Failed http-01 challenge for renewal of vhost

Hi, I'm relatively new to LetsEncrypt and certbot, and struggling to resolve this issue alone - treading cautiously so as not to trigger another 1 week lockout. Any help would be much appreciated.

Context: I have three virtual hosts set up on this server. No issues since the initial certificates created a few months ago. I renewed all of them at the same time (a few days late, after expiry) and two of three succeeded but this one failed the http-01 challenge with a 404 response. The three sites are supposed to be configured the same as one another, but it seems something has diverged with this site.

My domain is:

I ran this command:
sudo certbot --dry-run --apache certonly -n -d

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

$ cat /etc/apache2/sites-enabled/

<VirtualHost *:80>
	DocumentRoot /var/www/vhosts/
	ServerAdmin <redacted>
	<Directory /var/www/vhosts/>
		AllowOverride All
	</Directory>
	RewriteEngine on
	RewriteCond %{SERVER_NAME} [OR]
	RewriteCond %{SERVER_NAME}
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

$ cat /etc/apache2/sites-enabled/

<IfModule mod_ssl.c>
<VirtualHost *:443>
	DocumentRoot /var/www/vhosts/
	ServerAdmin <redacted>
	<Directory /var/www/vhosts/>
		AllowOverride All
	</Directory>
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/
	SSLCertificateKeyFile /etc/letsencrypt/live/
</VirtualHost>
</IfModule>

What's the output of apachectl -S?


This file is never matched:

It clearly shows that it would have redirected the HTTP challenge request to HTTPS.
But the failed request is not for HTTPS:

So, I agree with @Osiris
We need to have a look at the apache configuration.
[there must be a name overlap in there]


You are saints for even responding - thank you.
Here is the output of $ sudo apachectl -S

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
port 443 namevhost (/etc/apache2/sites-enabled/
*:80 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33


Here is the problem:

port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/

Based on the file names, it would seem that should be the one handling this name.
If so, then 000-default.conf should NOT.
You should probably be able to fix this quickly/easily by disabling that file.
For that, use:
a2dissite 000-default.conf
Then restart apache [there are many ways to do that]
Then recheck
apachectl -S
[to be sure that 000-default.conf is no longer shown]
Then redo the test run on the expected renewal:
sudo certbot --dry-run --apache certonly -d
[not sure why you used -n at the command prompt - I would leave that out]
If it says "Congratulations!" - We WIN ! ! !
Just remove --dry-run and get your real cert.
If it still fails, please post the error message shown.
[I'm confident it will work though]

Cheers from Miami :beers:
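The check behind this diagnosis (which vhost file on port 80 actually answers for the challenged name, and where an unclaimed name falls through to) can be scripted against `apachectl -S` output. This is an added example, not from the thread; it runs on a constructed sample with placeholder hostnames (site.example, ubuntu) and Debian/Ubuntu sites-enabled paths.

```shell
#!/bin/sh
# Added example, not from the thread: answer "which vhost file serves this
# name on this port?" from `apachectl -S` output, the way the diagnosis above
# reads it. A name no vhost claims falls to the port's default server, which is
# how an ACME request can land in 000-default.conf's /var/www/html and 404.

# Constructed sample in apachectl -S format with placeholder hostnames.
SAMPLE='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server site.example (/etc/apache2/sites-enabled/site.example-le-ssl.conf:2)
         port 443 namevhost site.example (/etc/apache2/sites-enabled/site.example-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server ubuntu (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ubuntu (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost site.example (/etc/apache2/sites-enabled/site.example.conf:1)
                 alias www.site.example
ServerRoot: "/etc/apache2"'

# resolve_vhost PORT NAME: reads apachectl -S text on stdin and prints
# "match FILE" for the first vhost whose ServerName or ServerAlias equals NAME,
# or "default FILE" for the port's default server when nothing matches.
# Simplification: NameVirtualHost sections and exact, case-sensitive names only
# (no wildcard aliases).
resolve_vhost() {
    awk -v port="$1" -v name="$2" '
        # "*:80 is a NameVirtualHost" opens a port section
        $2 == "is" && $1 ~ /:[0-9]+$/ { cur = $1; sub(/^.*:/, "", cur); next }
        cur != port { next }
        $1 == "default" && $2 == "server"   { def = $4 }
        $1 == "port" && $3 == "namevhost"   { last = $5; if ($4 == name && !hit) hit = last }
        $1 == "alias" && $2 == name && !hit { hit = last }
        END {
            f = hit ? hit : def
            sub(/^\(/, "", f); sub(/:[0-9]+\)$/, "", f)   # "(file:line)" -> file
            print (hit ? "match" : "default") " " f
        }'
}

# On a real server: sh this.sh 80 your.domain (reads the live apachectl -S).
if [ $# -eq 2 ] && command -v apachectl >/dev/null 2>&1; then
    apachectl -S 2>/dev/null | resolve_vhost "$1" "$2"
fi

# Sample runs: the claimed name is served by the site file, a misspelt or
# unclaimed name falls through to 000-default.conf.
printf '%s\n' "$SAMPLE" | resolve_vhost 80 site.example   # match /etc/apache2/sites-enabled/site.example.conf
printf '%s\n' "$SAMPLE" | resolve_vhost 80 typo.example   # default /etc/apache2/sites-enabled/000-default.conf
```

After `a2dissite 000-default.conf`, the same check shows the site's own file as the port 80 default, which is why the fix above works even for a name the vhost does not list explicitly.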


The steps you gave me worked exactly as you intended and resolved the problem. Thank you so much - I'd been going around in circles.

Beers on me next time!

