How do I fix this problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bokmanmd.com

I ran this command: sudo certbot-auto renew --dry-run --cert-name bokmanmd.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/bokmanmd.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bokmanmd.com
http-01 challenge for www.bokmanmd.com
Waiting for verification…
Challenge failed for domain bokmanmd.com
Challenge failed for domain www.bokmanmd.com
http-01 challenge for bokmanmd.com
http-01 challenge for www.bokmanmd.com
Cleaning up challenges
Attempting to renew cert (bokmanmd.com) from /etc/letsencrypt/renewal/bokmanmd.com.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bokmanmd.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bokmanmd.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 18.04.4

My hosting provider, if applicable, is: home network

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.5.0

  1. Content- and Performance-critical Checks
    http://bokmanmd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 71.208.149.212 400 Fatal: Check of /.well-known/acme-challenge/random-filename has a http status between 400 and 499, but not 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge may not work. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.

http://www.bokmanmd.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 71.208.149.212 400 Fatal: Check of /.well-known/acme-challenge/random-filename has a http status between 400 and 499, but not 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge may not work. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.

I don’t understand why it worked fine when I created the cert but now will not let me renew the same cert.

Also I just noticed the above is using HTTP:// for the acme-challenge. It must fail because my site redirects HTTP to HTTPS.

Hi @tombokman

that’s wrong. That requires a working http port.

Your port 80 / http is a https port, so https://www.bokmanmd.com:80/ works, but http://www.bokmanmd.com/ sends that error message

http://bokmanmd.com/.well-known/acme-challenge/Ut7P1nI6OTJL26nw7ZN_tJwEG-oU-k_6behfyuvwdkw

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.29 (Ubuntu) Server at bokmanmd.com Port 443

Looks like you have a wrong port forwarding port 80 extern -> port 443 intern, because port 80 is connected, but port 443 answers.

So you don’t have a correct port 80, so you can’t have a correct redirect port 80 -> port 443.

PS: Same question there - Cannot renew my certificate - same answer. Please fix your wrong configuration.

PS: You have a valid certificate:

CN=bokmanmd.com, 01.07.2020 - 29.09.2020, expires in 85 days, bokmanmd.com, www.bokmanmd.com - 2 entries

So you don’t need to create a new certificate. But you have to fix your configuration.


Well, this might need some nuancing, because if you read it like I’ve quoted without more information about the situation, some might think @JuergenAuer is saying “redirecting HTTP to HTTPS is wrong”, which obviously isn’t the case.

  • An HTTP request on port 80 answered by an HTTP redirect to HTTPS on port 443 is a good thing.
  • Redirecting port 80 to port 443, for example, in your NAT router or firewall, is a bad thing, leading to issues like in this thread.

My external router is set to forward ports 80 and 443 to the internal IP address of my webserver. Is there something wrong here that is causing this problem? The webserver is apache2 and the website is Wordpress. The apache has files in /etc/apache/sites-enabled that control ports 80 and 443. Wordpress has .htaccess that control redirect http to https. What’s wrong with this configuration?

Port 80 extern -> port 80 intern.

The answer says: Port 80 extern -> port 443 intern, that’s wrong.


Why is it wrong? I want my server to always use SSL. If it’s wrong then how do I fix it? Please be specific like a file name that contains the incorrect settings. Thanks

The problem is that a lot of software—including browsers and the Let’s Encrypt validation agent—is hard-coded to assume that port 80 uses HTTP, not HTTPS. This is related to Let’s Encrypt’s advice at

Basically, if you don’t want your site to be accessed by other people’s web browsers or by the Let’s Encrypt HTTP-01 validator, then you don’t need it to speak HTTP on port 80, but if you do, then you do. 🙂


Finally fixed!! HOW?

Edit apache sites-enabled config file. Change <VirtualHost *:80 *:443> to <VirtualHost *:80> and comment out the rewrite rule that forced HTTPS. Ran certbot-auto and no more “Challenge failed for domain”.

After renewing cert changed sites-enabled back to original. Life is good again! For another 90 days.


No it’s not. New visitors won’t see your site AT ALL when surfing to http://bokmanmd.com/ ! Please read the above answers again carefully and see what you’re doing wrong.


Nothing fixed. The same error:

http://bokmanmd.com/.well-known/acme-challenge/Ut7P1nI6OTJL26nw7ZN_tJwEG-oU-k_6behfyuvwdkw

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

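The split the replies above are asking for, written out as an added example (not any poster's actual config): the broken single vhost bound to both ports with SSLEngine on, which makes Apache expect TLS on port 80 and answer plain http:// requests with the "speaking plain HTTP to an SSL-enabled server port" 400, beside the corrected pair of vhosts. The DocumentRoot path is assumed; the certificate paths follow certbot's standard /etc/letsencrypt/live/<name>/ layout, and the router is assumed to forward external 80 to internal 80 and 443 to 443 as described above.

```apache
# Added example, not any poster's config. Assumed: DocumentRoot path;
# cert paths follow certbot's standard /etc/letsencrypt/live/<name>/ layout.
# The router must forward external 80 -> internal 80 and 443 -> 443.

# BROKEN (gives "You're speaking plain HTTP to an SSL-enabled server port"):
# one vhost bound to both ports with SSLEngine on, so Apache expects TLS on
# port 80 and plain http:// requests from browsers and from the ACME http-01
# validator get 400 Bad Request instead of the challenge file.
#
# <VirtualHost *:80 *:443>
#     ServerName bokmanmd.com
#     SSLEngine on
#     ...
# </VirtualHost>

# CORRECT: plain HTTP on 80 that only redirects; TLS on 443 only.
<VirtualHost *:80>
    ServerName bokmanmd.com
    ServerAlias www.bokmanmd.com
    DocumentRoot /var/www/html
    RewriteEngine on
    # Keep the ACME challenge path reachable over plain HTTP so http-01
    # validation (and every later renewal) still works with the redirect on.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName bokmanmd.com
    ServerAlias www.bokmanmd.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/bokmanmd.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bokmanmd.com/privkey.pem
</VirtualHost>
```

mod_rewrite must be enabled (sudo a2enmod rewrite) and the config checked with sudo apachectl configtest before reloading. Afterwards curl -I http://bokmanmd.com/.well-known/acme-challenge/test should return a 404 from port 80 rather than the 400 shown in the check-your-website output above, which is what the http-01 validator needs to see.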
