Error when generating certificate with certbot

Hello, when I tried to use certbot to turn on HTTPS on my server, I had some problems.

Thank you in advance for your help !

=====

My domain is: ibfinance.sas.pro.dns-orange.fr

I ran this command: sudo certbot --apache

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: ibfinance.sas.pro.dns-orange.fr

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for ibfinance.sas.pro.dns-orange.fr
Performing the following challenges:
http-01 challenge for ibfinance.sas.pro.dns-orange.fr
Waiting for verification...
Challenge failed for domain ibfinance.sas.pro.dns-orange.fr
http-01 challenge for ibfinance.sas.pro.dns-orange.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS (ubuntu server)

My hosting provider, if applicable, is: It's a private server, hosted by myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

=====

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Having run several tests on ibfinance.sas.pro.dns-orange.fr, I am unable to determine why you're seeing that error. Have you changed anything since creating this topic? I noticed from your certificate history that you were able to successfully acquire a certificate a while ago. What has changed about your setup since then? Did you recently remove an HTTP to HTTPS redirect?

1 Like

I am seeing this:

```
>>> http://ibfinance.sas.pro.dns-orange.fr:443

> --------------------------------------------
> 403 Forbidden
> --------------------------------------------

Status: 403 Forbidden
Code: 403
Date: Wed, 27 Jan 2021 12:52:27 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 297
Connection: close
Content-Type: text/html; charset=iso-8859-1
```

That appears to be an HTTP response on port 443, which is supposed to be HTTPS.

1 Like
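
Added example, not part of any post in this thread: a small Python check for the condition described above, a port 443 that answers in plaintext HTTP instead of TLS. The function names and returned labels are this example's own, the byte strings in the comments are constructed, and `probe` needs network access to the server being checked.

```python
import socket
import ssl
import sys

# First byte of a TLS record: change_cipher_spec, alert, handshake, application_data.
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a server sent back on a port expected to speak TLS."""
    if not data:
        return "no-data"
    # A TLS record starts with a content-type byte followed by major version 0x03.
    if len(data) >= 2 and data[0] in TLS_RECORD_TYPES and data[1] == 0x03:
        return "tls"
    # A plaintext HTTP status line starts with the literal "HTTP/",
    # e.g. the constructed sample b"HTTP/1.1 403 Forbidden".
    if data.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Try a TLS handshake first; if it fails, see whether plain HTTP answers."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLCertVerificationError:
        # The handshake got as far as certificate checks, so the port speaks TLS.
        return "tls"
    except (ssl.SSLError, ConnectionResetError):
        pass  # no usable TLS here; fall through to a plaintext request
    with socket.create_connection((host, port), timeout=timeout) as raw:
        request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
        raw.sendall(request)
        return classify_first_bytes(raw.recv(16))


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 probe443.py <hostname>
    print(probe(sys.argv[1]))
```

A result of `plain-http` on port 443 matches the 403 response quoted above: the web server is listening on that port without TLS enabled for it.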

Since the last certificate, my server has been reinstalled. And I don't think that port 443 is open; same for HTTP to HTTPS, I think that is not redirected.

From my last post, I'm clearly seeing port 443 open.

1 Like

I do not see a redirect either, which is why I'm so baffled by the 403 error in your certbot output. Every test I ran resulted in a 404, which is the expected result.

1 Like

What is the output of this:

```
sudo apachectl -S
```

1 Like

The output is:

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost ibfinance.sas.pro.dns-orange.fr (/etc/apache2/sites-enabled/ibfinance.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

What are the contents of this file:

/etc/apache2/sites-available/ibfinance.conf

1 Like

The content is:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerName ibfinance.sas.pro.dns-orange.fr
    ServerAdmin webmaster@localhost
    DocumentRoot /home/minecraft_serveur_owner/Sites_Internet/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Please edit your last post and add 3 backticks (```) on a line before and after your output. It will help tremendously with readability.

```
output
```

1 Like

Ok, sorry:

'''

VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerName ibfinance.sas.pro.dns-orange.fr
    ServerAdmin webmaster@localhost
    DocumentRoot /home/minecraft_serveur_owner/Sites_Internet/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

'''

Those are single quotes ('). You need backticks (`).

The key is below the escape key on English keyboards.

1 Like

```
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerName ibfinance.sas.pro.dns-orange.fr
        ServerAdmin webmaster@localhost
        DocumentRoot /home/minecraft_serveur_owner/Sites_Internet/www

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Beautiful!

:slightly_smiling_face:

Thanks for that!

1 Like

No problem, thank you too for helping me! :wink:

What does this contain:

/etc/apache2/sites-available/000-default.conf

1 Like

The content is:

```
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /home/minecraft_serveur_owner/Sites_Internet/www

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

Just for cleanliness, let's run these:

```
sudo a2dissite 000-default.conf
sudo apachectl -k graceful
```

1 Like

Then let's see the new output of this:

```
sudo apachectl -S
```

1 Like