Http-01 Challenge failed for domain

Help
1

My domain is: locutus.sorcerer.co.uk

I ran this command: /usr/local/bin/certbot-auto --apache

It produced this output:

http-01 challenge for locutus.sorcerer.co.uk
Waiting for verification...
Challenge failed for domain locutus.sorcerer.co.uk
http-01 challenge for locutus.sorcerer.co.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: locutus.sorcerer.co.uk
   Type:   unauthorized
   Detail: Invalid response from
   http://locutus.sorcerer.co.uk/.well-known/acme-challenge/2BTdG5clellmOZ4rCHlNUmgy-H5ozr7_Q7w0yGoQYic
   [192.81.223.51]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is (include version):
Apache/2.2.22 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 12.10 (GNU/Linux 3.5.0-17-generic x86_64)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

I wondered if my version of apache is too old to see the config changes made during the process of challenging the domain?

1 Like
2

WTF? Are you really using an 8 year old Ubuntu OS?

first of all, why are you validating the same domain twice?

you may want to use --webroot, but you need to read how it works. certbot -a webroot -w {fill this up} [-i apache]...

1 Like
3

Hi @Mehuge

if --apache doesn't work, it may be

  • your apache is too old
  • your config is buggy (more then one combination port + domain)

What says

apachectl -S
2 Likes
4 
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server locutus.sorcerer.co.uk (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost locutus.sorcerer.co.uk (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost www.bakedbeanandtomatosoup.org.uk (/etc/apache2/sites-enabled/bb:2)
         port 80 namevhost clock.sorcerer.co.uk (/etc/apache2/sites-enabled/cl:1)
         port 80 namevhost tracker.sorcerer.co.uk (/etc/apache2/sites-enabled/cu:1)
Syntax OK
1 Like
5

That

looks ok. May be Certbot has a problem because it's the default server.

Try to add a new vHost, define that as default host with a dummy name (localhos etc.).

If that doesn't work, switch to webroot. That should always work.

https://certbot.eff.org/docs/using.html

2 Likes
6

Note that this operating system has been out of support (and not receiving security updates) for about three years:

https://en.wikipedia.org/wiki/Ubuntu_version_history#1204

1 Like
7

That did not work. Will switch to webroot. Thanks

1 Like
8

wait.

your server is serving http on port 443: http://locutus.sorcerer.co.uk:443/

check the virtualhosts again, and make sure to have an SSLEngine on directive for port 443

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

1 Like
9

Is there any way to get certbot to create the apache configs?

I ran certbot-auto certonly --webroot -w /var/www -d locutus.sorcerer.co.uk but I didn’t end up with any apache config for that domain.

1 Like
10

yes. certbot install --apache [-d domain.tld]

2 Likes
11

Thanks all. Sorted now.
I hand crafted the apache config in the end, it was fairly obvious given an example and the certificate file names.

1 Like
12

certbot didn’t install the cert because you explicitly asked it not to, by using certonly: had you not, certbot would have installed your cert.

you may want to look at this website: https://ssl-config.mozilla.org/

1 Like
13

especially because of this: SSL Server Test: locutus.sorcerer.co.uk (Powered by Qualys SSL Labs)

and, oh, upgrade your os :smiley:

1 Like
14

Nahh. It’s a noddy test / dev server used for mostly ad-hoc dev stuff non of which is critical or at risk. Hell the login form for one of the sites pre-fills the user name and password for you (demo/demo) :slight_smile:

I do plan to spin up a new server at some point, but its way down the priority list atm.

Thanks for all your help though.

15

well… your tls keys are on that server. they might be for non-important sites, but they are secrets to be guarded.

1 Like
17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.