I am failing the http-01 challenge - but weirdly enough, Let's Debug gives me an "All OK!", no issues. Can anyone help me understand what is going wrong?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: brass.run
I ran this command: certbot --apache (from root)
It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: brass.run
  Type:   unauthorized
  Detail: 87.106.80.75: Invalid response from http://brass.run/.well-known/acme-challenge/1RTGK_AhVxbAelY4eEmPt0Hy2nztKVl-QXT_ZuEmGl4: 404
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
My web server is (include version): ubuntu 22.04
The operating system my web server runs on is (include version): ubuntu 22.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1
Welcome @vulpes.berolinensis
First, you say you are not using a control panel, yet I see a Plesk page when accessing your domain. Is the DNS IP address the public IP for your server?
Assuming so, what does this show:
sudo apache2ctl -t -D DUMP_VHOSTS
2 Likes
I never changed the default page as I mainly work on another port.
The output of the command is:
VirtualHost configuration:
[2a01:239:2cc:c200::1]:80 default (/etc/apache2/plesk.conf.d/server.conf:63)
[2a01:239:2cc:c200::1]:443 default (/etc/apache2/plesk.conf.d/server.conf:99)
87.106.80.75:80 default (/etc/apache2/plesk.conf.d/server.conf:63)
87.106.80.75:443 default (/etc/apache2/plesk.conf.d/server.conf:99)
127.0.0.1:80 plesk-service.localdomain (/etc/apache2/plesk.conf.d/server.conf:141)
127.0.0.1:443 plesk-service.localdomain (/etc/apache2/plesk.conf.d/server.conf:147)
*:80 brass.run (/etc/apache2/sites-enabled/000-default.conf:1)
I don't think using the --apache plugin is a good choice with that VHost layout. It matches the domain name you request to a specific VHost, and then adds temporary code to that VHost to handle the challenge.
In your case you have a mix of IP and Name based VHosts. You should switch to the --webroot method or convert all your IP based to Name based (far more common).
You don't have IPv6 in your public DNS so those VHosts can't be reached from the public internet. It is not required ... just thought I'd mention it.
So, maybe something like this:
sudo certbot certonly --webroot -w (DocumentRoot) -d brass.run --deploy-hook (cmd) --dry-run
(DocumentRoot) is the folder matching the Document Root for the VHost that will handle the incoming challenge. Right now that is the IP based VHost.
(cmd) is whatever reloads Apache on your system. Like: "systemctl reload apache2"
--dry-run is for testing. Remove it once successful to get a valid cert.
Once you get a cert you need to configure an HTTPS VHost manually. Certbot follows the settings at this site: Mozilla SSL Configuration Generator
Do not use stapling as Let's Encrypt is dropping OCSP support (well, now). Don't use HSTS until you are fully aware of its implications. Often not much help today anyway (my personal opinion).
4 Likes
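To make the "mix of IP and Name based VHosts" point concrete, here is an added Python example (not code from the thread or from Certbot) that parses the flat `apache2ctl -t -D DUMP_VHOSTS` listing posted above and applies Apache's documented VirtualHost selection order: the most specific address:port match wins (an explicit IP set beats `*`), then ServerName is compared against the Host header, and if nothing matches the first VirtualHost in that address set serves as the default. It then reports which VirtualHost would actually receive the ACME request for `http://brass.run/.well-known/acme-challenge/...` arriving on 87.106.80.75:80. Assumptions: the listing is in the flat format shown (no NameVirtualHost grouping), and ServerAlias entries are ignored because DUMP_VHOSTS does not print them.

```python
"""Explain which Apache VirtualHost answers an ACME http-01 request.

Added example, not part of the original thread. It mimics Apache's
documented selection order: most specific address:port match first
(explicit IP beats "*"), then ServerName vs. the Host header, and
otherwise the first VirtualHost in that address set is the default.
ServerAlias is not shown by DUMP_VHOSTS, so it is ignored (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the listing posted in the thread, copied verbatim.
DUMP_VHOSTS = """\
VirtualHost configuration:
[2a01:239:2cc:c200::1]:80 default (/etc/apache2/plesk.conf.d/server.conf:63)
[2a01:239:2cc:c200::1]:443 default (/etc/apache2/plesk.conf.d/server.conf:99)
87.106.80.75:80 default (/etc/apache2/plesk.conf.d/server.conf:63)
87.106.80.75:443 default (/etc/apache2/plesk.conf.d/server.conf:99)
127.0.0.1:80 plesk-service.localdomain (/etc/apache2/plesk.conf.d/server.conf:141)
127.0.0.1:443 plesk-service.localdomain (/etc/apache2/plesk.conf.d/server.conf:147)
*:80 brass.run (/etc/apache2/sites-enabled/000-default.conf:1)
"""

# One line of the flat listing: "<addr>:<port> <ServerName> (<file>:<line>)".
# IPv6 literals are bracketed; "*" means any address.
LINE_RE = re.compile(
    r"^(?P<addr>\[[^\]]+\]|\*|[0-9.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+\((?P<src>[^)]+)\)$"
)


@dataclass
class VHost:
    addr: str         # IP literal (brackets stripped) or "*"
    port: int
    server_name: str  # ServerName as printed by DUMP_VHOSTS
    source: str       # config file and line that declared it


def parse_dump_vhosts(text: str) -> List[VHost]:
    """Parse the flat DUMP_VHOSTS listing into VHost records, in config order."""
    vhosts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            vhosts.append(VHost(m["addr"].strip("[]"), int(m["port"]), m["name"], m["src"]))
    return vhosts


def select_vhost(vhosts: List[VHost], local_ip: str, port: int,
                 host_header: str) -> Optional[VHost]:
    """Pick the VirtualHost Apache would use for a request on local_ip:port with this Host."""
    ip = ipaddress.ip_address(local_ip)
    exact = [v for v in vhosts
             if v.port == port and v.addr != "*" and ipaddress.ip_address(v.addr) == ip]
    # Wildcard VirtualHosts are consulted only when no explicit-IP set matches.
    candidates = exact or [v for v in vhosts if v.port == port and v.addr == "*"]
    if not candidates:
        return None
    wanted = host_header.lower().rstrip(".")
    for v in candidates:
        if v.server_name.lower() == wanted:
            return v
    return candidates[0]  # no name match: first VirtualHost in the set is the default


def diagnose_http01(vhosts: List[VHost], public_ip: str, domain: str) -> dict:
    """Report which VirtualHost receives GET /.well-known/acme-challenge/... for domain."""
    chosen = select_vhost(vhosts, public_ip, 80, domain)
    shadowed = [v for v in vhosts
                if v.port == 80 and v.server_name.lower() == domain.lower() and v is not chosen]
    return {
        "serving_vhost": chosen.source if chosen else None,
        "serving_name": chosen.server_name if chosen else None,
        "challenge_reaches_domain_vhost": bool(chosen and chosen.server_name.lower() == domain.lower()),
        "shadowed_vhosts": [v.source for v in shadowed],
    }


if __name__ == "__main__":
    hosts = parse_dump_vhosts(DUMP_VHOSTS)
    for key, value in diagnose_http01(hosts, "87.106.80.75", "brass.run").items():
        print(f"{key}: {value}")
```

Run against the posted listing, the report shows the request landing in the Plesk `default` VirtualHost from `server.conf:63`, with the `*:80 brass.run` VirtualHost listed as shadowed: the explicit 87.106.80.75:80 entry wins the address match before Apache ever compares ServerName, which is why the challenge file Certbot placed in the brass.run VirtualHost answers 404. Converting the Plesk entries to name-based (`*:80`) VirtualHosts, or pointing `--webroot -w` at the Document Root of the VirtualHost that actually answers, both make the report flip to reaching the domain's VirtualHost.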
Thank you so much! I realized that everything defaults to Plesk (which I can't get rid of, because it comes with the Ubuntu installation from my provider). I'll see how to work around it and try the name-based VHost after.
Does that Plesk system have an option to automatically get a Let's Encrypt cert? At least some do (just from reading their docs). Maybe just ask the provider of that Plesk system for help?
3 Likes