Create a new certificate: lets + rocky linux 9 + apache

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
demo.topa.webgestio.com.br

I ran this command:
sudo certbot --apache -d demo.topa.webgestio.com.br

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for demo.topa.webgestio.com.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: demo.topa.webgestio.com.br
Type: unauthorized
Detail: 173.249.42.185: Invalid response from http://demo.topa.webgestio.com.br/.well-known/acme-challenge/UDAl4tAsivON2Qw8tbNWYuIzCe_4P5Sb38wPJ7BRIHM: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
apache

The operating system my web server runs on is (include version):
rocky linux 9
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0


I'm trying to create a new certificate for a new URL (website), but for some reason it's giving an error. I moved this site from another production server and changed the IP that points to this URL, but when I run the certificate request it gives the error.
I'll show the log:

sudo certbot --apache -d demo.topa.webgestio.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for demo.topa.webgestio.com.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: demo.topa.webgestio.com.br
Type: unauthorized
Detail: 173.249.42.185: Invalid response from http://demo.topa.webgestio.com.br/.well-known/acme-challenge/UDAl4tAsivON2Qw8tbNWYuIzCe*******: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


log:
/var/log/lets...

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: demo.topa.webgestio.com.br
Type: unauthorized
Detail: 173.249.42.185: Invalid response from http://demo.topa.webgestio.com.br/.well-known
.........

Detail: 173.249.42.185: Invalid response from http://demo.topa.webgestio.com.br/.well-known/acme-challenge/qZ-osneEkDIctTOEU7K5aakLQiJpdC_482OwVZu4DL4: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2024-09-25 13:54:03,704:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.'

.....

File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-09-25 13:54:03,921:ERROR:certbot._internal.log:Some challenges have failed.
2024-09-25 13:59:16,511:DEBUG:certbot._internal.main:certbot version: 2.11.0
2024-09-25 13:59:16,512:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2024-09-25 13:59:16,512:DEBUG:certbot._internal.main:Arguments: ['--apache', '-d', 'demo.topa.webgestio.com.br']
2024-09-25 13:59:16,512:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-25 13:59:16,534:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-25 13:59:16,536:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2024-09-25 13:59:16,659:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.57
2024-09-25 13:59:16,936:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='apache', value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
Initialized: <certbot_apache._internal.override_fedora.FedoraConfigurator object at 0x7ff576e69e80>
Prep: True
2024-09-25 13:59:16,937:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_fedora.FedoraConfigurator object at


If you need any specific part of the log, just let me know and I will show it. I appreciate your help in understanding the reason for the error.

What shows?:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

Using Let's Debug gets these results https://letsdebug.net/demo.topa.webgestio.com.br/2235497

UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to demo.topa.webgestio.com.br results in unexpected HTTP response 403 . This indicates that the webserver is misconfigured or misbehaving.
403

{"timestamp":"2024-09-25T18:53:58.175+0000","status":403,"error":"Forbidden","message":"Access Denied","path":"/.well-known/acme-challenge/letsdebug-test"}

Trace:
@0ms: Making a request to http://demo.topa.webgestio.com.br/.well-known/acme-challenge/letsdebug-test (using initial IP 173.249.42.185)
@0ms: Dialing 173.249.42.185
@67ms: Server response: HTTP 302 Found
@67ms: Received redirect to https://demo.topa.webgestio.com.br/.well-known/acme-challenge/letsdebug-test
@67ms: Dialing 173.249.42.185
@174ms: Server response: HTTP 403
1 Like

sudo httpd -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server bacana.etpi.com.br (/etc/httpd/sites-enabled/bacana.etpi.com.br.conf:10)
         port 443 namevhost bacana.etpi.com.br (/etc/httpd/sites-enabled/bacana.etpi.com.br.conf:10)
         port 443 namevhost demo.topa.webgestio.com.br (/etc/httpd/sites-enabled/demo.topa.webgestio.com.br.conf:19)
                 alias demo.topa.webgestio.com.br
*:80                   is a NameVirtualHost
         default server bacana.etpi.com.br (/etc/httpd/sites-enabled/bacana.etpi.com.br.conf:1)
         port 80 namevhost bacana.etpi.com.br (/etc/httpd/sites-enabled/bacana.etpi.com.br.conf:1)
         port 80 namevhost demo.topa.webgestio.com.br (/etc/httpd/sites-enabled/demo.topa.webgestio.com.br.conf:1)
                 alias demo.topa.webgestio.com.br
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost


In addition to this virtualhost information, would there be anything you need?

So it could be a configuration error in sites-enabled? The other server url is OK. I'll take a closer look to see if I find anything wrong with the configuration.

It would be helpful to see the contents of this file if you can't find the problem.

Your server is rejecting many HTTP(S) requests with 403. And, it is different than how your bacana domain works.

Example: a request which should give a "404 Not Found" instead gets a 403 with a similar error message to the one the Let's Encrypt server got for its HTTP request to you. So it is probably caused by the same thing.

curl -ik https://demo.topa.webgestio.com.br/Test404
HTTP/1.1 403
Server: Apache
Pragma:
Expires:

{"timestamp":"2024-09-25T19:32:49.599+0000","status":403,"error":"Forbidden","message":"Access Denied","path":"/Test404"}
3 Likes
<VirtualHost *:80>
  ServerName demo.topa.webgestio.com.br
  ServerAlias demo.topa.webgestio.com.br
  Redirect / https://demo.topa.webgestio.com.br/
  JkMount /* demotopa

  CustomLog "/var/log/httpd/demo-topa-access_log" combined
  ErrorLog  "/var/log/httpd/demo-topa-error_log"
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName demo.topa.webgestio.com.br
  ServerAlias demo.topa.webgestio.com.br

  Include /etc/letsencrypt/options-ssl-apache.conf
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteCond %{HTTP:Connection} upgrade [NC]
  RewriteRule /(.*) "wss://[demo.topa.webgestio.com.br]:[127.0.0.46]/$1" [P,L]

  ProxyPreserveHost on
  RequestHeader set X-Forwarded-Proto https
  RequestHeader set X-Forwarded-Port 443

  ProxyPass / "ws://127.0.0.46:8000/" retry=5
  ProxyPassReverse / "ws://127.0.0.46:8000/" retry=5
</VirtualHost>
</IfModule>

What doesn't make sense is that I generated a server for the server yesterday 24-09 and everything went correctly.

1 Like

I see a cert with your demo.topa domain issued yesterday. But, it also had a large number of other domains with it.

But, above you only show VirtualHosts for one other domain (bacana).

Are you still on that same server? Does the DNS point to the Apache server config you are showing us here?

2 Likes

Yes, I changed the server. I changed the IP that pointed to the old one and it is now pointing to the server named bacana.etpi.com.br; the other server had several virtualhosts. I changed its DNS already.

2 Likes

Your VirtualHost for port 443 does not have any SSL Certificate definitions. Yet, you include the /etc/letsencrypt/options-ssl-apache.conf file which enables SSL.

Does Apache show any errors for the command below? Because that is not a valid SSL VirtualHost. Any failures reloading Apache can affect the Certbot --apache plugin.

sudo httpd -t

If you run an https://letsdebug.net test for HTTP-01 and your demo domain what do these log files show right after that?

3 Likes

Show:
ls -l /etc/httpd/sites-available/demo*
ls -l /etc/httpd/sites-enabled/demo*

2 Likes

sudo httpd -t

Syntax OK


tail -f demo-topa-access_log:

17.58.62.20 - - [25/Sep/2024:20:45:06 -0300] "GET /.well-known/acme-challenge/qZ-osneEkDIctTOEU7K5aakLQiJpdC_482OwVZu4DL4: HTTP/1.1" 302 290 "-" "AppleNewsBot"
17.58.57.101 - - [25/Sep/2024:20:45:21 -0300] "GET /.well-known HTTP/1.1" 302 230 "-" "AppleNewsBot"
17.58.57.104 - - [25/Sep/2024:20:45:22 -0300] "GET /.well-known/acme-challenge/UDAl4tAsivON2Qw8tbNWYuIzCe*******: HTTP/1.1" 302 280 "-" "AppleNewsBot"
17.58.57.102 - - [25/Sep/2024:20:45:23 -0300] "GET /.well-known/acme-challenge/UDAl4tAsivON2Qw8tbNWYuIzCe_4P5Sb38wPJ7BRIHM: HTTP/1.1" 302 290 "-" "AppleNewsBot"
17.58.57.101 - - [25/Sep/2024:20:45:24 -0300] "GET /.well-known/acme-challenge/qZ-osneEkDIctTOEU7K5aakLQiJpdC_482OwVZu4DL4: HTTP/1.1" 302 290 "-" "AppleNewsBot"
57.103.74.224 - - [25/Sep/2024:21:23:54 -0300] "GET /.well-known HTTP/1.1" 302 230 "-" "AppleNewsBot"
57.103.74.241 - - [25/Sep/2024:21:23:55 -0300] "GET /.well-known/acme-challenge/UDAl4tAsivON2Qw8tbNWYuIzCe*******: HTTP/1.1" 302 280 "-" "AppleNewsBot"
57.103.74.192 - - [25/Sep/2024:21:23:55 -0300] "GET /.well-known/acme-challenge/UDAl4tAsivON2Qw8tbNWYuIzCe_4P5Sb38wPJ7BRIHM: HTTP/1.1" 302 290 "-" "AppleNewsBot"
57.103.74.161 - - [25/Sep/2024:21:23:56 -0300] "GET /.well-known/acme-challenge/qZ-osneEkDIctTOEU7K5aakLQiJpdC_482OwVZu4DL4: HTTP/1.1" 302 290 "-" "AppleNewsBot"
106.54.200.247 - - [26/Sep/2024:07:41:15 -0300] "GET / HTTP/1.1" 302 219 "-" "Mozilla/5.0 (Linux; Android 10; LIO-AN00 Build/HUAWEILIO-AN00; wv) MicroMessenger Weixin QQ AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2692 MMWEBSDK/200901 Mobile Safari/537.36"

ls -l /etc/httpd/sites-available/demo*
-rw-r--r-- 1 root root 1522 Sep 25 13:47 /etc/httpd/sites-available/demo.topa.webgestio.com.br.conf


ls -l /etc/httpd/sites-enabled/demo*
lrwxrwxrwx 1 root root 50 Sep 25 13:39 /etc/httpd/sites-enabled/demo.topa.webgestio.com.br.conf -> ../sites-available/demo.topa.webgestio.com.br.conf

That file was modified yesterday.

2 Likes

Yes, I changed it because I thought there was something wrong with my *.conf file.

Do you have an older [working] copy you can restore?

2 Likes

None of those log entries came from a Let's Debug test. There should have been one with a URI containing letsdebug-test and one from the Let's Encrypt staging system.

Neither of those appear.

I was just going to send you some test HTTP requests from my own server so we could check those. But, connection requests fail. Is your server down?

curl -i http://demo.topa.webgestio.com.br/Test404
curl: (7) Failed to connect to demo.topa.webgestio.com.br port 80 after 207 ms:
Connection refused

curl -i http://demo.topa.webgestio.com.br/.well-known/acme-challenge/Test404
curl: (7) Failed to connect to demo.topa.webgestio.com.br port 80 after 106 ms:
Connection refused
2 Likes
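The check made in the reply above (whether any of the logged acme-challenge hits are genuine validator traffic) as an added example, not code from the thread or from Certbot: it parses Apache combined-format access log lines, picks out the HTTP-01 challenge requests, and reports their status codes, whether the letsdebug-test probe arrived, and which "tokens" are not even valid base64url. The sample log below is constructed from the lines the poster showed plus one synthetic Let's Debug probe line.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, the format of the tail -f output in the thread.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 challenge tokens are base64url, so only these characters are valid.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample: three lines modelled on the posted access log plus one
# synthetic Let's Debug probe (the real log contained no such line).
SAMPLE_LOG = """\
17.58.62.20 - - [25/Sep/2024:20:45:06 -0300] "GET /.well-known/acme-challenge/qZ-osneEkDIctTOEU7K5aakLQiJpdC_482OwVZu4DL4: HTTP/1.1" 302 290 "-" "AppleNewsBot"
17.58.57.101 - - [25/Sep/2024:20:45:21 -0300] "GET /.well-known HTTP/1.1" 302 230 "-" "AppleNewsBot"
106.54.200.247 - - [26/Sep/2024:07:41:15 -0300] "GET / HTTP/1.1" 302 219 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Sep/2024:08:00:00 -0300] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 403 120 "-" "Mozilla/5.0 (constructed probe)"
"""

def parse_combined(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def challenge_report(text):
    """Summarise HTTP-01 traffic: challenge hits and their statuses, whether the
    letsdebug-test probe arrived, and which tokens are not valid base64url (a
    trailing ':' copied from an error message cannot come from the CA)."""
    hits = [r for r in parse_combined(text) if r["path"].startswith(CHALLENGE_PREFIX)]
    tokens = [h["path"][len(CHALLENGE_PREFIX):] for h in hits]
    return {
        "hits": len(hits),
        "statuses": Counter(h["status"] for h in hits),
        "letsdebug_seen": "letsdebug-test" in tokens,
        "invalid_tokens": [t for t in tokens if not TOKEN_RE.match(t)],
        # Anything but 200 on a challenge URL needs explaining; 302 here means
        # the request was redirected before a challenge file could be served.
        "not_200": [(h["path"], h["status"]) for h in hits if h["status"] != 200],
    }

if __name__ == "__main__":
    for key, value in challenge_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```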

It is now inactive because I am working on Apache, which is why it is offline. I will be back to normal soon.

1 Like

Now it's live, testing the url bacana.etpi.com.br everything is ok. The other one demo.topa.webgestio.com.br I'm still fighting lol

A thing to fix right away is this redirect loop. It looks like something you had before redirected to HTTPS, but now that HTTPS is not working you redirect just to HTTP (which loops repeatedly back to itself).

curl -i http://demo.topa.webgestio.com.br/
HTTP/1.1 302 Found
Date: Thu, 26 Sep 2024 20:49:37 GMT
Server: Apache
Location: http://demo.topa.webgestio.com.br/
3 Likes