1 Like

I think my problem is linked to Apache. I noticed a weird behaviour.
As said before, I have put a file index.html in each of the directories "/var/www", "/var/www/empty", "/var/www/empty/.well-known", and "/var/www/empty/.well-known/acme-challenge", and in each of them I have written "no site here <name of the directory>". So here is the listing of what is in www, recursively:

root@servessai:/var/www# ll
total 28
drwxr-xr-x 6 www-data www-data 4096 Jun 17 16:43 ./
drwxr-xr-x 14 root root 4096 Sep 1 2020 ../
drwxr-xr-x 3 www-data www-data 4096 Jun 17 16:43 empty/
drwxr-xr-x 2 www-data www-data 4096 Jun 15 23:15 html/
-rw-r--r-- 1 root root 21 Jun 17 16:43 index.html
drwxr-xr-x 5 root root 4096 Mar 18 2020 onlyoffice/
drwxr-xr-x 3 www-data www-data 4096 Jun 17 14:40 snap/
root@servessai:/var/www# cat index.html
No site here in www
root@servessai:/var/www# cd empty
root@servessai:/var/www/empty# ll
total 16
drwxr-xr-x 3 www-data www-data 4096 Jun 17 16:43 ./
drwxr-xr-x 6 www-data www-data 4096 Jun 17 16:43 ../
-rw-r--r-- 1 www-data www-data 22 Jun 17 16:43 index.html
drwxr-xr-x 3 www-data www-data 4096 Jun 17 16:42 .well-known/
root@servessai:/var/www/empty# cat index.html
No site here in empty
root@servessai:/var/www/empty# cd .well-known
root@servessai:/var/www/empty/.well-known# ll
total 16
drwxr-xr-x 3 www-data www-data 4096 Jun 17 16:42 ./
drwxr-xr-x 3 www-data www-data 4096 Jun 17 16:43 ../
drwxr-xr-x 2 www-data www-data 4096 Jun 17 16:42 acme-challenge/
-rw-r--r-- 1 www-data www-data 28 Jun 17 16:42 index.html
root@servessai:/var/www/empty/.well-known# cat index.html
No site here in well-known
root@servessai:/var/www/empty/.well-known# cd acme-challenge
root@servessai:/var/www/empty/.well-known/acme-challenge# ll
total 12
drwxr-xr-x 2 www-data www-data 4096 Jun 17 16:42 ./
drwxr-xr-x 3 www-data www-data 4096 Jun 17 16:42 ../
-rw-r--r-- 1 www-data www-data 31 Jun 17 16:42 index.html
root@servessai:/var/www/empty/.well-known/acme-challenge# cat index.html
No site here in acme-challenge

In my virtualhost, I have

<VirtualHost *:80>
ServerName chat.ixeo-conseil.com
ServerAlias chat.ixeo-conseil.com

ServerAdmin xxx@xxx.com

DocumentRoot /var/www/empty
<location /var/www/empty>
Require all granted
</location>

<Directory /var/www/empty/>
Require all granted
</Directory>

    CustomLog ${APACHE_LOG_DIR}/chat.access.log combined
    ErrorLog ${APACHE_LOG_DIR}/chat.error.log

</VirtualHost>

In my browser, when I write
http://chat.ixeo-conseil.com/index.html
I obtain
No site here in empty
which looks fine
for
http://chat.ixeo-conseil.com/.well-known/index.html
I obtain
No site here in well-known
still OK
but for
http://chat.ixeo-conseil.com/.well-known/acme-challenge/index.html
I obtain
No site here
What is funny is that I do not have any file "index.html" on my server which contains only "no site here". I should have obtained "no site here in acme-challenge"!
I don't understand where this message comes from. There is no longer any file with that in it. Maybe a cache?
Another funny thing: the preview of this forum says
http://chat.ixeo-conseil.com/.well-known/acme-challenge/index.html
Sorry, we were unable to generate a preview for this web page, because the web server returned an error code of 404. Instead of a preview, only a link will appear in your post.

And stranger still, for the one where I got the right file
http://chat.ixeo-conseil.com/.well-known/index.html
Sorry, we were unable to generate a preview for this web page, because the following oEmbed / OpenGraph tags could not be found: description, image

I am really lost!

1 Like

I think I found a clue for the solution (but not the solution). It seems it comes from Apache.
And it seems it comes from the dot in .well-known.
I have copied my directory .well-known (and its content) to well-known. So I have both .well-known and well-known in the directory /var/www/empty.
When I browse to http://chat.ixeo-conseil.com/.well-known/acme-challenge/index.html
I get a 404 Not Found error.
When I browse to http://chat.ixeo-conseil.com/well-known/acme-challenge/index.html
(without the dot) I get the right answer "No file in acme-challenge"
Why? I don't know.
How to solve it? I don't know.
I think I am going to look on an Apache forum to see if I find an answer...

1 Like

I finally found the solution (or at least a solution which works), here

and in fact from here

Here is my virtualhost
<VirtualHost *:80>
ServerName chat.ixeo-conseil.com
ServerAlias chat.ixeo-conseil.com
ServerAdmin xxxx@xxxx.com
DocumentRoot /var/www/empty

     Alias /.well-known/acme-challenge/ /var/www/empty/.well-known/acme-challenge/
    <Directory "/var/www/empty/.well-known/acme-challenge/">
             Options None
             AllowOverride None
             ForceType text/plain
             RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>

     RewriteEngine on
     RewriteCond %{REQUEST_URI} !^/\.well-known
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R]

     CustomLog ${APACHE_LOG_DIR}/chat.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/chat.error.log

</VirtualHost>

However, the file I have put in /var/www/empty/.well-known/acme-challenge is not found from a browser.
I don't try to understand... It works and that's it.
Thank you
Regards,
PS. May be somebody could mark this post as solved and close it. I don't know how to do it.

1 Like
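A scripted version of the manual test proposed earlier in the thread (drop a file under the webroot, then fetch it over HTTP), added here as an example and not taken from the thread or from Certbot. It assumes the thread's webroot /var/www/empty and domain chat.ixeo-conseil.com, and generates a 43-character URL-safe token name because the RedirectMatch in the working vhost above answers 404 to any other name in that directory (which is also why index.html is no longer reachable there). It fetches once over IPv4 and once over IPv6, since the CA reported both addresses in this thread.

```shell
#!/bin/sh
# Self-check for the HTTP-01 challenge path. Example code, not part of the thread.
# Assumed defaults: the webroot and domain used in this thread.
WEBROOT="${WEBROOT:-/var/www/empty}"
DOMAIN="${DOMAIN:-chat.ixeo-conseil.com}"

# Print a 43-character token name from [A-Za-z0-9_-], the only shape the
# RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)" lets through.
gen_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n' | cut -c1-43
}

# Return 0 only if $1 is a name the working vhost would serve.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Fetch $1 with curl using IP-version flag $3 (-4 or -6) and compare
# the body with the expected content $2. Return 0 on an exact match.
check_served() {
    url=$1; expected=$2; ipflag=$3
    body=$(curl -s "$ipflag" --max-time 10 "$url") || return 1
    [ "$body" = "$expected" ]
}

# Create a token file, fetch it over IPv4 and IPv6, then remove it.
run_check() {
    token=$(gen_token)
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token.selfcheck" > "$dir/$token"
    url="http://$DOMAIN/.well-known/acme-challenge/$token"
    for f in -4 -6; do
        if check_served "$url" "$token.selfcheck" "$f"; then
            echo "OK   ($f): $url served the expected content"
        else
            echo "FAIL ($f): $url did not return the expected content"
        fi
    done
    rm -f "$dir/$token"
}

# Only hit the network when explicitly asked: ./selfcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

A FAIL on -6 with an OK on -4 reproduces the AAAA symptom discussed above; a FAIL on both means the vhost is not serving the directory at all, regardless of address family.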

Repetitive redundancy:

1 Like

Yes, you are right... remnants of old trials. I will correct that.
But I come back to my solution. It did work with the webroot method, but not with the apache method... So I need to renew it manually until the problem is fixed.

1 Like

The webroot authenticator will work with autorenewal. You just need to be sure to add:

--deploy-hook "apachectl -k graceful"

so that your apache webserver will be automatically reloaded after a new certificate is acquired.

1 Like

Thank you for the info. I will try to implement.
But it remains surprising that the Apache method doesn't work.

2 Likes