Unfortunately I am completely stuck with testing the certificate renewal process. Here are the main coordinates:
My domain is: wiki.sdidev.com & sdidev.com
I ran this command: sudo certbot renew --dry-run
It produced this output:
...
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: wiki.sdidev.com
Type: unauthorized
Detail: 65.83.236.94: Invalid response from http://wiki.sdidev.com/.well-known/acme-challenge/gtiocHekTTMz7JxGla5X-NIKUZvPgz3aMoTy1zqkRGk: 404
...
My web server is: Apache/2.4.58 (Ubuntu)
The operating system my web server runs on is: Ubuntu 24.04
My [hosting] provider is: easyname.at (only using the DNS server here)
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no. I am running a home server; the (editable) A record of my DNS server at easyname points to my fixed IP
The version of my client is: 2.9.0
The infrastructure is:
The DNS server is at easyname (which unfortunately has no API for the challenge) and points via an A record to my fixed IP
There an Nginx Reverse Proxy Manager is running, delivering the URI (wiki.sdidev.com) to a server (a Proxmox VM)
routed through the Nginx reverse proxy manager by using this certificate (ok)
created configs for VirtualHosts *:80 as well as *:443
created a letsencrypt.conf
These configs have aliases for the acme-challenge like this:
...
Alias "/.well-known/acme-challenge/" "/var/lib/letsencrypt/well-known/http-challenges/"
<Directory "/var/lib/letsencrypt/">
    Options Indexes FollowSymLinks
    AllowOverride None
    ## for test
    Require all granted
    ## for production
    # Require method GET POST OPTIONS
</Directory>
...
the path /var/lib/letsencrypt/well-known/http-challenges/ has been created and is accessible to www-data
nevertheless no success with sudo certbot renew --dry-run
created a test.htm within this path for test purposes => cannot be accessed
So I guess it is a problem with accessing the required path, but after hours I don't have a clue where the glitch may be.
Here is my /etc/letsencrypt/renewal/wiki.sdidev.com.conf file
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/wiki.sdidev.com
cert = /etc/letsencrypt/live/wiki.sdidev.com/cert.pem
privkey = /etc/letsencrypt/live/wiki.sdidev.com/privkey.pem
chain = /etc/letsencrypt/live/wiki.sdidev.com/chain.pem
fullchain = /etc/letsencrypt/live/wiki.sdidev.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = c1bb1db9c969eaab5d0ec62b2ee85d0b
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = apache
I don't see any A record for that domain right now. See test result: Let's Debug
I see an A record for this one: sdidev.com. 0 IN A 54.163.253.203
Should the wiki subdomain have the same IP? Because the one in the error message is different. It is fine for it to be different ... just trying to understand more of your configuration.
Yes, still the same problem. I tried it on another domain too, with the same results. Certbot always results in a 404 and can't access http://[whateverdomainItried]/.well-known/acme-challenge/xyz
I can't figure out at what point the server config files, including
...
Alias "/.well-known/acme-challenge/" "/var/lib/letsencrypt/well-known/http-challenges/"
<Directory "/var/lib/letsencrypt/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
...
are overwritten, or why.
I tried various approaches I found online for Ubuntu,
even tried using no .htaccess in /var/www/html,
but in vain.
Google's AI answer was not helpful either.
Unfortunately I am missing good step-by-step docs on that, for newbies like me.
Would you show the command you used and the error shown by Certbot? Because the domain name in your first post no longer has a DNS A record so cannot work for an HTTP Challenge.
And, as long as we're talking about Apache, what does this show
Here is my certbot command (now on the wiki.sdidev.net machine) and the output, copied and pasted:
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wiki.sdidev.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for wiki.sdidev.net
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: wiki.sdidev.net
Type: unauthorized
Detail: 83.65.239.94: Invalid response from http://wiki.sdidev.net/.well-known/acme-challenge/rvPlDJ5hoj3flRSKVMvPb7MGarHQFVCdn_X-ln6Er84: 404
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Failed to renew certificate wiki.sdidev.net with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/wiki.sdidev.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
and here is the Apache dump
$ sudo apache2ctl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 sdidev.net (/etc/apache2/sites-enabled/sdidev.net-le-ssl.conf:2)
*:80 sdidev.net (/etc/apache2/sites-enabled/sdidev.net.conf:1)
But requests to wiki.sdidev.net are handled by an openresty server, not Apache. What is that about? Seems like maybe NPM isn't sending the requests to Apache?
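The two observations above (the OP's test file in the alias directory is unreachable, and the public hostname is answered by openresty rather than Apache) can be separated with a single probe. The script below is an added example for this thread, not code posted by anyone in it and not what Certbot's apache plugin does internally (the Certbot hint says the plugin writes its own temporary Apache configuration). It drops a throwaway token into the alias directory from the OP's config, fetches it once from 127.0.0.1 with a Host header (Apache directly, assuming the probe runs on the same VM as Apache) and once via the public hostname (the path Let's Encrypt takes), and reports which server answered. A 200 from Apache directly but a 404 from openresty publicly means the Alias is fine and Nginx Proxy Manager is not forwarding /.well-known/acme-challenge/ to Apache. The directory path, the 127.0.0.1 address and the use of curl are assumptions; change them to match your setup.

```shell
#!/bin/sh
# acme_probe.sh: put a test token in the Apache alias directory and fetch it the
# way Let's Encrypt would, reporting which server actually answered.
# Assumed: Apache listens on 127.0.0.1:80 on this host, curl is installed, and
# the alias directory is the one from the Alias line in the thread.

CHALLENGE_DIR="${CHALLENGE_DIR:-/var/lib/letsencrypt/well-known/http-challenges}"

# Generate a token shaped like an ACME one: 43 URL-safe base64 characters.
make_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n' | cut -c1-43
}

# Reduce a raw "curl -D -" header dump to "<status> <server>".
# Line 1 is e.g. "HTTP/1.1 404 Not Found"; the Server header may be absent.
parse_headers() {
    printf '%s\n' "$1" | awk '
        NR == 1 { status = $2 }
        tolower($1) == "server:" { server = $2; sub(/\r$/, "", server) }
        END { if (server == "") server = "unknown"; print status, server }'
}

# Map (status, Server header, body-matched flag) to a one-word diagnosis.
classify_probe() {
    status="$1"; server="$2"; body_ok="$3"
    case "$server" in
        openresty*|nginx*) front="proxy" ;;
        Apache*)           front="apache" ;;
        *)                 front="unknown" ;;
    esac
    if [ "$status" = 200 ] && [ "$body_ok" = 1 ]; then
        echo "ok:$front"
    elif [ "$front" = proxy ]; then
        echo "not-forwarded:$front"   # the proxy answered itself; Apache never saw it
    elif [ "$status" = 404 ]; then
        echo "alias-miss:$front"      # Apache answered but the Alias did not match
    else
        echo "unexpected-$status:$front"
    fi
}

# Fetch one URL; $2 optionally overrides the Host header to reach Apache directly.
probe() {
    url="$1"; host="$2"; expected="$3"
    if [ -n "$host" ]; then
        hdrs=$(curl -sS -o "$tmp_body" -D - -H "Host: $host" "$url")
    else
        hdrs=$(curl -sS -o "$tmp_body" -D - "$url")
    fi
    set -- $(parse_headers "$hdrs")   # $1 = status, $2 = server
    body_ok=0
    [ "$(cat "$tmp_body")" = "$expected" ] && body_ok=1
    printf '%-60s %s\n' "$url" "$(classify_probe "$1" "$2" "$body_ok")"
}

run_probe() {
    host="$1"; token=$(make_token)
    tmp_body=$(mktemp)
    printf '%s' "$token" > "$CHALLENGE_DIR/$token"
    chmod 644 "$CHALLENGE_DIR/$token"
    path="/.well-known/acme-challenge/$token"
    probe "http://127.0.0.1$path" "$host" "$token"   # Apache directly, bypassing NPM
    probe "http://$host$path" "" "$token"             # the route Let's Encrypt takes
    rm -f "$CHALLENGE_DIR/$token" "$tmp_body"
}

# The live probe only runs when a host is given, e.g.:
#   ACME_PROBE_HOST=wiki.sdidev.com sudo sh acme_probe.sh
if [ -n "${ACME_PROBE_HOST:-}" ]; then
    run_probe "$ACME_PROBE_HOST"
fi
```

Run it as root on the Apache VM so the token can be written to the alias directory. Two lines come back, one per route; the second line is the one Let's Encrypt sees, and "not-forwarded:proxy" there with "ok:apache" on the first line puts the fault in the proxy configuration rather than in Apache or the alias.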
But requests from the Internet are routed via Nginx Reverse Proxy Manager (this one: https://nginxproxymanager.com/ ), which distributes different URLs to different servers (some Proxmox VMs).
Well, maybe I will install everything from scratch to find out where and when the problem starts.
I had the impression that the combination of an Nginx reverse proxy and Apache is used relatively often. Nevertheless, most blogs, tutorials etc. refer to an API service like Cloudflare, which I unfortunately cannot use, to handle Let's Encrypt.
Anyhow, if I am able to find a solution in time, I will gladly return to share the how-to.
Our main focus is helping people get and use Let's Encrypt certs. But, configuring complex server and container integration is beyond what we (usually) help with. Especially NPM which can be exceedingly difficult to debug if it goes wrong.
If you're looking for a tool that sits in front of several sites to direct traffic (and automatically handles HTTPS), you might want to look at using Caddy instead of NPM.