I cannot create a certificate when using --webroot plugin

My domain is: scribblersathome.com

I ran this command:

certbot certonly --webroot -w /var/www/scribblersathome/

It produced this output:

2023-01-16 21:30:37,548:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/var/www/scribblersathome/', '--preconfigured-renewal']
2023-01-16 21:31:21,564:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for scribblersathome.com and www.scribblersathome.com
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "scribblersathome.com"\n    },\n    {\n      "type": "dns",\n      "value": "www.scribblersathome.com"\n    }\n  ]\n}'
      "value": "scribblersathome.com"
      "value": "www.scribblersathome.com"
    "value": "scribblersathome.com"
    "value": "www.scribblersathome.com"
2023-01-16 21:31:21,957:INFO:certbot._internal.auth_handler:http-01 challenge for scribblersathome.com
2023-01-16 21:31:21,957:INFO:certbot._internal.auth_handler:http-01 challenge for www.scribblersathome.com
2023-01-16 21:31:21,957:INFO:certbot._internal.plugins.webroot:Using the webroot path /var/www/scribblersathome for all unmatched domains.
2023-01-16 21:31:21,957:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/scribblersathome/.well-known/acme-challenge
2023-01-16 21:31:21,957:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/scribblersathome/.well-known/acme-challenge
2023-01-16 21:31:21,958:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/scribblersathome/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY
2023-01-16 21:31:21,959:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/scribblersathome/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ
    "value": "scribblersathome.com"
        "detail": "54.172.83.145: Invalid response from http://scribblersathome.com/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY: 404",
          "url": "http://scribblersathome.com/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY",
          "hostname": "scribblersathome.com",
    "value": "www.scribblersathome.com"
        "detail": "54.172.83.145: Invalid response from http://www.scribblersathome.com/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ: 404",
          "url": "http://www.scribblersathome.com/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ",
          "hostname": "www.scribblersathome.com",
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:Challenge failed for domain scribblersathome.com
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:Challenge failed for domain www.scribblersathome.com
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:http-01 challenge for scribblersathome.com
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:http-01 challenge for www.scribblersathome.com
  Domain: scribblersathome.com
  Detail: 54.172.83.145: Invalid response from http://scribblersathome.com/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY: 404
  Domain: www.scribblersathome.com
  Detail: 54.172.83.145: Invalid response from http://www.scribblersathome.com/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ: 404
2023-01-16 21:31:23,212:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/scribblersathome/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY
2023-01-16 21:31:23,213:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/scribblersathome/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ

My web server is (include version): OpenLiteSpeed 1.7.16

The operating system my web server runs on is (include version): Linux Ubuntu 20.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.2.0

I don't know if I am misunderstanding the process, but this is a problem I have had for some time now, every time I need to get new certificates using the --webroot plugin. My web server is in production and I prefer not to stop it, but unfortunately I always have to when adding a new certificate.

This command always fails when I need to create a new cert and keep my web server running:

certbot certonly --webroot -w /var/www/scribblersathome/

So, for now (I would like to stop doing this), I have to stop the web server and run this command:

certbot certonly --standalone

That creates the new cert without problems, and once the cert is created I run the next command to change the plugin and renew the cert unnecessarily. I do this so that there are no problems when it is time for renewal: it runs automatically and does not need to stop the web server.

certbot certonly --cert-name scribblersathome.com --webroot -w /var/www/scribblersathome/

Please let me know what I am doing wrong, I am sure that there is a better way. Thanks.

1 Like

Could be anything. Incorrect webroot location, some strange webserver configuration. Without details of the webserver configuration it's impossible to tell.

3 Likes

Hello @bayardo.rivas, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let's Debug gets these results https://letsdebug.net/scribblersathome.com/1344105, please click through to see. It is a WARNING about CloudflareCDN.

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.
(I am not knowledgeable about the CloudflareCDN WARNING. Sorry! :frowning: )

1 Like

That's weird, because the IP shown by that Let's Debug test is in AWS EC2 and not related to Cloudflare. It is the same IP shown in the certbot log in post 1.

The DNS has some problems but does not seem to be causing the reported problems (maybe it is confusing Let's Debug?). Still, they should be fixed. The DNSViz report shows them clearly (link here)

@bayardo.rivas As Osiris said, what does your Virtual Host config look like? Sending various requests to your domain looks like it should work. So we need more info to help.

3 Likes

Tagging @_az about the Cloudflare warning vs. actual AWS IP address of the site.

The Let's Debug code for determining if it's a Cloudflare CDN operated site seems to be checking for a server header with cloudflare in it, which is not the case here? The Server HTTP header mentions "LiteSpeed" and nothing else from my point of view.

That said, that probably isn't the issue in this case.

3 Likes

@MikeMcQ, as I said it is in production now, so it's a little complicated for me to replicate the problem, but it happens every time I need a new cert.

Please assume that the path used with --webroot -w is correct, because once the cert is created using the standalone plugin, I make a second run of this command and just add --cert-name scribblersathome.com to change how this cert will be renewed.

Easy question, assuming the path is correct: Is this command correct to create a new cert for a domain? certbot certonly --webroot -w /var/www/scribblersathome/

There is no domain mentioned in that command.
add to it:
-d scribblersathome.com -d www.scribblersathome.com

Presuming that specific webroot is only good for those specific domains.
And that each (set of) domain(s) uses a different webroot path [or they would all be serving the exact same content].

2 Likes

I used this command, copied from my command history on the server, just to try to reproduce my error:

certbot certonly --webroot -w /var/www/scribblersathome/ -d scribblersathome.com -d www.scribblersathome.com

In the letsencrypt log is the request. Thanks guys for your help.

2 Likes

Add --debug-challenges -v --dry-run to your command to help debug why it failed.

The --dry-run will use the Let's Encrypt staging system and will not interfere with your production certs.

The other two options will pause Certbot so you can evaluate the webroot folder to see if it has what you expect.

You can also review your webserver access / error logs for key info.

When we have to assume all is correct yet it still fails then we have to challenge assumptions to see what's wrong. Hopefully the above gives you the clue you need.

4 Likes

What error are you having?
Please show the letsencrypt log file.

2 Likes

@rg305 , sorry for so much inconvenience. Maybe my english is not good enough to express my problem.

I ran this command:

certbot certonly --webroot -w /var/www/scribblersathome/ -d scribblersathome.com -d www.scribblersathome.com

And I receive this in logs.

2023-01-16 21:31:21,959:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/scribblersathome/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ
    "value": "scribblersathome.com"
        "detail": "54.172.83.145: Invalid response from http://scribblersathome.com/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY: 404",
          "url": "http://scribblersathome.com/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY",
          "hostname": "scribblersathome.com",
    "value": "www.scribblersathome.com"
        "detail": "54.172.83.145: Invalid response from http://www.scribblersathome.com/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ: 404",
          "url": "http://www.scribblersathome.com/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ",
          "hostname": "www.scribblersathome.com",
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:Challenge failed for domain scribblersathome.com
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:Challenge failed for domain www.scribblersathome.com
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:http-01 challenge for scribblersathome.com
2023-01-16 21:31:23,211:INFO:certbot._internal.auth_handler:http-01 challenge for www.scribblersathome.com
  Domain: scribblersathome.com
  Detail: 54.172.83.145: Invalid response from http://scribblersathome.com/.well-known/acme-challenge/rSBeoZjsO3JkCGP2IrGZ9T3POjQDml95Uzl2KjBjkuY: 404
  Domain: www.scribblersathome.com
  Detail: 54.172.83.145: Invalid response from http://www.scribblersathome.com/.well-known/acme-challenge/7O5R9-Diq-hk-ghulOOBycDbqqUG5yywhc_68G1SynQ: 404

I find something odd about the name servers:

1 Like

We need to review the configuration to ensure that is the correct web root for those challenge requests.

2 Likes

this is the content of the vhost.conf file :

cat vhost.conf
docRoot                   /var/www/scribblersathome
vhDomain                  scribblersathome.com
vhAliases                 www.scribblersathome.com

index  {
  useServer               0
}

rewrite  {
  enable                  1
  autoLoadHtaccess        1
}

vhssl  {
  keyFile                 /etc/letsencrypt/live/scribblersathome.com/privkey.pem
  certFile                /etc/letsencrypt/live/scribblersathome.com/fullchain.pem
  certChain               1
}

And remember that I used this web root to change the plugin and renewal method once I got the cert with the --standalone plugin; then I changed to webroot.

The --standalone plugin uses its own web service.
So that is unrelated to any webroot being used by your regular web service.

Please add a test text file in that web root.
And then we can check if it can be accessed from the Internet.
Like:
echo "test" > /var/www/scribblersathome/test-file

and:
http://scribblersathome.com/test-file

2 Likes

Should be fixed now, thanks.

5 Likes

/var/www/scribblersathome# echo "Hello LetsEncrypt comunity" > hello.txt

I don't see what you see :frowning:

curl -Ii http://scribblersathome.com/hello.txt
HTTP/1.1 301 Moved Permanently
date: Fri, 20 Jan 2023 21:09:18 GMT
server: LiteSpeed
location: https://scribblersathome.com/hello.txt
connection: Keep-Alive

the redirection to HTTPS returns another redirection [with "/" appended]:

curl -Ii https://scribblersathome.com/hello.txt
HTTP/2 301
content-type: text/html; charset=UTF-8
x-redirect-by: WordPress
location: https://scribblersathome.com/hello.txt/
date: Fri, 20 Jan 2023 21:11:36 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Then that returns 200 - but doesn't look anything like what you see:

curl -Ii https://scribblersathome.com/hello.txt/
HTTP/2 200
content-type: text/html; charset=UTF-8
link: <https://scribblersathome.com/index.php?rest_route=/>; rel="https://api.w.org/"
date: Fri, 20 Jan 2023 21:12:18 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

2 Likes
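The --debug-challenges pause, the test-file probe and the curl chain above are all ways of checking by hand what the Let's Encrypt validator sees when it fetches the challenge URL: it starts on plain HTTP, follows redirects, and needs a final 200 whose body is the key authorization. The script below is an added example for this thread, not code from certbot, Let's Encrypt or the original poster. It writes a throwaway token under the webroot's .well-known/acme-challenge directory (the same place certbot's webroot plugin writes), walks the redirect chain hop by hop without letting urllib hide it, and reports why the final response would fail http-01. The 10-hop cap, the "<token>.selfcheck" body standing in for the real key authorization (which needs the account key), the diagnostic wording, and the script name are my assumptions; the fetch function is injectable so the chain posted above can be replayed offline.

```python
"""Offline model of what an ACME http-01 validator sees when it fetches
http://<domain>/.well-known/acme-challenge/<token>: plain HTTP first,
redirects followed, final 200 whose body must be the key authorization.
Added example for this thread, not certbot or Let's Encrypt code; the hop
cap, the stand-in body and the diagnosis heuristics are assumptions.
"""
import secrets
from dataclasses import dataclass
from pathlib import Path
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_HOPS = 10          # assumed cap; real validators stop after a small number
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict      # lower-cased header names
    body: str


def live_fetch(url: str, timeout: float = 10.0) -> Response:
    """One real request, redirects not followed (walk_chain follows them itself)."""
    class NoRedirect(HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None        # makes urllib surface the 3xx as an HTTPError

    req = Request(url, headers={"User-Agent": "acme-selfcheck/0.1"})
    try:
        with build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()},
                            r.read().decode("utf-8", "replace"))
    except HTTPError as e:
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()},
                        e.read().decode("utf-8", "replace"))


def place_token(webroot: str) -> tuple:
    """Write a throwaway token where certbot's webroot plugin would write it.
    Returns (token, body); body is a stand-in for the real key authorization."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.selfcheck"
    d = Path(webroot) / ".well-known" / "acme-challenge"
    d.mkdir(parents=True, exist_ok=True)
    (d / token).write_text(body)
    return token, body


def walk_chain(fetch, start_url: str, expected_body: str):
    """Follow redirects like the validator and judge the final hop.
    Returns (ok, hops); each hop is (url, status, location, x-redirect-by)."""
    url, hops = start_url, []
    for _ in range(MAX_HOPS + 1):
        r = fetch(url)
        loc = r.headers.get("location")
        hops.append((url, r.status, loc, r.headers.get("x-redirect-by")))
        if r.status in REDIRECTS and loc:
            url = urljoin(url, loc)
            continue
        return r.status == 200 and r.body.strip() == expected_body, hops
    return False, hops


def diagnose(ok: bool, hops) -> str:
    """Turn the chain into a practitioner's hint (heuristics, not validator output)."""
    if ok:
        return "served: the token is reachable exactly as the validator needs it"
    url, status, _loc, _by = hops[-1]
    if status in REDIRECTS:
        return f"redirect loop or too many hops ({len(hops)}) ending at {url}"
    if status == 404:
        return (f"404 at {url}: the request is not served from the webroot "
                f"(wrong docRoot/vhost, or a rewrite consumed /.well-known/acme-challenge/)")
    rewriter = next((by for *_, by in hops if by), None)
    if rewriter:
        return (f"{rewriter} rewrote the path before the file could be served; "
                f"final hop {status} at {url} is application output, not the token")
    if status == 200:
        return f"200 at {url} but the body is not the token (catch-all page?)"
    return f"unexpected status {status} at {url}"


def self_check(domain: str, webroot: str, fetch=live_fetch):
    """Place a token, fetch it the way the validator would, clean up, report."""
    token, body = place_token(webroot)
    try:
        ok, hops = walk_chain(fetch, f"http://{domain}/.well-known/acme-challenge/{token}", body)
    finally:
        (Path(webroot) / ".well-known" / "acme-challenge" / token).unlink(missing_ok=True)
    return ok, hops, diagnose(ok, hops)


if __name__ == "__main__":
    import sys
    ok, hops, hint = self_check(sys.argv[1], sys.argv[2])
    for u, s, loc, by in hops:
        print(f"{s} {u}" + (f" -> {loc}" if loc else "") + (f" [{by}]" if by else ""))
    print(hint)
    sys.exit(0 if ok else 1)
```

Run it as root on the server (file name is hypothetical): python3 acme_selfcheck.py scribblersathome.com /var/www/scribblersathome. Because it writes and then removes its own token, it can be run against the production vhost without stopping OpenLiteSpeed. A chain that ends, as the hello.txt probe above did, in a page tagged x-redirect-by: WordPress means the application's rewrite rules handled the URL before the static file in the webroot could be served; whether that is what produces the 404 in the certbot log is exactly what the script is meant to show, since the thread has not yet confirmed it.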

Also, community is written with "m" twice

2 Likes

Sorry @rg305, I removed the hello.txt file maybe seconds before you tried; I don't keep these test files on production servers. But I will put it back to complete your test. Give me a few seconds.