Debugging webroot issues on new web server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
illuminosi.com & others

I ran this command:
certbot certonly -v
-w /media/web2/illuminosi.com/public_html/public_html
--email tomf@illuminosi.com
--dry-run
--key-type rsa
--agree-tos
-d illuminosi.com,www.illuminosi.com,mail.illuminosi.com
-d unifi.illuminosi.com,unvr-1.illuminosi.com,untangle.illuminosi.com
--deploy-hook /etc/letsencrypt/renewal-hooks/deploy/my-deploy

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Certificate not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for illuminosi.com and 5 more domains
Performing the following challenges:
http-01 challenge for illuminosi.com
http-01 challenge for mail.illuminosi.com
http-01 challenge for unifi.illuminosi.com
http-01 challenge for untangle.illuminosi.com
http-01 challenge for unvr-1.illuminosi.com
http-01 challenge for www.illuminosi.com
Using the webroot path /media/web2/illuminosi.com/public_html/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain illuminosi.com
Challenge failed for domain mail.illuminosi.com
Challenge failed for domain unifi.illuminosi.com
Challenge failed for domain untangle.illuminosi.com
Challenge failed for domain unvr-1.illuminosi.com
Challenge failed for domain www.illuminosi.com
http-01 challenge for illuminosi.com
http-01 challenge for mail.illuminosi.com
http-01 challenge for unifi.illuminosi.com
http-01 challenge for untangle.illuminosi.com
http-01 challenge for unvr-1.illuminosi.com
http-01 challenge for www.illuminosi.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: illuminosi.com
Type: unauthorized
Detail: 208.70.146.4: Invalid response from http://illuminosi.com/.well-known/acme-challenge/_-HmytaW6aDZmhpstmzTkPpsPdUG8zHoSKxMha7eoqA: 404

Domain: mail.illuminosi.com
Type: unauthorized
Detail: 208.70.146.4: Invalid response from http://mail.illuminosi.com/.well-known/acme-challenge/KdnUz8yp-ZJuQ33B1Id2qDBbhlU2szXDdMgCrjBjvR4: 404

Domain: unifi.illuminosi.com
Type: unauthorized
Detail: 208.70.146.4: Invalid response from http://unifi.illuminosi.com/.well-known/acme-challenge/RreDWJQbMx9acsSaVEQ44ONDd8f4Ga1lGjgHo92CgCY: 404

Domain: untangle.illuminosi.com
Type: unauthorized
Detail: 208.70.146.4: Invalid response from http://untangle.illuminosi.com/.well-known/acme-challenge/m_6l0mykj2RHWMVGYZwIrnRaot3jApWRcDbQFRklyMo: 404

Domain: unvr-1.illuminosi.com
Type: unauthorized
Detail: 208.70.146.4: Invalid response from http://unvr-1.illuminosi.com/.well-known/acme-challenge/uAKKgae9afStLGHVqFiKJtLd-b2FHjSfGkJGfXb1IPw: 404

Domain: www.illuminosi.com
Type: unauthorized
Detail: 208.70.146.4: Invalid response from http://www.illuminosi.com/.well-known/acme-challenge/D0Ddtz1RYkhOTncac1_h8tahAdATZmbZXFa03SIsZzo: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
All done updating certificates!

My web server is (include version):
Apache 2.4.55r17

The operating system my web server runs on is (include version):
private label RedHat Linux (asustor ADM 4.3.1R752

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

It looks like the script is writing the challenges into the well-known directory, and I can see it happening in the samba logs on that machine. Yet is appears that apache cannot find them. Any ideas for me? Could this be because of my https redirects? How can I disable those for LE challenges?

Have you changed your architecture from a couple weeks ago? Because I thought you had this working.

You should check your Apache error logs for more info about the "404" error

No. The link in the error message is for http:// so the challenge was not redirected

It's related. The eventual goal is to move web services to a different server. First I needed to move certbot, and that part is done and working. In this next phase, I have moved web services to a different server. Old server was xeon Ubuntu LAMP style. New server is a low power nas box. Still using apache2, I'm trying to find the apache log files so that I can get a better understanding of what's happening. At this point, all I have is the certbot log, and a samba log.

Try adding these two options to your Certbot command to help debug

--debug-challenges -v 

It will create the challenge token file and then pause. Do NOT press enter to continue but use a different machine to try to reach the URL you will be shown. It may be tedious to try because the URL is so long but maybe it helps anyway.

Usually a problem with --webroot and "404" (Not Found) error is simply that the -w folder does not match the DocumentRoot for the domain and URI. Various Apache config problems can cause it to behave oddly.

Show us the output of this so we can review

sudo httpd -t -D DUMP_VHOSTS

You might need apache2ctl or apachectl instead of httpd on your distro

Lastly, you can specify --webroot in the command in your first post to avoid being prompted for it.

Thanks Mike. This is exactly what I needed to debug the issue. It may be a day or two before I can get back to this, but I feel that I have the tools needed, thanks to you.

For anyone who might be curious about this, I am posting this follow-up. I wanted to replace my ProLiant server with my Asus NAS box. After all, it has Apache, containers and lots of other stuff. It's simple Celeron should be more than capable of handling simple web services, right?

Well, I eventually gave up on that idea. It seems that Asus has created this really nice little box based on a very stripped RedHat distro. The few apps they include all have numerous extra "features" that are used to make life easier for most folks. Well, for me, those extra features made it so that I could not get the machine to do what I needed. In this case, the provided Apache implementation had this re-mapping of any lets-encrypt challenges to a different folder so that their own implementation of LE would work. Evey time I would carve up the conf files in apache to disable that re-mapping, apache woule restore that on a restart. It got to be too much hassle for me, and so I am giving up on this idea, and I will go back to using my fan-howling ProLiant box to run my website & email.

Can't you simply use that same directory as the webroot path?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.