Error message even if the certificate is validated

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/up2school.com-0001.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Simulating renewal of an existing certificate for up2school.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: up2school.com

Type: unauthorized

Detail: 135.125.202.29: Invalid response from https://up2school.com/fr/.well-known/acme-challenge/IyoRkl_Url8UKeUW2YczcarG-DI67wv3cbjOqXbLlqA: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate up2school.com-0001 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/up2school.com-0001/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Please show this file:
/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.up2school.com [OR]
RewriteCond %{SERVER_NAME} =up2school.fr [OR]
RewriteCond %{SERVER_NAME} =up2school.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

That is a broken redirection.
Please show this file:

2 Likes
<VirtualHost *:80>
    ServerName up2school.com
    ServerAlias www.up2school.com
    ServerAdmin alexis@2empower.com
    DocumentRoot "/var/www/up2school/public"
    
    RedirectMatch 301 /fr/article/?$ https://up2school.com/bac
    RedirectMatch 301 /fr/article/(.+) https://up2school.com/bac/$1

    <Directory "/var/www/up2school/public">
        Options FollowSymLinks Indexes
        AllowOverride All
        Allow from all
        Require all granted
        FallbackResource /index.php
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_URI} !^/ajax
            RewriteCond %{REQUEST_URI} !^/api
            RewriteCond %{REQUEST_URI} !^/zone_m1tenance
            RewriteCond %{REQUEST_URI} !^/espace-ecole
            RewriteCond %{REQUEST_URI} !^/(fr|en)
            RewriteCond %{REQUEST_URI} !^/index.php
            RewriteCond %{REQUEST_URI} !^/_
            RewriteRule ^(.*)$ /fr/$1 [L,R=307]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_URI} !^/(fr|en)/article(/.+)? [NC]
            RewriteRule . /index.php [L]
        </IfModule>
    </Directory>
    
    Alias "/fr/article" "/var/www/up2school/ressources"
    
    <Directory "/var/www/up2school/ressources">
        # BEGIN WordPress
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /fr/article/
            RewriteRule ^index\.php$ - [L]
            RewriteCond $1 ^(index\.php)?$ [OR]
            RewriteCond $1 \.(gif|jpg|png|ico|css|js)$ [NC,OR]
            RewriteCond %{REQUEST_FILENAME} -f [OR]
            RewriteCond %{REQUEST_FILENAME} -d
            RewriteRule ^(.*)$ - [S=1]
            RewriteRule . /fr/article/index.php [L]
        </IfModule>
        # END Wordpress
        Require all granted
        DirectoryIndex index.php
        Options +Indexes
        Allow from All
    </Directory>

    ErrorLog "/var/log/apache2/up2school_error_log.log"
    CustomLog "/var/log/apache2/up2school_access_log.log" common
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =www.up2school.com [OR]
    RewriteCond %{SERVER_NAME} =up2school.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

That output seems correct [let me check deeper on that in a minute].
But it contradicts the test output:

Where the ACME challenge request for domain up2school.com ends up with a garbled redirection:

Invalid response from https://up2school.com/fr/.well-known/acme-challenge/IyoRkl_Url8UKeUW2YczcarG-DI67wv3cbjOqXbLlqA: 404
2 Likes

OK, there are multiple redirects involved:

curl -Ii http://up2school.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Location: https://up2school.com/.well-known/acme-challenge/Test_File-1234
curl -Ii https://up2school.com/.well-known/acme-challenge/Test_File-1234
HTTP/2 307
location: https://up2school.com/fr/.well-known/acme-challenge/Test_File-1234

The first one works.
The second one breaks the challenge request path.
But that second one happens in the HTTPS vhost.
Can we see that config?

2 Likes
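To make the redirect-chain diagnosis above repeatable (and to check the "handle the challenge requests in HTTP" option once a config has been changed), here is an added POSIX shell check that is not part of this thread or of Certbot. It takes the header blocks that `curl -Ii` prints for each hop, extracts the `Location` header, and reports the first hop whose target path no longer matches the ACME challenge path. The two sample header blocks are constructed from the responses quoted in the thread so the check runs offline; `live_redirect_target` is an assumed helper name for running the same check against a real host.

```shell
#!/bin/sh
# Challenge path used for the probe; the token is a dummy value, as in the thread.
ACME_PATH='/.well-known/acme-challenge/Test_File-1234'

# Constructed samples: the two hops quoted in the thread (CR/LF differences
# and header-name case are tolerated, because HTTP/2 prints "location:").
HOP1='HTTP/1.1 301 Moved Permanently
Location: https://up2school.com/.well-known/acme-challenge/Test_File-1234'
HOP2='HTTP/2 307
location: https://up2school.com/fr/.well-known/acme-challenge/Test_File-1234'

# location_of HEADERS: print the value of the first Location header, or nothing.
location_of() {
  printf '%s\n' "$1" | tr -d '\r' \
    | awk 'tolower($1) == "location:" { print $2; exit }'
}

# path_of URL: strip "scheme://host[:port]" and keep only the path.
path_of() {
  printf '%s\n' "$1" | sed -E 's#^[a-z]+://[^/]+##'
}

# check_chain HOP1 [HOP2 ...]: walk the hops in order.
# Returns 0 if every redirect keeps the challenge path intact (or there is no
# redirect at all), otherwise returns the 1-based index of the offending hop
# and prints the rewritten path on stderr.
check_chain() {
  hop=0
  for headers in "$@"; do
    hop=$((hop + 1))
    loc=$(location_of "$headers")
    [ -z "$loc" ] && return 0          # no Location header: chain ends here
    target=$(path_of "$loc")
    if [ "$target" != "$ACME_PATH" ]; then
      echo "hop $hop rewrites the challenge path to: $target" >&2
      return "$hop"
    fi
  done
  return 0
}

# live_redirect_target HOST: follow up to 5 redirects from the plain-HTTP URL
# and print the final URL curl lands on (assumed helper; needs network access).
live_redirect_target() {
  curl -sS -o /dev/null -L --max-redirs 5 -w '%{url_effective}\n' \
    "http://$1$ACME_PATH"
}

# final_path_ok URL: 0 if the URL's path is still the challenge path.
final_path_ok() {
  [ "$(path_of "$1")" = "$ACME_PATH" ]
}

# Stand-alone demonstration on the constructed samples.
if check_chain "$HOP1" "$HOP2"; then
  echo "challenge path preserved across the chain"
else
  echo "challenge path broken at hop $?"
fi
```

Run against a live host with `final_path_ok "$(live_redirect_target up2school.com)"`; when that returns non-zero, the HTTPS vhost is still prepending `/fr/` (or something similar) to the challenge path, and whichever fix is chosen (repairing that rule or exempting `/.well-known/acme-challenge/` from the redirect in the HTTP vhost) has not taken effect yet.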

I'm not sure what I should do? :grimacing:

Show file that has the HTTPS vhost for up2school.com.
We either fix that file.
OR
Handle the challenge requests in HTTP [don't redirect them to HTTPS].

I'd like to see the file first to see what we're up against, before recommending either of the two.

2 Likes

But which file has the HTTPS vhost for up2school.com? I'm sorry if my question seems quite basic, my knowledge is very limited in this field...

1 Like

I suppose that one does.

2 Likes

see post #5

2 Likes

Based on post #5, I choose:
"Handle the challenge requests in HTTP [don't redirect them to HTTPS]."

2 Likes

So what should I do or change?

I see that --dry-run test failed. But, you just got that cert 3 days ago. Can you provide more info on what changed in your server config since then?

It seems something has changed in your Apache config that causes it not to work right with the Apache plug-in. We can convert to certonly webroot but it's probably easier if we can find/fix what changed instead.

3 Likes

I don't think I've changed anything in the last three days.

However, we did have an initial certificate (valid until August 24th). I wanted to renew it through several methods, including through the OVH Gateway service. I didn't succeed (I had a redirection error) and I deactivated this certificate so that the site is available again. Then I finally went through Let's Encrypt. Since then, the site is sometimes 100% functional (certificate valid until December 4th) but sometimes I have an error again (certificate valid until August 24th again).

Well, something changed on your server. Otherwise the method used to get a Let's Encrypt cert a couple days ago would still work.

Let's ignore that for now and try to resolve the inconsistent Apache responses. That could be contributing to the non-renewal problem.

Can you show output of this?

sudo ps -eF | grep -Ei 'httpd|apache|nginx'

3 Likes

Yes sure

root       700     1  0 25099 12172   2 Apr11 ?        00:08:14 /usr/sbin/apache2 -k start
www-data  3010   700  0 665707 21596  0 06:25 ?        00:00:42 /usr/sbin/apache2 -k start
www-data  3076   700  0 665939 23108  1 06:25 ?        00:00:52 /usr/sbin/apache2 -k start
admin    11174 11160  0  2668   864   2 13:32 pts/0    00:00:00 grep -Ei httpd|apache|nginx
www-data 28038   700  0 666520 27272  1 Jun27 ?        01:32:07 /usr/sbin/apache2 -k start
www-data 28056   700  0 666730 28884  1 Jun27 ?        01:46:48 /usr/sbin/apache2 -k start
www-data 28143   700  0 666759 28264  0 Jun27 ?        01:40:45 /usr/sbin/apache2 -k start
www-data 28197   700  0 666545 28384  1 Jun27 ?        01:30:25 /usr/sbin/apache2 -k start

What does this show?

sudo apachectl -t

and

sudo systemctl status apache

(or maybe apache2)

2 Likes

For the first one:

Syntax OK

For the second one (with apache2):

● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: 
   Active: active (running) since Mon 2022-04-11 13:59:29 UTC; 4 months 28 days 
  Process: 2656 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/S
 Main PID: 700 (apache2)
    Tasks: 385 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─  700 /usr/sbin/apache2 -k start
           ├─ 3010 /usr/sbin/apache2 -k start
           ├─ 3076 /usr/sbin/apache2 -k start
           ├─28038 /usr/sbin/apache2 -k start
           ├─28056 /usr/sbin/apache2 -k start
           ├─28143 /usr/sbin/apache2 -k start
           └─28197 /usr/sbin/apache2 -k start

Sep 04 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 04 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 05 06:25:01 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 05 06:25:01 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 06 06:25:01 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 06 06:25:01 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 07 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 07 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
lines 1-23...skipping...
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: 
   Active: active (running) since Mon 2022-04-11 13:59:29 UTC; 4 months 28 days 
  Process: 2656 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/S
 Main PID: 700 (apache2)
    Tasks: 385 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─  700 /usr/sbin/apache2 -k start
           ├─ 3010 /usr/sbin/apache2 -k start
           ├─ 3076 /usr/sbin/apache2 -k start
           ├─28038 /usr/sbin/apache2 -k start
           ├─28056 /usr/sbin/apache2 -k start
           ├─28143 /usr/sbin/apache2 -k start
           └─28197 /usr/sbin/apache2 -k start

Sep 04 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 04 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 05 06:25:01 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 05 06:25:01 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 06 06:25:01 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 06 06:25:01 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 07 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 07 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 08 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 08 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
lines 1-25...skipping...
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-04-11 13:59:29 UTC; 4 months 28 days ago
  Process: 2656 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
 Main PID: 700 (apache2)
    Tasks: 385 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─  700 /usr/sbin/apache2 -k start
           ├─ 3010 /usr/sbin/apache2 -k start
           ├─ 3076 /usr/sbin/apache2 -k start
           ├─28038 /usr/sbin/apache2 -k start
           ├─28056 /usr/sbin/apache2 -k start
           ├─28143 /usr/sbin/apache2 -k start
           └─28197 /usr/sbin/apache2 -k start

Sep 04 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 04 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 05 06:25:01 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 05 06:25:01 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 06 06:25:01 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 06 06:25:01 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 07 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 07 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.
Sep 08 06:25:02 vps-991e8f9b systemd[1]: Reloading The Apache HTTP Server.
Sep 08 06:25:02 vps-991e8f9b systemd[1]: Reloaded The Apache HTTP Server.

I was looking for something odd with the running Apache but don't see anything. Although I am not sure why the same info was repeated for systemctl status 3 times.

I don't see any reason for Apache to respond differently to repeated requests. The only thing I can think of to resolve that is to sudo apachectl restart. If inconsistent results still occur, a restart of the server should be tried.

I know this can be disruptive so let us know what you did and when it's done. Thanks

3 Likes

I tried today to restart (sudo systemctl restart apache2 && sudo systemctl restart php7.4-fpm) and it seems to be OK now. It's pretty weird, but it's nice if it's working.