ERROR:certificate authority failed to verify the temporary apache configuration

I'm having a problem while installing certbot. I'm on apache2 & ubuntu20. My domain is ADMISIONES.SANMARCOS.ORG.AR. I ran the command `sudo certbot --apache` and it outputs:
```
The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
```

I've already changed the redirect to HTTPS leaving only HTTP and nothing yet.

Here's the log and my apache conf.

> VirtualHost configuration:
> *:80                   admisiones.sanmarcos.edu.ar (/etc/apache2/sites-enabled/admisiones.conf:1)
> *:443                  admisiones.sanmarcos.edu.ar (/etc/apache2/sites-enabled/ssl.admisiones.conf:2)
> ServerRoot: "/etc/apache2"
> Main DocumentRoot: "/var/www/html"
> Main ErrorLog: "/var/log/apache2/error.log"
> Mutex mpm-accept: using_defaults
> Mutex watchdog-callback: using_defaults
> Mutex rewrite-map: using_defaults
> Mutex ssl-stapling-refresh: using_defaults
> Mutex ssl-stapling: using_defaults
> Mutex ssl-cache: using_defaults
> Mutex default: dir="/var/run/apache2/" mechanism=default 
> PidFile: "/var/run/apache2/apache2.pid"
> Define: DUMP_VHOSTS
> Define: DUMP_RUN_CFG
> User: name="www-data" id=33
> Group: name="www-data" id=33

Let's Encrypt log:

> 2023-02-06 10:35:34,737:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
> 2023-02-06 10:35:35,113:DEBUG:certbot._internal.main:certbot version: 1.32.2
> 2023-02-06 10:35:35,113:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2618/bin/certbot
> 2023-02-06 10:35:35,113:DEBUG:certbot._internal.main:Arguments: ['--apache', '-v', '--preconfigured-renewal']
> 2023-02-06 10:35:35,114:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
> 2023-02-06 10:35:35,125:DEBUG:certbot._internal.log:Root logging level set at 20
> 2023-02-06 10:35:35,126:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
> 2023-02-06 10:35:35,185:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.52
> 2023-02-06 10:35:35,367:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
> Description: Apache Web Server plugin
> Interfaces: Installer, Authenticator, Plugin
> Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
> Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f706943db80>
> Prep: True
> 2023-02-06 10:35:35,368:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f706943db80> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f706943db80>
> 2023-02-06 10:35:35,368:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
> 2023-02-06 10:35:35,423:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/951607476', new_authzr_uri=None, terms_of_service=None), 49a28e4f5a74346eeec00251723fb6fd, Meta(creation_dt=datetime.datetime(2023, 2, 6, 12, 45, 33, tzinfo=<UTC>), creation_host='admisiones', register_to_eff=None))>
> 2023-02-06 10:35:35,424:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
> 2023-02-06 10:35:35,425:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
> 2023-02-06 10:35:35,989:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 756
> 2023-02-06 10:35:35,990:DEBUG:acme.client:Received response:
> HTTP 200
> Server: nginx
> Date: Mon, 06 Feb 2023 13:35:35 GMT
> Content-Type: application/json
> Content-Length: 756
> Connection: keep-alive
> Cache-Control: public, max-age=0, no-cache
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=604800
> 
> {
>   "YM7WIh-nFV8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
>   "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
>   "meta": {
>     "caaIdentities": [
>       "letsencrypt.org"
>     ],
>     "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
>     "website": "https://letsencrypt.org"
>   },
>   "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
>   "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
>   "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
>   "renewalInfo": "https://acme-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
>   "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
> }
> 2023-02-06 10:35:36,868:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for admisiones.sanmarcos.edu.ar
> 2023-02-06 10:35:37,081:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
> 2023-02-06 10:35:37,087:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
> 2023-02-06 10:35:37,088:DEBUG:acme.client:Requesting fresh nonce
> 2023-02-06 10:35:37,089:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
> 2023-02-06 10:35:37,276:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
> 2023-02-06 10:35:37,276:DEBUG:acme.client:Received response:
> HTTP 200
> Server: nginx
> Date: Mon, 06 Feb 2023 13:35:37 GMT
> Connection: keep-alive
> Cache-Control: public, max-age=0, no-cache
> Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
> Replay-Nonce: 2712Y2SDjM7pf0R4xPalXcB3_RtEWdudvbts1UIDMOTh9-A
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=604800
> 
> 
> 2023-02-06 10:35:37,276:DEBUG:acme.client:Storing nonce: 2712Y2SDjM7pf0R4xPalXcB3_RtEWdudvbts1UIDMOTh9-A
> 2023-02-06 10:35:37,276:DEBUG:acme.client:JWS payload:
> b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "admisiones.sanmarcos.edu.ar"\n    }\n  ]\n}'
> 2023-02-06 10:35:37,279:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
> {
>   "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTUxNjA3NDc2IiwgIm5vbmNlIjogIjI3MTJZMlNEak03cGYwUjR4UGFsWGNCM19SdEVXZHVkdmJ0czFVSURNT1RoOS1BIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
>   "signature": "dpgQya_k1uhFaxTgvxuL77sSenlcY-BWY4odaCmOQMbfO7iAotCp1X3fvKdNAr19vBTZhSV3zIFl9TWAwJzovio9gKF857x-wwA3lZZIGSwj_n32-dRsnU6UeqM_JlPFNcUPU7JrxK6LAINttYYKhO3v3Jg55gknOHF6u91cUCRyV8tXQAIwkQWrDeM_HdvIrSnDOwWpkXLRmWd2MlWKe02dEMuVnWAr9ASAmNYpsP2hgCnAwTSQS2-glS76zKOGqXA6rB9BRet4cBpdWB8cr217Mgrm7rLgDSMPDW3M8fCAwSBvOyrhTMgpA1ikZ6n9kZHcjhqyt1DzrcbzMpgWeg",
>   "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImFkbWlzaW9uZXMuc2FubWFyY29zLmVkdS5hciIKICAgIH0KICBdCn0"
> }
> 2023-02-06 10:35:37,483:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 213
> 2023-02-06 10:35:37,484:DEBUG:acme.client:Received response:
> HTTP 429
> Server: nginx
> Date: Mon, 06 Feb 2023 13:35:37 GMT
> Content-Type: application/problem+json
> Content-Length: 213
> Connection: keep-alive
> Boulder-Requester: 951607476
> Cache-Control: public, max-age=0, no-cache
> Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
> Replay-Nonce: 2712VKlozBmzTnqmZnB3D9jVgiQA6PfioXdYy1gLK3UNXMY
> 
> {
>   "type": "urn:ietf:params:acme:error:rateLimited",
>   "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/",
>   "status": 429
> }
> 2023-02-06 10:35:37,484:DEBUG:certbot._internal.log:Exiting abnormally:
> Traceback (most recent call last):
>   File "/snap/certbot/2618/bin/certbot", line 8, in <module>
>     sys.exit(main())
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/main.py", line 19, in main
>     return internal_main.main(cli_args)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
>     return config.func(config, plugins)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
>     new_lineage = _get_and_save_cert(le_client, config, domains,
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
>     lineage = le_client.obtain_and_enroll_certificate(domains, certname)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
>     cert, chain, key, _ = self.obtain_certificate(domains)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
>     orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/certbot/_internal/client.py", line 492, in _get_order_and_authorizations
>     orderr = self.acme.new_order(csr_pem)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/acme/client.py", line 953, in new_order
>     return cast(ClientV2, self.client).new_order(csr_pem)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/acme/client.py", line 714, in new_order
>     response = self._post(self.directory['newOrder'], order)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/acme/client.py", line 114, in _post
>     return self.net.post(*args, **kwargs)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/acme/client.py", line 1289, in post
>     return self._post_once(*args, **kwargs)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/acme/client.py", line 1303, in _post_once
>     response = self._check_response(response, content_type=content_type)
>   File "/snap/certbot/2618/lib/python3.8/site-packages/acme/client.py", line 1149, in _check_response
>     raise messages.Error.from_json(jobj)
> acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
> 2023-02-06 10:35:37,485:ERROR:certbot._internal.log:An unexpected error occurred:
> 2023-02-06 10:35:37,485:ERROR:certbot._internal.log:Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

Welcome to the community @Tdalton

First, HTTPS connections to your domain are working fine. It works from my own test server and this SSL Checker test site (link here).

Even the redirect from HTTP->HTTPS works fine. You redirect HTTP to HTTPS and then redirect to your /admin/redirect/ page which is successful.

Are you still having a problem? Because it looks like the cert and redirects are fine.

In your log I see a problem when you tried something too many times and failed. Let's Encrypt will reject requests when you fail too many times. You have to wait an hour to try again. But, I don't know why you are still trying. It looks good to me.

3 Likes
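
An added example, not part of the original posts or of certbot: a small parser that pulls ACME problem documents out of a certbot debug log like the one quoted above, so a `rateLimited` rejection can be told apart from the validation failures that caused it. The function names and the abbreviated sample log are constructed for illustration.

```python
import json
import re

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}:")  # start of a log record

# Constructed sample: abbreviated records in the shape of the log quoted in the thread.
SAMPLE_LOG = """2023-02-06 10:35:35,990:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order"}
2023-02-06 10:35:37,484:DEBUG:acme.client:Received response:
HTTP 429
Content-Type: application/problem+json

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently",
  "status": 429
}
"""

def parse_response(lines):
    """Status line, headers, blank line, body -> dict, for problem+json bodies only."""
    head, _, body = "\n".join(lines).partition("\n\n")
    status, *headers = head.split("\n")
    if not status.startswith("HTTP ") or "Content-Type: application/problem+json" not in headers:
        return None
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:  # truncated paste: nothing reliable to report
        return None
    return {"http": int(status.split()[1]), "type": doc.get("type"), "detail": doc.get("detail")}

def acme_problems(log_text):
    """Return every ACME problem document (RFC 8555 error) found in a certbot debug log."""
    problems, block, when = [], None, None
    # The trailing sentinel record flushes a response block that runs to the end of input.
    for raw in log_text.splitlines() + ["0000-00-00 00:00:00,000:END"]:
        line = re.sub(r"^> ?", "", raw)  # tolerate logs pasted as forum quotes
        if TS.match(line):
            problem = parse_response(block) if block else None
            if problem:
                problems.append({"time": when, **problem})
            block = [] if line.endswith("acme.client:Received response:") else None
            when = line[:23]
        elif block is not None:
            block.append(line)
    return problems
```

Run over the full `/var/log/letsencrypt/letsencrypt.log`, the earlier records show the validation failures themselves, while the 429 only reports that too many of them have accumulated.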

On renewals, don't use:

Just use:
```
sudo certbot renew
```

3 Likes

I've solved it, it was a firewall problem :smiley: where http wasn't enabled to access from outside our network.

3 Likes
