Failed authorization procedure

Hi, I'm trying to get a certificate for my website. For some reason it's not working. Any help would be really appreciated :slight_smile:
My domain is: jorisprins.com

I ran this command: sudo certbot --apache

It produced this output:

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.25 (Raspbian)

The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian

My hosting provider, if applicable, is: Vimexx.nl

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No I only bought the domains.

The version of my client is: certbot 0.28.0

Hi @DevJoris

Is your IPv6 configured correctly?

What says

apachectl -S

There is a check of your domain, ~30 minutes old - https://check-your-website.server-daten.de/?q=jorisprins.com

ipv4 and ipv6 have the same answer and the same Server header, that looks good.

Maybe you have more than one port 80 vHost with that domain name.

Hey thanks for your reply!

It says this:

AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/jorisprins.ddns.net-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/jorisprins.ddns.net/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

Background info: jorisprins.ddns.net is also one of my domains, but that one did succeed on getting a SSL certificate

Run it as root / sudo.

If the error is again visible, fix it or disable that vHost.

apachectl -S must work.

The sudo did it:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 jorisprins.ddns.net (/etc/apache2/sites-enabled/jorisprins.ddns.net-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost jorisprins.com (/etc/apache2/sites-enabled/jorisprins.com.conf:1)
port 80 namevhost jorisprins.ddns.net (/etc/apache2/sites-enabled/jorisprins.ddns.net-le-ssl.conf:38)
port 80 namevhost jorisprins.ddns.net (/etc/apache2/sites-enabled/jorisprins.ddns.net.conf:1)
port 80 namevhost jorisprins.site (/etc/apache2/sites-enabled/jorisprins.site.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I also read something about insecure forwarding URLs. On the hosting site (the site where I bought the domains) I forwarded the URL jorisprins.com to my IP address. I read on another post that this might cause the issue, is this right?

Update: Tested it on another domain, jorisprins.site. Disabled the URL redirect, still not working.

That’s wrong

Two port 80 vHosts with the same domain name. Merge these in one vHost. But that’s not the main problem.

The jorisprins.com has only one vHost.

What’s the content of that file:

/etc/apache2/sites-enabled/jorisprins.com.conf
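The duplicate port 80 vHost the reply points at can be spotted mechanically from the `apachectl -S` dump. The following script is an added example and is not part of the thread or of certbot; it parses the "port N namevhost" lines (and any "alias" lines Apache prints under them for ServerAlias entries, an assumption about the dump format) and reports every name that is defined more than once on the same port. The sample dump is the one quoted in the thread, re-indented.

```python
import re
from collections import defaultdict

# Constructed sample: the port-80 part of the `apachectl -S` dump quoted in the thread,
# re-indented the way Apache prints it (leading whitespace is ignored by the parser anyway).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  jorisprins.ddns.net (/etc/apache2/sites-enabled/jorisprins.ddns.net-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost jorisprins.com (/etc/apache2/sites-enabled/jorisprins.com.conf:1)
         port 80 namevhost jorisprins.ddns.net (/etc/apache2/sites-enabled/jorisprins.ddns.net-le-ssl.conf:38)
         port 80 namevhost jorisprins.ddns.net (/etc/apache2/sites-enabled/jorisprins.ddns.net.conf:1)
         port 80 namevhost jorisprins.site (/etc/apache2/sites-enabled/jorisprins.site.conf:1)
ServerRoot: "/etc/apache2"
"""

NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")  # ServerAlias lines follow their namevhost


def parse_namevhosts(dump):
    """Map (port, hostname) -> list of (config file, line) for every name that
    Apache would match on that port, ServerAlias entries included."""
    hosts = defaultdict(list)
    current = None  # (port, file, line) of the namevhost that following alias lines belong to
    for line in dump.splitlines():
        m = NAMEVHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            current = (int(port), path, int(lineno))
            hosts[(int(port), name)].append((path, int(lineno)))
            continue
        m = ALIAS_RE.match(line)
        if m and current is not None:
            port, path, lineno = current
            hosts[(port, m.group(1))].append((path, lineno))
    return dict(hosts)


def duplicate_namevhosts(dump):
    """Names defined by more than one vHost on the same port. Apache only ever routes
    requests to the first one listed, and certbot's Apache plugin has to guess which
    of the two files to edit, so these are the ones to merge or disable."""
    return {key: locs for key, locs in parse_namevhosts(dump).items() if len(locs) > 1}


if __name__ == "__main__":
    for (port, name), locs in duplicate_namevhosts(SAMPLE_DUMP).items():
        print(f"port {port} {name} is defined {len(locs)} times:")
        for path, lineno in locs:
            print(f"  {path}:{lineno}")
```

Run it against a live dump with `sudo apachectl -S 2>&1 | python3 check_vhosts.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; on the thread's output it reports jorisprins.ddns.net twice on port 80, once from the certbot-generated `-le-ssl.conf` and once from the original site file.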

How do I merge the 2 Vhosts?

Content of the file:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName jorisprins.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

There is your error.

Testing your raw ip addresses:

Ipv4: https://check-your-website.server-daten.de/?q=185.104.28.238&h=jorisprins.com

Ipv6: https://check-your-website.server-daten.de/?q=[2a06%3A2ec0%3A1%3A%3Affed]&h=jorisprins.com

Both have a frame to another ip address http://213.233.208.209. That can’t work.

You must use that ip address in your A record, perhaps remove your ipv6 address.

Then run certbot on that ip address.

How do I remove the ipv6? And what do you mean by: “run certbot on that ip address”

Check your DNS.

Please start with some basics:

Then read that:

If you use http-validation, your running Certbot must be able to write in the /.well-known/acme-challenge - subdirectory of your website (if you don’t have a redirect). So if that ip 2a06:2ec0:1::ffed isn’t the ip where you run Certbot (because it’s a frame of your hoster or dns provider), that can’t work.

You said I had to update my A records. I changed them to my IP, but do I also need to update my AAAA records?

Yes, that’s required. Letsencrypt prefers ipv6.

But if you don’t have an ipv6 entry, remove it.

Will try; DNS will update in 2-4 hours and then I'll update you :slight_smile:

Did I update the right records?

That's wrong. Your non-www "@" and your www have different IP addresses. Both should be the 213.*, if you run your Certbot there.

And your ipv6 is a private address. Remove the AAAA record if the 213.* doesn’t have a public ipv6.
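The three DNS findings in this thread (a record still pointing at the hoster's forwarding address, www and @ resolving differently, and an AAAA record with a non-public address) are exactly what an http-01 validation trips over: the ACME server fetches /.well-known/acme-challenge/… from whatever the name resolves to, so every A and AAAA record must point at the host where certbot runs. The script below is an added example, not part of the thread or of certbot; it checks a set of records against the addresses of the certbot host without touching the network. The sample records are constructed from the addresses mentioned in the thread, with fd00::1 as an invented private IPv6 address standing in for the AAAA record the reply complains about.

```python
import ipaddress

# Constructed sample, modelled on the thread's final state: the hosting provider's
# forwarding address (185.104.28.238) is still on "www", the apex already points at
# the Raspberry Pi (213.233.208.209), and the AAAA record is a ULA (fd00::1, an
# invented value) that nobody on the internet can reach.
SAMPLE_RECORDS = {
    ("@", "A"): ["213.233.208.209"],
    ("www", "A"): ["185.104.28.238"],
    ("@", "AAAA"): ["fd00::1"],
}
# Public addresses of the machine where certbot runs (assumed, taken from the thread).
HOST_ADDRESSES = ["213.233.208.209"]


def check_records(records, host_addresses):
    """Return a list of (label, rtype, address, problem) for every record that would
    send an http-01 validation somewhere other than the certbot host."""
    host = {ipaddress.ip_address(a) for a in host_addresses}
    problems = []
    for (label, rtype), addrs in sorted(records.items()):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            expected_version = 4 if rtype == "A" else 6
            if ip.version != expected_version:
                problems.append((label, rtype, addr, f"not an IPv{expected_version} address"))
            elif not ip.is_global:
                # loopback, link-local, ULA (fd00::/8), RFC 1918: the CA cannot reach these
                problems.append((label, rtype, addr, "not a public address"))
            elif ip not in host:
                problems.append((label, rtype, addr, "does not point at this host"))
    # Every name on the certificate is validated separately; if www and the apex
    # resolve to different addresses one of them cannot be served from this host.
    for rtype in ("A", "AAAA"):
        apex = set(records.get(("@", rtype), []))
        www = set(records.get(("www", rtype), []))
        if apex and www and apex != www:
            problems.append(("www", rtype, ",".join(sorted(www)), "differs from @"))
    return problems


def ready_for_http01(records, host_addresses):
    """True when no record would misdirect the validation request."""
    return not check_records(records, host_addresses)


if __name__ == "__main__":
    for label, rtype, addr, problem in check_records(SAMPLE_RECORDS, HOST_ADDRESSES):
        print(f"{label:4} {rtype:5} {addr:20} {problem}")
```

Feed it the output of `dig +short A` / `dig +short AAAA` for the apex and www names and the addresses from `ip -br addr` on the certbot host. The AAAA rule matches the advice in the thread: a record that is not a public address of the certbot host should be removed rather than left in place, because Let's Encrypt will try IPv6 first when an AAAA record exists.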
