Getting CHALLENGE FAILED

I can't seem to get past this error. I can't find anything I did wrong. The site works in http in a browser but certbot can't seem to find it. I have done many certs already so the ports are not blocked.

My domain is: dashboard.covenantjourney.org

I ran this command:
```
certbot certonly --apache --dry-run --agree-tos -m liberty@lc.org -d dashboard.covenantjourney.org
```

It produced this output:
```
certbot certonly --apache --dry-run --agree-tos -m liberty@lc.org -d dashboard.covenantjourney.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dashboard.covenantjourney.org
Waiting for verification...
Challenge failed for domain dashboard.covenantjourney.org
http-01 challenge for dashboard.covenantjourney.org
Cleaning up challenges
Some challenges have failed.
```

IMPORTANT NOTES:

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Here is my apache config:
```
<VirtualHost *:80>
    ServerName dashboard.covenantjourney.org
    DocumentRoot /var/www/html/webroot
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/lc-error.log
    CustomLog ${APACHE_LOG_DIR}/lc-access.log combined
</VirtualHost>
```

1 Like

Hi :slightly_smiling_face:

I'm not initially seeing anything too troubling. There is a 302 (temporary) redirect from http to https where there should be a 301 (permanent) redirect.

What is the output of:

```
sudo apachectl -S
```

Also, what is the output of:

```
sudo certbot certonly --webroot -w /var/www/html/webroot -d "dashboard.covenantjourney.org" --dry-run
```

`sudo apachectl -S` output is (excess domains deleted):

```
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cidisrael.org (/etc/apache2/sites-enabled/cidisraelDotOrg-le-ssl.conf:2)
         ...
         port 443 namevhost covenantjourney.org (/etc/apache2/sites-enabled/covenantjourneyDotOrg-le-ssl.conf:2)
                 alias www.covenantjourney.org
         ...
*:80                   is a NameVirtualHost
         ...
         port 80 namevhost dashboard.covenantjourney.org (/etc/apache2/sites-enabled/100-dashDotCJdotOrg.conf:1)
         port 80 namevhost covenantjourney.org (/etc/apache2/sites-enabled/covenantjourneyDotOrg.conf:1)
                 alias www.covenantjourney.org
         ...
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex fcgid-pipe: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
```

1 Like

The dry-run command yielded the same results as before:

```
sudo certbot certonly --webroot -w /var/www/html/webroot -d "dashboard.covenantjourney.org" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dashboard.covenantjourney.org
Using the webroot path /var/www/html/webroot for all unmatched domains.
Waiting for verification...
Challenge failed for domain dashboard.covenantjourney.org
http-01 challenge for dashboard.covenantjourney.org
Cleaning up challenges
Some challenges have failed.
```

IMPORTANT NOTES:

1 Like

Something odd is happening here...

Notice that both of these are http addresses:

Yet it is quite clear from testing that there is a 302 http to https redirect in place. Since dashboard.covenantjourney.org does not have a port 443 (https) VirtualHost, the default port 443 (https) VirtualHost (for cidisrael.org) responds, thus explaining why the challenge file can't be found (because it's being written to the DocumentRoot for cidisrael.org instead of dashboard.covenantjourney.org). Simply commenting-out or removing the 302 redirect for dashboard.covenantjourney.org should fix it. I think said redirect might be in an .htaccess file though rather than the port 80 (http) VirtualHost for dashboard.covenantjourney.org.
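The diagnosis above hinges on a name that Apache serves on port 80 but has no port 443 VirtualHost for, so an http-to-https redirect lands on the default :443 host. The following added script (written for this page, not posted in the thread) finds such names mechanically from `apachectl -S` output. The sample output embedded in it is constructed to resemble the listing in the thread and is not a real capture; on a live server pipe `sudo apachectl -S 2>&1` into `http_only_names` instead.

```shell
#!/bin/sh
# Added example: list names that have a port-80 VirtualHost but no port-443
# VirtualHost in `apachectl -S` output. Any http->https redirect for such a
# name is answered by the *default* :443 vhost, whose DocumentRoot may not be
# the one certbot wrote /.well-known/acme-challenge/ into.

# Constructed sample (not a real capture) shaped like the thread's listing.
SAMPLE_VHOSTS='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cidisrael.org (/etc/apache2/sites-enabled/cidisraelDotOrg-le-ssl.conf:2)
         port 443 namevhost cidisrael.org (/etc/apache2/sites-enabled/cidisraelDotOrg-le-ssl.conf:2)
         port 443 namevhost covenantjourney.org (/etc/apache2/sites-enabled/covenantjourneyDotOrg-le-ssl.conf:2)
                 alias www.covenantjourney.org
*:80                   is a NameVirtualHost
         default server cidisrael.org (/etc/apache2/sites-enabled/cidisraelDotOrg.conf:1)
         port 80 namevhost cidisrael.org (/etc/apache2/sites-enabled/cidisraelDotOrg.conf:1)
         port 80 namevhost dashboard.covenantjourney.org (/etc/apache2/sites-enabled/100-dashDotCJdotOrg.conf:1)
         port 80 namevhost covenantjourney.org (/etc/apache2/sites-enabled/covenantjourneyDotOrg.conf:1)
                 alias www.covenantjourney.org
ServerRoot: "/etc/apache2"'

# names_on_port PORT  (reads apachectl -S output on stdin)
# Prints every "namevhost" ServerName and every "alias" that follows a
# "port PORT" line, sorted and de-duplicated so comm(1) can consume it.
names_on_port() {
    awk -v port="$1" '
        $1 == "port"  { cur = ($2 == port); if (cur) print $4; next }
        $1 == "alias" && cur { print $2 }
    ' | sort -u
}

# http_only_names  (reads apachectl -S output on stdin)
# Prints names present on :80 and absent from :443. Each of these is a
# candidate for the failure mode described in the thread.
http_only_names() {
    in=$(mktemp) || return 1
    n80=$(mktemp) || return 1
    n443=$(mktemp) || return 1
    cat > "$in"
    names_on_port 80  < "$in" > "$n80"
    names_on_port 443 < "$in" > "$n443"
    comm -23 "$n80" "$n443"      # lines only in the :80 list
    rm -f "$in" "$n80" "$n443"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_VHOSTS" | http_only_names
```

Once a name shows up in that list, confirm the symptom end to end before editing any config: `curl -sI http://NAME/.well-known/acme-challenge/test` shows whether a 30x redirect is in place, and `openssl s_client -connect NAME:443 -servername NAME </dev/null 2>/dev/null | openssl x509 -noout -subject` shows which certificate (and therefore which :443 vhost) actually answers for it.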

Thanks.
What you say makes sense but I cannot find a redirect.
There is no .htaccess in /var/www/html
There is one in /var/www/html/webroot but no mention of dashboard
There are no redirects in /etc/apache2/available-sites
Could there be other locations?

1 Like

I think though that the real problem here is a location directive somewhere mapping requests in /.well-known/acme-challenge/ to a generic location.

I have done many successful certs on this server so I don't think there is anything interfering with .well-known/acme-challenge

1 Like

Please post the complete contents of /etc/apache2/sites-enabled/100-dashDotCJdotOrg.conf with three backticks before and after, like this:

```
contents
```

```
<VirtualHost *:80>
    ServerName dashboard.covenantjourney.org
    ServerAdmin liberty@lc.org
    DocumentRoot /var/www/html/webroot
    #Available loglevels: trace8, ..., trace1, debug, info, notice, warn, error, crit, alert, emerg
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/lc-error.log
    CustomLog ${APACHE_LOG_DIR}/lc-access.log combined
    #DirectoryIndex index.php
    #<Directory /var/www/html/webroot/>
    #AllowOverride None
    #Options None
    #Order allow,deny
    #Allow from all
    #</Directory>
</VirtualHost>
# --- the following sets vi / vim options for this file
# --- ts = tab stop, sw = shiftwidth, sts = softtabstop, sr = shiftround, noet = noexpandtab
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
1 Like

Oops ... I did dots instead of backticks ... trying again:

```
<VirtualHost *:80>
    ServerName dashboard.covenantjourney.org
    ServerAdmin liberty@lc.org
    DocumentRoot /var/www/html/webroot
    #Available loglevels: trace8, ..., trace1, debug, info, notice, warn, error, crit, alert, emerg
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/lc-error.log
    CustomLog ${APACHE_LOG_DIR}/lc-access.log combined
    #DirectoryIndex index.php
    #<Directory /var/www/html/webroot/>
    #AllowOverride None
    #Options None
    #Order allow,deny
    #Allow from all
    #</Directory>
</VirtualHost>
# --- the following sets vi / vim options for this file
# --- ts = tab stop, sw = shiftwidth, sts = softtabstop, sr = shiftround, noet = noexpandtab
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
1 Like

I need the backticks so our community website software doesn't remove things thinking they're HTML.

Thanks. :slightly_smiling_face:

Fixed it.

1 Like

Hmm... so not there...

:thinking:

There is also a cert for covenantjourney.org and www.covenantjourney.org, but that should not interfere.

1 Like

From my screenshots, the cert for cidisrael.org is currently being served when visiting challenge files for dashboard.covenantjourney.org, indicating that the port 443 vHost for cidisrael.org is responding for https requests for dashboard.covenantjourney.org.

Let's try something. What's the DocumentRoot in here:

```
/etc/apache2/sites-enabled/cidisraelDotOrg-le-ssl.conf
```

```
DocumentRoot /var/www/html/webroot
```

1 Like