Failed to renew ... with error: Some challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jasonrhardman.info
jasonrhardman.org

I ran this command:
certbot renew --apache --preferred-challenges http

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jasonrhardman.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for jasonrhardman.org and 3 more domains
Performing the following challenges:
http-01 challenge for jasonrhardman.info
http-01 challenge for jasonrhardman.org
http-01 challenge for www.jasonrhardman.info
http-01 challenge for www.jasonrhardman.org
Waiting for verification...
Challenge failed for domain jasonrhardman.info
Challenge failed for domain jasonrhardman.org
Challenge failed for domain www.jasonrhardman.info
Challenge failed for domain www.jasonrhardman.org
http-01 challenge for jasonrhardman.info
http-01 challenge for jasonrhardman.org
http-01 challenge for www.jasonrhardman.info
http-01 challenge for www.jasonrhardman.org
Cleaning up challenges
Failed to renew certificate jasonrhardman.org with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/jasonrhardman.org/fullchain.pem (failure)


Running post-hook command: /etc/letsencrypt/renewal-hooks/post/httpd_restart.sh
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: jasonrhardman.info
Type: unauthorized
Detail: Invalid response from
http://jasonrhardman.info/.well-known/acme-challenge/Ca6LuVPVl4hOC-bqeJ6I5bXi7CcB2BUMCWLzZSvKflM
[73.52.149.76]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Strict//EN"\n "http://www.w3.org/TR/xhtml1/D"

Domain: jasonrhardman.org
Type: unauthorized
Detail: Invalid response from
http://jasonrhardman.org/.well-known/acme-challenge/5eHXF43UtLcEwJtwEiNaWKHSxCaqblU8eaAg6besJL4
[73.52.149.76]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Strict//EN"\n "http://www.w3.org/TR/xhtml1/D"

Domain: www.jasonrhardman.info
Type: unauthorized
Detail: Invalid response from
http://www.jasonrhardman.info/.well-known/acme-challenge/p3j9eAPZN4gukSOMRWWa18lrA-Rc52x1br10l0CtxTQ
[73.52.149.76]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Strict//EN"\n "http://www.w3.org/TR/xhtml1/D"

Domain: www.jasonrhardman.org
Type: unauthorized
Detail: Invalid response from
http://www.jasonrhardman.org/.well-known/acme-challenge/Wr49nkZcBQp2BZ3YCpzBwad6ZcTB22C7oZPUP2KKdKo
[73.52.149.76]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Strict//EN"\n "http://www.w3.org/TR/xhtml1/D"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version):
# pacman -Q | grep apache
apache 2.4.47-1
certbot-apache 1.15.0-1

The operating system my web server runs on is (include version):
Arch Linux - latest as of 2021-may-17

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
# certbot --version
certbot 1.15.0

I've combed through other posts and have made some modifications. I was running a daily cron per this issue's comments and found in logs this same errors a month ago, which lines up with the 30-day prior to renew, so this has happened since April:
2021-04-18 00:04:09,557:ERROR:certbot._internal.renewal:Failed to renew certificate jasonrhardman.org with error: Some challenges have failed.

I also tried cleaning up my configs, but may have missed something:

root@web01 letsencrypt # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:122)
         port 80 namevhost www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:122)
         port 80 namevhost jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:134)
         port 80 namevhost www.jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:146)
         port 80 namevhost jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:158)
*:443                  is a NameVirtualHost
         default server www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:170)
         port 443 namevhost www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:170)
                 alias www.jasonrhardman.org
         port 443 namevhost jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:345)
                 alias jasonrhardman.org
         port 443 namevhost www.jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:368)
                 alias www.jasonrhardman.info
         port 443 namevhost jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:391)
                 alias jasonrhardman.info

I can post more of my config if it would help. I'm trying to redirect any http to https for *.jasonrhardman.org and *.jasonrhardman.info.

It seems your attempt to fix things made it worse: your Apache is now speaking TLS on port 80.

I recommend undoing your recent attempt.

