How to (re)create cert - I just have standard Apache vhost config files for port 80, 443

I'm not able to renew certs/create them like I used to.

I've provided what the forum template asks for, plus some other command output and log files mentioned in "security - Unauthorized error when trying to get a ssl certificate with certbot - Server Fault", which I think you might go on to ask for in response to my initial question, so I wanted to provide this upfront to help progress to the solution.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thesolentmetropolitan.com

This is accessible from the web at http://thesolentmetropolitan.com (note the absence of the s)

I ran this command:
sudo certbot --apache

It produced this output:

root@server03:/etc/apache2/sites-available# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: drupalsolent.dev
2: eval1.labs.drupalsolent.dev
3: www.drupalsolent.dev
4: internationalgospelchoir.uk
5: staging.internationalgospelchoir.uk
6: www.internationalgospelchoir.uk
7: thesolentmetropolitan.com
8: www.thesolentmetropolitan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 7
Requesting a certificate for thesolentmetropolitan.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: thesolentmetropolitan.com
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://thesolentmetropolitan.com/.well-known/acme-challenge/UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@server03:/etc/apache2/sites-available# cat thesolentmetropolitan.com.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName thesolentmetropolitan.com
    DocumentRoot /var/www/10/thesolentmetropolitan.com/deployment_environments/live/docroot
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/10/thesolentmetropolitan.com/deployment_environments/live/docroot">
        # Indexes enables directory listings wherever no index file exists
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
    </Directory>

    # Redirect every plain-HTTP request for this ServerName to HTTPS
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =thesolentmetropolitan.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
root@server03:/etc/apache2/sites-available#

My web server is (include version):
Server version: Apache/2.4.58 (Ubuntu)
Server built: 2024-10-02T12:40:51

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.3.0

Other log files / output from commands I've tried:

root@server03:/etc/apache2/sites-available# cat /var/log/letsencrypt/letsencrypt.log
2025-03-21 18:56:36,217:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2025-03-21 18:56:36,382:DEBUG:certbot._internal.main:certbot version: 3.3.0
2025-03-21 18:56:36,383:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/4482/bin/certbot
2025-03-21 18:56:36,383:DEBUG:certbot._internal.main:Arguments: ['--apache', '--preconfigured-renewal']
2025-03-21 18:56:36,383:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-03-21 18:56:36,408:DEBUG:certbot._internal.log:Root logging level set at 30
2025-03-21 18:56:36,409:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-03-21 18:56:36,463:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.58
2025-03-21 18:56:36,662:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='apache', value='certbot_apache._internal.entrypoint:ENTRYPOINT', group='certbot.plugins')
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7e3445ec2390>
Prep: True
2025-03-21 18:56:36,662:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7e3445ec2390> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7e3445ec2390>
2025-03-21 18:56:36,663:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2025-03-21 18:56:36,720:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1808805457', new_authzr_uri=None, terms_of_service=None), 3bc4ddadb9a0963e04960c309045744f, Meta(creation_dt=datetime.datetime(2024, 6, 29, 1, 43, 26, tzinfo=datetime.timezone.utc), creation_host='server03', register_to_eff=None))>
2025-03-21 18:56:36,721:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-03-21 18:56:36,723:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-03-21 18:56:37,062:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1042
2025-03-21 18:56:37,063:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 21 Mar 2025 18:56:37 GMT
Content-Type: application/json
Content-Length: 1042
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet generally available)"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "wFGQAV4QuhE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2025-03-21 18:56:40,360:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for thesolentmetropolitan.com
2025-03-21 18:56:40,362:DEBUG:acme.client:Requesting fresh nonce
2025-03-21 18:56:40,363:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2025-03-21 18:56:40,475:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-03-21 18:56:40,476:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 21 Mar 2025 18:56:40 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: fM_UWkeuVOZKYkTlJjztfNbsfVjpc-kBo9xxYirTMAA94iyXPmo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2025-03-21 18:56:40,476:DEBUG:acme.client:Storing nonce: fM_UWkeuVOZKYkTlJjztfNbsfVjpc-kBo9xxYirTMAA94iyXPmo
2025-03-21 18:56:40,476:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "thesolentmetropolitan.com"\n    }\n  ]\n}'
2025-03-21 18:56:40,479:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTgwODgwNTQ1NyIsICJub25jZSI6ICJmTV9VV2tldVZPWktZa1RsSmp6dGZOYnNmVmpwYy1rQm85eHhZaXJUTUFBOTRpeVhQbW8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "YvJgo5OuaRZytRPtGVK7becsY35jhJOQD3PtE-nooeiX7_0P-GW5dwYrWekt_XFe2F4QBCKhlLUsDxZewu6B4yC5b-xiSeihbr7tnbClB0BDE96TJS8c8Hm44XBU6obvnB9oorHmwML7XNDGcF_MlOUlomIKbKt7d7nG3q4Uiaek72bvl4HZ2P8K1UxchnT4KSkV8pf1A7r16uDywqkCZOxFbfB1tXFyWac2XaU0EYaSgv2-pp7y9vNWc74ZodKtMkP5PF2ZYfXWHDelkA5XU8oUnDgNEx2hu7hoX2_zqOMMp5N6B4pK8IMPk647GmufI5pX4js_sxzoOD0NKhtX0A",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInRoZXNvbGVudG1ldHJvcG9saXRhbi5jb20iCiAgICB9CiAgXQp9"
}
2025-03-21 18:56:40,782:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 359
2025-03-21 18:56:40,782:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 21 Mar 2025 18:56:40 GMT
Content-Type: application/json
Content-Length: 359
Connection: keep-alive
Boulder-Requester: 1808805457
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1808805457/365961201936
Replay-Nonce: NvirBnUMkN_uKpFnmb0_JyLAGNEq367thAfbuZqiD4EKyzLyRus
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2025-03-28T18:56:40Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "thesolentmetropolitan.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/1808805457/493312813016"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1808805457/365961201936"
}
2025-03-21 18:56:40,783:DEBUG:acme.client:Storing nonce: NvirBnUMkN_uKpFnmb0_JyLAGNEq367thAfbuZqiD4EKyzLyRus
2025-03-21 18:56:40,783:DEBUG:acme.client:JWS payload:
b''
2025-03-21 18:56:40,785:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1808805457/493312813016:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTgwODgwNTQ1NyIsICJub25jZSI6ICJOdmlyQm5VTWtOX3VLcEZubWIwX0p5TEFHTkVxMzY3dGhBZmJ1WnFpRDRFS3l6THlSdXMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE4MDg4MDU0NTcvNDkzMzEyODEzMDE2In0",
  "signature": "C2ltQlCwsbJH5rpbaIm0dSHw1GEGUJHc78l_GK9BnL3Zgl1MMW1qmMeWgMwj4AjOVAVNduQSOlOct4_Tsu4VH3H2sE4I-qdng3qHIovkLUdcCDMLx5ed33pUh3RKe2_4i_pWmwFWU0cLAJ6UT7xSzGhf4xmvUzuZivOD68jTzv_WaoBXs-3eO00FF1QjHgGZvf4j_ymfhyCdV6shUg7ZNAtDiQSJUaKKf2DqnnHdxGg-EEi25TwaiArhvs0rlAwqLQwOSZDk6SlGwFMDw_nSTXubkWfF_vyEbYhjAVft_VoDjfRuVYWB3Fn_d0_pq8RVPlq1zwB7w_LKL7GJImJm2A",
  "payload": ""
}
2025-03-21 18:56:40,903:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/1808805457/493312813016 HTTP/1.1" 200 833
2025-03-21 18:56:40,903:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 21 Mar 2025 18:56:40 GMT
Content-Type: application/json
Content-Length: 833
Connection: keep-alive
Boulder-Requester: 1808805457
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: NvirBnUMZmHRs8ubLkUELFrFDe1LD75V6Y-gcRMevVwJRBlny20
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "thesolentmetropolitan.com"
  },
  "status": "pending",
  "expires": "2025-03-28T18:56:40Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/r0HTsQ",
      "status": "pending",
      "token": "UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/IlPiWQ",
      "status": "pending",
      "token": "UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/uCLGuA",
      "status": "pending",
      "token": "UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI"
    }
  ]
}
2025-03-21 18:56:40,903:DEBUG:acme.client:Storing nonce: NvirBnUMZmHRs8ubLkUELFrFDe1LD75V6Y-gcRMevVwJRBlny20
2025-03-21 18:56:40,904:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-03-21 18:56:40,904:INFO:certbot._internal.auth_handler:http-01 challenge for thesolentmetropolitan.com
2025-03-21 18:56:40,911:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: thesolentmetropolitan.com in: /etc/apache2/sites-enabled/thesolentmetropolitan.com.conf
2025-03-21 18:56:40,911:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2025-03-21 18:56:40,911:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2025-03-21 18:56:40,912:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

2025-03-21 18:56:40,933:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/thesolentmetropolitan.com.conf
2025-03-21 18:56:40,934:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/000-default.conf
2025-03-21 18:56:44,055:DEBUG:acme.client:JWS payload:
b'{}'
2025-03-21 18:56:44,057:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/uCLGuA:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTgwODgwNTQ1NyIsICJub25jZSI6ICJOdmlyQm5VTVptSFJzOHViTGtVRUxGckZEZTFMRDc1VjZZLWdjUk1ldlZ3SlJCbG55MjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzE4MDg4MDU0NTcvNDkzMzEyODEzMDE2L3VDTEd1QSJ9",
  "signature": "Td_OT-XN3psSrDHCIlQmWH_bfX-rqIlpaEYuEef0PlJQroYF0KRdf4rksiCL0mY6KPXoh69eAzqZJ4jzhOM5XLLESUxJQtaFf4M_Z9el_BxZF9LCOpDnfV1QzjN78TarmaAYCeuOy09RvO9_3rhzNtAsNUdTgTbKO8fOwB9stznFxhV1vAGg5GefrrogGi8zXUvPbv6ZIWDgz2oa9G92uu3qQYvtf9WV67IBeFjiVcFQgswAY38vRlkiKw2ziHjtkrWxuaIGeNEm31nDYXLihjFA-axuY3dAQZAO-2EjsjOUt8EyIGHCPi-FSdvuobdB69fCV7b3izA82La4SPDKjQ",
  "payload": "e30"
}
2025-03-21 18:56:44,191:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/1808805457/493312813016/uCLGuA HTTP/1.1" 200 195
2025-03-21 18:56:44,191:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 21 Mar 2025 18:56:44 GMT
Content-Type: application/json
Content-Length: 195
Connection: keep-alive
Boulder-Requester: 1808805457
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/1808805457/493312813016>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/uCLGuA
Replay-Nonce: NvirBnUMzBui8kz0SwlwDwrx_ThKUEVvWCbMwflWRsSqE98-Lqc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/uCLGuA",
  "status": "pending",
  "token": "UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI"
}
2025-03-21 18:56:44,192:DEBUG:acme.client:Storing nonce: NvirBnUMzBui8kz0SwlwDwrx_ThKUEVvWCbMwflWRsSqE98-Lqc
2025-03-21 18:56:44,192:INFO:certbot._internal.auth_handler:Waiting for verification...
2025-03-21 18:56:45,192:DEBUG:acme.client:JWS payload:
b''
2025-03-21 18:56:45,194:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/1808805457/493312813016:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTgwODgwNTQ1NyIsICJub25jZSI6ICJOdmlyQm5VTXpCdWk4a3owU3dsd0R3cnhfVGhLVUVWdldDYk13ZmxXUnNTcUU5OC1McWMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE4MDg4MDU0NTcvNDkzMzEyODEzMDE2In0",
  "signature": "YvzCT9R9JqQggFAa7gL4c8nW2WcDIpJEY7qbfj0Fh7hrEHed4So-Yy99iqglblWyJC-glYmHLfjSv2GqGXa-_UiqwUWUbOqPHwqKFgBX34EPX7ZuQ7knxl_z-ivR38lcITY7w5W-ldIgLGVTBHMZSj-g-rtdZNIWeZk10TG77G-PbLylYCYuBTdDxQz1XsWABAegUSdBxsrHFUXb74x7z5ntlFvniUEaEpNYtdMo5IaEhc19eaRAS_uqCNbgjZ5g15UHlec83TPnXioswcPzI1hw9D--Msu3bEkafTis1yjHewCjPfBYQ7ecjcGF0Qson1M3r9-ye9lRRX30UmfKXQ",
  "payload": ""
}
2025-03-21 18:56:45,310:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/1808805457/493312813016 HTTP/1.1" 200 1076
2025-03-21 18:56:45,311:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 21 Mar 2025 18:56:45 GMT
Content-Type: application/json
Content-Length: 1076
Connection: keep-alive
Boulder-Requester: 1808805457
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: fM_UWkeuhMq9dp-e_3kvFitsoaWTB-xG951jLSDPPY4EzhoPJ4E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "thesolentmetropolitan.com"
  },
  "status": "invalid",
  "expires": "2025-03-28T18:56:40Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1808805457/493312813016/uCLGuA",
      "status": "invalid",
      "validated": "2025-03-21T18:56:44Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "157.245.32.67: Invalid response from http://thesolentmetropolitan.com/.well-known/acme-challenge/UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI: 400",
        "status": 403
      },
      "token": "UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI",
      "validationRecord": [
        {
          "url": "http://thesolentmetropolitan.com/.well-known/acme-challenge/UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI",
          "hostname": "thesolentmetropolitan.com",
          "port": "80",
          "addressesResolved": [
            "157.245.32.67"
          ],
          "addressUsed": "157.245.32.67"
        }
      ]
    }
  ]
}
2025-03-21 18:56:45,311:DEBUG:acme.client:Storing nonce: fM_UWkeuhMq9dp-e_3kvFitsoaWTB-xG951jLSDPPY4EzhoPJ4E
2025-03-21 18:56:45,311:INFO:certbot._internal.auth_handler:Challenge failed for domain thesolentmetropolitan.com
2025-03-21 18:56:45,311:INFO:certbot._internal.auth_handler:http-01 challenge for thesolentmetropolitan.com
2025-03-21 18:56:45,311:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: thesolentmetropolitan.com
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://thesolentmetropolitan.com/.well-known/acme-challenge/UKxNr-gcgMcMK0uo3H2Udv64VmSf6zf_JtCeAT9GEAI: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2025-03-21 18:56:45,312:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-03-21 18:56:45,312:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-03-21 18:56:45,312:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-03-21 18:56:45,474:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/4482/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/main.py", line 1871, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/main.py", line 1427, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/main.py", line 142, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/client.py", line 423, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/client.py", line 492, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/4482/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-03-21 18:56:45,476:ERROR:certbot._internal.log:Some challenges have failed.
root@server03:/etc/apache2/sites-available#
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$ sudo certbot --apache -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: drupalsolent.dev
2: eval1.labs.drupalsolent.dev
3: www.drupalsolent.dev
4: internationalgospelchoir.uk
5: staging.internationalgospelchoir.uk
6: www.internationalgospelchoir.uk
7: thesolentmetropolitan.com
8: www.thesolentmetropolitan.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 7
Requesting a certificate for thesolentmetropolitan.com
Performing the following challenges:
http-01 challenge for thesolentmetropolitan.com
Waiting for verification...
Challenge failed for domain thesolentmetropolitan.com
http-01 challenge for thesolentmetropolitan.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: thesolentmetropolitan.com
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://thesolentmetropolitan.com/.well-known/acme-challenge/CdN2Gl7AN89ItqrmgttPiV52J7bfb4h_rrZ9zQKQNQg: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$ apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server drupalsolent.dev (/etc/apache2/sites-enabled/drupalsolent.dev-le-ssl.conf:2)
         port 443 namevhost drupalsolent.dev (/etc/apache2/sites-enabled/drupalsolent.dev-le-ssl.conf:2)
         port 443 namevhost www.drupalsolent.dev (/etc/apache2/sites-enabled/drupalsolent.dev-le-ssl.conf:21)
         port 443 namevhost eval1.labs.drupalsolent.dev (/etc/apache2/sites-enabled/eval1.labs.drupalsolent.dev-le-ssl.conf:2)
         port 443 namevhost internationalgospelchoir.uk (/etc/apache2/sites-enabled/internationalgospelchoir.uk-le-ssl.conf:2)
         port 443 namevhost staging.internationalgospelchoir.uk (/etc/apache2/sites-enabled/staging.internationalgospelchoir.uk-le-ssl.conf:2)
         port 443 namevhost www.internationalgospelchoir.uk (/etc/apache2/sites-enabled/www.internationalgospelchoir.uk-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost drupalsolent.dev (/etc/apache2/sites-enabled/drupalsolent.dev.conf:1)
         port 80 namevhost eval1.labs.drupalsolent.dev (/etc/apache2/sites-enabled/eval1.labs.drupalsolent.dev.conf:1)
         port 80 namevhost internationalgospelchoir.uk (/etc/apache2/sites-enabled/internationalgospelchoir.uk.conf:1)
         port 80 namevhost staging.internationalgospelchoir.uk (/etc/apache2/sites-enabled/staging.internationalgospelchoir.uk.conf:1)
         port 80 namevhost thesolentmetropolitan.com (/etc/apache2/sites-enabled/thesolentmetropolitan.com.conf:1)
         port 80 namevhost www.drupalsolent.dev (/etc/apache2/sites-enabled/www.drupalsolent.dev.conf:1)
         port 80 namevhost www.internationalgospelchoir.uk (/etc/apache2/sites-enabled/www.internationalgospelchoir.uk.conf:1)
         port 80 namevhost www.thesolentmetropolitan.com (/etc/apache2/sites-enabled/www.thesolentmetropolitan.com.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$ certbot renew --dry-run
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-37tzh26t/log or re-run Certbot with -v for more details.
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/drupalsolent.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for drupalsolent.dev and www.drupalsolent.dev

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: drupalsolent.dev
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://drupalsolent.dev/.well-known/acme-challenge/hBfZQOOhKD4ZW4jNguhFflWVyg9xb9XvMjT4-b8D3-8: 400

  Domain: www.drupalsolent.dev
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://www.drupalsolent.dev/.well-known/acme-challenge/7nP12V0MlFuorfCVwpNPSds8LHOC0GHDT3LN-yIG4a0: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate drupalsolent.dev with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/eval1.labs.drupalsolent.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for eval1.labs.drupalsolent.dev

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: eval1.labs.drupalsolent.dev
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://eval1.labs.drupalsolent.dev/.well-known/acme-challenge/OUBcEQSIjRXmgXA010BXYYQiSDUAAtZHKhMob8OefxQ: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate eval1.labs.drupalsolent.dev with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/internationalgospelchoir.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for internationalgospelchoir.uk

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: internationalgospelchoir.uk
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://internationalgospelchoir.uk/.well-known/acme-challenge/C_bsCK3C95bMY566ho2otFh0oSCR47EyCSlUJ6nG_ls: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate internationalgospelchoir.uk with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/staging.internationalgospelchoir.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for staging.internationalgospelchoir.uk

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: staging.internationalgospelchoir.uk
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://staging.internationalgospelchoir.uk/.well-known/acme-challenge/Z7_1bkPEIP30eHK9XXcn6R2x8FCjZjE7iVVDoFogb2k: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate staging.internationalgospelchoir.uk with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.drupalsolent.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.drupalsolent.dev

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.drupalsolent.dev
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://www.drupalsolent.dev/.well-known/acme-challenge/XfTUqneNtdHUMMatwaipr-GOtIG1F5mRZ5O4L1ECy6c: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate www.drupalsolent.dev with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.internationalgospelchoir.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.internationalgospelchoir.uk

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.internationalgospelchoir.uk
  Type:   unauthorized
  Detail: 157.245.32.67: Invalid response from http://www.internationalgospelchoir.uk/.well-known/acme-challenge/V6AwSWajFIFVWGw3PwROxxwn2IJPIdgQdDFX9MDGC84: 400

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate www.internationalgospelchoir.uk with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/drupalsolent.dev/fullchain.pem (failure)
  /etc/letsencrypt/live/eval1.labs.drupalsolent.dev/fullchain.pem (failure)
  /etc/letsencrypt/live/internationalgospelchoir.uk/fullchain.pem (failure)
  /etc/letsencrypt/live/staging.internationalgospelchoir.uk/fullchain.pem (failure)
  /etc/letsencrypt/live/www.drupalsolent.dev/fullchain.pem (failure)
  /etc/letsencrypt/live/www.internationalgospelchoir.uk/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$

I deleted the cert for thesolentmetropolitan.com in the hope that this might allow a new cert to be created that is compatible with what seems to be the new approach.

Edit: appended the following to the end of this post:

I should note that my webroot/docroot path (i.e. where index.php / index.html is) is a symlink to another folder ( /var/www/10/thesolentmetropolitan.com/deployment_environments/live/docroot ). As follows:

rob@server03:/var/www/10/thesolentmetropolitan.com/deployment_environments/live$ ls -al
total 12
drwxr-xr-x 3 www-data www-data 4096 Jul 26  2024 .
drwxr-xr-x 3 www-data www-data 4096 Jul 25  2024 ..
drwxr-xr-x 3 www-data www-data 4096 Jul 26  2024 assets
lrwxrwxrwx 1 www-data www-data   27 Jul 26  2024 docroot -> ../../releases/0.1/code/web

So the real full absolute path is: /var/www/10/thesolentmetropolitan.com/releases/0.1/code/web

  • this is my rudimentary way of deploying new releases of the code by changing the symlink to a new folder.

But I wonder if use of that symlink would affect certbot's attempt to create the temporary acme file in my webroot/docroot?

Some thoughts on the renewal process.

I do appreciate your help but apologies in advance, pardon me for coming across as complaining, but: Why has this got so hard/involved/complicated to just (re)create or renew a cert?

I used to:

  • be able to just run sudo certbot --apache which would list the domains I'd like to renew, pick them, confirm and all done - renewed
  • be able to create a cert for a new site/domain by just creating a standard vhost conf file for port 80 in /etc/apache2/sites-available pointing at a webroot on the server where the site files/code was, a2ensite the conf file, point the domain at my server IP (or instead via digital ocean DNS settings), again run sudo certbot --apache to create the new cert.

But now, it seems way more complicated and there seem to be loads of forum posts about this problem. I can't see where there is a definitive guide to enabling https for a site that's accessible from the web via http (note the missing s).

Once again sorry for my thoughts on how it seems to be much harder. I'd be most grateful for your help. There's so much noise in the forum and elsewhere about this issue (when you search for the error messages seen) it seems about the similar issues being faced, so it's really hard to know which to try.

I note the article: Unexpected renewal failures since April 2024? Please read this!

I've also looked at: Certificate Authority failed to verify the temporary Apache configuration - #4 by rene33 and security - Unauthorized error when trying to get a ssl certificate with certbot - Server Fault

There seem to be too many places to look with all posts.

Well, that's a lot to digest but welcome back @therobyouknow

The process you describe at the top of your post seems fine. It should be that easy.

Keep in mind Let's Encrypt issues over 5 million certs / day and often more than 6 million / day. So, the handful of problems we see daily is an exceedingly small ratio. And, most are commonly made config problems. But, yes, there are many ways to break it. People are clever 🙂

I think in this case it is also probably a simple config problem. HTTP requests to your domain thesolentmetropolitan.com are getting an HTTP error status of '400'. Looks like requests to port 80 are being sent to something configured for port 443. Perhaps a port routing (or NAT) error. See: Let's Debug

I get the same error for even your home page using HTTP (port 80). So, once requests like this get a normal reply (like 200 OK or 404 Not Found) the cert request should be fine

curl -i http://thesolentmetropolitan.com
HTTP/1.1 400 Bad Request
Date: Fri, 21 Mar 2025 19:37:00 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 437
Connection: close
Content-Type: text/html; charset=iso-8859-1

<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>

2 Likes

Thank you @MikeMcQ for the warm welcome back and suggestion.

My vhost file, /etc/apache2/sites-enabled/thesolentmetropolitan.com.conf contents are as follows:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName thesolentmetropolitan.com
    DocumentRoot /var/www/10/thesolentmetropolitan.com/deployment_environments/live/docroot
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/10/thesolentmetropolitan.com/deployment_environments/live/docroot">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
</VirtualHost>

It's configured for port 80 as shown, so I'm puzzled why http://thesolentmetropolitan.com would give a 400 error as you say - but you're right, it is happening:

and as the debug shows, I've re-run it: Let's Debug

I've disabled all other permutations of the domain (www / without www, http / https), moved the conf files out of the /etc/apache2/sites-enabled/ folder and restarted apache.

I don't know what else to do / where else to look to be able to get my server to handle the incoming http://thesolentmetropolitan.com/ at port 80 instead of 443 - as said, the vhost file is for port 80.

In digital ocean, I've reduced the TTL down to 60 from 3600 to see if that helps.

So I'm stuck at the moment. I agree with you that an 80 request is being sent to 443 but my vhost is for 80, so what else would I need to do?

Check any network settings "in front of" your server. If a residential setting I'd say this is a router problem and your port forwarding is wrong. Make sure port 80 goes to port 80 and 443->443. Sometimes people mix these up. Yours looks like hosting service so doesn't apply - just giving example.

For a hosting service, sometimes they have something similar. Are there network settings / routing config at your hosting service?

Do you have anything like iptables that might be "crisscrossing" the ports?

Your Apache looks fine. Likely something in front of it that's gone awry.

2 Likes

Here is another tool confirming that HTTP port 80 is being sent to your Apache as port 443. This perhaps gives a clearer picture of what exactly is happening.

I set the openssl command to connect using HTTPS but to port 80 (not 443). See your drupal certificate? That is your default port 443 server so is the expected one when Apache sees an inbound port 443 request that isn't for one of your other port 443 VirtualHost domains.

Adding a port 443 VirtualHost for thesolentmetropolitan won't help. You need to get port 80 requests going to the port 80 VirtualHost.

echo | openssl s_client -connect thesolentmetropolitan.com:80
...
Certificate chain
 0 s:CN = drupalsolent.dev
   i:C = US, O = Let's Encrypt, CN = E6
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 16 00:03:28 2025 GMT; NotAfter: Apr 16 00:03:27 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = E6
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
2 Likes

Thanks again @MikeMcQ

I would suggest router settings in my residential setting would not apply:

Check any network settings "in front of" your server. If a residential setting I'd say this is a router problem and your port forwarding is wrong.

I say this on the basis that you are also seeing this issue. Additionally I have seen the same error on networks other than my wired internet connection - "Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please." Those other networks were EE and Three mobile networks.

My guess is it's something on the server, Digital Ocean droplet itself or on the Digital Ocean control panel.

I've used sudo lsof -i -n on the server:

rob@server03:/var/www/09/drupalsolent/drupalsolent.dev$ sudo lsof -i -n | grep https
apache2   520640            root    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520645        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520662        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520705        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520706        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520707        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520708        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520741        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520743        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520981        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)
apache2   520982        www-data    6u  IPv6 4829014      0t0  TCP *:https (LISTEN)

But don't know what to do with this. Ref: command line - List ports forwarded by myself from ssh? - Ask Ubuntu

Thanks again for your input Mike. It's encouraging to know perhaps the issue isn't with LetsEncrypt and that it hasn't got more complex as I thought it had.

Just so weird that something somewhere is causing a port 80 request to be sent to a port 443.

Just checking that any stray, "global" port config hasn't crept into any of the other vhosts, doesn't seem so but I will study further:

root@server03:/etc/apache2/sites-available# grep -rnw . -e '443'
./drupalsolent.dev-le-ssl.conf:2:<VirtualHost *:443>
./drupalsolent.dev-le-ssl.conf:21:<VirtualHost *:443>
./eval1.labs.drupalsolent.dev-le-ssl.conf:2:<VirtualHost *:443>
./staging.internationalgospelchoir.uk-le-ssl.conf:2:<VirtualHost *:443>
./internationalgospelchoir.uk-le-ssl.conf:2:<VirtualHost *:443>
./www.internationalgospelchoir.uk-le-ssl.conf:2:<VirtualHost *:443>
root@server03:/etc/apache2/sites-available# grep -rnw . -e '80'
./drupalsolent.dev.conf:1:<VirtualHost *:80>
./www.drupalsolent.dev.conf:1:<VirtualHost *:80>
./staging.internationalgospelchoir.uk.conf:1:<VirtualHost *:80>
./internationalgospelchoir.uk.conf:1:<VirtualHost *:80>
./eval1.labs.drupalsolent.dev.conf:1:<VirtualHost *:80>
./thesolentmetropolitan.com.conf:1:<VirtualHost *:80>
./www.internationalgospelchoir.uk.conf:1:<VirtualHost *:80>
./000-default.conf:1:<VirtualHost *:80>
root@server03:/etc/apache2/sites-available#

This Q&A seems like a discussion with some similarities to my issue: ssl - Serving port 443 over http creates 400 Bad Request Error instead of redirect - Server Fault

There is a lot of nonsense in that thread. Or, some horribly wrong Apache configs that people fixed and tout as magic answer. I recommend ignoring it. None of that applies here.

Looking at some of your other domains ALL of them suffer the same faulty port handling (or , at least the several I checked).

This points, again, to something between Apache and the public internet.

Your Apache config looks fine. That lsof output is not helpful. My own servers look just like that.

You should trace the flow of an HTTP request (port 80) from the public internet to your Apache. Review every device or software config in between. Even use a cell phone with wifi disabled or some computer apart from your hosting service.

Your server is hosted at digital ocean - yes?

So, request arrives to the "edge" of the network at d/o. Probably network settings there that instruct d/o where to send it. Review droplets or load balancers or whatever you have to ensure HTTP on port 80 does not get wrongly directed to port 443.

Perhaps this page gives ideas of things to look at: Networking | DigitalOcean Documentation

You might need to consult with d/o support

Here's examples of your other domains that fail too.

curl -i http://www.drupalsolent.dev
HTTP/1.1 400 Bad Request
Date: Fri, 21 Mar 2025 21:48:43 GMT
Server: Apache/2.4.58 (Ubuntu)

curl -i http://drupalsolent.dev
HTTP/1.1 400 Bad Request
Date: Fri, 21 Mar 2025 21:48:35 GMT
Server: Apache/2.4.58 (Ubuntu)

curl -i http://internationalgospelchoir.uk
HTTP/1.1 400 Bad Request
Date: Fri, 21 Mar 2025 21:49:19 GMT
Server: Apache/2.4.58 (Ubuntu)

These are some specific examples of how your O/S iptables or D/O settings can cause ports to get crisscrossed. If you didn't do these things then nevermind. They are just suggestions of things that can cause the symptoms we see.

Digital Ocean TCP Forwarding Rules
How to Balance TCP Traffic | DigitalOcean Documentation.

2 Likes

Thanks Mike.

I'm grateful for your analysis and direction of the port forwarding.

Based on your comments, which I'm happy to accept, it would appear that there is a flaw in what I was trying to do with thesolentmetropolitan.com and other domains.

For each domain I have been trying to have:
https://thedomain.com as the "main" domain
other permutations redirect to it (including any path following the domain e.g. /events ), like so:
http://thedomain.com redirects to https://thedomain.com
http://www.thedomain.com redirects to https://thedomain.com
https://www.thedomain.com redirects to https://thedomain.com

for the non-main https I had got LetsEncrypt to create a cert for them, so they are fully valid/cert https domains, with a redirect in the vhost to https://thedomain.com

I've checked on mobile networks and see the same issue.

For thesolentmetropolitan.com I've a2dissite disabled all the permutations except for port 80 / http://thesolentmetropolitan.com itself. So would not expect the redirect arrangement to be the cause of the issue.

That is all perfectly normal and fine.

The problem isn't with the idea it is with port 80 routing. HTTP requests are not reaching your Apache VirtualHosts for port 80 so will never redirect from HTTP to HTTPS

It looks like somewhere port 80 got sent to port 443 in hopes of "redirecting" HTTP to HTTPS. That won't work. Apache needs to see the HTTP request so it can redirect it. The "400" status code says it is not.

You are also using an HTTP Challenge to get the cert so HTTP requests on port 80 need a proper reply.

Not sure what more I can say or how I can say it. I think there is a fundamental flaw in the network config somewhere. We're not a general purpose server / networking help site although we often help guide people with common problems. I've done all I can do.

Perhaps someone else will volunteer assistance.

3 Likes

That's fine @MikeMcQ I'm very grateful for your insights and time so far! Thank you very much. It is helpful for my ongoing investigation.

Do you have more than one Apache system running?

Because I just noticed something I did not earlier. The error message about speaking HTTP to an HTTPS comes from Apache. But, the bottom part of the message says port 80. Which kind of indicates port 80 was configured for HTTPS (using: SSLEngine On). This rather than a misdirected port 80 to a port 443.

But, the VirtualHost you showed has no SSL (HTTPS) related configuration. There is no reason Apache would require HTTPS for such a VirtualHost. So, something is mixed up.

Could the Apache system actually replying to port 80 be different than the one you showed the VirtualHost for? That is, is there more than one active?

2 Likes

Good morning Mike, I tried stopping apache and then starting it again, following your suggestion. I still see the same error with http://thesolentmetropolitan.com afterwards.

rob@server03:/var/www$ sudo service apache2 stop
rob@server03:/var/www$ ps -ef | grep apache2
rob       530313  530140  0 09:09 pts/0    00:00:00 grep --color=auto apache2
rob@server03:/var/www$ sudo service apache2 start
rob@server03:/var/www$ ps -ef | grep apache
root      530328       1  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530330  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530331  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530332  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530333  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530334  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530336  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530337  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  530338  530328  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
rob       530350  530140  0 09:10 pts/0    00:00:00 grep --color=auto apache
rob@server03:/var/www$

Also, I have started asking about the issue on serverfault because I do appreciate that it is outside of the LetsEncrypt remit as you rightly advise. I want to be respectful in disclosing/advising of all the help I'm asking for.

Moreover because I'm really stuck, it is a bizarre issue.

One of the other sites is nearing its LetsEncrypt renewal date on 26 March, internationalgospelchoir.uk so to stop that running into similar problems with renewal, at the moment the only solution I can think of is that I'm going to have to build a new Digital Ocean droplet this weekend and move that site to it. I could still keep the current server for ongoing troubleshooting - it's worthwhile me trying to pursue that because the problem could come up again and finding the root cause could benefit others as well I would hope.

Thank you for your further follow up.

Nevermind below. I see on stackoverflow you have since modified your conf file layout

Hmmm. Would you show the contents of this file?

And also the one below?

/etc/apache2/sites-enabled/000-default.conf
1 Like

Have you forced HTTPS for port 80 in Apache port configuration?

Please show output of this

sudo grep -Ri listen /etc/apache2
1 Like
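Mike's two hypotheses (a port-80 VirtualHost carrying `SSLEngine on`, or a `Listen` line that forces the https protocol onto port 80) can be checked mechanically rather than by eyeballing `grep` output. The script below is an added example, not code from this thread or from Certbot/Apache; it uses a small hand-written parser for the directives that matter, and both sample configs are constructed (the hostnames are placeholders).

```python
"""Audit Apache config text for port-80 listeners that would demand TLS.

Added example (not from the thread). Two Apache settings make plain HTTP on
port 80 answer "You're speaking plain HTTP to an SSL-enabled server port":
a `Listen 80 https` line, or `SSLEngine on` inside a `<VirtualHost *:80>`.
The parser below only understands those directives plus ServerName; it
ignores <IfModule> wrappers, so a `Listen 443` inside <IfModule ssl_module>
is still reported as a listener (which is the normal Ubuntu layout).
"""
import re

LISTEN_RE = re.compile(r"^Listen\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost>", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^(ServerName|SSLEngine)\s+(\S+)", re.IGNORECASE)


def _port_of(spec):
    """Port from 'addr:port', '[v6]:port' or a bare 'port'; None if absent."""
    _host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return int(spec) if spec.isdigit() else None


def parse_apache(text):
    """Return (listens, vhosts).

    listens: list of (port, protocol) from Listen lines ('' if no protocol).
    vhosts:  list of dicts with keys ports (set), server_name, ssl_engine.
    """
    listens, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if m := LISTEN_RE.match(line):
            listens.append((_port_of(m.group(1)), (m.group(2) or "").lower()))
        elif m := VHOST_OPEN_RE.match(line):
            current = {"ports": {_port_of(s) for s in m.group(1).split()},
                       "server_name": None, "ssl_engine": False}
        elif VHOST_CLOSE_RE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif (m := DIRECTIVE_RE.match(line)) and current is not None:
            if m.group(1).lower() == "servername":
                current["server_name"] = m.group(2)
            else:  # SSLEngine
                current["ssl_engine"] = m.group(2).lower() == "on"
    return listens, vhosts


def find_tls_on_port_80(text):
    """Return findings (strings) explaining why port 80 would insist on TLS."""
    listens, vhosts = parse_apache(text)
    findings = []
    for port, proto in listens:
        if port == 80 and proto == "https":
            findings.append("Listen 80 declares the https protocol; plain HTTP "
                            "on port 80 will be answered with 400")
    for vh in vhosts:
        if 80 in vh["ports"] and vh["ssl_engine"]:
            name = vh["server_name"] or "(no ServerName)"
            findings.append(f"VirtualHost {name} on port 80 has SSLEngine on")
    return findings


# Constructed samples: a healthy layout like the one in the thread, and a
# broken one showing both misconfigurations. Hostnames are placeholders.
HEALTHY_CONF = """\
Listen 80
<IfModule ssl_module>
        Listen 443
</IfModule>
<VirtualHost *:80>
    ServerName site.example.test
    DocumentRoot /var/www/site/docroot
</VirtualHost>
"""

BROKEN_CONF = """\
Listen 80 https
<VirtualHost *:80>
    ServerName site.example.test
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("healthy", HEALTHY_CONF), ("broken", BROKEN_CONF)):
        print(label, find_tls_on_port_80(conf) or ["no TLS forced on port 80"])
```

Run it against the concatenated output of `cat /etc/apache2/ports.conf /etc/apache2/sites-enabled/*.conf` to cover every enabled vhost at once; an empty result means the 400 is not coming from these two Apache settings and the search moves to whatever sits in front of the server.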

Have you forced HTTPS for port 80 in Apache port configuration?

Please show output of this

sudo grep -Ri listen /etc/apache2

@MikeMcQ here is the requested output for sudo grep -Ri listen /etc/apache2

rob@server03:/var/www$ sudo grep -Ri listen /etc/apache2
/etc/apache2/apache2.conf:#   supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# Include list of ports to listen on
/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf:	Listen 443
/etc/apache2/ports.conf:	Listen 443
grep: /etc/apache2/sites-enabled/000-default-le-ssl.conf: No such file or directory
rob@server03:/var/www$ 

and for drupalsolent.dev.conf

root@server03:/etc/apache2/sites-enabled# cat drupalsolent.dev.conf 
<VirtualHost *:80>
  ServerName drupalsolent.dev
  RedirectPermanent / https://drupalsolent.dev/
</VirtualHost>
root@server03:/etc/apache2/sites-enabled#

And also the one below?

/etc/apache2/sites-enabled/000-default.conf

This is a broken symlink - /etc/apache2/sites-available/000-default-le-ssl.conf* does not exist. I may have deleted it in attempting to resolve this issue.

lrwxrwxrwx 1 root root 52 Jun 29 2024 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf

Would you show entire contents of that?

1 Like

@MikeMcQ sure:

root@server03:/home/rob# cat /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
root@server03:/home/rob#

thanks for following up

it looks like the above file says listen on 443 if the ssl module is enabled/present. Always listen on 443 I wonder? If that's the case then that's not what we would want. We also want to be able to listen on 80 as in my case even if the ssl module is enabled/present. Of course for https traffic then yes we would want to listen on 443.

I haven't changed this file, it's how I found it.