Certificate renewal fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: x4.eec.de

I ran this command: via Virtualmin Let's Encrypt certificate renewal interface

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for x4.eec.de

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: x4.eec.de
Type: unauthorized
Detail: 2a01:4f8:151:601b::2: Invalid response from http://x4.eec.de/.well-known/acme-challenge/nRJjsitZx-Z57-Cl0H7KmyqHxNFBgs6tVxaFxbEuvXo: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.52-1

The operating system my web server runs on is (include version): Ubuntu Linux 22.04.4

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin/Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

When I did the setup of my server a year ago, I was able to retrieve a certificate as well for one virtual domain that is residing on the server. When it was time to renew the certificate, the process failed. I checked my DNS entries and they seem to be correct. When checking the web site, I am getting the expected page, therefore I conclude that Apache is working fine. I also (re)installed the allegedly needed components with apt install certbot python3-certbot-apache.

And now I am lost and would highly appreciate every step that could bring me closer to a functional certbot installation.

Thank you very much in advance!

2 Likes

The 404 is a Not Found. When using the --webroot option it means the webroot folder Certbot is using does not match the DocumentRoot in Apache for this domain / URL.

I don't know VirtualMin at all. But, do you run Certbot yourself or does VirtualMin run it?

The /var/log/letsencrypt/letsencrypt.log file would show the folder Certbot was configured to use. If you cannot interpret that just upload it to this forum. You probably need to copy it to a .txt file to upload it.

Once you know that folder check your VirtualHost and see if the folders match.

4 Likes
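The reply above says what the 404 means: the VirtualHost that answered the CA's request serves a DocumentRoot other than the one Certbot wrote the token into. The following script is an added example (not Certbot's, Apache's or Virtualmin's code) that performs exactly the check the Certbot hint asks for, before the CA does: write a token file under `<webroot>/.well-known/acme-challenge/`, then fetch it by connecting to each address the name resolves to while sending the real `Host` header. The offline demo stands in two throwaway Python HTTP servers on loopback for two Apache vhosts with different document roots; the token name, directories and ports are constructed for the demo.

```python
"""Pre-flight check for HTTP-01 webroot challenges (added example).

write_token() does what Certbot's webroot authenticator does; fetch_challenge()
does what the CA does, but against one chosen IP so that an IPv4/IPv6 split
between vhosts shows up as a 404 on one family.  All names below are constructed.
"""
import http.client
import os
import socket
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PATH = ".well-known/acme-challenge"


def write_token(webroot, token, content="probe"):
    """Create <webroot>/.well-known/acme-challenge/<token> and return its path."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    full = os.path.join(directory, token)
    with open(full, "w") as fh:
        fh.write(content)
    return full


def fetch_challenge(address, host, token, port=80, timeout=5):
    """GET http://<host>/.well-known/acme-challenge/<token> by connecting to a
    specific IPv4 or IPv6 address and sending the Host header the CA would send.
    Returns (status, body)."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    conn.request("GET", "/%s/%s" % (CHALLENGE_PATH, token), headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def resolve_all(host):
    """Every A/AAAA address of host; the CA may use any and prefers IPv6."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _serve(directory, address="127.0.0.1"):
    """Throwaway HTTP server rooted at directory (stand-in for one VirtualHost).
    Returns (server, port); the port is chosen by the OS."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    server = HTTPServer((address, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Reproduce the thread's failure offline: two document roots, the token
    written only into the one Certbot was pointed at.  Returns the status each
    'vhost' gives for the same URL."""
    token = "constructed-token-0123"            # constructed, not a real ACME token
    certbot_root = tempfile.mkdtemp(prefix="x4_public_html_")
    other_root = tempfile.mkdtemp(prefix="nodez_public_html_")
    write_token(certbot_root, token)
    good, good_port = _serve(certbot_root)
    other, other_port = _serve(other_root)
    try:
        return {
            "certbot-webroot": fetch_challenge("127.0.0.1", "x4.eec.de", token, good_port)[0],
            "other-docroot": fetch_challenge("127.0.0.1", "x4.eec.de", token, other_port)[0],
        }
    finally:
        good.shutdown()
        other.shutdown()


if __name__ == "__main__":
    print(demo())  # {'certbot-webroot': 200, 'other-docroot': 404}
```

On a real server you would call `write_token("/home/x4/public_html", token)` and then `fetch_challenge(addr, "x4.eec.de", token)` for every `addr` in `resolve_all("x4.eec.de")`; a 200 from the IPv4 address and a 404 from the IPv6 address points straight at the vhost that answers on IPv6.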

So hi @Vince42, the last time we saw you was 2019!

And there is a common thread here.
What is new, what has changed?
There were some path issues if I am not mistaken...
I am not a rocket scientist, but is this issue in any way similar to your former issue?

I am learning too. Just checking.

3 Likes

Well observed! :slight_smile:

What is new? The issue is now on a new server.

My hurdles with Let's Encrypt are usually like this:

  • Find a problem
  • Dive deep into understanding how everything works
  • Read log files and try to understand
  • Ask help here
  • Get the issue (somehow) fixed
  • Let it rest ...
  • Repeat - after forgetting everything - months later with the first step and iterate through

Both servers are currently running in parallel (server1.domain.tld and server2.domain.tld). server2 has been able to request a certificate in the beginning, nowadays it refuses to refresh the certificate. And I have no idea whether the software has changed or the logs reveal something that I do not interpret as important or the DNS might have some hickup or whatever the reason might be.

This being said, I am thankful for every step towards a solution ... :slight_smile:

1 Like

Virtualmin is running certbot.

I uploaded the log file as I was not able to find the information in the plethora of entries. :wink:
letsencrypt.log.txt (1.2 MB)

The web folder for virtual servers is /home/xxx/public_html where xxx is the name of the virtual domain.

Thank you very much in advance for your help!

2 Likes

The log shows Certbot using this webroot path. Is that correct to just have x4 for the virtual domain part?

DEBUG:certbot._internal.main:Arguments: ['-a', 'webroot', '-d', 'x4.eec.de', '--webroot-path', '/home/x4/public_html'

If not you should fix that in the panel. Otherwise, let's check the Apache config. Please show output of this

sudo apache2ctl -t -D DUMP_VHOSTS
3 Likes

Yes, the path /home/x4/public_html is correct.

The dump of virtual hosts looks as follows:

VirtualHost configuration:
[2a01:4f8:151:601b::2]:80 nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
[2a01:4f8:151:601b::2]:443 nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:44)
176.9.110.23:80        is a NameVirtualHost
         default server nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
         port 80 namevhost nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
                 alias www.nodez.org
                 alias mail.nodez.org
                 alias webmail.nodez.org
                 alias admin.nodez.org
                 alias autoconfig.nodez.org
                 alias autodiscover.nodez.org
         port 80 namevhost x4.eec.de (/etc/apache2/sites-enabled/x4.eec.de.conf:1)
                 alias www.x4.eec.de
                 alias mail.x4.eec.de
                 alias webmail.x4.eec.de
                 alias admin.x4.eec.de
                 alias autoconfig.x4.eec.de
                 alias autodiscover.x4.eec.de
176.9.110.23:443       is a NameVirtualHost
         default server nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:44)
         port 443 namevhost nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:44)
                 alias www.nodez.org
                 alias webmail.nodez.org
                 alias admin.nodez.org
                 alias autoconfig.nodez.org
                 alias autodiscover.nodez.org
         port 443 namevhost x4.eec.de (/etc/apache2/sites-enabled/x4.eec.de.conf:45)
                 alias www.x4.eec.de
                 alias mail.x4.eec.de
                 alias webmail.x4.eec.de
                 alias admin.x4.eec.de
                 alias autoconfig.x4.eec.de
                 alias autodiscover.x4.eec.de

And the directive DocumentRoot in /etc/apache2/sites-enabled/x4.eec.de.conf is set to /home/x4/public_html, which is supposed to work as expected.
x4.eec.de.conf.txt (4.2 KB)

Oh, you are mixing IP-based and Name-Based VirtualHosts

But, you only have an IPv6 VirtualHost for nodez.org and not x4.eec.de

Let's Encrypt uses IPv6 when present instead of IPv4. Your IP-based nodez config for IPv6 will grab all incoming requests on IPv6 since that is the only one defined for it. And nodez DocumentRoot is not the same as for x4 - right? Compare the IPv6 VirtualHost to the IPv4 ones in your dump_vhosts output.

There is rarely a good reason to use IP addresses in your VirtualHost statement. But, I don't know how VirtualMin works best.

Ideally you should change it so Apache uses just Named-based VHosts. If that's not practical then make sure IPv6 is also configured for x4

A purely name-based VirtualHost statement looks like below and you would use that format for all VirtualHost statements in the same Apache config. Don't mix/match IP and Name-based

<VirtualHost *:80>
ServerName x4.eec.de
ServerAlias ...
</VirtualHost>

And the same for *:443

3 Likes
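The diagnosis above was made by reading the DUMP_VHOSTS output by eye: x4.eec.de has a vhost on the IPv4 listener only, so every IPv6 request, which the CA prefers, is answered by the lone IP-based nodez.org vhost and its DocumentRoot. The parser below is an added example (not Apache's, Certbot's or Virtualmin's code) that automates that reading. It parses `apache2ctl -t -D DUMP_VHOSTS` output and lists every hostname that, on one address family, would be answered by a vhost other than the one that owns it on the other family; SAMPLE_DUMP is abridged from the dump posted in this thread, FIXED_DUMP is a constructed name-based `*:80` / `*:443` equivalent that the check passes.

```python
"""Find hostnames that a different VirtualHost answers on IPv4 vs IPv6 (added
example).  Input is `apache2ctl -t -D DUMP_VHOSTS` text, read from stdin when
piped, otherwise the abridged sample from the thread."""
import re

SAMPLE_DUMP = """\
VirtualHost configuration:
[2a01:4f8:151:601b::2]:80 nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
[2a01:4f8:151:601b::2]:443 nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:44)
176.9.110.23:80        is a NameVirtualHost
         default server nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
         port 80 namevhost nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
                 alias www.nodez.org
         port 80 namevhost x4.eec.de (/etc/apache2/sites-enabled/x4.eec.de.conf:1)
                 alias www.x4.eec.de
176.9.110.23:443       is a NameVirtualHost
         default server nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:44)
         port 443 namevhost nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:44)
                 alias www.nodez.org
         port 443 namevhost x4.eec.de (/etc/apache2/sites-enabled/x4.eec.de.conf:45)
                 alias www.x4.eec.de
"""

# Constructed: the same sites as purely name-based vhosts, so *:80 covers both families.
FIXED_DUMP = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
         port 80 namevhost nodez.org (/etc/apache2/sites-enabled/nodez.org.conf:1)
                 alias www.nodez.org
         port 80 namevhost x4.eec.de (/etc/apache2/sites-enabled/x4.eec.de.conf:1)
                 alias www.x4.eec.de
"""

LISTENER_RE = re.compile(r"^\[?([^\]\s]+)\]?:(\d+)\s+is a NameVirtualHost$")
IPBASED_RE = re.compile(r"^\[?([^\]\s]+)\]?:(\d+)\s+(\S+)\s+\(")
DEFAULT_RE = re.compile(r"^default server (\S+)")
NAMEVHOST_RE = re.compile(r"^port (\d+) namevhost (\S+)")
ALIAS_RE = re.compile(r"^alias (\S+)")


def parse_dump_vhosts(text):
    """Return {(address, port): {"default": servername, "vhosts": {servername: set(aliases)}}}."""
    listeners, current, last_vhost = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LISTENER_RE.match(line):
            current = (m.group(1), int(m.group(2)))
            listeners[current] = {"default": None, "vhosts": {}}
        elif m := IPBASED_RE.match(line):
            # A lone IP-based vhost answers every request on that socket,
            # whatever the Host header says, so it is also the default there.
            current, last_vhost = (m.group(1), int(m.group(2))), m.group(3)
            listeners[current] = {"default": last_vhost, "vhosts": {last_vhost: set()}}
        elif current and (m := DEFAULT_RE.match(line)):
            listeners[current]["default"] = m.group(1)
        elif current and (m := NAMEVHOST_RE.match(line)):
            last_vhost = m.group(2)
            listeners[current]["vhosts"].setdefault(last_vhost, set())
        elif current and last_vhost and (m := ALIAS_RE.match(line)):
            listeners[current]["vhosts"][last_vhost].add(m.group(1))
    return listeners


def families(address):
    """Address families a listener socket covers ('*' and _default_ cover both)."""
    if address in ("*", "_default_"):
        return ("IPv4", "IPv6")
    return ("IPv6",) if ":" in address else ("IPv4",)


def answering_vhost(listener, host):
    """The vhost Apache picks on this socket for a request with Host: host."""
    for name, aliases in listener["vhosts"].items():
        if host == name or host in aliases:
            return name
    return listener["default"]


def find_family_gaps(listeners):
    """List (hostname, port, family, answering_vhost) for every hostname whose
    request over that family lands in a vhost other than its owner, i.e. in a
    different DocumentRoot, where the ACME token is a 404."""
    by_port = {}
    for (address, port), listener in listeners.items():
        for fam in families(address):
            by_port.setdefault(port, {})[fam] = listener
    gaps = []
    for port, fams in sorted(by_port.items()):
        owner = {}                       # hostname -> ServerName of the vhost that serves it
        for listener in fams.values():
            for name, aliases in listener["vhosts"].items():
                owner[name] = name
                for alias in aliases:
                    owner[alias] = name
        for fam in sorted(fams):
            for host, name in sorted(owner.items()):
                answerer = answering_vhost(fams[fam], host)
                if answerer != name:
                    gaps.append((host, port, fam, answerer))
    return gaps


if __name__ == "__main__":
    import sys
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for host, port, fam, who in find_family_gaps(parse_dump_vhosts(dump)):
        print(f"{host}:{port} over {fam} is answered by vhost {who}")
```

Run as `sudo apache2ctl -t -D DUMP_VHOSTS | python3 vhost_gaps.py` (the file name is whatever you save it as). On the thread's dump it reports x4.eec.de and www.x4.eec.de on ports 80 and 443 over IPv6 as answered by nodez.org; after the posted fix (name-based `*:80` / `*:443` vhosts, or an IPv6 vhost for x4) it prints nothing. Aliases of a lone IP-based vhost are not shown by DUMP_VHOSTS, which is why the check compares the answering ServerName rather than requiring every alias to be listed on both families.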

Thank you for analyzing it and coming up with such great findings!

I am not intentionally using IP-based and name-based VirtualHosts, I guess that the server itself will be configured IP-based and the virtual domains will be configured name-based by Webmin/Virtualmin - but I will cross-check that.

I will do that and add IPv6 for the x4, so that the requests will go through.

DocumentRoot is different for x4 (/home/x4/public_html) and nodez.org (/home/nodez.org/public_html).

I am not sure whether Webmin/Virtualmin requires the server itself to be IP-based and the virtual hosts / virtual domains to be name-based, but I will also try to scrutinize this. I am glad that I have my old server x3 still running—I will peek there for some configuration files. :wink:

Thank you VERY MUCH so far!!! hugs

2 Likes

You were totally right, thank you so much!!!

I just added the missing IPv6 statements and the new certificate has been refreshed in the background and everything is working like a charm ... keep fingers crossed.

And as I currently have only the IP-based variant working, I will ask the Webmin/Virtualmin guys how to switch everything to name-based only.

Thank you very much again! I would (if ever) have searched for weeks and months to find this problem!

2 Likes