Hi guys, welcome back. I’m in trouble; I’ve
My domain is: kameleon.fr I’m using ./certbot-auto and I don’t understand the error :
sudo ./certbot-auto --apache -d srv-a.kameleon.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for srv-a.kameleon.fr
Waiting for verification...
Challenge failed for domain srv-a.kameleon.fr
http-01 challenge for srv-a.kameleon.fr
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: srv-a.kameleon.fr
Type: unauthorized
Detail: Invalid response from
http://srv-a.kameleon.fr/.well-known/acme-challenge/P8U8he1KNC10bo-iEcuVmp8g9s0f6Kta992BrggW7VI
[163.172.131.140]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
but https://www.ssllabs.com/ssltest/analyze.html?d=master.kameleon.fr is red
Thanks a lot for your help. Best regards.
Hi @kameleon1er
checking your subdomain the main things are ok ( https://check-your-website.server-daten.de/?q=srv-a.kameleon.fr ):
Port 80 is open, checking a non-existing file in /.well-known/acme-challenge sends the expected http status 404 - Not Found.
So find your DocumentRoot, then use it:
certbot run -a webroot -i apache -w yourDocumentRoot -d srv-a.kameleon.fr
PS:
There is nothing red, there is a Grade A.
There is one error you should fix, but Ssllabs doesn't check that.
You have the non-www and the www:
But your certificate
CN=master.kameleon.fr
12.05.2019
10.08.2019
expires in 89 days master.kameleon.fr - 1 entry
has only the non-www, so your www version isn't secure.
Create one certificate with both domain names or remove the www dns entry.
Hi Juergen, thanks for your help one more time 
I don’t really need the “www”, I’ll probably delete the entry in my registrar panel.
but I would have liked to understand a little more Certbot.
For my other installed domains declared on my machine, I start by creating a simple Vhost *:80, then I launch Certbot with its Apache module, and I have the impression that it looks at the Vhost configuration and creates the https version itself; “very cool”.
But for this one, he does not want to. The only thing different I see is that this is the domain that is declared as host of my machine.
I tried to regenerate the cert for srv-a.kameleon.fr but something goes wrong…
sudo ./certbot-auto certonly -d srv-a.kameleon.fr --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for srv-a.kameleon.fr
Waiting for verification...
Challenge failed for domain srv-a.kameleon.fr
http-01 challenge for srv-a.kameleon.fr
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: srv-a.kameleon.fr
Type: unauthorized
Detail: Invalid response from
http://srv-a.kameleon.fr/.well-known/acme-challenge/4QidPgZN10D9Kw1enho0fFDSt0R-3wvIykHWYSMEbfo
[163.172.131.140]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
My DNS zone settings for the type A entries look correct:
kameleon.fr. 0 A 163.172.131.140
master.kameleon.fr. 0 A 163.172.131.140
srv-a.kameleon.fr. 0 A 163.172.131.140
certbot run -a webroot -i apache -w /var/www/html/ -d srv-a.kameleon.fr
doesn’t work
command not found
I also tried ./certbot run…
this little robot drives me crazy 
My Vhost for my document root
<VirtualHost *:80>
ServerAdmin contact@kameleon.fr
ServerName srv-a.kameleon.fr
ServerAlias www.srv-a.kameleon.fr
DocumentRoot /var/www/html/index.html
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/html/index.html>
Options FollowSymLinks
AllowOverride All
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =srv-a.kameleon.fr [OR]
RewriteCond %{SERVER_NAME} =www.srv-a.kameleon.fr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
For https :
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin contact@kameleon.fr
ServerName srv-a.kameleon.fr
ServerAlias www.srv-a.kameleon.fr
DocumentRoot /var/www/html/index.html
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/html/index.html>
Options FollowSymLinks
AllowOverride All
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{SERVER_NAME} =srv-a.kameleon.fr [OR]
# RewriteCond %{SERVER_NAME} =www.srv-a.kameleon.fr
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
<Directory /usr/share/phpmyadmin>
Allow from all
Deny from None
Order Allow,Deny
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/srv-a.kameleon.fr-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/srv-a.kameleon.fr-0001/privkey.pem
</VirtualHost>
</IfModule>
You have certbot-auto, so use that with sudo.
If the apache plugin doesn't work, it may not understand your configuration. But if you have a running webserver, webroot should always work.
That's
DocumentRoot /var/www/html/index.html
a terrible definition, a DocumentRoot should be a folder, not a file.
Change that to
DocumentRoot /var/www/html
then use this DocumentRoot as webroot.
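Added example, not part of the thread and not Certbot's own code: a POSIX shell check that lists every active DocumentRoot in an Apache config directory and flags any that is a file or missing, since the webroot authenticator writes the challenge under `<webroot>/.well-known/acme-challenge/` and needs a directory. The function names and the PREFIX argument are assumptions; paths containing spaces and files pulled in by Include from other directories are not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the PREFIX
# argument are assumptions made for this illustration.

# list_docroots DIR: print "file<TAB>path" for every active (uncommented)
# DocumentRoot directive in the files directly inside DIR.
list_docroots() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" 'tolower($1) == "documentroot" {
            gsub(/"/, "", $2); print file "\t" $2 }' "$f"
    done
}

# check_docroots DIR [PREFIX]: one verdict per directive; returns 1 if any
# DocumentRoot is not a directory. PREFIX is prepended to each path so the
# check can run against a staged copy of the filesystem (used by the demo).
check_docroots() {
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r file root; do
        [ -n "$root" ] || continue
        if [ -d "$2$root" ]; then
            echo "OK   $root ($file)"
        elif [ -e "$2$root" ]; then
            echo "BAD  $root is a file, not a directory ($file)"; bad=1
        else
            echo "BAD  $root does not exist ($file)"; bad=1
        fi
    done <<EOF
$(list_docroots "$1")
EOF
    return "$bad"
}

# Demo on constructed data: one vhost as posted above, one corrected.
run_demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/conf" "$d/fs/var/www/html"
    : > "$d/fs/var/www/html/index.html"
    printf 'DocumentRoot /var/www/html/index.html\n' > "$d/conf/posted.conf"
    printf 'DocumentRoot /var/www/html\n' > "$d/conf/fixed.conf"
    check_docroots "$d/conf" "$d/fs"; rc=$?
    rm -rf "$d"
    return "$rc"
}
run_demo || echo "at least one DocumentRoot cannot be used as -w webroot"
```

On a live server the call is `check_docroots /etc/apache2/sites-enabled` with no PREFIX; a non-zero exit means a vhost must be corrected before running certbot with `-a webroot -w`.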
Hi Juergen, I fixed the document root and relaunched certbot-auto but I still have a mismatched common name: "Common names: scw-60ac07 | Alternative names: - INVALID".
After reading a lot of posts this night in the forum, I found this one, very similar to my own: "Invalid Alternative Name"
and after exploring my memory I remember that this domain is very young in my server config, and probably my ex sys-admin didn’t use certbot-apache to deploy it. Damned !
How can I erase it and replace it with a fresh new one from my favorite little bot ? 
Thanks a lot.
Here is my last command:
sudo ./certbot-auto --apache --cert-name srv-a.kameleon.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/srv-a.kameleon.fr.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Then install it, if there is already a certificate.
Certbot is waiting.
…
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
choose option : 1
then :
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
choose option : 1 too…
then :
Congratulations! You have successfully enabled https://srv-a.kameleon.fr and
https://www.srv-a.kameleon.fr
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=srv-a.kameleon.fr
https://www.ssllabs.com/ssltest/analyze.html?d=www.srv-a.kameleon.fr
Always T grade 
You have a curious configuration ( https://check-your-website.server-daten.de/?q=srv-a.kameleon.fr ):
Why? Your www version is correct, your non-www doesn’t work:
Your non-www has a self signed certificate
CN=scw-60ac07
18.10.2016
16.10.2026
expires in 2713 days
your www version has the correct certificate with both domain names:
CN=srv-a.kameleon.fr
13.05.2019
11.08.2019
expires in 90 days
srv-a.kameleon.fr, www.srv-a.kameleon.fr - 2 entries
So check your vHost - configuration with
apachectl -S
find your www-vHost and add the non-www version as alias.
And deactivate your non-www version.
Or deactivate your www-version and change the rows with the certificate of your non-www version.
But it’s possible that there is no non-www version, because the default vHost with a self signed certificate is used.
You’re simply the best 
stupid error in document root, this magic command helped me too :
grep -R "DocumentRoot" /etc/apache2/sites-enabled
/var/www is the directory where my websites are, but the default installation with index.html is in /www/var/www/html
Have to my www version to achieve.
Thanks a lot Juergen