Certificate renewal failure Certbot failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: deadchristmas.com madisonandhart.com madparkgames.com

I ran this command: certbot -v renew --dry-run

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/deadchristmas.com.conf


Certificate not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Simulating renewal of an existing certificate for deadchristmas.com and www.deadchristmas.com

Performing the following challenges:

http-01 challenge for deadchristmas.com

http-01 challenge for www.deadchristmas.com

Waiting for verification...

Cleaning up challenges

Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/ntpsec


Processing /etc/letsencrypt/renewal/madisonandhart.com.conf


Certificate not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Simulating renewal of an existing certificate for madisonandhart.com and www.madisonandhart.com

Performing the following challenges:

http-01 challenge for madisonandhart.com

http-01 challenge for www.madisonandhart.com

Waiting for verification...

Challenge failed for domain www.madisonandhart.com

http-01 challenge for www.madisonandhart.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: www.madisonandhart.com

Type: unauthorized

Detail: 45.79.170.199: Invalid response from https://www.deadchristmas.com/.well-known/acme-challenge/q1PUWQI17IfSbjmaRdoCLMdvYUk-7Sgp4hXvT7bmSuY: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges

Failed to renew certificate madisonandhart.com with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/madparkgames.com.conf


Certificate not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator apache, Installer apache

Simulating renewal of an existing certificate for madparkgames.com and www.madparkgames.com

Performing the following challenges:

http-01 challenge for madparkgames.com

http-01 challenge for www.madparkgames.com

Waiting for verification...

Challenge failed for domain www.madparkgames.com

http-01 challenge for www.madparkgames.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: www.madparkgames.com

Type: unauthorized

Detail: 45.79.170.199: Invalid response from https://www.deadchristmas.com/.well-known/acme-challenge/M0mdkzh3L4iFSb3FZm2Iz2YjfeUhZMwg-juED8BoDF4: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges

Failed to renew certificate madparkgames.com with error: Some challenges have failed.


The following simulated renewals succeeded:

/etc/letsencrypt/live/deadchristmas.com/fullchain.pem (success)

The following simulated renewals failed:

/etc/letsencrypt/live/madisonandhart.com/fullchain.pem (failure)

/etc/letsencrypt/live/madparkgames.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.58

The operating system my web server runs on is (include version): Ubuntu 24.04.1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0

1 Like

Welcome @zaimon

A 404 error with the --apache option is usually something odd in the Apache config itself. And, since you are doing renew there was probably some kind of change since you last got a fresh cert.

Let's start by you showing us the output of this

sudo apache2ctl -t -D DUMP_VHOSTS
1 Like

apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:

45.79.170.199:443      is a NameVirtualHost
         default server deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:9)
         port 443 namevhost deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:9)
                 alias deadchristmas.com
                 alias www.deadchristmas.com
         port 443 namevhost madisonandhart.com (/etc/apache2/sites-enabled/madisonandhart.com.conf:9)
                 alias madisonandhart.com
                 alias www.madisonandhart.com
         port 443 namevhost madparkgames.com (/etc/apache2/sites-enabled/madparkgames.com.conf:8)
                 alias madparkgames.com
                 alias www.madparkgames.com
23.239.9.208:80        infacore.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                   is a NameVirtualHost
         default server deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:1)
         port 80 namevhost deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:1)
         port 80 namevhost madisonandhart.com (/etc/apache2/sites-enabled/madisonandhart.com.conf:1)
         port 80 namevhost madparkgames.com (/etc/apache2/sites-enabled/madparkgames.com.conf:1)
*:8080                 vhost1 (/etc/apache2/sites-enabled/virt-hosts.conf:1)

Looks like you are missing a ServerAlias for the www subdomain for these two (and deadchristmas).

If so, the www subdomains all get handled by Apache default config which is deadchristmas. Which is why the www for that works.

If you are not sure what I am describing please show contents of one of these two config files.

1 Like

I have included ServerAlias. Is it in the wrong location?

<VirtualHost *:80>
   ServerName madisonandhart.com
   #RewriteEngine On
   #RewriteCond %{HTTP_HOST} !^www\. [NC]
   #RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
   Redirect permanent / https://www.madisonandhart.com/
</VirtualHost>

<VirtualHost 45.79.170.199:443>
        ServerName madisonandhart.com
        ServerAlias madisonandhart.com  www.madisonandhart.com
        DocumentRoot /var/www/public_html/www.madisonandhart.com/html/

        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php8.3-fpm.sock|fcgi://localhost"
        </FilesMatch>

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/madisonandhart.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/madisonandhart.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        <Directory "/var/www/public_html/www/madisonandhart.com/html">
                Options -Indexes +FollowSymLinks +MultiViews
                Require all granted
                AllowOverride All
        </Directory>
</VirtualHost>

<VirtualHost *:80>
   ServerName madparkgames.com
   RewriteEngine On
   RewriteCond %{HTTP_HOST} !^www\. [NC]
   RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost 45.79.170.199:443>
        ServerName madparkgames.com
        ServerAlias madparkgames.com www.madparkgames.com
        DocumentRoot /var/www/public_html/www.madparkgames.com/html/

        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^www\. [NC]
        RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/madparkgames.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/madparkgames.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf


        <Directory "/var/www/public_html/www.madparkgames.com/html">
                 Options -Indexes +FollowSymLinks +MultiViews
                 Require all granted
                 AllowOverride All
        </Directory>
</VirtualHost>

Well, yes and no. You need the same list of names in your VirtualHost for port 80 as you do for port 443.

And, you don't need to repeat the ServerName domain in the ServerAlias. And, I recommend removing the IP address from your port 443 VirtualHost. If you don't need it for port 80 you don't need it for port 443 either (and systems rarely ever need this).

So, this

<VirtualHost 45.79.170.199:443>
        ServerName madisonandhart.com
        ServerAlias madisonandhart.com  www.madisonandhart.com

is better as below. And do a similar update to the other two port 443 VirtualHosts:

<VirtualHost *:443>
        ServerName madisonandhart.com
        ServerAlias www.madisonandhart.com

Then, in the port 80 VirtualHost, add the same two matching lines in each respective VirtualHost. That is, not just ServerName like you have today, but ServerName and ServerAlias.

As example, this

<VirtualHost *:80>
   ServerName madisonandhart.com

should look like:

<VirtualHost *:80>
        ServerName madisonandhart.com
        ServerAlias www.madisonandhart.com
2 Likes
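The routing mistake behind the 404 can be checked mechanically from the DUMP_VHOSTS output before touching any config. The script below is an added example written for this thread, not Certbot's or Apache's own code: it parses the dump, applies a simplified model of Apache's request routing (an exact-IP VirtualHost group beats a `*` group, then the first vhost whose ServerName or alias matches the Host header, otherwise the group's first vhost as default), and lists every hostname that a :443 vhost serves by name but that a plain-HTTP request, which is what the CA's http-01 probe is, would land in a different vhost. On the dump posted above it flags `www.madisonandhart.com` and `www.madparkgames.com` as falling through to the `deadchristmas.com` default on port 80, which is consistent with the CA being answered from `https://www.deadchristmas.com/...`. The `FIXED` input is a constructed variant of the same dump as it would look after the ServerAlias changes suggested in this answer.

```python
"""Added example (not from the thread): parse `apache2ctl -t -D DUMP_VHOSTS`
output and flag hostnames that a :443 VirtualHost serves by name but that a
plain-HTTP request (the http-01 challenge) would route to a different
VirtualHost. The routing model is a simplification and an assumption of this
example: exact-IP vhosts beat "*" ones, then first name match, else the
group's first (default) vhost."""
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    addr: str
    port: int
    server_name: str
    conf: str
    aliases: list = field(default_factory=list)

    def names(self):
        return [self.server_name] + self.aliases


_GROUP = re.compile(r"^(\S+):(\d+)\s+(.*)$")      # unindented "addr:port ..." line
_NAMEVHOST = re.compile(r"^port \d+ namevhost (\S+) \((.*)\)$")
_SINGLE = re.compile(r"^(\S+) \((.*)\)$")
_ALIAS = re.compile(r"^alias (\S+)$")


def parse_dump_vhosts(text):
    """Return the VirtualHosts in the order Apache lists them (first = default)."""
    vhosts, addr, port = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _GROUP.match(raw)
        if m and not raw[:1].isspace():
            addr, port, rest = m.group(1), int(m.group(2)), m.group(3).strip()
            if rest != "is a NameVirtualHost":   # a lone, non-name-based vhost
                s = _SINGLE.match(rest)
                vhosts.append(VHost(addr, port, s.group(1), s.group(2)))
        elif m := _NAMEVHOST.match(line):
            vhosts.append(VHost(addr, port, m.group(1), m.group(2)))
        elif m := _ALIAS.match(line):
            vhosts[-1].aliases.append(m.group(1))
        # "default server" lines are skipped: the default is the group's first vhost.
    return vhosts


def select_vhost(vhosts, ip, port, host):
    """VirtualHost that would answer a request to ip:port carrying Host: host."""
    group = [v for v in vhosts if v.port == port and v.addr == ip]
    if not group:
        group = [v for v in vhosts if v.port == port and v.addr == "*"]
    if not group:
        return None
    for v in group:
        if host.lower() in (n.lower() for n in v.names()):
            return v
    return group[0]   # no name matched: falls back to the group's default vhost


def find_mismatches(vhosts, ip):
    """(host, :80 vhost, :443 vhost) for names whose http-01 probe hits the wrong vhost."""
    tls_names = sorted({n for v in vhosts if v.port == 443 for n in v.names()})
    problems = []
    for name in tls_names:
        v80, v443 = select_vhost(vhosts, ip, 80, name), select_vhost(vhosts, ip, 443, name)
        if v80 and v443 and v80.server_name != v443.server_name:
            problems.append((name, v80.server_name, v443.server_name))
    return problems


# The DUMP_VHOSTS output posted earlier in this thread.
SAMPLE = """VirtualHost configuration:
45.79.170.199:443      is a NameVirtualHost
         default server deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:9)
         port 443 namevhost deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:9)
                 alias deadchristmas.com
                 alias www.deadchristmas.com
         port 443 namevhost madisonandhart.com (/etc/apache2/sites-enabled/madisonandhart.com.conf:9)
                 alias madisonandhart.com
                 alias www.madisonandhart.com
         port 443 namevhost madparkgames.com (/etc/apache2/sites-enabled/madparkgames.com.conf:8)
                 alias madparkgames.com
                 alias www.madparkgames.com
23.239.9.208:80        infacore.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                   is a NameVirtualHost
         default server deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:1)
         port 80 namevhost deadchristmas.com (/etc/apache2/sites-enabled/deadchristmas.com.conf:1)
         port 80 namevhost madisonandhart.com (/etc/apache2/sites-enabled/madisonandhart.com.conf:1)
         port 80 namevhost madparkgames.com (/etc/apache2/sites-enabled/madparkgames.com.conf:1)
*:8080                 vhost1 (/etc/apache2/sites-enabled/virt-hosts.conf:1)
"""

# Constructed: the same dump as it would look after the suggested fix
# (ServerAlias www.<name> added to each :80 vhost, IP dropped from :443).
FIXED = re.sub(r"(port 80 namevhost (\S+) \(.*\)\n)", r"\1                 alias www.\2\n",
               SAMPLE.replace("45.79.170.199:443", "*:443"))

if __name__ == "__main__":
    for host, v80, v443 in find_mismatches(parse_dump_vhosts(SAMPLE), "45.79.170.199"):
        print(f"{host}: :80 -> {v80}, :443 -> {v443}  (http-01 lands in the wrong vhost)")
    print("after fix:", find_mismatches(parse_dump_vhosts(FIXED), "45.79.170.199"))
```

Run it against your own `sudo apache2ctl -t -D DUMP_VHOSTS` output, passing the public IP the CA connects to; an empty result means every name on a :443 vhost reaches the same vhost over plain HTTP, which is the condition the apache authenticator relies on when it injects the challenge path.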

Got it! I will give it a try and let you know the results.

1 Like

Worked! Thank you!

1 Like