Certificate issued but ACME challenge file not created

I recently installed a Linux virtual machine (Ubuntu 18.04) on an MS Azure account. It runs Apache/2.4.29 (Ubuntu), and I installed certbot 1.13.0 with Snap. It creates the correct certificates and changes the configuration files stored in /etc/apache2/sites-available/my-domain.com.conf and my-domain.com-le-ssl.conf.
I noticed that it does not create the challenge for my application (under /var/www/html/jmqap/.well-known/acme-challenge).
I checked the paths, the firewall configuration (ufw is disabled), and ports 80 and 443, but I cannot figure out why the website is not loading. More details below.
Any idea?
Thanks in advance.

  • Domain: jmqap.com (the web server will also host some other domains once the issue I am experiencing is solved)
  • I ran this command: sudo certbot --apache
  • It produced the output shown below:

Requesting a certificate for jmqap.com and www.jmqap.com
Created an SSL vhost at /etc/apache2/sites-available/jmqap.com-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/jmqap.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/jmqap.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/jmqap.com-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/jmqap.com.conf to ssl vhost in /etc/apache2/sites-available/jmqap.com-le-ssl.conf

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jmqap.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jmqap.com/privkey.pem
Your certificate will expire on 2021-06-14. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew all of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

  • My web server is Apache/2.4.29

  • OS: Ubuntu 18.04
  • Hosting provider: MS Azure VM
  • I can login to a root shell on my machine
  • I'm not using a control panel to manage my site
  • The version of my client is certbot 1.13.0 from Certbot Project (installed via snap)
  • The ufw status is inactive
  • I launched the command lsof -iTCP -sTCP:LISTEN -P and port 443 is working (see below).

systemd-r 895 systemd-resolve 13u IPv4 18063 0t0 TCP localhost:53 (LISTEN)
sshd 1094 root 3u IPv4 22599 0t0 TCP *:22 (LISTEN)
sshd 1094 root 4u IPv6 22601 0t0 TCP *:22 (LISTEN)
mysqld 1129 mysql 32u IPv6 24687 0t0 TCP *:33060 (LISTEN)
mysqld 1129 mysql 37u IPv6 24691 0t0 TCP *:3306 (LISTEN)
apache2 3345 root 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3345 root 6u IPv6 44561 0t0 TCP *:443 (LISTEN)
apache2 3350 www-data 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3350 www-data 6u IPv6 44561 0t0 TCP *:443 (LISTEN)
apache2 3351 www-data 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3351 www-data 6u IPv6 44561 0t0 TCP *:443 (LISTEN)
apache2 3352 www-data 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3352 www-data 6u IPv6 44561 0t0 TCP *:443 (LISTEN)
apache2 3353 www-data 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3353 www-data 6u IPv6 44561 0t0 TCP *:443 (LISTEN)
apache2 3356 www-data 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3356 www-data 6u IPv6 44561 0t0 TCP *:443 (LISTEN)

  • Finally, this is the content of /etc/apache2/sites-available/jmqap.com.conf:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin claudio.oriani@gmail.com
    ServerName jmqap.com
    ServerAlias www.jmqap.com
    DocumentRoot /var/www/html/jmqap

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Directory /var/www/html/jmqap>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.jmqap.com [OR]
    RewriteCond %{SERVER_NAME} =jmqap.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

  • And this is the jmqap.com-le-ssl.conf content:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin claudio.oriani@gmail.com
    ServerName jmqap.com
    ServerAlias www.jmqap.com
    DocumentRoot /var/www/html/jmqap
    #set the default action for all other requests

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Directory /var/www/html/jmqap>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/jmqap.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jmqap.com/privkey.pem
</VirtualHost>
</IfModule>

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin claudio.oriani@gmail.com
    ServerName jmqap.com
    ServerAlias www.jmqap.com
    DocumentRoot /var/www/html/jmqap

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    <Directory /var/www/html/jmqap>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine on
    #Some rewrite rules in this file were disabled on your HTTPS site,
    #because they have the potential to create redirection loops.

    #RewriteCond %{SERVER_NAME} =www.jmqap.com [OR]
    #RewriteCond %{SERVER_NAME} =jmqap.com
    #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    RewriteCond %{SERVER_NAME} =jmqap.com [OR]
    RewriteCond %{SERVER_NAME} =www.jmqap.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


Hi @claujazz

If you use --apache, your configuration is temporarily changed, without a physical validation file.

Validation has worked; there are some new certificates (crt.sh | jmqap.com), so don't create the next one.

http works (a redirect to https). https has a timeout.

First step: does https work internally, from that machine?

curl https://jmqap.com/

If yes, it's a firewall / routing problem. If not, what does this say:

apachectl -S

Thank you for your reply.
I forgot to mention that I launched a cURL command to https://jmqap.com from that machine, but the response is:
curl: (7) Failed to connect to jmqap.com port 443: Connection timed out

I also launched sudo apachectl -S and this is the result:

VirtualHost configuration:
*:443 jmqap.com (/etc/apache2/sites-enabled/jmqap.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server calibermachine.internal.cloudapp.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost calibermachine.internal.cloudapp.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost jmqap.com (/etc/apache2/sites-enabled/jmqap.com-le-ssl.conf:46)
alias www.jmqap.com
port 80 namevhost jmqap.com (/etc/apache2/sites-enabled/jmqap.com.conf:1)
alias www.jmqap.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

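As an added example (not code from the thread, from Certbot or from Apache), here is a small Python triage that reads the apachectl -S and lsof output quoted above and separates "Apache is not serving 443" from "Apache serves 443, so the timeout is on the network path", which is the case this thread ends in. It also flags the duplicate port-80 vhost that apachectl -S reports for jmqap.com in both jmqap.com.conf and jmqap.com-le-ssl.conf; the function names and finding labels are my own, and the sample text is the thread's own output embedded inline.

```python
import re
# Constructed sample input: the apachectl -S and lsof lines quoted in the thread above.
APACHECTL_S = """\
VirtualHost configuration:
*:443 jmqap.com (/etc/apache2/sites-enabled/jmqap.com-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server calibermachine.internal.cloudapp.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost calibermachine.internal.cloudapp.net (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost jmqap.com (/etc/apache2/sites-enabled/jmqap.com-le-ssl.conf:46)
alias www.jmqap.com
port 80 namevhost jmqap.com (/etc/apache2/sites-enabled/jmqap.com.conf:1)
alias www.jmqap.com
"""
LSOF = """\
apache2 3345 root 4u IPv6 44557 0t0 TCP *:80 (LISTEN)
apache2 3345 root 6u IPv6 44561 0t0 TCP *:443 (LISTEN)
"""
# Single-vhost form "*:443 name (file:line)" and NameVirtualHost form "port 80 namevhost
# name (file:line)"; alias and "is a NameVirtualHost" lines deliberately do not match.
VHOST_RE = re.compile(r"^(?:\*:(\d+)|port (\d+) namevhost)\s+(\S+)\s+\((\S+?):(\d+)\)$")
LISTEN_RE = re.compile(r"^\S+ .*TCP \S*:(\d+) \(LISTEN\)$")

def parse_vhosts(text):
    # (port, servername, file, line) for every vhost apachectl -S lists
    vhosts = []
    for line in text.splitlines():
        m = VHOST_RE.match(line.strip())
        if m:
            vhosts.append((int(m.group(1) or m.group(2)), m.group(3), m.group(4), int(m.group(5))))
    return vhosts

def listening_ports(text):
    # TCP ports in LISTEN state, from lsof -iTCP -sTCP:LISTEN -P
    return {int(m.group(1)) for m in map(LISTEN_RE.match, text.splitlines()) if m}

def triage(domain, apachectl_text, lsof_text):
    # Decide whether the local side explains an HTTPS timeout for `domain`.
    vhosts = parse_vhosts(apachectl_text)
    ports = listening_ports(lsof_text)
    findings = []
    if 443 not in ports:
        findings.append("no-443-listener")          # Apache is not bound to 443 at all
    elif not any(p == 443 and n == domain for p, n, _, _ in vhosts):
        findings.append("no-443-vhost-for-domain")  # bound, but no SSL vhost for this name
    else:
        findings.append("apache-serves-443")        # local side is fine: suspect the network path
    files_80 = {f for p, n, f, _ in vhosts if p == 80 and n == domain}
    if len(files_80) > 1:
        findings.append("duplicate-80-vhost")       # same name on :80 defined in several files
    return findings
```

With the thread's output it returns ["apache-serves-443", "duplicate-80-vhost"]: Apache is bound to 443 with an SSL vhost for jmqap.com, so a connection timeout points at a filter in front of the VM rather than at Apache, and the second port-80 definition of jmqap.com in the le-ssl file is worth removing to keep the configuration unambiguous.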

Hi,
Just to confirm that we found the root cause.
Inbound traffic on port 443 was blocked on MS Azure. An inbound port rule was added, which solved the issue.
I attach a screenshot for future reference.
Thank you for your assistance.
Regards

