Certificate Authority failed to verify the temporary Apache configuration

Thank you.
Here is the output of the renew command

#certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/chat.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for chat.ixeo-conseil.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: chat.ixeo-conseil.com
Type: unauthorized
Detail: Invalid response from Mattermost [2001:4b98:dc0:41:216:3eff:fefb:5963]: "\n\n404 Not Found\n\n<h1>Not Found\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate chat.ixeo-conseil.com with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/dodo.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for dodo.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/editor.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for editor.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/icecream.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for icecream.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/projet.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for projet.ixeo-conseil.com


Processing /etc/letsencrypt/renewal/visio.ixeo-conseil.com.conf


Simulating renewal of an existing certificate for visio.ixeo-conseil.com


The following simulated renewals succeeded:
/etc/letsencrypt/live/dodo.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/editor.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/icecream.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/projet.ixeo-conseil.com/fullchain.pem (success)
/etc/letsencrypt/live/visio.ixeo-conseil.com/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/chat.ixeo-conseil.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

And my Apache config

# apachectl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:2)
port 80 namevhost chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:2)
alias chat.ixeo-conseil.com
port 80 namevhost dodo.ixeo-conseil.com (/etc/apache2/sites-enabled/dodo.ixeo-conseil.com.conf:1)
alias dodo.ixeo-conseil.com
port 80 namevhost editor.ixeo-conseil.com (/etc/apache2/sites-enabled/editor.ixeo-conseil.com.conf:1)
port 80 namevhost icecream.ixeo-conseil.com (/etc/apache2/sites-enabled/icecream.ixeo-conseil.com.conf:1)
alias icecream.ixeo-conseil.com
port 80 namevhost projet.ixeo-conseil.com (/etc/apache2/sites-enabled/projet.ixeo-conseil.com.conf:1)
alias projet.ixeo-conseil.com
port 80 namevhost visio.ixeo-conseil.com (/etc/apache2/sites-enabled/visio.ixeo-conseil.com.conf:1)
alias visio.ixeo-conseil.com
*:443 is a NameVirtualHost
default server chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:29)
port 443 namevhost chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:29)
port 443 namevhost dodo.ixeo-conseil.com (/etc/apache2/sites-enabled/dodo.ixeo-conseil.com.conf:14)
alias dodo.ixeo-conseil.com
port 443 namevhost editor.ixeo-conseil.com (/etc/apache2/sites-enabled/editor.ixeo-conseil.com.conf:15)
port 443 namevhost icecream.ixeo-conseil.com (/etc/apache2/sites-enabled/icecream.ixeo-conseil.com.conf:16)
alias icecream.ixeo-conseil.com
port 443 namevhost projet.ixeo-conseil.com (/etc/apache2/sites-enabled/projet.ixeo-conseil.com.conf:22)
alias projet.ixeo-conseil.com
port 443 namevhost visio.ixeo-conseil.com (/etc/apache2/sites-enabled/visio.ixeo-conseil.com.conf:13)
alias visio.ixeo-conseil.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

I don't know if it could be useful, but I also give my virtualhost for the subdomain chat:

<VirtualHost *:80>
ServerName chat.ixeo-conseil.com
ServerAlias chat.ixeo-conseil.com

ServerAdmin r****@***

DocumentRoot /var/www/empty

RewriteEngine on
# RewriteCond %{SERVER_NAME} =chat.ixeo-conseil.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R]

    CustomLog ${APACHE_LOG_DIR}/chat.access.log combined
    ErrorLog ${APACHE_LOG_DIR}/chat.error.log

</VirtualHost>

<VirtualHost *:443>
ServerName chat.ixeo-conseil.com
ServerAdmin rene.laversanne@ixeo-conseil.com

DocumentRoot /var/www/empty

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/chat.ixeo-conseil.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chat.ixeo-conseil.com/privkey.pem

ProxyPreserveHost On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off

RewriteEngine On
RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* wss://127.0.0.1:8443%{REQUEST_URI} [P,QSA,L]

<Location />
Require all granted
ProxyPass https://127.0.0.1:8443/
ProxyPassReverse https://127.0.0.1:8443/
ProxyPassReverseCookieDomain 127.0.0.1 chat.ixeo-conseil.com
</Location>

   CustomLog ${APACHE_LOG_DIR}/chat.access.log combined
   ErrorLog ${APACHE_LOG_DIR}/chat.error.log

</VirtualHost>

The two lines with # are trials I have done with another syntax for redirection...
I have tried suppressing the redirection and even suppressing all the lines of the ssl virtualhost, without any success...
The /var/www/empty directory is owned by www-data. And this is the same as the one given for virtualhost editor.ixeo-conseil.com, which has no problem as shown in the output.
It is reachable with Mattermost (there is an HTML file inside with a line of text "no site here").
My DNS zone seems to be OK, as the lines for chat and for editor look the same:

chat 1800 IN A 92.243.9.115
chat 1800 IN AAAA 2001:4b98:dc0:41:216:3eff:fefb:5963
editor 1800 IN A 92.243.9.115
editor 1800 IN AAAA 2001:4b98:dc0:41:216:3eff:fefb:5963

This looks (to me) rather weird... Any help would be welcome.
René

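A triage helper for the two outputs posted above, added here as an example (it is not part of the original post and not Certbot's own code): it pulls each failed domain out of the CA problem report, extracts the address the CA actually connected to and its address family, and looks up the port-80 vhost that `apachectl -S` lists for that name, since HTTP-01 validation arrives on port 80. The function names are hypothetical; the sample input is copied from the post.

```python
import ipaddress
import re

# Sample input: lines copied from the two command outputs in the post above.
CERTBOT_OUT = r'''
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: chat.ixeo-conseil.com
  Type: unauthorized
  Detail: Invalid response from Mattermost [2001:4b98:dc0:41:216:3eff:fefb:5963]: "\n\n404 Not Found\n\n<h1>Not Found\n<p"
'''
APACHECTL_OUT = '''
 port 80 namevhost chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:2)
 port 443 namevhost chat.ixeo-conseil.com (/etc/apache2/sites-enabled/chat.ixeo-conseil.com.conf:29)
'''

def ca_problems(text):
    """Group the Domain/Type/Detail lines of certbot's CA problem report."""
    problems = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domain":
            problems.append({"domain": value})
        elif key in ("Type", "Detail") and problems:
            problems[-1][key.lower()] = value
    return problems

def bracketed_ip(detail):
    """First [address] in a Detail line that parses as an IP address, else None."""
    for candidate in re.findall(r"\[([^\]\s]+)\]", detail):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue

def vhosts(text):
    """Map (port, ServerName) to 'file:line' from `apachectl -S` namevhost lines."""
    return {(int(p), n): w for p, n, w in re.findall(r"port (\d+) namevhost (\S+) \((\S+)\)", text)}

def triage(certbot_text, apachectl_text):
    """Per failed domain: the address the CA reached and the port-80 vhost to inspect."""
    hosts, rows = vhosts(apachectl_text), []
    for p in ca_problems(certbot_text):
        ip = bracketed_ip(p.get("detail", ""))
        rows.append({"domain": p["domain"], "type": p.get("type"),
                     "address": str(ip) if ip else None,
                     "family": f"IPv{ip.version}" if ip else None,
                     "port80_vhost": hosts.get((80, p["domain"]))})
    return rows

if __name__ == "__main__":
    print(triage(CERTBOT_OUT, APACHECTL_OUT))
```

On the posted output this reports that the CA reached the AAAA address over IPv6 and that the request was handled by the port-80 vhost at line 2 of `chat.ixeo-conseil.com.conf`.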