@Osiris - thanks for taking a look. What are you looking at that tells you that? I reverted configs and get this still:

# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:122)
         port 80 namevhost www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:122)
         port 80 namevhost jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:131)
         port 80 namevhost www.jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:140)
         port 80 namevhost jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:149)
*:443                  is a NameVirtualHost
         default server www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:158)
         port 443 namevhost www.jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:158)
                 alias www.jasonrhardman.org
         port 443 namevhost jasonrhardman.org (/etc/httpd/conf/extra/httpd-ssl.conf:333)
                 alias jasonrhardman.org
         port 443 namevhost www.jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:356)
                 alias www.jasonrhardman.info
         port 443 namevhost jasonrhardman.info (/etc/httpd/conf/extra/httpd-ssl.conf:379)
                 alias jasonrhardman.info

I'm afraid you still have a broken Apache. Your server still responds with TLS on port 80.

It's also kinda odd to have your port 80 virtualhost configured in httpd-ssl.conf? Could you provide that config file?

See if you have something like a jasonrhardman.org.conf file under /etc/httpd/conf/extra/ as @Osiris says httpd-ssl.conf is normally just your SSL config file and has nothing to do with the http port 80 version of your site and currently port 80 is not serving traffic properly because it thinks it should be talking TLS on that port.

Check through your main httpd.conf file to see what everything is pointing to.

This was set up a while ago and SSL was fine up until the renewal attempt. I'm willing to admit better configs are needed, but how is this related to the issue?

@webprofusion - that files not in my configs.

root@web01 httpd # pwd
/etc/httpd
root@web01 httpd # find . -name *jasonrhardman*conf*
root@web01 httpd # 

@Osiris and @webprofusion - Are you saying that port 80 thinks it should be talking ssl because it's in the /etc/httpd/conf/extra/httpd-ssl.conf? If I remove those entries and put them in, say, /etc/httpd/conf/extra/httpd-vhosts.conf, the site become unresponsive. It seems the guide I followed was a poor guide if you're saying this is my issue. Can you recommend a good guide to correct my configs, then?

This is in it:

<VirtualHost *:80>
    ServerName jasonrhardman.org:80
    ServerAlias www.jasonrhardman.org
    Redirect permanent / https://jasonrhardman.org/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =jasonrhardman.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName jasonrhardman.info:80
    ServerAlias www.jasonrhardman.info
    Redirect permanent / https://jasonrhardman.info/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =jasonrhardman.info
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Should that be in another file, like /etc/httpd/conf/extra/httpd-vhosts.conf or jasonrhardman.org.conf/ jasonrhardman.info.conf and in one of these as it?

I'm not a frequent Apache user, hopefully someone else can provide more specific advice.

The location itself shouldn't matter, but it's just weird and could have been a hint to why your Apache is doing weird stuff.

Also, why does your ServerName directive contain the port? That's not correct.

The virtualhosts themselves are good, but it seems something (perhaps elsewhere) there's something incorrectly going on. Please share all your Apache configuration files.

root@web01 conf # grep -vE '^$|[ ]{0,}#' httpd.conf
ServerRoot "/etc/httpd"
Listen 80
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfModule !mpm_prefork_module>
	LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
	LoadModule cgi_module modules/mod_cgi.so
</IfModule>
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
<IfModule unixd_module>
User http
Group http
</IfModule>
ServerAdmin jasonrhardman@gmail.com
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www"
<Directory "/var/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/dotOrg/membersOnly" >
    AllowOverride None
    AuthName "Enter the right stuff to get in."
    AuthType Basic
    AuthUserFile "<redacted>"
    AuthGroupFile "<redacted>"
    require group <redacted>
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "/var/log/httpd/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "/var/log/httpd/access_log" common
</IfModule>
<IfModule alias_module>
    ScriptAlias /membersOnly/cgi-bin/ "<redacted>"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "<redacted>">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddHandler cgi-script .py
</IfModule>
Include conf/extra/httpd-mpm.conf
Include conf/extra/httpd-multilang-errordoc.conf
Include conf/extra/httpd-autoindex.conf
Include conf/extra/httpd-languages.conf
Include conf/extra/httpd-userdir.conf
Include conf/extra/httpd-default.conf
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
root@web01 conf # grep -vE '^$|[ ]{0,}#' extra/httpd-ssl.conf
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on 
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost *:80>
    ServerName jasonrhardman.org:80
    ServerAlias www.jasonrhardman.org
    Redirect permanent / https://jasonrhardman.org/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =jasonrhardman.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName jasonrhardman.info:80
    ServerAlias www.jasonrhardman.info
    Redirect permanent / https://jasonrhardman.info/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =jasonrhardman.info
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost _default_:443>
    DocumentRoot "/var/www/dotOrg"
    ServerName jasonrhardman.org:443
    ServerAlias www.jasonrhardman.org
    ServerAdmin jasonrhardman@gmail.com
    ErrorLog "/var/log/httpd/jasonrhardman.org-error_log"
    TransferLog "/var/log/httpd/access_log"
    SSLEngine on
    SSLCACertificateFile "/etc/letsencrypt/live/jasonrhardman.org/fullchain.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "<REDACTED>">
    SSLOptions +StdEnvVars
</Directory>
    BrowserMatch "MSIE [2-5]"nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/var/log/httpd/ssl_request_log""%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLCertificateFile /etc/letsencrypt/live/jasonrhardman.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jasonrhardman.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>                                  
<VirtualHost *:443>
    DocumentRoot "/var/www/dotInfo"
    ServerName jasonrhardman.info:443
    ServerAlias www.jasonrhardman.info
    ServerAdmin jasonrhardman@gmail.com
    ErrorLog "/var/log/httpd/jasonrhardman.info-error_log"
    TransferLog "/var/log/httpd/access_log"
    SSLEngine on
    SSLCACertificateFile "/etc/letsencrypt/live/jasonrhardman.org/fullchain.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/http/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
    BrowserMatch "MSIE [2-5]"nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/var/log/httpd/ssl_request_log""%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAlias www.jasonrhardman.info
    SSLCertificateFile /etc/letsencrypt/live/jasonrhardman.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jasonrhardman.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Hm, one would think the lack of SSLEngine on in the :80 virtualhosts should be enough to let if function properly.. Perhaps SSLEngine on is specified somewhere globally? Could you do a grep -Ri sslengine /etc/httpd/ to doublecheck that?

