Failed to Authenticate some domains (Apache)

My domain is: lebearcnc.com

I ran this command: sudo certbot renew --dry-run --debug-challenges -v

It produced this output:

My web server is (include version): Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-04-10T17:45:18

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: myself (virtual server hosted by Contabo)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Just updated it to certbot version 2.10.0

I have been using certbot for a while and now I am getting errors when attempting to renew my certificates. I have read as much as I could before posting this. I saw that it might be linked to the firewall, so I disabled it with ufw disable; that makes no difference. As I thought it might be due to some changes, I upgraded to the latest version, still no difference. In fact, there is a difference: now it tells me what the expected value is:

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://lebearcnc.com/.well-known/acme-challenge/9avJbuRTB461bq9odtyEnNum8aLn0zflrLwh1cWgGS0
Expected value:
9avJbuRTB461bq9odtyEnNum8aLn0zflrLwh1cWgGS0.UvF08Pe24Lcru1Nv0_ZzNCieGPx_W-kK6u_0G0qWsKU

URL:
http://www.lebearcnc.com/.well-known/acme-challenge/5aO9uX6pP9fVqoiPO1oyVk8dyfkx9MjURBgxZWJwyUU
Expected value:
5aO9uX6pP9fVqoiPO1oyVk8dyfkx9MjURBgxZWJwyUU.UvF08Pe24Lcru1Nv0_ZzNCieGPx_W-kK6u_0G0qWsKU

What Let's Debug shows here makes me think it might have to do with permissions on a directory, but which one?

[LetsEncryptStaging](https://letsdebug.net/lebearcnc.com/1905080?debug=y#LetsEncryptStaging-Debug)

DEBUG

Challenge update failures for lebearcnc.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/16160850354

acme: error code 403 "urn:ietf:params:acme:error:unauthorized": 2606:4700:3031::6815:2c4b: Invalid response from http://lebearcnc.com/.well-known/acme-challenge/xAR8Hef6CGtfIC7cnZi1qZOilllsybh8Tq2QwC2_oQg: 404

Thanks for your help,
Bernard

1 Like

Hi @BernieG, and welcome to the LE community forum :slight_smile:

Is that IP expected?

[it looks a lot like a CloudFlare IP]

3 Likes

Hi @BernieG,

Using the online tool Let's Debug yields these results https://letsdebug.net/www.lebearcnc.com/1906577

CloudflareCDN
WARNING
The domain www.lebearcnc.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/2001704

and https://letsdebug.net/lebearcnc.com/1906578

CloudflareCDN
WARNING
The domain lebearcnc.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

Highly recommend checking Cloudflare CDN https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.

1 Like

Yes, it is expected as I use Cloudflare

1 Like

I know, and it is setup that way.

2 Likes

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lebearcnc.com

I ran this command: sudo certbot renew -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lebearcnc.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for lebearcnc.com and www.lebearcnc.com
Performing the following challenges:
http-01 challenge for lebearcnc.com
http-01 challenge for www.lebearcnc.com
Using the webroot path /var/www/lebearcnc.com for all unmatched domains.
Waiting for verification...
Challenge failed for domain lebearcnc.com
Challenge failed for domain www.lebearcnc.com
http-01 challenge for lebearcnc.com
http-01 challenge for www.lebearcnc.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: lebearcnc.com
  Type:   unauthorized
  Detail: 185.2.101.249: Invalid response from https://lebearcnc.com/: "<!DOCTYPE html>\r\n<html lang=\"fr-FR\">\r\n<head>\r\n<meta charset=\"UTF-8\">\r\n<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: www.lebearcnc.com
  Type:   unauthorized
  Detail: 2606:4700:3031::6815:2c4b: Invalid response from https://lebearcnc.com/: "<!DOCTYPE html>\r\n<html lang=\"fr-FR\">\r\n<head>\r\n<meta charset=\"UTF-8\">\r\n<meta name=\"viewport\" content=\"width=device-width, initial"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate lebearcnc.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/lebearcnc.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-04-10T17:45:18

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is: Contabo Virtual server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

As you can see in the output from the command "certbot renew", I get an error from https://mydomain
Should I totally remove everything pointing to a *:443 VirtualHost, as the certificates are expired now?
Yesterday, I re-created a *:80 VirtualHost, as I was having errors on http, and those errors disappeared.

I am using Cloudflare, but Let's Debug was giving me a warning. Now I have deactivated Cloudflare for the web server, and Let's Debug gives me a nice green "light".

Hello @BernieG I moved your new thread to here. It is easier for us to see the history for the same problem all in one thread.

Something is wrong with the redirects in your site. The HTTP Challenge is being redirected to your home page. The Let's Encrypt server is expecting to be returned the challenge token but your system does not do that.

The above error should show the full URL for the challenge but notice it is just for your home page. You need to fix your system to return the proper token and not redirect it.

If your domain is just a Wordpress site have you looked at using the Cloudflare Origin CA Cert? You can get a very long-lived cert from Cloudflare and use that on your origin server.

This avoids the need to install Certbot and regularly get certs with it. There are some restrictions but for many cases it works very well.

2 Likes

Thanks for your answer, Mike. I don't understand why the redirects would suddenly be wrong, as this has been working for a couple of years now. I have been trying to find where the redirect is, but I don't find a redirect in any of the usual places (.htaccess or domain.conf).

I'll check Cloudflare Cert, as you suggest.

2 Likes

Maybe check in the WordPress settings too. Some plugins do that. Note the "X-Redirect-By"

It most definitely is redirecting, directly from HTTP to your HTTPS home page, losing the ACME challenge URI.

Here is more detail if that helps. Still, the Origin CA cert may be best anyway.

curl -I http://lebearcnc.com/.well-known/acme-challenge/Test404
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.52 (Ubuntu)
X-WP-CF-Super-Cache: disabled
X-Redirect-By: WordPress
Location: https://lebearcnc.com/

2 Likes
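The curl check above is the quickest way to see this failure mode. As an added example (not code from this thread or from Certbot), here is a small POSIX shell helper that classifies the headers returned for a challenge URL the same way a human reads that curl output, plus a function that prints the Apache 2.4 directives that pin `/.well-known/acme-challenge/` to the Certbot webroot so the request never reaches WordPress's front controller. The webroot `/var/www/lebearcnc.com` is the one from the certbot output above; the function names, the `probe-` token and the sample header blocks are constructed for this example.

```shell
#!/bin/sh
# Helpers for the "HTTP-01 challenge is redirected to the home page" failure.
# Hypothetical helper names; sample headers are constructed from the thread.

# classify_acme_response PATH  < headers
# Reads response headers (as printed by `curl -sI URL`) from stdin and reports
# whether the challenge path was served, redirected while keeping the path
# (plain http->https, still reachable), redirected to another page (the failure
# in this thread), or not found.
classify_acme_response() {
    path="$1"
    headers=$(tr -d '\r')        # curl keeps CRLF line endings; drop the CR
    code=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$code" in
        200) echo ok ;;
        301|302|307|308)
            case "$location" in
                *"$path") echo redirect-keeps-path ;;
                *)        echo redirect-loses-path ;;
            esac ;;
        404) echo not-found ;;
        *)   echo "other:$code" ;;
    esac
}

# acme_alias_conf WEBROOT
# Prints Apache 2.4 directives that map /.well-known/acme-challenge/ straight to
# the Certbot webroot. Because the alias is resolved before any per-directory
# .htaccess of the DocumentRoot, WordPress's rewrite rules and PHP redirects
# never see the request; a missing token gives a plain Apache 404, not a 301.
# Paste the output inside the port-80 <VirtualHost> and reload Apache.
acme_alias_conf() {
    webroot="${1%/}"
    cat <<EOF
Alias /.well-known/acme-challenge/ "$webroot/.well-known/acme-challenge/"
<Directory "$webroot/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# probe_acme_path HOST WEBROOT   (live check; needs network, not run offline)
# Drops a throwaway file into the webroot, fetches it over plain HTTP the way
# the CA would, prints the classification, and removes the file again.
probe_acme_path() {
    host="$1"; webroot="${2%/}"
    token="probe-$$"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf 'probe\n' > "$dir/$token"
    curl -sI "http://$host/.well-known/acme-challenge/$token" \
        | classify_acme_response "/.well-known/acme-challenge/$token"
    rm -f "$dir/$token"
}
```

Run `probe_acme_path lebearcnc.com /var/www/lebearcnc.com` on the origin server while the Cloudflare proxy is disabled for the hostname (as was done later in this thread); anything other than `ok` means the CA will get the same wrong answer that certbot reported. A `redirect-keeps-path` result is fine for Let's Encrypt, since its validator follows redirects that still point at the token.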

I went the Origin CA way with Cloudflare; it works. I totally forgot about a possible plugin. I will check; it might very well be possible the redirection is there.

Thanks for your help and for pointing me to an outside easy solution.

2 Likes