Challenge failed for domain, Invalid response

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: brockart.de

I ran this command: certbot --apache2

It produced this output:
Which names would you like to activate HTTPS for?


1: brockart.de
2: www.brockart.de
3: descent2.de
4: www.descent2.de


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for brockart.de
http-01 challenge for descent2.de
http-01 challenge for www.brockart.de
http-01 challenge for www.descent2.de
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain brockart.de
Challenge failed for domain www.brockart.de
http-01 challenge for brockart.de
http-01 challenge for www.brockart.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: brockart.de
    Type: unauthorized
    Detail: Invalid response from http://www.descent2.de/index.html
    [82.165.48.186]: "\n<!--
    h"

    Domain: www.brockart.de
    Type: unauthorized
    Detail: Invalid response from http://www.descent2.de/index.html
    [82.165.48.186]: "\n<!--
    h"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: IONOS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Why does certbot try to verify brockart.de by accessing folders descent2.de is pointing to?

When I invoke brockart.de in a web browser, the correct web pages are loaded and displayed.

Hi @karx11erx

Looks like Certbot doesn't understand your configuration. Maybe there is no matching vHost with all 4 domain names.

What says

apachectl -S

Perhaps create two certificates, one per main domain.

There are two different .conf files, each containing virtualhost descriptions: One for brockart.de and www.brockart.de (brockart.conf), the other for descent2.de and www.descent2.de (descent2.conf). Accessing the brockart web content using e.g. Chrome on Windows via http://www.brockart.de (or brockart.de) works.

apachectl -S says:

VirtualHost configuration:
*:80 is a NameVirtualHost
default server localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost localhost.localdomain (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost brockart.de (/etc/apache2/sites-enabled/brockart.conf:1)
alias www.brockart.de
port 80 namevhost descent2.de (/etc/apache2/sites-enabled/descent2.conf:1)
alias www.descent2.de
*:443 is a NameVirtualHost
default server brockart.de (/etc/apache2/sites-enabled/brockart.conf:18)
port 443 namevhost brockart.de (/etc/apache2/sites-enabled/brockart.conf:18)
alias www.brockart.de
port 443 namevhost descent2.de (/etc/apache2/sites-enabled/descent2.conf:18)
alias www.descent2.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

So you see: No matching vHost.

With such a vHost configuration, you shouldn't create one certificate with both main domain names.

-->> create two certificates, use two commands.

To be honest: I don't understand that. brockart.de wouldn't be resolved if there wasn't a working virtualhost definition active for it I believe.

If I have certbot create a certificate for www.brockart.de, it works. If I have it do it for brockart.de, it fails. ???

That's expected.

Now checked your configuration - completely buggy - what a mess - https://check-your-website.server-daten.de/?q=brockart.de

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| brockart.de | A | 82.165.136.186 (Rheinmuenster/Baden-Württemberg/Germany (DE) - SCHLUND, Hostname: s18476471.onlinehome-server.info) | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.brockart.de | A | 82.165.48.186 (Rheinmuenster/Baden-Württemberg/Germany (DE) - SCHLUND, No Hostname found) | yes | 1 | 0 |
| | AAAA | | yes | | |

Different IP addresses, different servers:

One is an Apache

Server: Apache/2.4.41 (Ubuntu)

the other is Plesk:

Server: Apache
X-Powered-By: PleskLin

Errors are expected.
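A pre-flight check for the situation diagnosed above, added here as example code (not from the thread, Certbot, or check-your-website): before running certbot, confirm that every name you want on one certificate resolves to the host certbot will run on, and otherwise split the names into one certbot run per host. The sample records are constructed from the addresses quoted in the thread; the descent2.de entries and the `server_ip` argument are assumptions.

```python
import socket
from collections import defaultdict

# Constructed sample modelled on the lookups quoted in the thread: brockart.de
# still pointed at the old IONOS host while www.brockart.de pointed at the new
# one. The descent2.de entries are assumed (the thread only shows www.descent2.de).
SAMPLE_RECORDS = {
    "brockart.de": {"82.165.136.186"},
    "www.brockart.de": {"82.165.48.186"},
    "descent2.de": {"82.165.48.186"},
    "www.descent2.de": {"82.165.48.186"},
}


def resolve(names):
    """Live lookup: map each name to the set of A/AAAA addresses it resolves to."""
    records = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
            records[name] = {info[4][0] for info in infos}
        except socket.gaierror:
            records[name] = set()  # unresolvable names can never pass http-01
    return records


def names_not_on(records, server_ip):
    """Names whose addresses do not include the host certbot will run on.

    http-01 is served from the host the name points at, so every name listed
    here would fail the challenge exactly the way brockart.de did above."""
    return sorted(n for n, ips in records.items() if server_ip not in ips)


def certificate_plan(records):
    """Group names by the host they point at: run certbot once per group."""
    plan = defaultdict(list)
    for name, ips in records.items():
        for ip in sorted(ips) or ["<unresolved>"]:
            plan[ip].append(name)
    return {ip: sorted(names) for ip, names in plan.items()}


if __name__ == "__main__":
    import sys
    server_ip, names = sys.argv[1], sys.argv[2:]  # e.g. 82.165.48.186 brockart.de www.brockart.de
    live = resolve(names)
    print("will fail http-01 on this host:", names_not_on(live, server_ip))
    print("one certbot run per host:", certificate_plan(live))
```

Run with the public IP of the machine certbot runs on followed by the names you intend to put on the certificate; the fix in the thread (correcting the apex A record) makes `names_not_on` come back empty.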

The Plesk configuration doesn't exist anymore. What happened is that I switched from a very old server package at IONOS to an actual one. They installed Plesk with the new server, which caused a mess, so I reinstalled Ubuntu 20.04 without Plesk. I then migrated the two domains using the IONOS web interface. I didn't even edit the IP addresses, I simply ordered the domains to be migrated to the new contract. IONOS messed up the IP addresses. I just noticed that for one A record and fixed it. When migrating, the interface even created partially different A records for the two domains. Obviously brockart.de still somehow sticks with the old server - I have no bloody clue why.

Edit: Well I, do have a clue. Their web interface / services behind it didn't handle this properly.

Thanks for pointing this problem out. I haven't been setting up a server for 8 or 10 years, and I am a bit rusty.

Edit 2: I just fixed the IP address in brockart.de's A record's '@' entry, and now everything works.


Yep. Different IP addresses - that can't work. The same IP address -> all is easy.

Happy to read you have fixed it :+1:


Thanks for your help. You led me on the right track. :grinning:
