Http-01 challenge failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nicoll.ac.nz

I ran this command: sudo certbot --apache

It produced this output:
Which names would you like to activate HTTPS for?


1: media.nicoll.ac.nz


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for media.nicoll.ac.nz
Waiting for verification…
Challenge failed for domain media.nicoll.ac.nz
http-01 challenge for media.nicoll.ac.nz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu server 20.4

My hosting provider, if applicable, is: https://spark.server-access.com/clientarea.php

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): https://spark.server-access.com/clientarea.php

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.7.0

Could you please share your virtual host list?

sudo apachectl -t -D DUMP_VHOSTS

I get 403 forbidden error for any/all paths.
The /.well-known/acme-challenge/ path must be publicly accessible.

Virtual Host list is:
VirtualHost configuration:
*:80 is a NameVirtualHost
default server media.nicoll.ac.nz (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost media.nicoll.ac.nz (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost media.nicoll.ac.nz (/etc/apache2/sites-enabled/ampache.conf:1)

The well-known path may be the problem. I can’t find it at all and I assumed it was installed by certbot/ACME client. Excuse my abysmal ignorance.

You have the same FQDN in two different and active files.

Should I delete namevhost media.nicoll.ac.nz … default.conf:1?
I am trying to set up an ampache server.

I don’t know what is in that file.
But you shouldn’t delete it either way.
You can simply disable it if you think you don’t need it.

Try

sudo a2dissite 000-default

and see whether Certbot works then:

sudo certbot certonly --apache -d media.nicoll.ac.nz --dry-run

Great! I get:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for media.nicoll.ac.nz
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

That is good news.
Were you following a tutorial guide or are you doing this on your own?

So, again thanks, am I right in thinking I have the certificate and just need to renew it at a later time? I was expecting to have to provide further information to the CA? Contact details etc. Again excuse my ignorance.

No, that was a dry run - only testing the validation process.
Which we now know works.

You now need to decide if you want Certbot to create the TLS enabled vhost for you or if you want to do that yourself.

OK thanks again. I was following an Ampache guide but it didn’t work for me.

The part that was broken may have been fixed with the disabling of that default vhost.
You could try to continue along with the guide.