Failed to renew certificate victoroos.nl with error: Some challenges have failed

My domain is: victoroos.nl

I ran this command: sudo certbot renew

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: victoroos.nl
  Type:   connection
  Detail: Fetching http://victoroos.nl/.well-known/acme-challenge/54uopgiZ6Wpfyy8GRs-5OEuqGcoX767Cgm4bDiRZZcA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate victoroos.nl with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/victoroos.nl/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu Server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

Error log: letsencrypt_error_vro - Pastebin.com

Hi all, I'm sure I did something wrong (I know I should update my cert daily.. I got crons working a few weeks ago, so yeah!) but I can't get my cert to renew.. and.. it hurts seeing my nextcloud instance isn't secure :P.

Any tips?

cheers
Victor

That usually happens in a few cases:

  1. You're not listening on port 80
  2. Your firewall blocks port 80 (or your provider's)
  3. If it's in your home, port forwarding on port 80 isn't working.

If you don't want your webserver to listen on port 80, you can use --standalone instead of --apache while using --pre-hook and --post-hook to open and close your firewall and --deploy-hook to reload apache.

But you should really listen on port 80 to redirect http to https and keep using --apache

2 Likes
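An added example, not part of the original posts: one way to tell the three cases above apart is to combine a server-side listener check with a TCP probe run from outside the network. The function names and the `ss -ltn` sample are constructed for illustration, and the mapping of "refused" and "timeout" to causes is the typical behaviour, not a guarantee.

```python
import socket

def probe_tcp(host, port=80, timeout=5.0):
    """Classify one TCP connect attempt; run it from outside the server's network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # RST came back: nothing listens, or a device rejects
    except socket.timeout:
        return "timeout"    # no answer at all: packets are dropped on the way
    except OSError:
        return "error"      # DNS failure, no route, ...

def local_listeners(ss_output, port=80):
    """Local addresses in LISTEN state on `port`, parsed from `ss -ltn` output."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, listen_port = fields[3].rpartition(":")
            if listen_port == str(port):
                found.append(addr)
    return found

def triage(ss_output, outside_result, port=80):
    """Map the server-side and outside views onto the three cases listed above."""
    addrs = local_listeners(ss_output, port)
    if not addrs:
        return "case 1: nothing listens on port %d" % port
    if all(a.startswith("127.") or a == "[::1]" for a in addrs):
        return "case 1: port %d is bound to loopback only" % port
    if outside_result == "open":
        return "port %d is reachable; check DNS and vhosts instead" % port
    return "case 2 or 3: server listens, outside probe says %r" % outside_result

# Constructed `ss -ltn` output for a host where Apache listens on 80 and 443.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511                 *:80                *:*
LISTEN  0       511                 *:443               *:*
LISTEN  0       80          127.0.0.1:3306        0.0.0.0:*
"""

if __name__ == "__main__":
    # "timeout" is what the CA reported in the thread; "refused" is what curl saw.
    print(triage(SS_SAMPLE, "timeout"))
```

A probe run on the server itself, or from inside the same LAN, does not cross the router or firewall and so says nothing about cases 2 and 3.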

ehm, how do I check port listening to 80?
Cause, my config is like this:

<VirtualHost *:80>
ServerName victoroos.nl
Redirect permanent / https://www.victoroos.nl/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin victor_roosjr@hotmail.com
      DocumentRoot /mnt/www/vicsfilesharing
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerAlias www.victoroos.nl
ServerAlias *.victoroos.nl

Alias "/cloud" "/mnt/www/vicscloud"
<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

SSLCertificateFile /etc/letsencrypt/live/victoroos.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/victoroos.nl/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

which should be port 80 and 443 right?

Both ports are opened in the Firewall..

This means it should work

I don't see a ServerName in the 443 VirtualHost, just copy it from the port 80 one and replace ServerAlias www.victoroos.nl, as *. includes www. (but you should not use *. on 443 if you don't have a wildcard certificate, just use ServerName victoroos.nl and ServerAlias www.victoroos.nl on both -- redirect one on the other)

Some firewall is interfering. I can get to your https but not to your http.

peppe@monolite:~$ curl -Ik https://victoroos.nl
HTTP/1.1 200 OK
Date: Wed, 02 Feb 2022 10:34:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Link: <https://victoroos.nl/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8

peppe@monolite:~$ curl -Ik http://victoroos.nl
curl: (7) Failed to connect to victoroos.nl port 80: Connection refused
2 Likes

This is wordpress, did you say it was nextcloud? Is your A record pointing to the right IP address? (make sure your AAAA record points to the same machine if you have one set up.)

2 Likes

It is a wordpress site, with a special alias for a nextcloud instance.
Okay, my router didn't accept 80 port anymore, that fixed that problem. However,

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: victoroos.nl
2: www.victoroos.nl
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Requesting a certificate for www.victoroos.nl

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.victoroos.nl/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.victoroos.nl/privkey.pem
This certificate expires on 2022-05-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for www.victoroos.nl to /etc/apache2/sites-enabled/vicsfileshare-le-ssl.conf
Failed redirect for www.victoroos.nl
Unable to set the redirect enhancement for www.victoroos.nl.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: apache). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name www.victoroos.nl

Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

With error log:
Log2_letencry - Pastebin.com

Do.. know what I did wrong? Last year worked perfectly :S

Is this the issue?

edit your port 80 virtualhost like I said above :wink:

2 Likes

<VirtualHost *:80>
ServerName victoroos.nl
Redirect permanent / https://www.victoroos.nl/
RewriteEngine on
RewriteCond %{SERVER_NAME} =victoroos.nl
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.victoroos.nl
    ServerAdmin victor_roosjr@hotmail.com
      DocumentRoot /mnt/www/vicsfilesharing
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerAlias *.victoroos.nl

Alias "/cloud" "/mnt/www/vicscloud"
<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.victoroos.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.victoroos.nl/privkey.pem
</VirtualHost>
</IfModule>

And this is the other .conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName victoroos.nl
Redirect permanent / https://www.victoroos.nl/

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/victoroos.nl-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/victoroos.nl-0001/privkey.pem
</VirtualHost>
</IfModule>

So I think certbot did it already by itself, the redirecting? :confused:

Ok.

Where you see

<VirtualHost *:80>
ServerName victoroos.nl

add a line after:

ServerAlias www.victoroos.nl

and where you see

ServerAlias *.victoroos.nl

remove *.

then run certbot enhance

Yes, it did it. On https using two certificates. It looks strange, but it works.

1 Like

Please specify one or more enhancement types to configure. To list the available enhancement types, run:

certbot --help enhance

No enhancements requested, exiting.

Almost, there?

Yes, go on, certbot told you what to do :smiley:

1 Like

Now it added another version of my site.. where does it get these values from?

root@vicsserver:/home/victoroos# certbot --redirect enhance
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate would you like to use to enhance your configuration?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: victoroos.nl-0001
2: victoroos.nl
3: www.victoroos.nl
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):

It looks like you have three certificates.

You have to check what domain names each of those is covering, run certbot certificates to do so

1 Like

And the website address still redirects too many times. I really don't get it anymore but I'm happy that you are helping!!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: victoroos.nl-0001
    Serial Number: 329dbbef8a13c3180bad7b3da458671a7fd
    Key Type: RSA
    Domains: victoroos.nl
    Expiry Date: 2022-05-03 10:17:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/victoroos.nl-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/victoroos.nl-0001/privkey.pem
  Certificate Name: victoroos.nl
    Serial Number: 300fd87c7e3ed7a163e5bbeec379605d31d
    Key Type: RSA
    Domains: victoroos.nl www.victoroos.nl
    Expiry Date: 2022-05-03 10:16:35+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/victoroos.nl/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/victoroos.nl/privkey.pem
  Certificate Name: www.victoroos.nl
    Serial Number: 49465f92de8b4eaedcfe21eb8e194488e72
    Key Type: RSA
    Domains: www.victoroos.nl
    Expiry Date: 2022-05-03 10:17:29+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.victoroos.nl/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.victoroos.nl/privkey.pem

This is the good one, I'd say.

You can use it in both your port 443 virtualhosts.

1 Like
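An added example, not part of the original posts: a parser for `certbot certificates` output that reports which lineage covers every name a vhost serves and which lineages are strict subsets of another. It assumes the field layout shown in the listing above; the sample is that listing trimmed to the parsed fields, and the function names are hypothetical.

```python
# Constructed sample: the three lineages from the thread, trimmed to the parsed fields.
SAMPLE = """\
Found the following certs:
  Certificate Name: victoroos.nl-0001
    Domains: victoroos.nl
    Expiry Date: 2022-05-03 10:17:36+00:00 (VALID: 89 days)
  Certificate Name: victoroos.nl
    Domains: victoroos.nl www.victoroos.nl
    Expiry Date: 2022-05-03 10:16:35+00:00 (VALID: 89 days)
  Certificate Name: www.victoroos.nl
    Domains: www.victoroos.nl
    Expiry Date: 2022-05-03 10:17:29+00:00 (VALID: 89 days)
"""

def parse_lineages(text):
    """Map certificate name -> set of domains from `certbot certificates` output."""
    lineages, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = value
            lineages[current] = set()
        elif key == "Domains" and current is not None:
            lineages[current] = set(value.split())
    return lineages

def covers(cert_domains, name):
    """True if the name is listed, or matched by a one-label wildcard entry."""
    if name in cert_domains:
        return True
    _, _, parent = name.partition(".")
    return "*." + parent in cert_domains

def audit(text, vhost_names):
    """Return (lineages covering every vhost name, lineages that are subsets of another)."""
    lineages = parse_lineages(text)
    usable = sorted(n for n, d in lineages.items()
                    if all(covers(d, v) for v in vhost_names))
    redundant = sorted(n for n, d in lineages.items()
                       if any(d < other for other in lineages.values()))
    return usable, redundant

if __name__ == "__main__":
    print(audit(SAMPLE, ["victoroos.nl", "www.victoroos.nl"]))
```

A lineage reported as redundant keeps being renewed for as long as it exists, so check that no vhost still points at its files before retiring it.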

How would I do that? As in, it should already be there right?
Host 1:

<VirtualHost *:80>
ServerName victoroos.nl
ServerAlias www.victoroos.nl
Redirect permanent / https://www.victoroos.nl/
RewriteEngine on
RewriteCond %{SERVER_NAME} =victoroos.nl
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.victoroos.nl
    ServerAdmin victor_roosjr@hotmail.com
      DocumentRoot /mnt/www/vicsfilesharing
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerAlias victoroos.nl

Alias "/cloud" "/mnt/www/vicscloud"
<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.victoroos.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.victoroos.nl/privkey.pem
</VirtualHost>
</IfModule>

Host 2

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName victoroos.nl
Redirect permanent / https://www.victoroos.nl/

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/victoroos.nl-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/victoroos.nl-0001/privkey.pem
</VirtualHost>
</IfModule>

Why are there 2 now anyway.

ok, I get this. Your server is redirecting non-www to www and your wordpress is redirecting www to non-www. Make them agree. :slight_smile:

1 Like
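An added example, not part of the original posts: a small model of the loop described above, where Apache and WordPress each enforce a different canonical host. The two layers are constructed stand-ins for the thread's Apache redirect and for WordPress's redirect to its configured site address; no real request is made.

```python
from urllib.parse import urlsplit

def canonical_to(host):
    """Build a layer that redirects anything except https://<host>/... to that host."""
    def layer(url):
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname == host:
            return None                       # already canonical: no redirect
        return "https://" + host + (parts.path or "/")
    return layer

def respond(url, layers):
    """First redirect issued by any layer, or None when content is finally served."""
    for layer in layers:
        target = layer(url)
        if target is not None:
            return target
    return None

def trace(url, layers, max_hops=10):
    """Follow redirects; return (chain, looped)."""
    chain = [url]
    while len(chain) <= max_hops:
        target = respond(chain[-1], layers)
        if target is None:
            return chain, False
        if target in chain:                   # revisiting a URL means a loop
            return chain + [target], True
        chain.append(target)
    return chain, True                        # hop limit hit: treat as a loop

# Before the fix (constructed): Apache prefers www, WordPress prefers non-www.
BROKEN = [canonical_to("www.victoroos.nl"), canonical_to("victoroos.nl")]
# After the fix: both layers agree on the non-www name.
FIXED = [canonical_to("victoroos.nl"), canonical_to("victoroos.nl")]

if __name__ == "__main__":
    for name, layers in (("broken", BROKEN), ("fixed", FIXED)):
        chain, looped = trace("http://victoroos.nl/", layers)
        print(name, "LOOP" if looped else "ok", " -> ".join(chain))
```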

Ah, makes sense.. Could you.. help me with that as well? Cause, well, wordpress used to work before I tried to renew the cert :confused:

ok, I am going to rewrite your config.

This will send everything to non-www. Replaces both .conf files. (Back them up.)

<VirtualHost *:80>
  ServerName victoroos.nl
  ServerAlias www.victoroos.nl
  Redirect permanent / https://victoroos.nl/
  RewriteEngine on
  # Consecutive RewriteCond lines are ANDed by default; [OR] lets either name match
  RewriteCond %{SERVER_NAME} =victoroos.nl [OR]
  RewriteCond %{SERVER_NAME} =www.victoroos.nl
  RewriteRule ^ https://victoroos.nl%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName victoroos.nl
  ServerAlias www.victoroos.nl
  ServerAdmin victor_roosjr@hotmail.com
  DocumentRoot /mnt/www/vicsfilesharing
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  
  Alias "/cloud" "/mnt/www/vicscloud"
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>
  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/victoroos.nl/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/victoroos.nl/privkey.pem

  RewriteEngine on
  RewriteCond %{SERVER_NAME} =www.victoroos.nl
  RewriteRule ^ https://victoroos.nl%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
2 Likes

YES! hahaha, thanks. Okay, can you explain to me what I did wrong? (something with the rewrite?)