Failed to renew certificate

Nabil_bamalli · August 13, 2023, 9:10pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lms.nphcda.gov.ng

I ran this command: certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/lms.nphcda.gov.ng.conf

Renewing an existing certificate for lms.nphcda.gov.ng

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: lms.nphcda.gov.ng
Type: unauthorized
Detail: 105.112.249.244: Invalid response from http://lms.nphcda.gov.ng/.well-known/acme-challenge/mAJ_ygmPIPnrvRGsupgsJ4fRaZ3wIc0NAXr8DhhiJ9c: "\n\n<html lang="en">\n\n\n\n <meta charset="utf-8">\n\n<meta name="csrf-token" content="2euXX"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate lms.nphcda.gov.ng with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/lms.nphcda.gov.ng/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 2.6.0

9peppe · August 13, 2023, 9:13pm

Something in your Apache configuration is interfering. Have you made any changes in the last two to three months?

Nabil_bamalli · August 13, 2023, 9:15pm

No, I haven't last time I was on the server was when I installed the first certificate

9peppe · August 13, 2023, 9:22pm

Are you sure?

Can you show us the virtualhost for this domain?

Nabil_bamalli · August 13, 2023, 9:29pm

<VirtualHost *:80>
ServerName lms.nphcda
DocumentRoot /var/www/html/lms/public
<Directory /var/www/htm/lms>
AllowOveride All
Require all granted
</Directory>

<VirtualHost/>

9peppe · August 13, 2023, 9:30pm

You can use

```
Paste here
```

Nabil_bamalli · August 13, 2023, 9:32pm

<VirtualHost *:80>
ServerName lms.nphcda
DocumentRoot /var/www/html/lms/public
<Directory /var/www/htm/lms>
AllowOveride All
Require all granted
</Directory>

<VirtualHost/>

9peppe · August 13, 2023, 11:31pm

Ok, I'll try again:

To paste raw text in a message, put three backticks ( ```) on the line before your text, and three backticks ( ```) again on the line after.

This prevents the forum software from messing up your config file (there are a few characters the forum really does not like).

rg305 · August 14, 2023, 1:41am

Those names don't match.

Nabil_bamalli · August 14, 2023, 8:56am

<VirtualHost *:80>
ServerName lms.nphcda
DocumentRoot /var/www/html/lms/public
<Directory /var/www/htm/lms>
AllowOveride All
Require all granted
</Directory>

<VirtualHost/>

Nabil_bamalli · August 14, 2023, 9:12am

I try changing the the server name to to the domain name and still the same error

9peppe · August 14, 2023, 9:44am

Does your website work as intended?

If you don't want to change ServerName add a line like this

ServerAlias lms.nphcda.gov.ng

Also, can you check if 105.112.249.244 is the IP of the machine you're working on? (Or its proxy, at least)

Nabil_bamalli · August 14, 2023, 12:43pm

i Have rename the server and also used the alternative and run
Cerbot renew and with the same error

rg305 · August 14, 2023, 12:45pm

Are you sure there is no device in line ahead of your server that also handles HTTP?

MikeMcQ · August 14, 2023, 2:52pm

Something has changed since you last posted because now there is no route to that domain name using port 80 (HTTP). The Let's Debug test site is helpful as you make changes to fix this. It may be a firewall or some other comms routing problem.

I see port 443 open (HTTPS) but requests fail.

Nabil_bamalli · August 16, 2023, 8:31pm

Thank you for the suggestion But I tried another solution, but it was not available at the time. i tried the LETS DEBUG https://letsdebug.net/lms.nphcda.gov.ng/1583216

rg305 · August 16, 2023, 8:33pm

Have you spoken with your firewall admin?

MikeMcQ · August 16, 2023, 8:44pm

I see your Let's Debug test shows a successful connection but the certbot renew still won't work. Your Apache system is responding wrong to sample HTTP Challenge requests. It is returning a 200 OK page of info instead of 404 Not Found. In your first post you showed this same info for an actual request.

Can you show result of this? I think Apache is setup wrong

apache2ctl -t -D DUMP_VHOSTS

Nabil_bamalli · August 16, 2023, 9:05pm

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.11.205.167. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  lms.nphcda.gov.ng (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   10.11.205.167 (/etc/apache2/sites-enabled/000-default.conf:1)

MikeMcQ · August 16, 2023, 9:12pm

Can you show us contents of that file? It does not look the same as you showed earlier

Please use the 3 backticks before and after the contents so info is not lost
```
contents of file
```