Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Using the webroot path /home/masshing/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.masshopping.com.ve
Challenge failed for domain mail.masshopping.com.ve
Challenge failed for domain masshopping.com.ve
Challenge failed for domain webmail.masshopping.com.ve
Challenge failed for domain www.masshopping.com.ve
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
My web server is (include version): Webmin 1.981 / Virtualmin 6.17-3
The operating system my web server runs on is (include version): Ubuntu Linux 20.04.3
My hosting provider, if applicable, is: Contabo (VPS)
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.981 / Virtualmin 6.17-3
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
Can you show the contents of the /etc/letsencrypt/cli.ini file, if present?
Also, the contents of the file in /etc/letsencrypt/renewal/ for your domain names. It will probably be the admin name as that was first.
Lastly, what is the DocumentRoot you currently have in Apache for these VirtualHosts?
It looks to me like the values for the webroot folders are out-of-sync with your current Apache setup. Please format the outputs of each of the above separately with the PreformattedText option (Ctrl-E) in the format menu. Thanks.
Yes, it looks ok. But, does that path really have spaces in between the folder parts? All the other paths look nicely formatted. Not sure if it is a font problem or a syntax issue.
If you could format it with Preformatted text that would be better. Or place three backticks like ``` before and after the renewal conf contents.
Now we know why Certbot is failing. It is expecting its challenge file there.
Now we have to figure out why that test file gets a 404 Not Found. Could you have other rewrites like in an htaccess? Or, have a stray Alias somewhere for the document root or well-known folders? I only briefly looked at your rewrite statements but need to look harder I suppose.
I see the http headers show Varnish. Could your Fastly CDN be interfering?
Please leave the Test-1234 file in place until this gets resolved. Thanks
UPDATE: @XavierTM Here are the http headers I saw from my attempt earlier. I don't use Varnish but it seems the numbers in X-Varnish header can be used to match to its logs.
That is more for you to sort but I will help if I can. To recap, you placed a file under your Apache DocumentRoot and we cannot see it from the internet using curl. So, something is interfering.
I would look at your htaccess if it has any redirects in it. I am not familiar with Varnish but is it just for caching, or is it also like a CDN, which might have rules that could reject URLs not defined in it? Are you using a CDN like Fastly?
In the Varnish docs they say the numbers in X-Varnish header can match to their log. Is that possible for you to do? Maybe it will provide a clue.
And, look at your Apache access logs. See if they show a 404 Not Found as you expect. Just trying to find more info to help identify what is getting in the way of finding a file in that folder.
That's all I can think of for now.
Update: Oh, is your Varnish setup new since you last got fresh certs?
Note it is https - not http. Let's Encrypt will use http first for the http challenge. That is failing with 404.
I have learned Varnish sits "in front" of your server and caches http requests. There must be something in your varnish config (VCL file?) that is blocking the requests to the /.well-known/acme-challenge/ files.
I suppose it could be something else but this seems by far the most likely.
I just deleted everything I had from the Cache Plugin, but I still get an error when trying to renew the certificate
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Using the webroot path /home/masshing/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.masshopping.com.ve
Challenge failed for domain mail.masshopping.com.ve
Challenge failed for domain masshopping.com.ve
Challenge failed for domain webmail.masshopping.com.ve
Challenge failed for domain www.masshopping.com.ve
http-01 challenge for admin.masshopping.com.ve
http-01 challenge for mail.masshopping.com.ve
http-01 challenge for masshopping.com.ve
http-01 challenge for webmail.masshopping.com.ve
http-01 challenge for www.masshopping.com.ve
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: admin.masshopping.com.ve
Type: unauthorized
Detail: Invalid response from
http://admin.masshopping.com.ve/.well-known/acme-challenge/wALsPWosQ1Xfk_ACeaE1WgK260N3Behq8PMC0zoCrWc
[193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: mail.masshopping.com.ve
Type: unauthorized
Detail: Invalid response from
http://mail.masshopping.com.ve/.well-known/acme-challenge/JMXnkHWM3LxXYDxlDNTc2n_IzNb-QurVGqSIoSM4A9k
[193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: masshopping.com.ve
Type: unauthorized
Detail: Invalid response from
http://masshopping.com.ve/.well-known/acme-challenge/0BI62GGrfIMPsa3Sof-bMwpt4-a4_j34E0pltFSR6x0
[193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: webmail.masshopping.com.ve
Type: unauthorized
Detail: Invalid response from
http://webmail.masshopping.com.ve/.well-known/acme-challenge/7PTPMlWEsspIqvah0l-QE55c83p81c2sEmb1Ifbe5rg
[193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: www.masshopping.com.ve
Type: unauthorized
Detail: Invalid response from
http://www.masshopping.com.ve/.well-known/acme-challenge/xwSlox4Boso61zaOR_IhokotLJaaocC2ohGktBZQv9U
[193.34.144.174]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```
That indicates that Varnish is still active but is not getting a response from your Apache server. Note that the curl response headers now say Server is Varnish - not Apache.
```
#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
    .host = "172.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Happens before we check if we have this in cache already.
    #
    # Typically you clean up the request here, removing cookies you don't need,
    # rewriting the request, etc.
}

sub vcl_backend_response {
    # Happens after we have read the response headers from the backend.
    #
    # Here you clean the response headers, removing silly Set-Cookie headers
    # and other mistakes your backend does.
}

sub vcl_deliver {
    # Happens when we have all the pieces we need, and are about to send the
    # response to the client.
    #
    # You can do accounting or modifying the final object here.
}
```
Hmm. Is Varnish new since you set up the certs before?
That Varnish config points to a server that you have not yet shown. Note the host IP and the port 8080. The Apache config you showed does not have such a server.
And, you have gone backwards in that I cannot connect to your site with http now at all. I get a curl (7) connection refused message. (https still works with the -k)
I strongly believe Varnish is the cause of your problems but I am afraid I am not helping you in a productive way. Perhaps you could try a Varnish forum or whatever you are using to configure your system. I don't mind helping with this - I just don't think it is working well.
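Added example (not part of the thread and not code from any poster): a small shell triage for the test-file fetch discussed above, which decides from the response headers alone whether Varnish or the origin server produced the reply. The function names and the sample header blocks are constructed for illustration; it relies on the documented Varnish behaviour that X-Varnish carries two transaction IDs on a cache hit and one otherwise.

```shell
#!/bin/sh
# Added example: which layer answered an http-01 test fetch? Feed it the output of
#   curl -sI http://<domain>/.well-known/acme-challenge/<test-file>

# header_value NAME: print the first NAME header value read from stdin.
header_value() {
    awk -v want="$1" '
        { sub(/\r$/, "") }
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
            }
        }'
}

# classify_headers: read one header block on stdin, print "<status> <layer>".
classify_headers() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
    server=$(printf '%s\n' "$hdrs" | header_value Server)
    xv=$(printf '%s\n' "$hdrs" | header_value X-Varnish)
    case "$server" in
        [Vv]arnish*) layer=varnish-synthetic ;;   # Varnish wrote the reply itself
        *) case "$xv" in
               "")    layer=origin-direct ;;      # no cache in the path
               *" "*) layer=varnish-cache-hit ;;  # two IDs: stored object replayed
               *)     layer=origin-via-varnish ;; # one ID: backend answered now
           esac ;;
    esac
    echo "$status $layer"
}

# Constructed sample header blocks (not captured from the site in the thread).
SAMPLE_HIT='HTTP/1.1 404 Not Found
Server: Apache
X-Varnish: 32790 32788
Via: 1.1 varnish (Varnish/6.2)'

SAMPLE_SYNTH='HTTP/1.1 503 Backend fetch failed
Server: Varnish
X-Varnish: 65541'

SAMPLE_DIRECT='HTTP/1.1 404 Not Found
Server: Apache'

for s in "$SAMPLE_HIT" "$SAMPLE_SYNTH" "$SAMPLE_DIRECT"; do
    printf '%s\n' "$s" | classify_headers
done
```

A `varnish-cache-hit` 404 points at a stored object being replayed, `varnish-synthetic` points at the backend host and port in the VCL, and either `origin-*` result points at the webroot path versus the Apache DocumentRoot.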