Failed Renew Certificate Error getting validation data

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pits-api.primatc.co.id (corrected)

I ran this command: certbot renew

It produced this output:
```
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: pits-api.primatc.co.id
Type: connection
Detail: 103.178.152.171: Fetching http://pits-api.primatc.co.id/.well-known/acme-challenge/AKZvo_Id0zYaehMRamif7DoTI61cT1tWxRUmaItK1j8: Error getting validation data
```

My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: May 30 2023 14:01:11

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

Hello @elfaqr, welcome to the Let's Encrypt community. :slightly_smiling_face:

Those 2 do not match. What is the proper string for the domain name in question, please?

3 Likes

oh sorry, the name is primatc.co.id

2 Likes

Hi @elfaqr,

I suspect you have some geo blocking going from this Permanent link to this check report

Please read these:

2 Likes

OK, I'll check them.

1 Like

@elfaqr

Here is a list of issued certificates https://crt.sh/?q=primatc.co.id, the latest being 2024-05-14;
yet the certificate being served https://decoder.link/sslchecker/primatc.co.id/443 is from 2024-04-26.

Also from around the world not that many OK Responses here Permanent link to this check report

1 Like

I tried to make a manual certification and it asked to put a code under the acme-challenge folder, like this:

http://pits-api.primatc.co.id/.well-known/acme-challenge/24343sadsadsa9293232

But I cannot access http for some reason that I don't understand. But the file can be accessed if using https, like this:

https://pits-api.primatc.co.id/.well-known/acme-challenge/24343sadsadsa9293232

please help.

You have a working Apache server so you should not use a manual method. You should use --apache or --webroot.

But, none of those will work until you get HTTP connections working to your system. Would you show output of this command?

```
apachectl -t -D DUMP_VHOSTS
```

And show this

```
sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'
```
3 Likes

```
[root@localhost ~]# apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server dev-intipam-pits.primatc.co.id (/etc/httpd/conf.d/dev-intipam-pits-le-ssl.conf:2)
port 80 namevhost dev-intipam-pits.primatc.co.id (/etc/httpd/conf.d/dev-intipam-pits-le-ssl.conf:2)
port 80 namevhost dev-intipam-pits.primatc.co.id (/etc/httpd/conf.d/dev-intipam-pits.conf:1)
port 80 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be-le-ssl.conf:2)
port 80 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be.conf:1)
port 80 namevhost pits-api-dev.primatc.co.id (/etc/httpd/conf.d/pits-api-dev.conf:1)
*:443 localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
[root@localhost ~]#
```

```
#sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'
[root@localhost ~]# sudo netstat -pant | grep -i listen | grep -Ei ':80|:443'
tcp6 0 0 :::80 :::* LISTEN 16936/httpd
tcp6 0 0 :::8080 :::* LISTEN 1751/tnslsnr
tcp6 0 0 :::443 :::* LISTEN 16936/httpd
```

You have the same domain name defined twice for the same port (80). You can only have the same name once for each port.

This is duplicated

And this

Please post the contents of these two files. And add 3 backticks before and after the output so the forum formats it correctly.
Like this
```
show contents of /etc/httpd/conf.d/intipam-be-le-ssl.conf
```
And this:
```
show contents of /etc/httpd/conf.d/intipam-be.conf
```

3 Likes
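As an added example (not part of any post in this thread, and not certbot's or Apache's own tooling), this shell function scans `DUMP_VHOSTS` output for the two conditions diagnosed above: a ServerName defined twice on one port, and a certbot `-le-ssl.conf` vhost answering on port 80. The names `check_vhost_dump` and `sample_dump` and the output labels are made up here; the sample input is the vhost listing posted earlier in the thread.

```shell
#!/usr/bin/env bash
# Added example: scan `httpd -t -D DUMP_VHOSTS` output (on stdin) for the two
# problems diagnosed in this thread.

check_vhost_dump() {
  awk '
    # Lines of interest look like:
    #   port 80 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/x.conf:2)
    $1 == "port" && $3 == "namevhost" {
      port = $2; name = $4
      loc = $5; gsub(/[()]/, "", loc)          # -> /path/file.conf:LINE
      key = port " " name
      n[key]++
      where[key] = where[key] (n[key] > 1 ? "," : "") loc
      # Assumption: certbot names the SSL vhost files it creates *-le-ssl.conf,
      # so one of those answering on port 80 carries the wrong port.
      if (port == "80" && loc ~ /-le-ssl\.conf:[0-9]+$/)
        print "SSL-VHOST-ON-80 " name " " loc
    }
    END {
      for (k in n) if (n[k] > 1) print "DUPLICATE " k " " where[k]
    }
  ' | sort
}

# Sample input: the vhost lines from the DUMP_VHOSTS output posted in this thread.
sample_dump() {
  cat <<'EOF'
*:80 is a NameVirtualHost
default server dev-intipam-pits.primatc.co.id (/etc/httpd/conf.d/dev-intipam-pits-le-ssl.conf:2)
port 80 namevhost dev-intipam-pits.primatc.co.id (/etc/httpd/conf.d/dev-intipam-pits-le-ssl.conf:2)
port 80 namevhost dev-intipam-pits.primatc.co.id (/etc/httpd/conf.d/dev-intipam-pits.conf:1)
port 80 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be-le-ssl.conf:2)
port 80 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be.conf:1)
port 80 namevhost pits-api-dev.primatc.co.id (/etc/httpd/conf.d/pits-api-dev.conf:1)
*:443 localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
EOF
}

# Live use: httpd -t -D DUMP_VHOSTS 2>/dev/null | check_vhost_dump
sample_dump | check_vhost_dump
```

An empty result means no name is repeated on a port and no `-le-ssl.conf` vhost is bound to port 80.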

contents of /etc/httpd/conf.d/intipam-be-le-ssl.conf

```
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName pits-api.primatc.co.id
    ProxyPass / http://31.7.101.18:49017/
    ProxyPassReverse / http://31.7.101.18:49017/
    DocumentRoot /opt/intipam_billing_be

    SSLCertificateFile /etc/letsencrypt/live/pits-api.primatc.co.id/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pits-api.primatc.co.id/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/pits-api.primatc.co.id/chain.pem
</VirtualHost>
</IfModule>
```

And this:
contents of /etc/httpd/conf.d/intipam-be.conf

```
<VirtualHost *:80>
    ServerName pits-api.primatc.co.id
    ProxyPass / http://31.7.101.18:49017/
    ProxyPassReverse / http://31.7.101.18:49017/
    DocumentRoot /opt/intipam_billing_be
# RewriteEngine on
# RewriteCond %{SERVER_NAME} =pits-api.primatc.co.id
# RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

I don't know how this happened but in this file

Change this line
`<VirtualHost *:80>`
to:
`<VirtualHost *:443>`

You probably need to make a similar change for the other duplicate I pointed out.

After you get that fixed we will work through the next step with the cert.

2 Likes

I fixed it, and removed the other one as well. This:

```
[root@localhost conf.d]# apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be.conf:1)
port 80 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be.conf:1)
port 80 namevhost pits-api-dev.primatc.co.id (/etc/httpd/conf.d/pits-api-dev.conf:1)
*:443 is a NameVirtualHost
default server pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be-le-ssl.conf:2)
port 443 namevhost pits-api.primatc.co.id (/etc/httpd/conf.d/intipam-be-le-ssl.conf:2)
port 443 namevhost localhost.localdomain (/etc/httpd/conf.d/ssl.conf:56)
```

1 Like

Hey, it works. Thanks a lot. This saved my job. I really appreciate it. :pray:

```
[root@localhost conf.d]# certbot -v --apache -d pits-api.primatc.co.id
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for pits-api.primatc.co.id
Performing the following challenges:
http-01 challenge for pits-api.primatc.co.id
Waiting for verification...
Cleaning up challenges

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/pits-api.primatc.co.id/fullchain.pem
Key is saved at: /etc/letsencrypt/live/pits-api.primatc.co.id/privkey.pem
This certificate expires on 2024-08-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/intipam-be-le-ssl.conf
Successfully deployed certificate for pits-api.primatc.co.id to /etc/httpd/conf.d/intipam-be-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/intipam-be.conf to ssl vhost in /etc/httpd/conf.d/intipam-be-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

If you like Certbot, please consider supporting our work by:
```

3 Likes
