"Challenge failed for" when renewing expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crazyblockstech.com and www.crazyblockstech.com

I ran this command:

certbot certonly --cert-name crazyblockstech.com -a apache -d crazyblockstech.com,www.crazyblockstech.com --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for crazyblockstech.com and www.crazyblockstech.com
Performing the following challenges:
http-01 challenge for crazyblockstech.com
http-01 challenge for www.crazyblockstech.com
Waiting for verification...
Challenge failed for domain crazyblockstech.com
Challenge failed for domain www.crazyblockstech.com
http-01 challenge for crazyblockstech.com
http-01 challenge for www.crazyblockstech.com
Cleaning up challenges 

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: crazyblockstech.com
   Type:   unauthorized
   Detail: 198.199.89.17: Invalid response from
   http://crazyblockstech.com/.well-known/acme-challenge/VaeN0vIR3y83ZvdYtZPgW8A6hehL4fdEHFI1BvEQ9SE:
   403

   Domain: www.crazyblockstech.com
   Type:   unauthorized
   Detail: 198.199.89.17: Invalid response from
   http://www.crazyblockstech.com/.well-known/acme-challenge/GJTc6_KhY6hjzSL_RguqbpZfnSmi5fseNG2z9pb4cxI:
   403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):
Debian 11 GNU/Linux x86-64
uname -a:
Linux debian-s-1vcpu-1gb-amd-nyc1-01 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux

My hosting provider, if applicable, is:
DigitalOcean
debian-s-1vcpu-1gb-amd ("Premium AMD")

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

I am trying to renew my certificate for my website but am running into this error when renewing.

Apache is used as a reverse proxy for Gunicorn in this case.

Thanks in advance.

Update: Disabled fail2ban but received the same error

1 Like

Hi @CrazyblocksTech, and welcome to the LE community forum :)

It's not a fail2ban issue.
Looks like Apache is up to some mischief.
Let's have a look at the output of:
apachectl -t -D DUMP_VHOSTS

5 Likes

Let's have a look at the output of: apachectl -t -D DUMP_VHOSTS

Output of apachectl -t -D DUMP_VHOSTS:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server catchall (/etc/apache2/sites-enabled/crazyblockstech.com-le-ssl.conf:1)
         port 443 namevhost catchall (/etc/apache2/sites-enabled/crazyblockstech.com-le-ssl.conf:1)
         port 443 namevhost crazyblockstech.com (/etc/apache2/sites-enabled/crazyblockstech.com-le-ssl.conf:13)
                 alias www.crazyblockstech.com
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/crazyblockstech.com.conf:12)
2 Likes
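
Added example, not part of any post in this thread and not certbot or Apache code: a small Python parser for apachectl -t -D DUMP_VHOSTS output that reports which virtual host answers a given name on a given port, and whether it matched by ServerName/ServerAlias or only by fall-through. The function names are hypothetical; the sample is the output posted above.

```python
import re
from fnmatch import fnmatch

# Sample input: the DUMP_VHOSTS output posted above (AH00558 warning line omitted).
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server catchall (/etc/apache2/sites-enabled/crazyblockstech.com-le-ssl.conf:1)
         port 443 namevhost catchall (/etc/apache2/sites-enabled/crazyblockstech.com-le-ssl.conf:1)
         port 443 namevhost crazyblockstech.com (/etc/apache2/sites-enabled/crazyblockstech.com-le-ssl.conf:13)
                 alias www.crazyblockstech.com
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/crazyblockstech.com.conf:12)
"""

# Simplification: the listen address is ignored and vhosts are grouped by port only.
HEAD = re.compile(r"^(\S+):(\d+)\s+(?:is a NameVirtualHost|(\S+) \((.+)\))$")
NAMED = re.compile(r"^\s+port (\d+) namevhost (\S+) \((.+)\)$")
ALIAS = re.compile(r"^\s+(?:wild )?alias (\S+)$")

def parse_vhosts(text):
    """Return {port: [{"names": [...], "where": "file:line"}, ...]} in listing order."""
    ports, current = {}, None
    for line in text.splitlines():
        if m := HEAD.match(line):
            port = int(m.group(2))
            ports.setdefault(port, [])
            current = None
            if m.group(3):  # a single vhost on this address:port
                current = {"names": [m.group(3)], "where": m.group(4)}
                ports[port].append(current)
        elif m := NAMED.match(line):
            current = {"names": [m.group(2)], "where": m.group(3)}
            ports.setdefault(int(m.group(1)), []).append(current)
        elif (m := ALIAS.match(line)) and current is not None:
            current["names"].append(m.group(1))
    return ports

def who_answers(text, domain, port=80):
    """Return (where, matched_by_name) for the vhost that serves `domain` on `port`."""
    vhosts = parse_vhosts(text).get(port, [])
    for v in vhosts:
        if any(fnmatch(domain.lower(), n.lower()) for n in v["names"]):
            return v["where"], True
    # No name match: Apache hands the request to the first vhost listed for the port.
    return (vhosts[0]["where"], False) if vhosts else (None, False)
```

For the output above, both names on port 80 are served by crazyblockstech.com.conf:12 without a name match (it is listed as 127.0.1.1), while on port 443 they match the vhost defined at line 13 of crazyblockstech.com-le-ssl.conf.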

I ended up doing a reinstallation of Debian 11 (i.e. created new "Droplet" on DigitalOcean).
Redid the Apache and certbot configurations.
Now, verification succeeded after running certbot --apache -d crazyblockstech.com -d www.crazyblockstech.com

I am still unsure what happened with verification before but it was likely something to do with Apache.

2 Likes
