Failed http-01 challenge for renewal of vhost

Hi, I'm relatively new to LetsEncrypt and certbot, and struggling to resolve this issue alone - treading cautiously so as not to trigger another 1 week lockout. Any help would be much appreciated.

Context: I have three virtual hosts set up on this server. No issues since the initial certificates created a few months ago. I renewed all of them at the same time (a few days late, after expiry) and two of three succeeded but this one failed the http-01 challenge with a 404 response. The three sites are supposed to be configured the same as one another, but it seems something has diverted with this site.

My domain is:
tranquilitynode.com

I ran this command:
sudo certbot --dry-run --apache certonly -n -d tranquilitynode.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for tranquilitynode.com
Waiting for verification...
Challenge failed for domain tranquilitynode.com
http-01 challenge for tranquilitynode.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tranquilitynode.com
   Type:   unauthorized
   Detail: Invalid response from
   http://tranquilitynode.com/.well-known/acme-challenge/vSP7L4ROxwlIgMehWv_5xrJDWGhtZUcQWWLpY3linJU
   [3.8.59.189]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

$ cat /etc/apache2/sites-enabled/tranquilitynode.com.conf

<VirtualHost *:80>
	ServerName tranquilitynode.com
	ServerAlias www.tranquilitynode.com
	DocumentRoot /var/www/vhosts/tranquilitynode.com
	ServerAdmin <redacted>@tranquilitynode.com
	<Directory /var/www/vhosts/tranquilitynode.com>
		AllowOverride All
	</Directory>
	RewriteEngine on
	RewriteCond %{SERVER_NAME} =tranquilitynode.com [OR]
	RewriteCond %{SERVER_NAME} =www.tranquilitynode.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

$ cat /etc/apache2/sites-enabled/tranquilitynode.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerName tranquilitynode.com
	ServerAlias www.tranquilitynode.com
	DocumentRoot /var/www/vhosts/tranquilitynode.com
	ServerAdmin <redacted>@tranquilitynode.com
	<Directory /var/www/vhosts/tranquilitynode.com>
		AllowOverride All
	</Directory>
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/tranquilitynode.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/tranquilitynode.com/privkey.pem
</VirtualHost>
</IfModule>

What's the output of apachectl -S?


This file is never matched:

It clearly shows that it would have redirected the HTTP challenge request to HTTPS.
But the failed request is not for HTTPS:

So, I agree with @Osiris
We need to have a look at the apache configuration.
[there must be a name overlap in there]


You are saints for even responding - thank you.
Here is the output of $ sudo apachectl -S

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using tranquilitynode.com. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
[...]
port 443 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/tranquilitynode.com-le-ssl.conf:2)
alias www.tranquilitynode.com
*:80 is a NameVirtualHost
default server tranquilitynode.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/000-default.conf:1)
[...]
port 80 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/tranquilitynode.com.conf:1)
alias www.tranquilitynode.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33


Here is the problem:

port 80 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/tranquilitynode.com.conf:1)

Based on the file names, it would seem that tranquilitynode.com.conf should be the one handling this name.
If so, then 000-default.conf should NOT.
You should probably be able to fix this quickly/easily by disabling that file.
For that, use:
a2dissite 000-default.conf
Then restart apache [there are many ways to do that]
Then recheck
apachectl -S
[to be sure that 000-default.conf is no longer shown]
Then redo the test run on the expected renewal:
sudo certbot --dry-run --apache certonly -d tranquilitynode.com
[not sure why you used -n at the command prompt - I would leave that out]
If it says "Congratulations!" - We WIN ! ! !
Just remove --dry-run and get your real cert.
If it still fails, please post the error message shown.
[I'm confident it will work though]

Cheers from Miami :beers:

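The diagnosis above boils down to one rule: on a name-based port, Apache hands a request to the first enabled <VirtualHost> whose ServerName or ServerAlias matches the Host header, in load order, and 000-default.conf sorts before tranquilitynode.com.conf. The script below is an added example, not code from the original poster, from Apache or from certbot: it parses `apachectl -S` output and lists every hostname that more than one config file claims on a given port, so the overlap can be spotted (and confirmed gone after `a2dissite` and a reload) without reading the listing by eye. The sample listing embedded in it is constructed to mirror the thread's output rather than captured from a real host; the function names `find_vhost_overlaps` and `check_live_vhosts` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, Apache or certbot): report
# hostnames that more than one enabled vhost file declares on one port,
# using the same `apachectl -S` output the thread relies on.

# Constructed sample modelled on the thread's listing (not from a live host).
SAMPLE_APACHECTL_S=$(cat <<'EOF'
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server tranquilitynode.com (/etc/apache2/sites-enabled/tranquilitynode.com-le-ssl.conf:2)
         port 443 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/tranquilitynode.com-le-ssl.conf:2)
                 alias www.tranquilitynode.com
*:80                   is a NameVirtualHost
         default server tranquilitynode.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost tranquilitynode.com (/etc/apache2/sites-enabled/tranquilitynode.com.conf:1)
                 alias www.tranquilitynode.com
ServerRoot: "/etc/apache2"
EOF
)

# find_vhost_overlaps PORT  (reads apachectl -S output on stdin)
# Prints one line per hostname (ServerName or ServerAlias) declared by more
# than one file on PORT: "<name> <file1> <file2> ...". Prints nothing when
# every name on that port maps to exactly one file.
find_vhost_overlaps() {
    port=${1:-80}
    awk -v want="$port" '
        # Remember which files claim a name; count each file once per name.
        function record(name, f) {
            if (index(" " files[name] " ", " " f " ") == 0) {
                files[name] = (files[name] == "" ? f : files[name] " " f)
                count[name]++
            }
        }
        # "port 80 namevhost example.com (/etc/apache2/sites-enabled/x.conf:1)"
        /^[ \t]*port [0-9]+ namevhost / {
            cur_port = $2
            file = $5; sub(/^\(/, "", file); sub(/:[0-9]+\)$/, "", file)
            if (cur_port == want) record($4, file)
            next
        }
        # "alias www.example.com" belongs to the namevhost line above it.
        /^[ \t]*alias / {
            if (cur_port == want) record($2, file)
            next
        }
        END { for (n in files) if (count[n] > 1) print n " " files[n] }
    ' | sort
}

# Live check for a real host (run as root). Not invoked here so that the
# example runs offline; use it after `a2dissite 000-default.conf` and an
# Apache reload to confirm the duplicate is gone before retrying certbot.
check_live_vhosts() {
    apachectl -S 2>&1 | find_vhost_overlaps "${1:-80}"
}

# Demonstration on the constructed sample: port 80 is ambiguous, 443 is not.
printf '%s\n' "$SAMPLE_APACHECTL_S" | find_vhost_overlaps 80
```

On the sample this prints `tranquilitynode.com` followed by the two files that both claim it on port 80, which is exactly the pair of lines the reply singles out; with the 000-default.conf entries removed from the listing it prints nothing.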

LOVE YOU!
the steps you gave me worked exactly as you intended and resolved the problem. Thank you so much - I'd been going around in circles.

Beers on me next time!

