I'm trying to generate the certificate for my site. I run the command 'certbot certonly', select 'Place files in webroot directory (webroot)', enter my domain and my webroot, and get the following information:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
I have other websites on the same server for which I did the exact same procedure and got the SSL certificate.
I tried to access it through the browser and I get a response instead of a 503 error. I ran the command 'curl -Ii http://apoiar.sejus.df.gov.br/.well-known/acme-challenge/test' and got status 200:
When I run 'apachectl -t -D DUMP_VHOSTS' I get the following output:
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80 is a NameVirtualHost
         default server 10.233.161.8 (/etc/httpd/sites-enabled/00-default.conf:2)
         port 80 namevhost 10.233.161.8 (/etc/httpd/sites-enabled/00-default.conf:2)
                 alias 10.233.161.8
         port 80 namevhost acolhe.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf:1)
                 alias acolhe.sejus.df.gov.br
         port 80 namevhost fiscalizacao-suaf.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.fiscalizacao-suaf.sejus.df.gov.br.conf:1)
                 alias fiscalizacao-suaf.sejus.df.gov.br
         port 80 namevhost frequencia.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.frequencia.sejus.df.gov.br.conf:1)
                 alias frequencia.sejus.df.gov.br
         port 80 namevhost gestaohotel.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.gestaohotel.sejus.df.gov.br.conf:1)
                 alias gestaohotel.sejus.df.gov.br
         port 80 namevhost apoiar.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf:1)
                 alias apoiar.sejus.df.gov.br
                 alias siv.sejus.df.gov.br
         port 80 namevhost suavidavalemuito.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.suavidavalemuito.sejus.df.gov.br.conf:1)
                 alias suavidavalemuito.sejus.df.gov.br
         port 80 namevhost voluntariadoemacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntarioemacao.sejus.df.gov.br.conf:1)
                 alias voluntariadoemacao.sejus.df.gov.br
         port 80 namevhost voluntariosubsisadm.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntariosubsisadm.sejus.df.gov.br.conf:1)
                 alias voluntariosubsisadm.sejus.df.gov.br
         port 80 namevhost voluntariosubsisespeciais.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntariosubsisespeciais.sejus.df.gov.br.conf:1)
                 alias voluntariosubsisespeciais.sejus.df.gov.br
         port 80 namevhost votacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.votacao.sejus.df.gov.br.conf:1)
                 alias votacao.sejus.df.gov.br
*:443 is a NameVirtualHost
         default server SEJUSSV010.gdfnet.df (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost SEJUSSV010.gdfnet.df (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost acolhe.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf:7)
                 alias acolhe.sejus.df.gov.br
                 alias http://acolhe.sejus.df.gov.br
         port 443 namevhost fiscalizacao-suaf.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.fiscalizacao-suaf.sejus.df.gov.br.conf:7)
                 alias fiscalizacao-suaf.sejus.df.gov.br
                 alias http://fiscalizacao-suaf.sejus.df.gov.br
         port 443 namevhost frequencia.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.frequencia.sejus.df.gov.br.conf:7)
                 alias frequencia.sejus.df.gov.br
         port 443 namevhost apoiar.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf:7)
                 alias apoiar.sejus.df.gov.br
                 alias siv.sejus.df.gov.br
         port 443 namevhost voluntariadoemacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.voluntarioemacao.sejus.df.gov.br.conf:8)
                 alias voluntariadoemacao.sejus.df.gov.br
                 alias portaldovoluntariado.df.gov.br
                 alias www.portaldovoluntariado.df.gov.br
         port 443 namevhost votacao.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.votacao.sejus.df.gov.br.conf:7)
                 alias votacao.sejus.df.gov.br
This file, /etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf, belongs to a website for which I already have a certificate; the one I can't generate is the one for the file /etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf, whose content is:
I run the command 'certbot certonly', I select 'Place files in webroot directory (webroot)', I enter my domain and my webroot and I get the following information:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): apoiar.sejus.df.gov.br
Requesting a certificate for apoiar.sejus.df.gov.br
Performing the following challenges:
http-01 challenge for apoiar.sejus.df.gov.br
Input the webroot for apoiar.sejus.df.gov.br: (Enter 'c' to cancel): var/www/siv/siv/static/
Waiting for verification...
Challenge failed for domain apoiar.sejus.df.gov.br
http-01 challenge for apoiar.sejus.df.gov.br
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
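To confirm which vhost Apache will actually pick for a hostname on a given port from a DUMP_VHOSTS listing like the one above, here is an added example (my code, not the thread's, Apache's or certbot's). It parses the `apachectl -t -D DUMP_VHOSTS` text and applies Apache's name-based selection rule: the first vhost on that address:port whose ServerName or a ServerAlias matches the Host header wins, otherwise the port's default server. It also lists aliases that carry a URL scheme, which can never equal a Host header value. The sample dump is constructed from the hostnames in the thread and trimmed to a few entries.

```python
"""Map a hostname to the Apache vhost and config file that will serve it.

Added example; not code from the original thread, Apache or certbot.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    port: int
    name: str
    conf: str                       # config file that defines the vhost
    line: int                       # line in that file
    aliases: list[str] = field(default_factory=list)
    is_default: bool = False        # the "default server" for its port


# Line shapes printed by `apachectl -t -D DUMP_VHOSTS` (leading whitespace varies)
_NVH_RE = re.compile(r"^\s*(\S+):(\d+)\s+is a NameVirtualHost")
_DEFAULT_RE = re.compile(r"^\s*default server (\S+) \((.+?):(\d+)\)")
_VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+?):(\d+)\)")
_ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_dump_vhosts(text: str) -> list[VHost]:
    """Turn the DUMP_VHOSTS listing into VHost records in configuration order."""
    vhosts: list[VHost] = []
    default_for_port: dict[int, str] = {}
    current: VHost | None = None
    for raw in text.splitlines():
        if m := _NVH_RE.match(raw):
            current = None                      # new address:port section
        elif m := _DEFAULT_RE.match(raw):
            # The default server is repeated as a "port N namevhost" line below;
            # remember its name so that record can be flagged.
            pass_port = _port_of_default(vhosts, text, raw)
            default_for_port[pass_port] = m.group(1)
        elif m := _VHOST_RE.match(raw):
            port, name, conf, line = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            is_default = default_for_port.get(port) == name and not any(
                v.port == port and v.is_default for v in vhosts)
            current = VHost(port, name, conf, line, is_default=is_default)
            vhosts.append(current)
        elif (m := _ALIAS_RE.match(raw)) and current is not None:
            current.aliases.append(m.group(1))
    return vhosts


def _port_of_default(vhosts: list[VHost], text: str, default_line: str) -> int:
    """The port a 'default server' line belongs to is the port of the section
    header that precedes it; scan back for it."""
    lines = text.splitlines()
    idx = lines.index(default_line)
    for prev in reversed(lines[:idx]):
        if m := _NVH_RE.match(prev):
            return int(m.group(2))
    return -1


def find_vhost(vhosts: list[VHost], host: str, port: int) -> VHost | None:
    """Apache's choice for Host: <host> on <port>; None if the port has no vhosts."""
    host = host.lower().rstrip(".")
    candidates = [v for v in vhosts if v.port == port]
    for v in candidates:
        if v.name.lower() == host or any(
                fnmatch.fnmatchcase(host, a.lower()) for a in v.aliases):
            return v                          # first match wins, as in Apache
    for v in candidates:
        if v.is_default:
            return v
    return None


def odd_aliases(vhosts: list[VHost]) -> list[tuple[str, str]]:
    """Aliases that contain a scheme or path: a Host header never looks like that."""
    return [(v.name, a) for v in vhosts for a in v.aliases if "/" in a]


# Constructed sample, trimmed from the listing in the thread.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:80 is a NameVirtualHost
         default server 10.233.161.8 (/etc/httpd/sites-enabled/00-default.conf:2)
         port 80 namevhost 10.233.161.8 (/etc/httpd/sites-enabled/00-default.conf:2)
                 alias 10.233.161.8
         port 80 namevhost acolhe.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf:1)
                 alias acolhe.sejus.df.gov.br
         port 80 namevhost apoiar.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.siv.sejus.df.gov.br.conf:1)
                 alias apoiar.sejus.df.gov.br
                 alias siv.sejus.df.gov.br
*:443 is a NameVirtualHost
         default server SEJUSSV010.gdfnet.df (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost SEJUSSV010.gdfnet.df (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost acolhe.sejus.df.gov.br (/etc/httpd/sites-enabled/vhost.acolhe.sejus.df.gov.br.conf:7)
                 alias acolhe.sejus.df.gov.br
                 alias http://acolhe.sejus.df.gov.br
"""

if __name__ == "__main__":
    vh = parse_dump_vhosts(SAMPLE_DUMP)
    for host, port in [("apoiar.sejus.df.gov.br", 80), ("siv.sejus.df.gov.br", 80),
                       ("apoiar.sejus.df.gov.br", 443)]:
        chosen = find_vhost(vh, host, port)
        print(f"{host}:{port} -> {chosen.name} ({chosen.conf}:{chosen.line})")
    print("aliases that cannot match a Host header:", odd_aliases(vh))
```

Feed it the real listing (`apachectl -t -D DUMP_VHOSTS | python3 vhost_lookup.py` with a small wrapper, or paste the text into `SAMPLE_DUMP`) and the output tells you which file's DocumentRoot must hold `.well-known/acme-challenge/` for the http-01 request on port 80, which is the webroot certbot needs.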
You are being affected by a Palo Alto Networks brand firewall. You should contact your network admins and ask them to change the Application Rule for "acme protocol".
This firewall company changed this setting earlier this year.
Here is an example curl and URL that should return an http 404 once the firewall setting is changed.
For your case, it is necessary to use the '-A' value just as it is. This is the user-agent that the Let's Encrypt servers use. Any other user-agent value will not show the problem.
Yes, I see that now too but they just got a cert so that's great.
I get an odd response they might want to correct. No matter what sample token value I use I get an HTTP 200. I should be seeing 404 Not Found when I make up random names. At least it responds correctly when certbot ran so that's more important.
curl -ik https://apoiar.sejus.df.gov.br/.well-known/acme-challenge/SampleTokenMikeTest
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 12:06:43 GMT
Server: Apache
Content-Length: 17
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
[Errno 2] No such file or directory: '/var/www/siv/siv/static/.well-known/acme-challenge/SampleTokenMikeTest'
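The two requests in this thread (the real token file, then a made-up token that should produce a 404 rather than a 200) are exactly the pre-flight check worth automating before running certbot. The following is an added example (my code, not the thread's, certbot's or Let's Encrypt's): it writes a token under `<webroot>/.well-known/acme-challenge/`, fetches it with the User-Agent the Let's Encrypt validators send (assumed from their public documentation), and checks that the body comes back byte-exact and that a random token yields 404. It serves the webroot with a throw-away local `http.server` so it runs offline; against a live site, call `probe()` with the public `http://` base URL instead.

```python
"""Offline self-check of an ACME http-01 webroot.

Added example; not code from the original thread, certbot or Let's Encrypt.
"""
from __future__ import annotations

import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# User-Agent of the Let's Encrypt validation servers (assumption based on
# their public documentation; the thread notes that only this UA showed the
# firewall behaviour).
LE_USER_AGENT = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
                 "+https://www.letsencrypt.org)")
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_challenge(webroot: str, token: str, key_authz: str) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token> holding key_authz.

    The webroot is made absolute first: a relative path resolves against the
    current directory, which is rarely the directory Apache serves.
    """
    path = os.path.join(os.path.abspath(webroot), CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authz)
    return path


def probe(base_url: str, token: str, user_agent: str = LE_USER_AGENT) -> tuple[int, str]:
    """GET <base_url>/.well-known/acme-challenge/<token>; return (status, body)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # 404 and friends arrive as exceptions
        return err.code, err.read().decode("utf-8", "replace")


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server that does not log every request to stderr."""
    def log_message(self, *args):
        pass


def self_check(webroot: str) -> dict:
    """Serve webroot on 127.0.0.1 and verify both responses a validator expects."""
    webroot = os.path.abspath(webroot)
    token = secrets.token_urlsafe(32)
    key_authz = f"{token}.constructed-account-thumbprint"  # constructed, not a real key authorization
    write_challenge(webroot, token, key_authz)

    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        token_status, body = probe(base, token)
        missing_status, _ = probe(base, secrets.token_urlsafe(16))  # random token, never created
    finally:
        server.shutdown()
        server.server_close()
    return {
        "token_status": token_status,        # expect 200
        "body_matches": body == key_authz,   # expect True: validator compares the body exactly
        "missing_status": missing_status,    # expect 404, not a catch-all 200 page
        "passes": token_status == 200 and body == key_authz and missing_status == 404,
    }


def demo() -> dict:
    """Run self_check against a temporary webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        return self_check(tmp)


if __name__ == "__main__":
    print(demo())
```

A `missing_status` of 200 means something in front of the files (an application route, a rewrite, a catch-all error page) answers for the whole `/.well-known/acme-challenge/` path; a validator then receives that page's body instead of the key authorization and the challenge fails even though the token file exists.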
Now I managed to generate the certificate. I did as you instructed: I contacted my network admins and asked them to change the Application Rule for "acme protocol". After that I managed to generate it here. Thank you very much. The website is already running with https. Thank you for your help.