Challenge failed for domain on Ubuntu/Apache

My domain is: urbanbeach.com

I ran this command:

certbot renew --cert-name urbanbeach.com

It produced this output:

/root/.pyenv/versions/3.4.2/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/urbanbeach.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.urbanbeach.com
Waiting for verification...
Challenge failed for domain www.urbanbeach.com
http-01 challenge for www.urbanbeach.com
Cleaning up challenges
Attempting to renew cert (urbanbeach.com) from /etc/letsencrypt/renewal/urbanbeach.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/urbanbeach.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/urbanbeach.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.urbanbeach.com
   Type:   unauthorized
   Detail: 2606:4700:3036::ac43:98bb: Invalid response from
   http://www.urbanbeach.com/.well-known/acme-challenge/Paszt_gPgOOlURsq8MpiqbmZ-3fZYtLPBriVsagqDNM:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

# apachectl -v
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Apr  9 2019 20:25:49

The operating system my web server runs on is (include version):

# uname -srm
Linux 3.5.0-54-generic x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

# certbot --version or certbot-auto --version
/root/.pyenv/versions/3.4.2/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
certbot 0.35.1

The above is one of the domains that fails in renewing. I'm aware of the warnings. I prefer not to go through the hours of hassle to upgrade OpenSSL, Ubuntu or anything to eliminate the warnings. I want to migrate my websites off of my hosted server and move them to another site, where I do not need to upgrade or fix anything. To export my site, I need the certificates to work.

I’ve been renewing the certificates successfully for my domains for years now. Then it stopped renewing for one of my domains. I don’t know why.
Here’s one of the domains that successfully renews:

# certbot renew --cert-name avvau.com
/root/.pyenv/versions/3.4.2/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name avvau.com (expected /etc/letsencrypt/renewal/avvau.com.conf).

root@s-vexxhost:~# certbot renew --cert-name avvau.com-0002
/root/.pyenv/versions/3.4.2/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/avvau.com-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/avvau.com-0002/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/avvau.com-0002/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Did you change your DNS settings since trying that? Because that is an IPv6 address for Cloudflare. But I don't see that in your DNS right now. I only see an A record for IPv4 at Vexxhost.

4 Likes

I do not think I changed the DNS setting at Cloudflare or Vexxhost. What should the settings be?

Here is what I am seeing for DNS records: DNS Spy report for urbanbeach.com

And https://unboundtest.com/ presently is in agreement.

DNS A record for urbanbeach.com https://unboundtest.com/m/A/urbanbeach.com/XTBRPZH2
DNS AAAA record for urbanbeach.com https://unboundtest.com/m/AAAA/urbanbeach.com/L6MZ6JFF

DNS A record for www.urbanbeach.com https://unboundtest.com/m/A/www.urbanbeach.com/5CCIMYTF
DNS AAAA record for www.urbanbeach.com https://unboundtest.com/m/AAAA/www.urbanbeach.com/SBSNMGVP

Edit:

And Let's Debug results
https://letsdebug.net/urbanbeach.com/2220646
https://letsdebug.net/www.urbanbeach.com/2220647

Both basically show the same thing:

UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to www.urbanbeach.com results in unexpected HTTP response 500 Internal Server Error. This indicates that the webserver is misconfigured or misbehaving.
500 Internal Server Error

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Database Error</title>

</head>
<body>
<h1>Error establishing a database connection</h1>
</body>
</html>


Trace:
@0ms: Making a request to http://www.urbanbeach.com/.well-known/acme-challenge/letsdebug-test (using initial IP 199.204.46.139)
@0ms: Dialing 199.204.46.139
@241ms: Server response: HTTP 500 Internal Server Error
2 Likes

Did you maybe toggle the Cloudflare "proxy" setting on/off?

Because right now it is off. In any case, can you show the result of the below command:

certbot renew --dry-run --cert-name urbanbeach.com

The --dry-run is a test and will not affect your existing production certs. We should not be seeing an error with an IPv6 address when none is defined in your DNS.

You will probably get an HTTP 500 error like Bruce shows but this is important to know.

3 Likes

I don't see the IPv6 address in DNS:

Name:    urbanbeach.com
Address: 199.204.46.139
Aliases: www.urbanbeach.com

Does the renewal work now?

2 Likes

And here is what I see using curl: HTTP/1.1 500 Internal Server Error

$ curl -i http://www.urbanbeach.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 500 Internal Server Error
Date: Tue, 10 Sep 2024 19:29:01 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.48
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
P3P: CP="HONK"
Vary: Accept-Encoding
Content-Length: 252
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Database Error</title>

</head>
<body>
        <h1>Error establishing a database connection</h1>
</body>
</html>
2 Likes

@Bruce5051

Thanks for your input but I'm not sure what those scans or tests are telling me.

What do you think I should do or set for DNS in Cloudflare?

@rg305 No, the renewal did not work.

1 Like

I might have toggled Cloudflare’s “Proxy status” on and off, but I don’t remember if I did or when.

Proxy status is set to “DNS only” currently.

I got the following:

# certbot renew --dry-run --cert-name urbanbeach.com
/root/.pyenv/versions/3.4.2/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/urbanbeach.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for urbanbeach.com
http-01 challenge for www.urbanbeach.com
Waiting for verification...
Challenge failed for domain www.urbanbeach.com
http-01 challenge for www.urbanbeach.com
Cleaning up challenges
Attempting to renew cert (urbanbeach.com) from /etc/letsencrypt/renewal/urbanbeach.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/urbanbeach.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/urbanbeach.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.urbanbeach.com
   Type:   unauthorized
   Detail: 199.204.46.139: Invalid response from
   http://www.urbanbeach.com/.well-known/acme-challenge/fEOx49ERBR06BauAe3yOPfkOxP7pwcTN2g9Avttb2pE:
   500

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Okay. That explains that much anyway. Now you have to figure out why your server replies with an error 500 for any request. That is not just a Let's Encrypt issue. Even a request for your "home" page gets this error.

Based on the error page details, looks like there is some database connection problem.

curl -i http://urbanbeach.com
HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.48
P3P: CP="HONK"
...

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Database Error</title>
</head>
<body> <h1>Error establishing a database connection</h1></body>
</html>
3 Likes

MySQL stops every once in a while. I started it with:

# service mysql start

I ran the following and both gave the same result as before:

# certbot renew --dry-run --cert-name urbanbeach.com

# certbot renew --cert-name urbanbeach.com

Okay. I see connections are working now.

A 404 error when using --webroot method means the webroot-path on the Certbot command does not match the DocumentRoot in your Apache config for that domain.

Would you show the contents of this file:

/etc/letsencrypt/renewal/urbanbeach.com.conf

And the output of this:

apachectl -t -D DUMP_VHOSTS

2 Likes

# cat /etc/letsencrypt/renewal/urbanbeach.com.conf
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/urbanbeach.com/cert.pem
privkey = /etc/letsencrypt/live/urbanbeach.com/privkey.pem
chain = /etc/letsencrypt/live/urbanbeach.com/chain.pem
fullchain = /etc/letsencrypt/live/urbanbeach.com/fullchain.pem
version = 0.35.1
archive_dir = /etc/letsencrypt/archive/urbanbeach.com

# Options and defaults used in the renewal process
[renewalparams]
authenticator = webroot
rsa_key_size = 4096
account = 858bbc3d2acfb9f905394e87ad1800c7
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.urbanbeach.com = /var/www/urbanbeach.com/public_html
urbanbeach.com = /var/www/urbanbeach.com/public_html

# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server avvau.com (/etc/apache2/sites-enabled/avvau.com:73)
         port 443 namevhost avvau.com (/etc/apache2/sites-enabled/avvau.com:73)
         port 443 namevhost urbanbeach.com (/etc/apache2/sites-enabled/urbanbeach.com:72)
*:80                   is a NameVirtualHost
         default server avvau.com (/etc/apache2/sites-enabled/avvau.com:13)
         port 80 namevhost avvau.com (/etc/apache2/sites-enabled/avvau.com:13)
         port 80 namevhost urbanbeach.com (/etc/apache2/sites-enabled/urbanbeach.com:13)
Syntax OK

And now the contents of that file too please.

2 Likes

# cat /etc/apache2/sites-enabled/urbanbeach.com
<VirtualHost *:80>
        ServerName urbanbeach.com

        DocumentRoot /var/www/urbanbeach.com/public_html
        # <Directory />
        # replaced above with below as per http://stackoverflow.com/questions/17745310/how-to-enable-mod-rewrite-in-$
        <Directory />
                Options FollowSymLinks
                # AllowOverride None
                # Curt replaced above with below
                AllowOverride None
                # added below as per https://commons.lbl.gov/display/cpp/Securing+Apache+Web+Servers
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory /var/www/urbanbeach.com/public_html>
                Options Indexes FollowSymLinks MultiViews
                # AllowOverride None
                # AllowOverride FileInfo enables mod_rewrite in .htaccess but does not enable other modules.
		# See http://httpd.apache.org/docs/current/mod/core.html#allowoverride for more info.
		# TO_DO:  Replace AllowOverride All with AllowOverrideList
                AllowOverride All
                # Order allow,deny
                # replaced above with below as per https://commons.lbl.gov/display/cpp/Securing+Apache+Web+Servers
                Order Deny,Allow
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                # Order allow,deny
                # replaced above with below as per https://commons.lbl.gov/display/cpp/Securing+Apache+Web+Servers
                Order Deny,Allow
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

# Below is per https://www.digitalocean.com/community/articles/how-to-set-up-apache-with-a-free-signed-ssl-certificate-on-a-vps
<VirtualHost *:443>
	SSLEngine on                                                                
	SSLProtocol all -SSLv2                                                      
	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM                

        #SSLCertificateFile /etc/apache2/ssl/ssl.crt
        #SSLCertificateKeyFile /etc/apache2/ssl/private.key
        #SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
        # 2016-01-18 replaced above with below, to use LetsEncrypt.org:
        SSLCertificateFile /etc/letsencrypt/live/urbanbeach.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/urbanbeach.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/urbanbeach.com/fullchain.pem

        ServerAlias www.urbanbeach.com
        ServerName urbanbeach.com:443

        DocumentRoot /var/www/urbanbeach.com/public_html
        # <Directory />
        # replaced above with below as per http://stackoverflow.com/questions/17745310/how-to-enable-mod-re$
        <Directory />
                Options FollowSymLinks
                # AllowOverride None
                # replaced above with below
                AllowOverride None
                # added below as per https://commons.lbl.gov/display/cpp/Securing+Apache+Web+Servers
                Order Deny,Allow
                Deny from all
        </Directory>
        <Directory /var/www/urbanbeach.com/public_html>
                Options Indexes FollowSymLinks MultiViews
                # AllowOverride None
		# AllowOverride FileInfo enables mod_rewrite in .htaccess but does not enable other modules.    
                # See http://httpd.apache.org/docs/current/mod/core.html#allowoverride for more info.   
                # TO_DO:  Replace AllowOverride All with AllowOverrideList
		AllowOverride All
                # Order allow,deny
                # replaced above with below as per https://commons.lbl.gov/display/cpp/Securing+Apache+Web+$
                Order Deny,Allow
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                # Order allow,deny
                # replaced above with below as per https://commons.lbl.gov/display/cpp/Securing+Apache+Web+$
                Order Deny,Allow
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

Your port 80 VirtualHost seems to be missing the ServerAlias for your www subdomain like you have in your port 443 for this domain.

So, HTTP requests to www.urbanbeach.com will instead be processed by your default port 80 VirtualHost (the one for avvau).

This matches the error in your first post that only complained about the www subdomain and not the apex domain too.

Also, you can see that HTTP requests to each are handled differently. The www subdomain gets redirected to avvau and your apex gets your home page.

curl -I http://urbanbeach.com
HTTP/1.1 200 OK
Date: Wed, 11 Sep 2024 19:11:50 GMT
Server: Apache/2.2.22 (Ubuntu)
X-CF-Powered-By: WP 1.3.18

curl -I http://www.urbanbeach.com
HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.22 (Ubuntu)
X-Redirect-By: WordPress
Location: https://avvau.com/

Also, you can remove the :443 port from the ServerName here, but this is cosmetic.

2 Likes
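The two failure modes discussed in this thread (a 404 because the webroot-path does not match the DocumentRoot, and a request for the www host landing in Apache's default *:80 vhost because the ServerAlias is missing) can both be checked mechanically before running certbot. The script below is an added example, not code from this thread, from Certbot or from Apache; it parses the [[webroot_map]] of a renewal .conf and the <VirtualHost> blocks of a site file and reports each domain whose HTTP-01 request would be misrouted. The sample inputs are constructed to mirror the urbanbeach.com setup before and after the fix, and the parser is deliberately simple (no Include handling, no wildcard ServerAlias).

```python
"""Cross-check a certbot renewal config against Apache's port-80 vhosts.

Added example (not from the thread, Certbot or Apache). For every domain in
[[webroot_map]] it checks that some *:80 VirtualHost names that host via
ServerName/ServerAlias (otherwise Apache routes the request to the first
*:80 vhost, the default) and that the vhost's DocumentRoot equals the
webroot certbot writes the challenge token into.
"""
import re

# Constructed sample: trimmed renewal conf in certbot's own layout.
RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.35.1

[renewalparams]
authenticator = webroot
[[webroot_map]]
www.urbanbeach.com = /var/www/urbanbeach.com/public_html
urbanbeach.com = /var/www/urbanbeach.com/public_html
"""

# Constructed sample: default vhost first, then the site's vhosts. The *:80
# vhost for urbanbeach.com lacks the ServerAlias, as in the thread.
APACHE_SITE = """\
<VirtualHost *:80>
    ServerName avvau.com
    DocumentRoot /var/www/avvau.com/public_html
</VirtualHost>

<VirtualHost *:80>
    ServerName urbanbeach.com
    DocumentRoot /var/www/urbanbeach.com/public_html
</VirtualHost>

<VirtualHost *:443>
    ServerAlias www.urbanbeach.com
    ServerName urbanbeach.com:443
    DocumentRoot /var/www/urbanbeach.com/public_html
</VirtualHost>
"""

# The same site after the thread's fix: ServerAlias added to the *:80 vhost.
APACHE_SITE_FIXED = APACHE_SITE.replace(
    "ServerName urbanbeach.com\n",
    "ServerName urbanbeach.com\n    ServerAlias www.urbanbeach.com\n", 1)


def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # any section header ends the map
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (p.strip() for p in line.split("=", 1))
            mapping[domain.lower()] = path.rstrip("/")
    return mapping


def parse_vhosts(site_text):
    """Return [{addr, names, docroot}, ...] in file order (first = default)."""
    vhosts, cur = [], None
    for raw in site_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = {"addr": m.group(1).strip(), "names": set(), "docroot": None}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            vhosts.append(cur)
            cur = None
            continue
        if cur is None:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "servername" and len(parts) > 1:
            # A :port suffix on ServerName does not take part in host matching.
            cur["names"].add(parts[1].split(":")[0].lower())
        elif key == "serveralias":
            cur["names"].update(p.lower() for p in parts[1:])
        elif key == "documentroot" and len(parts) > 1:
            cur["docroot"] = parts[1].strip('"').rstrip("/")
    return vhosts


def check_http01_routing(webroot_map, vhosts):
    """Return {domain: reason} for domains whose http-01 request is misrouted."""
    port80 = [v for v in vhosts if v["addr"].endswith(":80")]
    default = port80[0] if port80 else None
    problems = {}
    for domain, webroot in webroot_map.items():
        match = next((v for v in port80 if domain in v["names"]), None)
        if match is None:
            fallback = ", ".join(sorted(default["names"])) if default else "none"
            problems[domain] = f"no *:80 vhost names it; request falls to default vhost ({fallback})"
        elif match["docroot"] != webroot:
            problems[domain] = f"webroot {webroot} != DocumentRoot {match['docroot']}"
    return problems


if __name__ == "__main__":
    found = check_http01_routing(parse_webroot_map(RENEWAL_CONF), parse_vhosts(APACHE_SITE))
    for domain, why in found.items():
        print(f"{domain}: {why}")
```

On the constructed input this reports only www.urbanbeach.com, falling through to the avvau.com default vhost, which is exactly the asymmetry (www fails, apex passes) seen in the first post; on the fixed site it reports nothing. On a real host, feed it the renewal conf and the output of `cat` on each enabled site file, and read it alongside `apachectl -t -D DUMP_VHOSTS`, which is the authoritative view once Include files and wildcards come into play.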

That seems to be missing the line for:
ServerAlias www.urbanbeach.com

1 Like

As suggested, I added:


<VirtualHost *:80>
        ServerAlias www.urbanbeach.com

and changed to:

<VirtualHost *:443>
        ServerName urbanbeach.com

I ran:

# a2dissite urbanbeach.com
# a2ensite urbanbeach.com
# service apache2 reload
# certbot renew --cert-name urbanbeach.com

and it worked. I got this:

# certbot renew --cert-name urbanbeach.com
/root/.pyenv/versions/3.4.2/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
  utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/urbanbeach.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.urbanbeach.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/urbanbeach.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/urbanbeach.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I ran:

# service apache2 reload

I was able to access urbanbeach.com with SSL successfully on the Brave browser. But on the Safari browser, it still does not have a secure connection. Do you know why?

1 Like

Your cert definition should be improved but does Safari fail even after it is restarted? Maybe it just has some old status cached?

The improvement is to change

       SSLCertificateChainFile /etc/letsencrypt/live/urbanbeach.com/fullchain.pem

to

       SSLCertificateChainFile /etc/letsencrypt/live/urbanbeach.com/chain.pem

On Apache versions since 2.4.8 you should actually omit the "ChainFile" line and use the "fullchain.pem" for SSLCertificateFile. Yours you do like above, though.

2 Likes
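The advice above rests on how certbot lays out a lineage directory (cert.pem is the leaf, chain.pem the intermediate(s), fullchain.pem is cert.pem followed by chain.pem) and on the Apache version threshold of 2.4.8, after which SSLCertificateChainFile is deprecated and SSLCertificateFile may carry the whole chain. The script below is an added example, not code from this thread, Certbot or Apache: it verifies that the three files fit together and audits a vhost's SSLCertificate* directives against the pairing that suits a given Apache version. The PEM bodies and the LIVE_DIR path are constructed placeholders, not real certificates or a real lineage.

```python
"""Check certbot's live/ files fit together and audit Apache's SSL directives.

Added example (not from the thread, Certbot or Apache). Only the PEM block
structure is inspected, so the constructed placeholder bodies below are
enough; on a real host read the files from /etc/letsencrypt/live/<name>/.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholders (base64 text, not real certificates).
CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "Q09OU1RSVUNURUQgTEVBRiBQTEFDRUhPTERFUg==\n"
            "-----END CERTIFICATE-----\n")
CHAIN_PEM = ("-----BEGIN CERTIFICATE-----\n"
             "Q09OU1RSVUNURUQgSU5URVJNRURJQVRFIFBMQUNFSE9MREVS\n"
             "-----END CERTIFICATE-----\n")
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM          # how certbot builds fullchain.pem

LIVE_DIR = "/etc/letsencrypt/live/example.com"  # hypothetical lineage path

# Constructed vhost fragment with the thread's mistake: ChainFile -> fullchain.pem
VHOST_BEFORE = f"""\
    SSLEngine on
    SSLCertificateFile {LIVE_DIR}/cert.pem
    SSLCertificateKeyFile {LIVE_DIR}/privkey.pem
    SSLCertificateChainFile {LIVE_DIR}/fullchain.pem
"""
# The correction suggested above for Apache older than 2.4.8.
VHOST_FIXED = VHOST_BEFORE.replace(f"ChainFile {LIVE_DIR}/fullchain.pem",
                                   f"ChainFile {LIVE_DIR}/chain.pem")


def split_pem(text):
    """Return the list of PEM certificate blocks in the text, in order."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def check_live_layout(cert_pem, chain_pem, fullchain_pem):
    """Return findings (empty list = consistent with certbot's layout)."""
    findings = []
    leaf, chain, full = split_pem(cert_pem), split_pem(chain_pem), split_pem(fullchain_pem)
    if len(leaf) != 1:
        findings.append("cert.pem must contain exactly one certificate (the leaf)")
    if not chain:
        findings.append("chain.pem contains no certificate")
    if full != leaf + chain:
        findings.append("fullchain.pem is not cert.pem followed by chain.pem")
    return findings


def expected_ssl_directives(apache_version, live_dir):
    """Directive pairing for the given httpd version (2.4.8 deprecates ChainFile)."""
    parts = tuple(int(p) for p in apache_version.split(".")[:3])
    if parts >= (2, 4, 8):
        return {"SSLCertificateFile": f"{live_dir}/fullchain.pem",
                "SSLCertificateKeyFile": f"{live_dir}/privkey.pem"}
    return {"SSLCertificateFile": f"{live_dir}/cert.pem",
            "SSLCertificateKeyFile": f"{live_dir}/privkey.pem",
            "SSLCertificateChainFile": f"{live_dir}/chain.pem"}


def audit_ssl_vhost(vhost_text, apache_version, live_dir):
    """Compare the vhost's SSLCertificate* lines with the expected pairing."""
    expected = expected_ssl_directives(apache_version, live_dir)
    found = {}
    for raw in vhost_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0].startswith("SSLCertificate"):
            found[parts[0]] = parts[1]
    findings = [f"{k} should be {v}, found {found.get(k)}"
                for k, v in expected.items() if found.get(k) != v]
    findings += [f"{k} is not used on Apache {apache_version}; remove it"
                 for k in found if k not in expected]
    return findings


if __name__ == "__main__":
    print(check_live_layout(CERT_PEM, CHAIN_PEM, FULLCHAIN_PEM))
    print(audit_ssl_vhost(VHOST_BEFORE, "2.2.22", LIVE_DIR))
    print(audit_ssl_vhost(VHOST_FIXED, "2.4.41", LIVE_DIR))
```

For the 2.2.22 server in this thread the audit flags exactly one line, the ChainFile pointing at fullchain.pem; after the correction it is clean. Run the same fixed vhost against a 2.4.8+ version string and it flags two things instead: SSLCertificateFile should now be fullchain.pem and the ChainFile line should go, which is the second half of the advice above.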

Probably due to other security settings; not the certificate itself.

See these results:
https://www.ssllabs.com/ssltest/analyze.html?d=www.urbanbeach.com
https://www.ssllabs.com/ssltest/analyze.html?d=urbanbeach.com

2 Likes