Error 503 when generating SSL certificate

I'm trying to generate the certificate for my site. I run the command 'certbot certonly', select 'Place files in webroot directory (webroot)', enter my domain and my webroot, and get the following information:

IMPORTANT NOTES:

I have other websites on the same server for which I did the exact same procedure and got the SSL certificate.
I tried to access it through the browser and I get a response instead of the 503 error. I ran the command 'curl -Ii http://apoiar.sejus.df.gov.br/.well-known/acme-challenge/test' and got status 200:

HTTP/1.1 200 OK
Date: Fri, 02 Sep 2022 13:47:59 GMT
Server: Apache
Content-Length: 4
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8

My domain is: http://apoiar.sejus.df.gov.br/

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

I can login to a root shell on my machine

Hi @victor61236, and welcome to the LE community forum :slight_smile:

Let's have a look at the output of:
apachectl -t -D DUMP_VHOSTS

I don't get 200:

curl -Ii http://apoiar.sejus.df.gov.br/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Date: Fri, 02 Sep 2022 18:35:18 GMT
Server: Apache
Location: https://apoiar.sejus.df.gov.br/.well-known/acme-challenge/test
Content-Type: text/html; charset=iso-8859-1
3 Likes

When I run 'apachectl -t -D DUMP_VHOSTS' I get the following output:

Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server 10.233.161.8 (/etc/httpd/sites-enabled/00-default.conf:2)
         port 80 namevhost 10.233.161.8 (/etc/httpd/sites-enabled/00-default.conf:2)
                 alias 10.233.161.8
         port 80 namevhost acolhe.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf:1)
                 alias acolhe.sejus.df.gov.br
         port 80 namevhost fiscalizacao-suaf.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.fiscalizacao-suaf.sejus.df.gov.br.conf:1)
                 alias fiscalizacao-suaf.sejus.df.gov.br
         port 80 namevhost frequencia.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.frequencia.sejus.df.gov.br.conf:1)
                 alias frequencia.sejus.df.gov.br
         port 80 namevhost gestaohotel.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.gestaohotel.sejus.df.gov.br.conf:1)
                 alias gestaohotel.sejus.df.gov.br
         port 80 namevhost apoiar.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf:1)
                 alias apoiar.sejus.df.gov.br
                 alias siv.sejus.df.gov.br
         port 80 namevhost suavidavalemuito.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.suavidavalemuito.sejus.df.gov.br.conf:1)
                 alias suavidavalemuito.sejus.df.gov.br
         port 80 namevhost voluntariadoemacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntarioemacao.sejus.df.gov.br.conf:1)
                 alias voluntariadoemacao.sejus.df.gov.br
         port 80 namevhost voluntariosubsisadm.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntariosubsisadm.sejus.df.gov.br.conf:1)
                 alias voluntariosubsisadm.sejus.df.gov.br
         port 80 namevhost voluntariosubsisespeciais.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntariosubsisespeciais.sejus.df.gov.br.conf:1)
                 alias voluntariosubsisespeciais.sejus.df.gov.br
         port 80 namevhost votacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.votacao.sejus.df.gov.br.conf:1)
                 alias votacao.sejus.df.gov.br
*:443                  is a NameVirtualHost
         default server SEJUSSV010.gdfnet.df (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost SEJUSSV010.gdfnet.df (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost acolhe.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf:7)
                 alias acolhe.sejus.df.gov.br
                 alias http://acolhe.sejus.df.gov.br
         port 443 namevhost fiscalizacao-suaf.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.fiscalizacao-suaf.sejus.df.gov.br.conf:7)
                 alias fiscalizacao-suaf.sejus.df.gov.br
                 alias http://fiscalizacao-suaf.sejus.df.gov.br
         port 443 namevhost frequencia.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.frequencia.sejus.df.gov.br.conf:7)
                 alias frequencia.sejus.df.gov.br
         port 443 namevhost apoiar.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf:7)
                 alias apoiar.sejus.df.gov.br
                 alias siv.sejus.df.gov.br
         port 443 namevhost voluntariadoemacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntarioemacao.sejus.df.gov.br.conf:8)
                 alias voluntariadoemacao.sejus.df.gov.br
                 alias portaldovoluntariado.df.gov.br
                 alias www.portaldovoluntariado.df.gov.br
         port 443 namevhost votacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.votacao.sejus.df.gov.br.conf:7)
                 alias votacao.sejus.df.gov.br

You can't use "http://" in an alias statement

Let's have a look at this file:
/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf

3 Likes

This file, /etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf, belongs to a website for which I already have a certificate. The one I can't generate is the one referring to the file /etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf, whose content is:

<VirtualHost *:80>
ServerName apoiar.sejus.df.gov.br
ServerAlias apoiar.sejus.df.gov.br siv.sejus.df.gov.br
Redirect permanent / https://apoiar.sejus.df.gov.br/
</VirtualHost>

<VirtualHost *:443>
DocumentRoot "/var/www/siv/"
ServerName apoiar.sejus.df.gov.br
ServerAlias apoiar.sejus.df.gov.br siv.sejus.df.gov.br

    WSGIDaemonProcess siv threads=5
    WSGIScriptAlias / /var/www/siv/wsgi.py

    <Directory "/var/www/siv/">
        #Options FollowSymLinks
        WSGIProcessGroup siv
        WSGIApplicationGroup %{GLOBAL}
        #WSGIScriptReloading On
        #AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript image/svg+xml
        AllowOverride All
        Require all granted
        RedirectMatch 404 /\.git
    </Directory>


#Include /etc/letsencrypt/options-ssl-apache.conf

#SSLCertificateFile /etc/letsencrypt/live/apoiar.sejus.df.gov.br/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/apoiar.sejus.df.gov.br/privkey.pem
#SSLCertificateChainFile /etc/letsencrypt/live/apoiar.sejus.df.gov.br/chain.pem
</VirtualHost>
1 Like

What certbot command did you run?
What error did it show?

5 Likes

I run the command 'certbot certonly', select 'Place files in webroot directory (webroot)', enter my domain and my webroot, and get the following information:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): apoiar.sejus.df.gov.br
Requesting a certificate for apoiar.sejus.df.gov.br
Performing the following challenges:
http-01 challenge for apoiar.sejus.df.gov.br
Input the webroot for apoiar.sejus.df.gov.br: (Enter 'c' to cancel): var/www/siv/siv/static/
Waiting for verification...
Challenge failed for domain apoiar.sejus.df.gov.br
http-01 challenge for apoiar.sejus.df.gov.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

You are being affected by a Palo Alto Networks brand firewall. You should contact your network admins and ask them to change the Application Rule for "acme protocol".

This firewall company changed this setting earlier this year.

Here is an example curl and URL that should return an http 404 once the firewall setting is changed.

curl -I apoiar.sejus.df.gov.br/.well-known/acme-challenge/SampleToken -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 2204
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

For your case, it is necessary to use the '-A' value just as it is. This is the user-agent that the Let's Encrypt servers use. Any other user-agent value will not show the problem.

4 Likes

It seems their IT has made a change; now the 503 error has been replaced.
But there is no new cert seen.

3 Likes

Yes, I see that now too but they just got a cert so that's great.

I get an odd response they might want to correct. No matter what sample token value I use I get an HTTP 200. I should be seeing 404 Not Found when I make up random names. At least it responds correctly when certbot ran so that's more important.

curl -ik https://apoiar.sejus.df.gov.br/.well-known/acme-challenge/SampleTokenMikeTest
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 12:06:43 GMT
Server: Apache
Content-Length: 17
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8

[Errno 2] No such file or directory: '/var/www/siv/siv/static/.well-known/acme-challenge/SampleTokenMikeTest'
4 Likes
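The checks in the replies above (same URL probed with and without the Let's Encrypt validator user-agent, the HTTP-to-HTTPS redirect, and whether a made-up token returns 404 rather than 200) can be encoded as a small classifier. This is an added example, not code from the thread or from certbot; the sample responses are constructed from the headers quoted above, with bodies abbreviated.

```python
# Added example (not from the thread): classify probes of the ACME http-01 path.
CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed sample responses modelled on the headers quoted above; bodies abbreviated.
PLAIN_UA = ("HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
            "Location: https://apoiar.sejus.df.gov.br" + CHALLENGE_PATH + "test\r\n\r\n")
LE_UA = ("HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html; charset=UTF-8\r\n"
         'P3P: CP="CAO PSA OUR"\r\n\r\n<html>blocked</html>')
RANDOM_TOKEN = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
                "[Errno 2] No such file or directory: '/var/www/siv/siv/static"
                + CHALLENGE_PATH + "SampleTokenMikeTest'")

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def diagnose(plain_ua_raw, le_ua_raw, random_token_raw=None):
    """Return finding codes for the probes the thread walks through."""
    findings = []
    s_plain, h_plain, _ = parse_response(plain_ua_raw)
    s_le, _, _ = parse_response(le_ua_raw)
    if s_plain != s_le:
        # Same URL, different status depending only on User-Agent: something in
        # front of Apache is matching on the validator's UA string.
        findings.append("UA_DEPENDENT")
    if s_le == 503:
        findings.append("VALIDATOR_BLOCKED")
    if s_plain in (301, 302, 307, 308) and h_plain.get("location", "").startswith("https://"):
        # Fine for http-01 as long as the HTTPS vhost serves the same webroot.
        findings.append("REDIRECT_TO_HTTPS")
    if random_token_raw is not None:
        s_rand, _, _ = parse_response(random_token_raw)
        if s_rand == 200:
            # A webroot served by Apache answers 404 for unknown tokens; a 200
            # means an application (here the WSGI app) handles the path instead.
            findings.append("APP_HANDLES_CHALLENGE_PATH")
    return findings

if __name__ == "__main__":
    print(diagnose(PLAIN_UA, LE_UA, RANDOM_TOKEN))
```

To run it against a live host, feed `diagnose` the raw output of the three curl probes shown in the thread (with and without the `-A` value, and with a made-up token).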

Now I managed to generate the certificate. I did as you instructed me and contacted my network admins and asked them to change the Application Rule for "acme protocol". After that I managed to generate it here. Thank you very much. The website is already running with https. Thank you for your help.

2 Likes