Error creating cert - activating HTTPS

Hello,

I don't have experience with Let's Encrypt. I tried a few tutorials but none of them worked for me.

I have a domain that I want to secure. I used a self-signed cert, but because it is not recognised, the browser displays "Your connection is not private".

I use No-IP to redirect to my IP.

I then tried to use Let's Encrypt but I couldn't make it work. What am I doing wrong?

My domain is:
https://nubepozo.ddns.net/

I ran this command:

certbot certonly -n -d nubepozo.ddns.net --standalone --preferred-challenges http --email cesypozo@gmail.com --agree-tos --expand

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for nubepozo.ddns.net
Performing the following challenges:
http-01 challenge for nubepozo.ddns.net
Waiting for verification...
Challenge failed for domain nubepozo.ddns.net
http-01 challenge for nubepozo.ddns.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nubepozo.ddns.net
   Type:   unauthorized
   Detail: 38.43.83.253: Invalid response from
   http://nubepozo.ddns.net/.well-known/acme-challenge/QFC2cEaBYFrZYYoH4-639HmYT1I67Gwceem_3rMa6gw:
   "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.54 (Raspbian)

The operating system my web server runs on is (include version): Raspbian GNU/Linux 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Welcome to the community @cesypozo

The --standalone is used when no other web server is running or available. You could stop Apache and try that again. But, when you have a web server it is best to use a different method.

The --webroot method is the closest to what you tried. There is also the --apache plug-in.

Using --webroot with certonly just gets a cert. The apache plug-in will get a cert and update your Apache config by creating an HTTPS VirtualHost once the cert request succeeds.

See the Certbot docs or ask here
https://eff-certbot.readthedocs.io/en/stable/using.html#user-guide

5 Likes

First I stopped the Apache server again:

sudo service apache2 stop

And then I tried what you suggested with the --apache flag, but it doesn't seem to work:

sudo certbot certonly --apache -n -d nubepozo.ddns.net --preferred-challenges http --email cesypozo@gmail.com --agree-tos --expand

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for nubepozo.ddns.net
Performing the following challenges:
http-01 challenge for nubepozo.ddns.net
Waiting for verification...
Challenge failed for domain nubepozo.ddns.net
http-01 challenge for nubepozo.ddns.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nubepozo.ddns.net
   Type:   unauthorized
   Detail: 38.43.83.253: Invalid response from
   http://nubepozo.ddns.net/.well-known/acme-challenge/MLxwptuZkzgcfNSDi3_52pgqXB7GZoGwuuFOLxzYE7M:
   "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I also tried

sudo certbot certonly --webroot -w /var/www/owncloud -n -d nubepozo.ddns.net --preferred-challenges http --email cesypozo@gmail.com --agree-tos --expand

Oh, sorry, that is not what I meant. I meant if you want to continue to use --standalone you must stop Apache. But, if you use --webroot or --apache you leave Apache running all the time.

As to your new error, your Apache server or something else is not responding correctly. When the Let's Encrypt server makes the HTTP request for the challenge token created by Certbot it should get that token. Instead, your Apache server responds with something like below.

What is listening or handling HTTP requests on your system? Is it Apache?

curl -i http://nubepozo.ddns.net/.well-known/acme-challenge/SampleTokenValueForTesting
(note there is no Server response header. It is not required, but usually we see one with Apache)
HTTP/1.1 200 OK
Content-Type:text/html
Pragma:no-cache
Cache-control:no-cache, no-store, max-age=0
Transfer-Encoding:chunked
X-Frame-Options:SAMEORIGIN
Connection:Keep-Alive
X-XSS-Protection:1; mode=block
Content-Security-Policy:default-src 'self' 'unsafe-inline' 'unsafe-eval'

This is the data returned. For my test request we should see a 404 Not Found.
This looks like the same data you got instead of the challenge token value.
Where did this come from?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge;chrome=1">
<meta http-equiv="Pragma" content="no-cache" />
<title></title>
<script language="JavaScript" type="text/javascript">
var SSLPort ='80';
var SSLHostIp ='38\x2e43\x2e83\x2e253';
var HostInfo = window.location.host.replace(/\[|]/g,'');
var IsMaintWan = '0';
if (IsMaintWan == 1)
{
SSLPort = '7017';
5 Likes
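The curl check above can be turned into a small offline-testable helper: given a response to `GET /.well-known/acme-challenge/<token>`, it says whether the reply is the key authorization the CA expects, a plain 404 from the webroot (the correct answer for a made-up token), a redirect, or an HTML page from something else sitting on port 80, and it flags the missing Server header that the helper pointed out. This is an added example written for this thread, not code from Certbot or from anyone in the discussion; the sample responses are constructed to resemble the shapes seen here, the thumbprint is made up, and the script name in the comment is hypothetical.

```python
import sys
import urllib.error
import urllib.request

# Constructed sample responses (not captured from any real server). ROUTER_REPLY
# mirrors the shape of the curl output in the thread: 200, HTML, no Server header.
ROUTER_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type:text/html\r\n"
    "X-Frame-Options:SAMEORIGIN\r\n"
    "\r\n"
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\r\n<html><head></head></html>'
)
APACHE_404 = (  # what Apache answers when the token file does not exist under the webroot
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.54 (Raspbian)\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head><title>404 Not Found</title>'
)
GOOD_TOKEN = (  # a real challenge answer is "<token>.<account key thumbprint>"; thumbprint made up
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.54 (Raspbian)\r\n"
    "\r\n"
    "tok123.ThumbprintValueConstructedForThisExample"
)

def parse_http_response(raw):
    """Split a raw HTTP/1.1 response (as printed by curl -i) into status, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body

def classify_challenge_response(status, headers, body, token=None):
    """Say what answered GET /.well-known/acme-challenge/<token>:
    "token" (key authorization for `token`), "not_found" (webroot reached, no such file),
    "redirect" (3xx), "html_page" (2xx with an HTML document instead of the token,
    e.g. a router admin page or the app front page) or "other"."""
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    text = body if isinstance(body, str) else body.decode("utf-8", "replace")
    text = text.strip()
    if 300 <= status < 400:
        return "redirect"
    if status == 404:
        return "not_found"
    if token and text.startswith(token + ".") and "\n" not in text:
        return "token"
    if text.lower().startswith(("<!doctype", "<html")) or "text/html" in content_type:
        return "html_page"
    return "other"

def diagnose(status, headers, body, token=None):
    """Human-readable observations, in the spirit of the curl check in the thread."""
    kind = classify_challenge_response(status, headers, body, token)
    notes = ["response class: " + kind]
    server = {k.lower(): v for k, v in headers.items()}.get("server")
    if server is None:
        notes.append("no Server header: Apache normally sends one, so port 80 may not reach Apache at all")
    else:
        notes.append("Server header: " + server)
    if kind == "html_page":
        notes.append("an HTML page came back where the token belongs: check what your router "
                     "or port forwarding sends port 80 to")
    return notes

def fetch_challenge(hostname, token, timeout=10):
    """Live probe of the challenge URL over plain HTTP, stopping at the first hop.
    Let's Encrypt itself follows redirects; not following them here shows what answers first."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make 3xx surface as an HTTPError instead of being followed

    url = "http://%s/.well-known/acme-challenge/%s" % (hostname, token)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 acme_probe.py <hostname> <token>   (hypothetical file name)
        status, headers, body = fetch_challenge(sys.argv[1], sys.argv[2])
    else:  # offline: replay the constructed router-style reply
        status, headers, body = parse_http_response(ROUTER_REPLY)
    for note in diagnose(status, headers, body, "SampleTokenValueForTesting"):
        print(note)
```

Run it with your hostname and any made-up token: "not_found" plus a Server header means port 80 reaches the Apache webroot and Certbot's `--webroot` or `--apache` method should succeed; "html_page" without a Server header means something in front of Apache is answering port 80.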

I am using a Raspberry Pi, with an Apache server for ownCloud.

So when I log in to my address, I get the ownCloud login page. That's what I am serving with Apache.

When you request a Let's Encrypt cert you must respond properly to the HTTP challenge request. You'll have to wait for someone with ownCloud experience to help, or maybe ask on an ownCloud forum.

5 Likes

Using Let's Encrypt with ownCloud is no different than using Let's Encrypt with any Apache website.

When using Let's Encrypt with Apache, I use mod_md.

There is also ownCloud documentation on securing your instance with Let's Encrypt.

6 Likes

In that case, @cesypozo what does this command show?

apachectl -t -D DUMP_VHOSTS
6 Likes
cesar@raspberrypi:/ $ apachectl -t -D DUMP_VHOSTS
[Sun Jan 08 17:54:34.761876 2023] [so:warn] [pid 25199] AH01574: module headers_module is already loaded, skipping
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/apache2.conf:8
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:8080                 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/owncloud.conf:1)
*:443                  is a NameVirtualHost
         default server nubepozo.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost nubepozo.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost nubepozo.ddns.net (/etc/apache2/sites-enabled/owncloud.conf:9)
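The `DUMP_VHOSTS` table above is what the helpers are reading: the `*:80` and `*:8080` entries show `127.0.1.1`, which is the server's fallback name, so no VirtualHost on those ports claims `nubepozo.ddns.net`, while port 443 has two named VirtualHosts for it. Below is an added parser for that output (written for this thread, not part of Certbot or Apache) that reports which ports have a VirtualHost named for a host and flags a port 80 VirtualHost with no matching ServerName, which Certbot's apache plugin uses to pick the VirtualHost. The sample input is the output posted above, reproduced here so the script runs offline.

```python
import re
from collections import defaultdict

# Sample: the apachectl -t -D DUMP_VHOSTS output posted in the thread (warning lines kept
# to show they are skipped).
SAMPLE_DUMP = """\
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:8080                 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/owncloud.conf:1)
*:443                  is a NameVirtualHost
         default server nubepozo.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost nubepozo.ddns.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost nubepozo.ddns.net (/etc/apache2/sites-enabled/owncloud.conf:9)
"""

# "<addr>:<port>  <name> (<file>:<line>)"  -- a port with a single VirtualHost
SINGLE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((\S+):(\d+)\)$")
# "<addr>:<port>  is a NameVirtualHost"   -- followed by indented name lines
NAMEVHOST_HDR_RE = re.compile(r"^(\S+):(\d+)\s+is a NameVirtualHost$")
NAMEVHOST_RE = re.compile(r"^\s+(?:default server|port \d+ namevhost)\s+(\S+)\s+\((\S+):(\d+)\)$")
ALIAS_RE = re.compile(r"^\s+alias\s+(\S+)$")  # ServerAlias lines, when present

def parse_dump_vhosts(text):
    """Return {port: [(name, file, line), ...]} from DUMP_VHOSTS output; other lines are ignored."""
    vhosts = defaultdict(list)
    current_port = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SINGLE_RE.match(line)
        if m:
            _addr, port, name, path, lineno = m.groups()
            vhosts[int(port)].append((name, path, int(lineno)))
            current_port = None
            continue
        m = NAMEVHOST_HDR_RE.match(line)
        if m:
            current_port = int(m.group(2))
            continue
        if current_port is None:
            continue
        m = NAMEVHOST_RE.match(line)
        if m:
            name, path, lineno = m.groups()
            entry = (name, path, int(lineno))
            if entry not in vhosts[current_port]:  # "default server" is repeated as a namevhost line
                vhosts[current_port].append(entry)
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts[current_port]:
            _name, path, lineno = vhosts[current_port][-1]
            vhosts[current_port].append((m.group(1), path, lineno))
    return dict(vhosts)

def ports_serving(vhosts, hostname):
    """Ports on which some VirtualHost is named (ServerName or alias) for `hostname`."""
    return sorted(p for p, entries in vhosts.items() if any(n == hostname for n, _, _ in entries))

def http01_readiness(vhosts, hostname):
    """Problems that would stop Certbot's apache plugin from routing http-01 to `hostname` on port 80."""
    problems = []
    port80 = vhosts.get(80, [])
    if not port80:
        problems.append("no VirtualHost listens on port 80; the http-01 challenge is fetched over port 80")
    elif not any(n == hostname for n, _, _ in port80):
        found = ", ".join("%s (%s:%d)" % e for e in port80)
        problems.append("port 80 VirtualHost has no ServerName %s; found %s" % (hostname, found))
    return problems

if __name__ == "__main__":
    parsed = parse_dump_vhosts(SAMPLE_DUMP)
    for port in sorted(parsed):
        print(port, parsed[port])
    print("ports named for nubepozo.ddns.net:", ports_serving(parsed, "nubepozo.ddns.net"))
    for problem in http01_readiness(parsed, "nubepozo.ddns.net"):
        print("problem:", problem)
```

Pipe real output in with `apachectl -t -D DUMP_VHOSTS 2>&1 | python3 -c '...'` or read it from a file; the point is the port 80 check, which on the posted output reports the `127.0.1.1` VirtualHost at `owncloud.conf:1`.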

Can you show us the contents of this file? Please add 3 backticks before and after the contents to format it properly. Thanks

Like this
```
contents
```

5 Likes
<VirtualHost *:80>
    RewriteEngine on
    #ReWriteCond %{SERVER_PORT} !^443$
    #RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName nubepozo.ddns.net
    Header always add Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    DocumentRoot /var/www/owncloud
    <Directory /var/www/owncloud>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/owncloud.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owncloud.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    #MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

You should add this line right after the VirtualHost *:80:

	ServerName nubepozo.ddns.net

Then restart Apache.

BUT, while that is needed, I don't think that is enough. It doesn't look like Apache is handling the HTTP request, but we'll look at that after you add the ServerName.

6 Likes

I added it and restarted Apache. Tried again, but still no luck:

cesar@raspberrypi:/ $ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: nubepozo.ddns.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Requesting a certificate for nubepozo.ddns.net
Performing the following challenges:
http-01 challenge for nubepozo.ddns.net
Waiting for verification...
Challenge failed for domain nubepozo.ddns.net
http-01 challenge for nubepozo.ddns.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nubepozo.ddns.net
   Type:   unauthorized
   Detail: 38.43.83.253: Invalid response from
   http://nubepozo.ddns.net/.well-known/acme-challenge/2w1rUbS2vaIK7_O819-yfua63doA06wpss5EtuxveC4:
   "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\r\n<html"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


Yes, I don't think HTTP requests are reaching your Apache server. You have a redirect in your port 80 VirtualHost. Yet, when I try reaching your "home" page I am not redirected (see my post #4). Also, there is no "Server: Apache/2.4.54 (Raspbian)" response header like I see with HTTPS requests.

I do see an Apache server with HTTPS (port 443) just not with HTTP (port 80). You should review your router and other network config to ensure port 80 gets to Apache. It looks like it might be processed by some sort of admin panel instead.

Please also show the latest results of below.

apachectl -t -D DUMP_VHOSTS
7 Likes

That says redirect when not ("!") a request for a challenge file.
But it has no document root, so there is nowhere for those challenge requests to go.

7 Likes

What should I add then to fix it?

The missing DocumentRoot is not your primary problem. When trying to reach your site with HTTP it does not connect to your Apache server. Instead, it connects to a system with a screen like below. You need to find out why you can't reach Apache with HTTP (port 80).

4 Likes

The simplest is:

But that is not the most secure.
For that, you should create a new folder [just for this purpose].
Something like:
mkdir /var/challenges
Then use:
DocumentRoot /var/challenges
[note: you might need to give read access to that folder within Apache]

4 Likes

Port 80 is redirecting to the router page while port 443 is redirecting to the ownCloud login page.

I am having a look into it.

Thanks.

1 Like

Thanks for the reply!

I used the 1st option you suggested, "DocumentRoot /var/www/owncloud", since I would like to display the ownCloud login page on both ports 80 and 443 (I guess that's safe).

Although I added it to owncloud.conf, I still get redirected to the router home page using port 80.

<VirtualHost *:80>
        ServerName nubepozo.ddns.net
        RewriteEngine on
        DocumentRoot /var/www/owncloud
        #ReWriteCond %{SERVER_PORT} !^443$
        #RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

Then, as you guys suggested, my problem is related to what I am serving on port 80, not to creating the cert itself.

1 Like