Dry Run Fails when I audit under FreeBSD 14.2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Kasdivi.com
I ran this command:

sudo certbot renew --dry-run
It produced this output:

Processing /usr/local/etc/letsencrypt/renewal/kasdivi.com-0001.conf

Simulating renewal of an existing certificate for kasdivi.com and theoceanwindow.com

Processing /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf

Simulating renewal of an existing certificate for kasdivi.com and 8 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mail.wandjbrewers.com
Type: unauthorized
Detail: 15.197.172.60: Invalid response from http://mail.wandjbrewers.com/.well-known/acme-challenge/22xeA80ZaF6KK2yVBA7U8SarrV8g4lpfEjgmSW6HACU: 403

Domain: wandjbrewers.com
Type: unauthorized
Detail: 15.197.172.60: Invalid response from http://wandjbrewers.com/.well-known/acme-challenge/EDZqEPZTj13wFWViGomc17FXvWa9DHX73yT7V8igDAY: 403

Domain: www.wandjbrewers.com
Type: unauthorized
Detail: 15.197.172.60: Invalid response from http://www.wandjbrewers.com/.well-known/acme-challenge/O_B1Y4KboQi0WSwzyHwz1x9DlDvCaiaez1mppYU6qIw: 403

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate kasdivi.com with error: Some challenges have failed.


The following simulated renewals succeeded:
/usr/local/etc/letsencrypt/live/kasdivi.com-0001/fullchain.pem (success)

The following simulated renewals failed:
/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version):
Apache 2.4.62
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
9.0.3

I think my problem lies in the fact that I deleted a domain that used to be on the certificate but is no longer in BIND

wandjbrewers.com

thanks

That IP address is for AWS Global Accelerator. I also see your apex domain uses a cert from GoDaddy you got just days ago.

Putting those two together has me guessing you enabled Domain Forwarding in your GoDaddy DNS settings. You need to disable that and use the public IP of your server in your DNS instead.

2 Likes

What IP address? I don't do anything with GoDaddy.

This one

That is the IP in the public DNS for your domains.

It should be the public IP for your server.

Where is your server hosted? What is its public IP?

Showing the output of this is one way to find out

curl -4 https://ifconfig.io
1 Like

Maybe on my former domain, wandjbrewers.com

root@triggerfish:/etc # curl -4 https://ifconfig.io

209.160.64.187

Sorry, I may have misunderstood what you are trying to do.

Do you want to remove the 3 domain names from your existing certificate?

Because using certbot renew won't do that. You need to re-issue the original command but omit those 3 domain names from it. That will get you a new cert with just the new names.

Looks like you used --standalone option originally. Do you remember the command you used?

2 Likes

No, I don't remember the command. I tried issuing a new cert for my 4 domains and apparently I have damaged Apache.

Unable to restart apache using ['apachectl', 'graceful']

Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).
Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Apache is running but apparently I need to fix the configuration

OK, I have removed the dead domain from my virtual hosts. I try to issue a new certificate for the three remaining hosts, for a total of 6 domains, but I get this error

Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful

Essentially the same error. Any ideas would be appreciated.

Start with showing the output of this

sudo apachectl -t -D DUMP_VHOSTS

Hopefully it will give reason that Apache cannot be reloaded.

What operating system are you using?
What version of the o/s?

Does this show anything?

sudo ps -eF | grep -Ei 'apache|httpd'
1 Like

What the first one gives me is

VirtualHost configuration:

> *:80                   is a NameVirtualHost
>          default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
>          port 80 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:2)
>                  alias www.kasdivi.com
>          port 80 namevhost theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:37)
>                  alias www.theoceanwindow.com
> *:443                  is a NameVirtualHost
>          default server kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:18)
>          port 443 namevhost kasdivi.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:18)
>                  alias www.kasdivi.com
>          port 443 namevhost www.theoceanwindow.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:52)
>          port 443 namevhost localhost (/usr/local/etc/apache24/extra/httpd-ssl.conf:121)

I am far from having any knowledge, but the localhost reference looks questionable

I am using FreeBSD 14.2 and Apache 2.4.62

FreeBSD doesn't like the options in your last command.

OK, stupid me, I found the letsencrypt log where it was supposed to be and it reports

File "/usr/local/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/local/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-03-20 12:28:00,729:ERROR:certbot._internal.log:Some challenges have failed.

That is pretty normal. The VirtualHost in that config file can probably be commented out but be sure to keep any other Apache settings in that file. Those are the base settings for SSL (TLS).

Let's backup a bit more. What does this show

sudo certbot certificates

Did it issue an error running the command? Or did it just not produce any output?

1 Like

I like basics.

Good. So, what did that command show?

1 Like

Found the following certs:

>   Certificate Name: kasdivi.com-0001
>     Serial Number: 5fa0f839f747347a9e52d2519904f22b986
>     Key Type: ECDSA
>     Domains: kasdivi.com theoceanwindow.com
>     Expiry Date: 2025-06-14 13:22:00+00:00 (VALID: 85 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/privkey.pem
>   Certificate Name: kasdivi.com-0002
>     Serial Number: 6b3638634bca1bbb99d6ad123d3532ed5bc
>     Key Type: ECDSA
>     Domains: kasdivi.com
>     Expiry Date: 2025-06-17 16:14:19+00:00 (VALID: 88 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0002/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0002/privkey.pem
>   Certificate Name: kasdivi.com
>     Serial Number: 42b6b5f7552a52786ece62ddbb5c1c6eba2
>     Key Type: ECDSA
>     Domains: kasdivi.com mail.kasdivi.com mail.theoceanwindow.com mail.wandjbrewers.com theoceanwindow.com wandjbrewers.com www.kasdivi.com www.theoceanwindow.com www.wandjbrewers.com
>     Expiry Date: 2025-06-03 11:11:48+00:00 (VALID: 74 days)
>     Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
>     Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem

So somehow, instead of overwriting or replacing, I created new certs

1 Like
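The two pieces of advice in this thread (check that every name on the certificate still resolves to this server's public IP, and re-issue with the reduced name list instead of `certbot renew`) can be combined into one pre-renewal check. The script below is an added example, not code from the thread or from Certbot: it parses the text `certbot certificates` prints, resolves each SAN, reports which names no longer point at this machine, and builds a `certbot certonly --cert-name ...` command that replaces the existing lineage in place rather than creating another `kasdivi.com-000N` copy. The DNS answers are constructed (the 203.0.113.20 address for the theoceanwindow names is an assumption standing in for the "three different IPs" mentioned later), and the function names are mine.

```python
"""Pre-renewal sanity check for a Certbot lineage (added example, not from the thread).

Steps:
  1. parse `certbot certificates` output into {cert_name: [domains]}
  2. resolve each domain and compare with the IPs that reach this server
  3. emit the `certbot certonly --cert-name <name> -d ...` command for the survivors
"""
import re
import shlex
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample: the output format of `certbot certificates`, with the
# two lineages from the thread, embedded here so the script runs offline.
SAMPLE_CERTIFICATES_OUTPUT = """\
Found the following certs:
  Certificate Name: kasdivi.com-0001
    Serial Number: 5fa0f839f747347a9e52d2519904f22b986
    Key Type: ECDSA
    Domains: kasdivi.com theoceanwindow.com
    Expiry Date: 2025-06-14 13:22:00+00:00 (VALID: 85 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com-0001/privkey.pem
  Certificate Name: kasdivi.com
    Serial Number: 42b6b5f7552a52786ece62ddbb5c1c6eba2
    Key Type: ECDSA
    Domains: kasdivi.com mail.kasdivi.com mail.theoceanwindow.com mail.wandjbrewers.com theoceanwindow.com wandjbrewers.com www.kasdivi.com www.theoceanwindow.com www.wandjbrewers.com
    Expiry Date: 2025-06-03 11:11:48+00:00 (VALID: 74 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pem
"""

# Constructed DNS answers (assumption, not real lookups). 203.0.113.20 is a
# documentation address standing in for the second IP on the same server.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "kasdivi.com": "209.160.64.187",
    "www.kasdivi.com": "209.160.64.187",
    "mail.kasdivi.com": "209.160.64.187",
    "theoceanwindow.com": "203.0.113.20",
    "www.theoceanwindow.com": "203.0.113.20",
    "mail.theoceanwindow.com": "203.0.113.20",
    "wandjbrewers.com": "15.197.172.60",        # now parked elsewhere
    "www.wandjbrewers.com": "15.197.172.60",
    "mail.wandjbrewers.com": None,              # zone removed from BIND: NXDOMAIN
}


def parse_certificates(text: str) -> Dict[str, List[str]]:
    """Map each 'Certificate Name' to the list on its 'Domains:' line."""
    lineages: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            lineages[current] = []
            continue
        m = re.match(r"Domains:\s*(.*)", line)
        if m and current is not None:
            lineages[current] = m.group(1).split()
    return lineages


def resolve_a(name: str) -> Optional[str]:
    """Live resolver: first IPv4 address, or None if the name does not resolve.
    Note: this consults the local resolver; the CA uses public DNS."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_domains(domains: List[str], server_ips: Set[str],
                     resolver: Callable[[str], Optional[str]]) -> Tuple[List[str], Dict[str, str]]:
    """Split names into those reaching this server and those to drop, with reasons."""
    keep: List[str] = []
    drop: Dict[str, str] = {}
    for d in domains:
        ip = resolver(d)
        if ip in server_ips:
            keep.append(d)
        elif ip is None:
            drop[d] = "does not resolve"
        else:
            drop[d] = f"resolves to {ip}, which is not one of this server's addresses"
    return keep, drop


def reissue_command(cert_name: str, domains: List[str], authenticator: str = "standalone") -> str:
    """`--cert-name` makes certbot replace the lineage instead of minting -0001/-0002."""
    args = ["certbot", "certonly", f"--{authenticator}", "--cert-name", cert_name]
    for d in domains:
        args += ["-d", d]
    return shlex.join(args)


def check_lineage(cert_name: str, certificates_text: str, server_ips: Set[str],
                  resolver: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, object]:
    lineages = parse_certificates(certificates_text)
    if cert_name not in lineages:
        raise ValueError(f"no lineage named {cert_name!r} in certbot output")
    keep, drop = classify_domains(lineages[cert_name], server_ips, resolver)
    return {"keep": keep, "drop": drop, "command": reissue_command(cert_name, keep)}


if __name__ == "__main__":
    result = check_lineage("kasdivi.com", SAMPLE_CERTIFICATES_OUTPUT,
                           {"209.160.64.187", "203.0.113.20"}, SAMPLE_DNS.get)
    for name, why in result["drop"].items():
        print(f"drop {name}: {why}")
    print(result["command"])
```

To run it against the real server, replace the sample text with `subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout`, pass the set of addresses that actually reach this Apache instance (all three, if each one lands on the same httpd), and leave the resolver at its default. The generated command keeps `--standalone` because that is what the dry run reported; it only works while nothing else is listening on port 80, so stop Apache first or switch the authenticator argument to one that cooperates with a running web server.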

And now show the contents of this file

2 Likes
> #Listen 80
> <VirtualHost *:80>
>     ServerAdmin admin@theoceanwindow.com
>     DocumentRoot "/usr/local/www/kasdivi.com"
>     ServerName kasdivi.com
>     ServerAlias www.kasdivi.com
>     <Directory "/">
>         Allow from all
>         AllowOverride All
>         Options Indexes FollowSymLinks Includes
>         Require all granted
>     </Directory>
> 
>     ErrorLog "/var/log/httpd-error.log"
>     CustomLog "/var/log/kasdivi.com-access.log" common
>     Redirect permanent / https://kasdivi.com
> </VirtualHost>
> <VirtualHost *:443>
>     ServerAdmin admin@theoceanwindow.com
>     DocumentRoot "/usr/local/www/kasdivi.com"
>     <Directory "/">
>         Allow from all
>         AllowOverride All
>         Options Indexes FollowSymLinks Includes
>         Require all granted
>     </Directory>
>     SSLEngine on
>     SSLCertificateFile /usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem
>     SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.pe
>     #SSLCertificateChainFile  /etc/ssl/certs/ca_bundle.crt
>     ServerName kasdivi.com
>     ServerAlias www.kasdivi.com
>     ErrorLog "/var/log/httpd-error.log"
>     CustomLog "/var/log/kasdivi.com-access_log" common
> </VirtualHost>
> 
> <VirtualHost *:80>
>     ServerAdmin admin@theoceanwindow.com
>     DocumentRoot "/usr/local/www/theoceanwindow.com"
>     ServerName theoceanwindow.com
>     ServerAlias www.theoceanwindow.com
>     <Directory "/">
>         Allow from all
>         AllowOverride All
>         Options Indexes FollowSymLinks Includes
>         Require all granted
>     </Directory>
>     ErrorLog "/var/log/httpd-error.log"
>     CustomLog "/var/log/theoceanwindow.com-access.log" common
>     Redirect permanent / https://theoceanwindow.com
> </VirtualHost>
> <VirtualHost *:443>
>     ServerAdmin admin@theoceanwindow.com
>     DocumentRoot "/usr/local/www/theoceanwindow.com"
>     ServerName www.theoceanwindow.com
>     <Directory "/">
>         Allow from all
>         AllowOverride All
>         Options Indexes FollowSymLinks Includes
>     </Directory>
>     SSLEngine on
>     SSLCertificateFile /etc/ssl/certs/fullchain.pem
>     SSLCertificateKeyFile /etc/ssl/certs/privkey.pem
>     #SSLCertificateChainFile  /etc/ssl/certs/ca_bundle.crt
> </VirtualHost>
1 Like

I just realized the IP address you have for your kasdivi domain is different from the IP you have for oceanwindow

Are these both supposed to be on the same server? If so, you need to modify the DNS A record for oceanwindow to be the same as kasdivi

2 Likes

One physical server, three different IPs. But I will do as you say

Does each IP reach the same Apache instance? If so then no need to change it and probably shouldn't.

2 Likes