Also, you could also try to specifically use SSLEngine off in the :80 VirtualHosts.. While that shouldn't be necessary, we might as well check if that would disable HTTPS on those port 80 virtualhosts.. If not, the problem is not with a generally active SSLEngine on but something else..

root@web01 httpd # grep -Ri sslengine
conf/extra/httpd-ssl.conf:    SSLEngine on
conf/extra/httpd-ssl.conf:#SSLEngine on
conf/extra/httpd-ssl.conf:    SSLEngine on
conf/extra/httpd-ssl.conf:#SSLEngine on
grep: modules/mod_md.so: binary file matches
grep: modules/mod_ssl.so: binary file matches
root@web01 httpd # 

Made some changes to clean up a bit. First, moved the port 80 virtual hosts to conf/extra/httpd-vhosts.conf, added Include conf/extra/httpd-vhosts.conf to conf/httpd.conf, then added SSLEngine off to those vhost blocks in conf/extra/httpd-vhosts.conf, restarted httpd, and tried to renew the cert again, with no success.

# grep -vE '^$|[ ]{0,}#' conf/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerName jasonrhardman.org
    ServerAlias www.jasonrhardman.org
    Redirect permanent / https://jasonrhardman.org/
    RewriteEngine on
    SSLEngine off
    RewriteCond %{SERVER_NAME} =jasonrhardman.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName jasonrhardman.info
    ServerAlias www.jasonrhardman.info
    Redirect permanent / https://jasonrhardman.info/
    RewriteEngine on
    SSLEngine off
    RewriteCond %{SERVER_NAME} =jasonrhardman.info
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# certbot renew --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jasonrhardman.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for jasonrhardman.org and 3 more domains
Performing the following challenges:
http-01 challenge for jasonrhardman.info
http-01 challenge for jasonrhardman.org
http-01 challenge for www.jasonrhardman.info
http-01 challenge for www.jasonrhardman.org
Waiting for verification...
Challenge failed for domain jasonrhardman.info
Challenge failed for domain jasonrhardman.org
Challenge failed for domain www.jasonrhardman.info
Challenge failed for domain www.jasonrhardman.org
http-01 challenge for jasonrhardman.info
http-01 challenge for jasonrhardman.org
http-01 challenge for www.jasonrhardman.info
http-01 challenge for www.jasonrhardman.org
Cleaning up challenges
Failed to renew certificate jasonrhardman.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/jasonrhardman.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/httpd_restart.sh
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jasonrhardman.info
   Type:   unauthorized
   Detail: Invalid response from
   http://jasonrhardman.info/.well-known/acme-challenge/FRtwva6A6rC3wkK7R1dLvl6EthrtD-dsDv7mOqyUSic
   [73.52.149.76]: "<?xml version=\"1.0\"
   encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"\n  \"http://www.w3.org/TR/xhtml1/D"

