The server names of the main server are:
gollum.at www.gollum.at ipv4-www.gollum.at ipv6-www.gollum.at
and a second vhost runs at:
I ran this command:
certbot renew -vvv
It produced this output:
Sorry - can not reproduce because now it get:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently
I correctly created the certificate for all the domains. Now I got an expiration email. Then I tried to renew and always get this annoying error "The Certificate Authority failed to verify the temporary Apache configuration". Even with -vvv i was not able to understand what happens. It updated my apache configs but finally failed when it tries to fetch the acme-challenge.
Whats the corect way to debug this certbot stuff? It writes something into the config but on any error it immediately rollbacks the config so I cannot check whats really going wrong.I think it's because my hssp.config is really old (and often migrated) to the certbot just puts in some garbage. What should I do now?
Is there any other way of getting a stable cert without this crazy hacks into my http-conf. I have also almost full acces to manage my DNS - is there another way without rewriting and craching my configs every month? Maybe can it be a problem because ipv4-* has only A-records and ipv6-* only AAAA- records but the renew process fails on www.gollum.at so I think this is not the problem.
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 20.04.4 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1
Require all granted
Require all granted
And for the hvost on 443 oc.gollum.at I now added also the Rewrite-rule for the acme-challenge
I created also a test file Test123 so this works: http://www.gollum.at/.well-known/acme-challenge/Test123
but of course, curl returns: Location: https://www.gollum.at/.well-known/acme-challenge/Test123
Can it be that certbot does not work correctly with the HTTP-Redirect?
As Bruce has noted, HTTP (port 80) connections are not working well. Your Apache server may be mis-configured. Can you show result of this
sudo apachectl -t -D DUMP_VHOSTS
(might be apachectl2)
I say that because I see this
www domain fails HTTP w/IPv4 but works HTTP w/IPv6
curl -4 http://www.gollum.at/.well-known/acme-challenge/Test123
curl: (7) Failed to connect to www.gollum.at port 80 after 112 ms: Connection refused
curl -6 http://www.gollum.at/.well-known/acme-challenge/Test123
apex domain works for both IPv4/6 with HTTP
curl -4 http://gollum.at/.well-known/acme-challenge/Test123
curl -6 http://gollum.at/.well-known/acme-challenge/Test123
and this showing ipv4 domain failing HTTP but ipv6 domain working
curl -I http://ipv4-www.gollum.at
curl: (7) Failed to connect to ipv4-www.gollum.at port 80 after 113 ms: Connection refused
curl -I http://ipv6-www.gollum.at
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2022 19:42:11 GMT
Manually changed the SSLCertificateFile and SSLCertificateKeyFile in the configs.
Now I have a cert till January - let's see what happens next year.
Even if the problem is still not solved (that sometimes my web server is not reachable) thanks for all the help! Maybe I will ask my internet provider (which also manages the microtik-router) for analyzing the problem.
[Thu Oct 20 20:32:06.475553 2022] [so:warn] [pid 632282] AH01574: module dav_module is already loaded, skipping
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/gollum.at-ssl.conf:2
*:443 is a NameVirtualHost
default server gollum.at (/etc/apache2/sites-enabled/gollum.at-ssl.conf:3)
port 443 namevhost gollum.at (/etc/apache2/sites-enabled/gollum.at-ssl.conf:3)
port 443 namevhost oc.gollum.at (/etc/apache2/sites-enabled/owncloud-ssl.conf:2)
*:80 is a NameVirtualHost
default server gollum.at (/etc/apache2/sites-enabled/gollum.at.conf:14)
port 80 namevhost gollum.at (/etc/apache2/sites-enabled/gollum.at.conf:14)
port 80 namevhost ipv4-www.gollum.at (/etc/apache2/sites-enabled/ipv-gollum.at.conf:12)
port 80 namevhost oc.gollum.at (/etc/apache2/sites-enabled/owncloud.conf:1)
The ipv4/ipv6 is now just using the same data directory like gollum.at but not using the same vhost.
ipv6 ist the only one with an AAAA record. The AAAA records from gollum.at and www.gollum.at have been removed.
The automatic-redirection from http to https in gollum.at / www.gollum.at is now commented out.
The automatic-redirection from http to https in oc.gollum.at is still active.
gollum.at / www.gollum.at and oc.gollum.at are using the same certificate.
Have you disabled port 80 for IPv4 now? Because I can reach your apex, www, and oc domains using IPv4 and HTTPS but not with HTTP. They all fail with "connection refused". See letsdebug.net
Yet, your ipv6-www.gollum.at connects both HTTP and HTTPS over IPv6 (it only has an AAAA record). Although, it returns an invalid cert but this is expected since you did not include this name in your cert request.
And, as expected, HTTPS to ipv4-www.gollum.at fails because the cert you got did not include this name either.
UPDATE: I just realized you did not setup a VHost for your ipv4 / ipv6 domains for port 443 so the cert is just from the default server used by Apache. So, that's fine. Except that ipv4-www domain fails to connect with HTTP with "connection refused" like your others.