Challenge failed 400 Bad Request

My domain is sesulabayresort.com
I ran certbot --apache

It produced this output:

Cert is due for renewal, auto-renewing...
Renewing an existing certificate for sesulabayresort.com
Performing the following challenges:
http-01 challenge for sesulabayresort.com
Waiting for verification...
Challenge failed for domain sesulabayresort.com
http-01 challenge for sesulabayresort.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sesulabayresort.com
   Type:   unauthorized
   Detail: Invalid response from
   http://sesulabayresort.com/.well-known/acme-challenge/9El0ymOGizhWfxwuS35r1o-_4w_UFS2nZ9ciBs_-zUQ
   [78.46.72.120]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>400 Bad
   Request</title>\n</head><body>\n<h1>Bad Request</h1"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is Ubuntu 20.04.1
My hosting provider is Hetzner

I can login to a root shell on my machine

I'm using Webmin control panel to manage my site

The version of my client is 1.15.0

I was setting up a .app domain on the server that needed HSTS; after that, no other domain can do certbot renewals. The 400 Bad Request pops up.
Any clues? And what config is relevant to show
Thank you very much


Hi @Bralemili, and welcome to the LE community forum :slight_smile:

I'm a bit confused on how HSTS is breaking certbot renewals...

Let's please start by showing us the output of:
apachectl -S

[and then we can go from there to reviewing the file which controls http://sesulabayresort.com/ and then placing a test file in the webroot and in the expected challenge folder]

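The "test file in the expected challenge folder" step above can be scripted so it exercises exactly what Let's Encrypt does: a plain-HTTP GET to port 80 on each published address, with the Host header set to the domain. The script below is an added example, not certbot's code and not from this thread. It assumes the webroot path and the IPs are passed on the command line; the 400 body it recognises is the one Apache returned in the original post.

```python
"""Local http-01 reachability check for an Apache host.

Added example (not certbot's code). Assumes the webroot path and the
server's IPs are passed on the command line; the 400 body below is the
one quoted in the thread, embedded here as a constructed sample.
"""
import http.client
import os
import secrets
import sys

CHALLENGE_DIR = ".well-known/acme-challenge"
PLAIN_HTTP_ON_TLS = "speaking plain HTTP to an SSL-enabled server port"

# Constructed sample: the body Apache sends when SSLEngine is on for the port.
SAMPLE_400_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    "<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />\n"
    "Instead use the HTTPS scheme to access this URL, please.<br />\n</p>\n"
    "</body></html>\n"
)


def classify(status, body, expected=None):
    """Map an HTTP response to the usual http-01 failure modes."""
    if status == 400 and PLAIN_HTTP_ON_TLS in body:
        return "tls-on-plain-port"   # SSLEngine on is in effect for :80
    if 300 <= status < 400:
        return "redirect"            # the CA follows these; check the target separately
    if status == 404:
        return "not-found"           # wrong DocumentRoot, or another vhost answered
    if status == 200:
        if expected is None or body.strip() == expected:
            return "ok"
        return "wrong-content"       # 200 from some other site's index page, for example
    return "other"


def probe(ip, host, token, timeout=10):
    """GET the token over plain HTTP from one address, Host set as the CA would."""
    path = f"/{CHALLENGE_DIR}/{token}"
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "http01-selfcheck"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def write_token(webroot):
    """Create the challenge directory and a random token file; returns (token, path)."""
    token = secrets.token_urlsafe(32)
    dirpath = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(dirpath, exist_ok=True)
    path = os.path.join(dirpath, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def main(argv):
    if len(argv) < 4:
        print("usage: http01_check.py HOST WEBROOT IP [IP ...]", file=sys.stderr)
        return 2
    host, webroot, ips = argv[1], argv[2], argv[3:]
    token, path = write_token(webroot)
    rc = 0
    try:
        for ip in ips:
            try:
                status, body = probe(ip, host, token)
            except OSError as exc:
                print(f"{ip}: connect failed ({exc})")   # e.g. an unreachable AAAA address
                rc = 1
                continue
            verdict = classify(status, body, expected=token)
            print(f"{ip}: HTTP {status} -> {verdict}")
            if verdict != "ok":
                rc = 1
    finally:
        os.remove(path)   # never leave stray files under .well-known
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the server with the vhost's DocumentRoot and both published addresses, e.g. `python3 http01_check.py sesulabayresort.com /path/to/webroot 78.46.72.120 2a01:4f8:120:5026::2` (the webroot path is whatever the vhost's DocumentRoot is; it is not stated in the thread). A "tls-on-plain-port" verdict on port 80 means SSLEngine is in effect for that listener, which no certbot webroot or apache plugin can work around.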

Here's the result of my trying to get to his domain - plain HTTP to the HTTPS port.

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.41 (Ubuntu) Server at admin.barberino.xyz Port 80


Your current LE cert had expired on 26 April, 2021. However... I also see the server reply is from admin.barberino.xyz (cool photo on barberino.xyz :sunglasses:). You're not trying to go through the barberino.xyz server for the cert for sesulabayresort.com, are you?


Thank you very much for your fast reply and help!
Since I couldn't make the HSTS domain work (the .app domain has strict HSTS, cannot work on 80), I was going through the config and might have changed something. All I know is that after that .app domain worked, certbot couldn't do its thing on port 80.

VirtualHost configuration:
[2a01:4f8:120:5026::2]:80 is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.iturizam.hr (/etc/apache2/sites-enabled/admin.iturizam.hr.conf:1)
         port 80 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:1)
                 alias www.adriaticwaves.com
         port 80 namevhost apt-katarina.com (/etc/apache2/sites-enabled/apt-katarina.com.conf:1)
         port 80 namevhost barberino.xyz (/etc/apache2/sites-enabled/barberino.xyz.conf:1)
                 alias wwww.barberino.xyz
         port 80 namevhost cromag.tv (/etc/apache2/sites-enabled/cromag.conf:1)
                 alias www.cromag.tv
         port 80 namevhost feg.adriaticwaves.com (/etc/apache2/sites-enabled/feg.adriaticwaves.com.conf:1)
         port 80 namevhost fegswap.com (/etc/apache2/sites-enabled/fegswap.com.conf:1)
         port 80 namevhost fegtrack.app (/etc/apache2/sites-enabled/fegtrack.app.conf:1)
                 alias www.fegtrack.app
         port 80 namevhost filip.homeadriatic.com (/etc/apache2/sites-enabled/filip.homeadriatic.com.conf:1)
         port 80 namevhost homeadriatic.com (/etc/apache2/sites-enabled/homeadriatic.com.conf:1)
                 alias www.homeadriatic.com
         port 80 namevhost iturizam.hr (/etc/apache2/sites-enabled/iturizam.hr.conf:1)
                 alias www.iturizam.hr
         port 80 namevhost nevera.hr (/etc/apache2/sites-enabled/nevera.hr.conf:1)
                 alias www.nevera.hr
         port 80 namevhost rovinjvillas.com (/etc/apache2/sites-enabled/rovinjvillas.com.conf:1)
         port 80 namevhost static.adriaticwaves.com (/etc/apache2/sites-enabled/static.adriaticwaves.com.conf:1)
         port 80 namevhost static.iturizam.hr (/etc/apache2/sites-enabled/static.iturizam.hr.conf:1)
         port 80 namevhost templates.adriaticwaves.com (/etc/apache2/sites-enabled/templates.adriaticwaves.com.conf:1)
         port 80 namevhost villa-golubica.com (/etc/apache2/sites-enabled/villa-golubica.com.conf:1)
                 alias www.villa-golubica.com
         port 80 namevhost villajulia-brac.com (/etc/apache2/sites-enabled/villajulia-brac.com.conf:1)
                 alias www.villajulia-brac.com
         port 80 namevhost villamrovinj.com (/etc/apache2/sites-enabled/villamrovinj.com.conf:1)
                 alias www.villamrovinj.com
[2a01:4f8:120:5026::2]:443 is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost admin.iturizam.hr (/etc/apache2/sites-enabled/admin.iturizam.hr.conf:12)
         port 443 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:11)
                 alias www.adriaticwaves.com
         port 443 namevhost apt-katarina.com (/etc/apache2/sites-enabled/apt-katarina.com.conf:10)
         port 443 namevhost barberino.xyz (/etc/apache2/sites-enabled/barberino.xyz.conf:13)
                 alias www.barberino.xyz
         port 443 namevhost cromag.tv (/etc/apache2/sites-enabled/cromag.conf:13)
                 alias www.cromag.tv
         port 443 namevhost fegswap.com (/etc/apache2/sites-enabled/fegswap.com.conf:10)
         port 443 namevhost fegtrack.app (/etc/apache2/sites-enabled/fegtrack.app.conf:13)
                 alias www.fegtrack.app
         port 443 namevhost filip.homeadriatic.com (/etc/apache2/sites-enabled/filip.homeadriatic.com.conf:12)
         port 443 namevhost homeadriatic.com (/etc/apache2/sites-enabled/homeadriatic.com.conf:13)
                 alias www.homeadriatic.com
         port 443 namevhost iturizam.hr (/etc/apache2/sites-enabled/iturizam.hr.conf:13)
                 alias www.iturizam.hr
         port 443 namevhost nevera.hr (/etc/apache2/sites-enabled/nevera.hr.conf:13)
                 alias www.nevera.hr
         port 443 namevhost static.adriaticwaves.com (/etc/apache2/sites-enabled/static.adriaticwaves.com.conf:12)
         port 443 namevhost static.iturizam.hr (/etc/apache2/sites-enabled/static.iturizam.hr.conf:12)
         port 443 namevhost templates.adriaticwaves.com (/etc/apache2/sites-enabled/templates.adriaticwaves.com.conf:12)
         port 443 namevhost villa-golubica.com (/etc/apache2/sites-enabled/villa-golubica.com.conf:13)
                 alias www.villa-golubica.com
         port 443 namevhost villajulia-brac.com (/etc/apache2/sites-enabled/villajulia-brac.com.conf:13)
                 alias www.villajulia-brac.com
         port 443 namevhost villamrovinj.com (/etc/apache2/sites-enabled/villamrovinj.com.conf:13)
                 alias www.villamrovinj.com
         port 443 namevhost feg.adriaticwaves.com (/etc/apache2/sites-enabled/webmin.1612718826.conf:1)
78.46.72.120:80        is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.iturizam.hr (/etc/apache2/sites-enabled/admin.iturizam.hr.conf:1)
         port 80 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:1)
                 alias www.adriaticwaves.com
         port 80 namevhost apt-katarina.com (/etc/apache2/sites-enabled/apt-katarina.com.conf:1)
         port 80 namevhost barberino.xyz (/etc/apache2/sites-enabled/barberino.xyz.conf:1)
                 alias wwww.barberino.xyz
         port 80 namevhost cromag.tv (/etc/apache2/sites-enabled/cromag.conf:1)
                 alias www.cromag.tv
         port 80 namevhost feg.adriaticwaves.com (/etc/apache2/sites-enabled/feg.adriaticwaves.com.conf:1)
         port 80 namevhost fegswap.com (/etc/apache2/sites-enabled/fegswap.com.conf:1)
         port 80 namevhost fegtrack.app (/etc/apache2/sites-enabled/fegtrack.app.conf:1)
                 alias www.fegtrack.app
         port 80 namevhost filip.homeadriatic.com (/etc/apache2/sites-enabled/filip.homeadriatic.com.conf:1)
         port 80 namevhost homeadriatic.com (/etc/apache2/sites-enabled/homeadriatic.com.conf:1)
                 alias www.homeadriatic.com
         port 80 namevhost iturizam.hr (/etc/apache2/sites-enabled/iturizam.hr.conf:1)
                 alias www.iturizam.hr
         port 80 namevhost nevera.hr (/etc/apache2/sites-enabled/nevera.hr.conf:1)
                 alias www.nevera.hr
         port 80 namevhost rovinjvillas.com (/etc/apache2/sites-enabled/rovinjvillas.com.conf:1)
         port 80 namevhost sesulabayresort.com (/etc/apache2/sites-enabled/sesulabayresort.com.conf:1)
                 alias www.sesulabayresort.com
         port 80 namevhost static.adriaticwaves.com (/etc/apache2/sites-enabled/static.adriaticwaves.com.conf:1)
         port 80 namevhost static.iturizam.hr (/etc/apache2/sites-enabled/static.iturizam.hr.conf:1)
         port 80 namevhost stomorskabaystudios.com (/etc/apache2/sites-enabled/stomorskabaystudios.com.conf:1)
                 alias www.stomorskabaystudios.com
         port 80 namevhost templates.adriaticwaves.com (/etc/apache2/sites-enabled/templates.adriaticwaves.com.conf:1)
         port 80 namevhost vertebra.hr (/etc/apache2/sites-enabled/vertebra.hr.conf:1)
                 alias www.vertebra.hr
         port 80 namevhost villa-drvenik.com (/etc/apache2/sites-enabled/villa-drvenik.com.conf:1)
         port 80 namevhost villa-golubica.com (/etc/apache2/sites-enabled/villa-golubica.com.conf:1)
                 alias www.villa-golubica.com
         port 80 namevhost villa-mileana.com (/etc/apache2/sites-enabled/villa-mileana.com.conf:1)
                 alias www.villa-mileana.com
         port 80 namevhost villajulia-brac.com (/etc/apache2/sites-enabled/villajulia-brac.com.conf:1)
                 alias www.villajulia-brac.com
         port 80 namevhost villamrovinj.com (/etc/apache2/sites-enabled/villamrovinj.com.conf:1)
                 alias www.villamrovinj.com
78.46.72.120:443       is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost admin.iturizam.hr (/etc/apache2/sites-enabled/admin.iturizam.hr.conf:12)
         port 443 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:11)
                 alias www.adriaticwaves.com
         port 443 namevhost apt-katarina.com (/etc/apache2/sites-enabled/apt-katarina.com.conf:10)
         port 443 namevhost barberino.xyz (/etc/apache2/sites-enabled/barberino.xyz.conf:13)
                 alias www.barberino.xyz
         port 443 namevhost cromag.tv (/etc/apache2/sites-enabled/cromag.conf:13)
                 alias www.cromag.tv
         port 443 namevhost fegswap.com (/etc/apache2/sites-enabled/fegswap.com.conf:10)
         port 443 namevhost fegtrack.app (/etc/apache2/sites-enabled/fegtrack.app.conf:13)
                 alias www.fegtrack.app
         port 443 namevhost filip.homeadriatic.com (/etc/apache2/sites-enabled/filip.homeadriatic.com.conf:12)
         port 443 namevhost homeadriatic.com (/etc/apache2/sites-enabled/homeadriatic.com.conf:13)
                 alias www.homeadriatic.com
         port 443 namevhost iturizam.hr (/etc/apache2/sites-enabled/iturizam.hr.conf:13)
                 alias www.iturizam.hr
         port 443 namevhost nevera.hr (/etc/apache2/sites-enabled/nevera.hr.conf:13)
                 alias www.nevera.hr
         port 443 namevhost sesulabayresort.com (/etc/apache2/sites-enabled/sesulabayresort.com.conf:13)
                 alias www.sesulabayresort.com
         port 443 namevhost static.adriaticwaves.com (/etc/apache2/sites-enabled/static.adriaticwaves.com.conf:12)
         port 443 namevhost static.iturizam.hr (/etc/apache2/sites-enabled/static.iturizam.hr.conf:12)
         port 443 namevhost stomorskabaystudios.com (/etc/apache2/sites-enabled/stomorskabaystudios.com.conf:13)
                 alias www.stomorskabaystudios.com
         port 443 namevhost templates.adriaticwaves.com (/etc/apache2/sites-enabled/templates.adriaticwaves.com.conf:12)
         port 443 namevhost vertebra.hr (/etc/apache2/sites-enabled/vertebra.hr.conf:13)
                 alias www.vertebra.hr
         port 443 namevhost villa-drvenik.com (/etc/apache2/sites-enabled/villa-drvenik.com.conf:10)
         port 443 namevhost villa-golubica.com (/etc/apache2/sites-enabled/villa-golubica.com.conf:13)
                 alias www.villa-golubica.com
         port 443 namevhost villa-mileana.com (/etc/apache2/sites-enabled/villa-mileana.com.conf:13)
                 alias www.villa-mileana.com
         port 443 namevhost villajulia-brac.com (/etc/apache2/sites-enabled/villajulia-brac.com.conf:13)
                 alias www.villajulia-brac.com
         port 443 namevhost villamrovinj.com (/etc/apache2/sites-enabled/villamrovinj.com.conf:13)
                 alias www.villamrovinj.com
         port 443 namevhost feg.adriaticwaves.com (/etc/apache2/sites-enabled/webmin.1612718826.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
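One thing the dump above makes visible only if you read all four listener blocks: sesulabayresort.com (and its www alias) is listed under 78.46.72.120:80 and 78.46.72.120:443 but under neither of the [2a01:4f8:120:5026::2] listeners, while every listener's default server is admin.barberino.xyz. The script below is an added example (not part of the thread, not certbot or Apache code) that parses apachectl -S output and reports, per name, which listeners on the same port do not serve it, plus the default vhost per listener. The embedded sample is a shortened copy of the dump in this post.

```python
"""Report vhost coverage per listener from `apachectl -S` output.

Added example. Parses the text format shown in the thread; the SAMPLE_DUMP
is a shortened, constructed excerpt of the dump posted above.
"""
import re
import sys
from collections import defaultdict

LISTENER_RE = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
DEFAULT_RE = re.compile(r"^\s*default server (\S+)")
NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")

SAMPLE_DUMP = """VirtualHost configuration:
[2a01:4f8:120:5026::2]:80 is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:1)
                 alias www.adriaticwaves.com
[2a01:4f8:120:5026::2]:443 is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:11)
                 alias www.adriaticwaves.com
78.46.72.120:80        is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:1)
                 alias www.adriaticwaves.com
         port 80 namevhost sesulabayresort.com (/etc/apache2/sites-enabled/sesulabayresort.com.conf:1)
                 alias www.sesulabayresort.com
78.46.72.120:443       is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:12)
         port 443 namevhost adriaticwaves.com (/etc/apache2/sites-enabled/adriaticwaves.com.conf:11)
                 alias www.adriaticwaves.com
         port 443 namevhost sesulabayresort.com (/etc/apache2/sites-enabled/sesulabayresort.com.conf:13)
                 alias www.sesulabayresort.com
ServerRoot: "/etc/apache2"
"""


def parse_vhost_dump(text):
    """Return {"listeners": {addr:port -> {default, names}}, "names": {name -> set(listeners)}}."""
    listeners = {}
    names = defaultdict(set)      # ServerName and ServerAlias entries alike
    current = None
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            current = m.group(1)
            listeners[current] = {"default": None, "names": {}}
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if m:
            listeners[current]["default"] = m.group(1)
            continue
        m = NAMEVHOST_RE.match(line)
        if m:
            name, conf = m.group(2), f"{m.group(3)}:{m.group(4)}"
            listeners[current]["names"][name] = conf
            names[name].add(current)
            continue
        m = ALIAS_RE.match(line)
        if m:
            names[m.group(1)].add(current)
    return {"listeners": listeners, "names": dict(names)}


def missing_listeners(parsed):
    """For each name, the listeners on a port it uses that do not serve it (e.g. the IPv6 side)."""
    port_of = lambda listener: listener.rsplit(":", 1)[1]
    by_port = defaultdict(set)
    for listener in parsed["listeners"]:
        by_port[port_of(listener)].add(listener)
    gaps = {}
    for name, served in parsed["names"].items():
        missing = set()
        for port in {port_of(l) for l in served}:
            missing |= by_port[port] - served
        if missing:
            gaps[name] = sorted(missing)
    return gaps


def default_servers(parsed):
    """Which vhost answers on each listener when no ServerName/ServerAlias matches."""
    return {l: v["default"] for l, v in parsed["listeners"].items()}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    parsed = parse_vhost_dump(text)
    for listener, default in default_servers(parsed).items():
        print(f"{listener}: default server {default}")
    for name, gaps in sorted(missing_listeners(parsed).items()):
        print(f"{name}: not served on {', '.join(gaps)}")
```

Feed it the real output with `apachectl -S 2>&1 | python3 vhost_coverage.py`; with no input it runs on the embedded sample. A name that appears under the IPv4 listener but not the IPv6 one will get the IPv6 default server's answer when the CA validates over AAAA, which is why the reply in this thread came from admin.barberino.xyz rather than from the sesulabayresort.com vhost.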

Yeah, but when I go through all Vhosts or any other config, I cannot find what could cause this redirect. That is not the server hostname TLD or anything else; it is just an addon domain like many others (the barberino.xyz one). The photo is from a friend, I will let him know you like it :smiley:


My post is being reviewed. I hope they let it go :slight_smile: If not, I just want to say thank you for your fast reply and for helping out :slight_smile: Both of you guys, I was losing it already :smiley:


Hi @Bralemili

there is a check of your domain, some hours old - https://check-your-website.server-daten.de/?q=sesulabayresort.com - there you see the problem:

Port 80 has a Bad Request.

So port 80 is checked with https. And the answer:

https://sesulabayresort.com:80/
78.46.72.120
	302
	https://sesulabayresort.com
Html is minified: 100,00 %	2.487
	Q
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Visible Content: Found 
The document has moved here . Apache/2.4.41 (Ubuntu) Server 
at sesulabayresort.com Port 443

• https://www.sesulabayresort.com:80/
78.46.72.120
	302
	https://sesulabayresort.com
Html is minified: 100,00 %	2.324
	Q
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Visible Content: Found 
The document has moved here . Apache/2.4.41 (Ubuntu) Server 
at www.sesulabayresort.com Port 443

You see: Port 80 is checked, but port 443 answers -> so you have a wrong port forwarding

port 80 extern -> port 443 intern.


Thank you very much for this information!
I was having issues installing the cert for the strict HSTS .app domain and I probably wanted to force HTTPS somewhere; I really don't know where to check now, as most things I've checked are OK.
I do have a redirect in the domain:80 .config from http to https, but that shouldn't bother certbot, as it was working before.
Can I give any other info or config to check?
P.S. - Sorry for the 3 posts, they were set for verification so I mistakenly posted 3 times - deleted


Can we have a look at this file?:
/etc/apache2/sites-enabled/sesulabayresort.com.conf


Please read your output. Connecting to port 80, your port 443 answers.

So you have a wrong port forwarding -> change that.

<VirtualHost adriaticwaves.com:80>
DocumentRoot "/var/www/adriaticwaves"
ServerName adriaticwaves.com
ServerAlias www.adriaticwaves.com
<Directory "/var/www/adriaticwaves">
allow from all
Options None
Require all granted
</Directory>
</VirtualHost>
<VirtualHost adriaticwaves.com:443>
DocumentRoot "/var/www/adriaticwaves"
ServerName adriaticwaves.com
ServerAlias www.adriaticwaves.com
<Directory "/var/www/adriaticwaves">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.adriaticwaves\.com [NC]
RewriteRule ^(.*)$ https://adriaticwaves.com/$1 [L,R=301]
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/adriaticwaves.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/adriaticwaves.com/privkey.pem
</VirtualHost>

The domain resolves to both IPv4 and IPv6 addresses:

Name:      adriaticwaves.com
Addresses: 2a01:4f8:120:5026::2
           78.46.72.120
Aliases:   www.adriaticwaves.com

I think there is a problem with the IPv6 side of things.


Thanks, I will try to check the settings there. Could just removing the IPv6 from DNS fix the issue? Does certbot need IPv6?


Yes and no - see https://check-your-website.server-daten.de/?q=adriaticwaves.com#url-checks

Domainname / Http-Status / redirect / Sec. / G

http://adriaticwaves.com/   78.46.72.120          400   Html is minified: 100,22 %   0.040   M
  Bad Request
http://adriaticwaves.com/   2a01:4f8:120:5026::2  -2                                 1.057   V
  ConnectFailure - Unable to connect to the remote server

Your ipv6 doesn't work, that's fatal.

Removing ipv6 resolves that problem.

But with that domain your ipv4 + http has the Bad Request - http status 400 again.

Bad Request
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.41 (Ubuntu) Server at admin.barberino.xyz Port 80

Again your port 80 is a https port, so creating a certificate via http validation will not work.


PS: Why is your configuration so completely buggy?

See

https://httpd.apache.org/docs/2.4/vhosts/examples.html

there is no such configuration as <VirtualHost domainname:port> anywhere.

Use * to catch all ip addresses. Your domain name isn't a valid ip address.

So these vHosts aren't used.


While the examples you link don't use such a scheme, it actually is allowed. See <VirtualHost> Directive:

(…)
Syntax: <VirtualHost addr[:port] [addr[:port]] ...> ... </VirtualHost>
(…)
Addr can be any of the following, optionally followed by a colon and a port number (or *):

  • The IP address of the virtual host;
  • A fully qualified domain name for the IP address of the virtual host (not recommended);
  • The character * , which acts as a wildcard and matches any IP address.
  • The string _default_ , which is an alias for *

While not recommended, it's not an illegal syntax.


Basically, I was not adding these domains in this manner myself; it was the Apache server module doing it automatically on vhost creation. But if it worked before, I don't think changing it will resolve my situation now.
I turned off IPv6 last night, I let it resolve until today.
I will continue with some changes today and see if I get a solution
Thank you all for support!! Much appreciated!


I've deleted my previous post as I found the solution :slight_smile:
One of the domains added as a vHost was actually pushing its config into the global config, so the forced HTTPS was affecting all websites. I still don't know why or how creating a vhost could do this; probably my error.

I found this in WebMin by going to Apache and selecting the top server "Any" (or global) and looked into the "Show directives" where it shows how the config looks globally before start.

Thank you all very much, you found some errors I probably wouldn't :slight_smile:

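The Webmin "Show directives" view used above is doing one specific thing: showing what sits at global scope, outside every <VirtualHost>. The same check from a root shell, as an added example (not from the thread, not Webmin's or Apache's code): walk the Debian/Ubuntu config starting at apache2.conf, follow global Include/IncludeOptional lines, and report any SSLEngine, Redirect*, RewriteRule/RewriteCond or Strict-Transport-Security header that is not enclosed in a <VirtualHost>. Those are exactly the directives that, at global scope, turn every port-80 vhost into the "plain HTTP to an SSL-enabled server port" failure seen here. The two embedded config samples are constructed to show the broken and the correct layout; the example.test name in them is a placeholder.

```python
"""Find TLS and redirect directives that sit outside any <VirtualHost>.

Added example. Assumes the Debian/Ubuntu layout under /etc/apache2 for the
live scan; the two samples below are constructed, with example.test as a
placeholder name.
"""
import glob
import os
import re
import sys

# Directives that change behaviour for every vhost when they land at global scope.
SUSPECT = re.compile(
    r"^(SSLEngine|Redirect(?:Match|Permanent|Temp)?|RewriteRule|RewriteCond|"
    r"Header\s+(?:always\s+)?set\s+Strict-Transport-Security)\b", re.I)
OPEN_VHOST = re.compile(r"^<VirtualHost\b", re.I)
CLOSE_VHOST = re.compile(r"^</VirtualHost>", re.I)
INCLUDE = re.compile(r"^Include(?:Optional)?\s+(\S+)", re.I)

# Constructed: directives pasted above the <VirtualHost> block land in global scope.
SAMPLE_BAD = """SSLEngine on
RewriteEngine On
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example
</VirtualHost>
"""

# Constructed: the same intent, scoped correctly, with the ACME path left on plain HTTP.
SAMPLE_GOOD = """<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /var/www/example
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
"""


def scan_text(text, origin="<inline>"):
    """Scan one config body.

    Returns (findings, includes): findings are (origin, lineno, directive)
    tuples at global scope; includes are Include targets seen at global scope
    (an Include inside a vhost stays scoped to that vhost and is not followed).
    """
    findings, includes, depth = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if OPEN_VHOST.match(line):
            depth += 1
        elif CLOSE_VHOST.match(line):
            depth = max(depth - 1, 0)
        elif depth == 0:
            m = INCLUDE.match(line)
            if m:
                includes.append(m.group(1))
            elif SUSPECT.match(line):
                findings.append((origin, lineno, line))
    return findings, includes


def scan_file(path, server_root="/etc/apache2", seen=None):
    """Scan a file or glob, following global Include lines relative to ServerRoot."""
    seen = set() if seen is None else seen
    if not os.path.isabs(path):
        path = os.path.join(server_root, path)
    findings = []
    for match in sorted(glob.glob(path)):
        if os.path.isdir(match) or match in seen:
            continue
        seen.add(match)
        with open(match, encoding="utf-8", errors="replace") as fh:
            found, includes = scan_text(fh.read(), match)
        findings += found
        for inc in includes:
            findings += scan_file(inc, server_root, seen)
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/apache2"
    for origin, lineno, directive in scan_file("apache2.conf", root):
        print(f"{origin}:{lineno}: global-scope {directive}")
```

Run as root with no arguments on the server; every line it prints is a directive that applies to all vhosts, including the port-80 ones certbot needs. The SAMPLE_GOOD layout also shows the usual shape of an HTTP-to-HTTPS redirect that keeps http-01 working: the RewriteCond exempts /.well-known/acme-challenge/ so the token is served over plain HTTP even though everything else is sent to 443.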

I noticed that your default server was set to the admin.barberino.xyz subdomain and the first vHost listed was the same. It could have been that this is what was being used and why the server reply was coming from barberino.xyz instead of sesulabayresort.com.

VirtualHost configuration:
[2a01:4f8:120:5026::2]:80 is a NameVirtualHost
         default server admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
         port 80 namevhost admin.barberino.xyz (/etc/apache2/sites-enabled/admin.barberino.xyz.conf:1)