   Domain: jasonrhardman.org
   Type:   unauthorized
   Detail: Invalid response from
   http://jasonrhardman.org/.well-known/acme-challenge/zBwwiai1VRswSuRKuyB7Mx6E4eLxaFOY1PjJ9BaWMh4
   [73.52.149.76]: "<?xml version=\"1.0\"
   encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"\n  \"http://www.w3.org/TR/xhtml1/D"

   Domain: www.jasonrhardman.info
   Type:   unauthorized
   Detail: Invalid response from
   http://www.jasonrhardman.info/.well-known/acme-challenge/K5Sz0qy87NwwFR61nzr5oMcbtfrFXT-dErOmT_Xo2ik
   [73.52.149.76]: "<?xml version=\"1.0\"
   encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"\n  \"http://www.w3.org/TR/xhtml1/D"

   Domain: www.jasonrhardman.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.jasonrhardman.org/.well-known/acme-challenge/lHrYTW2P2rTOklESSTD8wzGsnOmfu9H4slOtHPEpX50
   [73.52.149.76]: "<?xml version=\"1.0\"
   encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"\n  \"http://www.w3.org/TR/xhtml1/D"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I think there's still an issue in httpd-ssl.conf and it would be great to see the current complete content of that file.

1 Like

@schoen Here you are. I filtered out only commented and blank lines:

root@web01 httpd # grep -vE '^$|^[ ]{0,}#' conf/extra/httpd-ssl.conf 
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on 
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost _default_:443>
    DocumentRoot "/var/www/dotOrg"
    ServerName jasonrhardman.org
    ServerAlias www.jasonrhardman.org
    ServerAdmin jasonrhardman@gmail.com
    ErrorLog "/var/log/httpd/jasonrhardman.org-error_log"
    TransferLog "/var/log/httpd/access_log"
    SSLEngine on
    SSLCACertificateFile "/etc/letsencrypt/live/jasonrhardman.org/fullchain.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "<REDACTED>">
    SSLOptions +StdEnvVars
</Directory>
    BrowserMatch "MSIE [2-5]"nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/var/log/httpd/ssl_request_log""%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLCertificateFile /etc/letsencrypt/live/jasonrhardman.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jasonrhardman.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>                                  
<VirtualHost *:443>
    DocumentRoot "/var/www/dotInfo"
    ServerName jasonrhardman.info
    ServerAlias www.jasonrhardman.info
    ServerAdmin jasonrhardman@gmail.com
    ErrorLog "/var/log/httpd/jasonrhardman.info-error_log"
    TransferLog "/var/log/httpd/access_log"
    SSLEngine on
    SSLCACertificateFile "/etc/letsencrypt/live/jasonrhardman.org/fullchain.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "<REDACTED>">
    SSLOptions +StdEnvVars
</Directory>
    BrowserMatch "MSIE [2-5]"nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/var/log/httpd/ssl_request_log""%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLCertificateFile /etc/letsencrypt/live/jasonrhardman.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jasonrhardman.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

@Osiris @webprofusion

Okay, so I'm an idiot. After pouring over my configs, modifying this commenting that, excluding and including this and that. I finally thought I'd start over with my letsencrypt configs all together, so I uninstalled it and removed the /etc/letsencrypt dir. things got worse.

My website stopped working all together. apparently even an expired cert was better than no cert. I commented everything in my config referring to SSL and still, I could not get to just http://jasonrhardman.org. I even spun up tails OS, connected through some TOR relays and tried to curl my website through port 80 with http... and I kept getting connection refused, and the TOR browser kept changing http to https... It was infuriating... Then I realized, I hadn't checked my router setting this whole time... so.

There it was. My router was forwarding all port 80 requests to port 443 on my web server. Some idiot (me, btw) thought that might be a good idea. Well, not when certbot is trying to renew a cert by authenticating over port 80. The way I had it configured, it had no way of getting to my server's port 80.

In summary, if you want to use letsencryt and have certbot renew a cert by authenticating through port 80, don't forward port 80 to 443 on your router!

Anyway, issue resolved.

1 Like

Glad you got it fixed! I really do recommend using DNS validation over http validation for any tricky scenarios.

1 Like

Forwarding port 80 to 443 in a router should never be done! That won't only impaire authentication by Let's Encrypt, but also any user surfing to your site!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.