I can't get a new or renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://nextcloud-pijuv.jujumediacenter.com

I ran this command:
certbot run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: nextcloud-pijuv.jujumediacenter.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud-pijuv.jujumediacenter.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nextcloud-pijuv.jujumediacenter.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud-pijuv.jujumediacenter.com/.well-known/acme-challenge/71rcvlLyoH7a30DJDMLInE-nbZXaVKg3-yF3j5iFhU4 [XX.XX.XX.XX]: "\n\n404 Not Found\n\nNot Found\n<p"

IMPORTANT NOTES:

My web server is (include version):
Apache2

I ran this command:
cat /etc/apache2/sites-available/nextcloud.conf

It produced this output:
<VirtualHost *:80>
    DocumentRoot "/var/www/nextcloud"
    ServerName nextcloud-pijuv.jujumediacenter.com

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =nextcloud-pijuv.jujumediacenter.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=raspbian
ID_LIKE=debian

My hosting provider, if applicable, is:
My hosting domain name is ovh.com

My DSN conf on ovh.com is:
DOMAIN: nextcloud-pijuv.jujumediacenter.com.
TTL: 0
TYPE: CNAME
TARGET: jujumediacenter.com

DOMAIN: jujumediacenter.com
TTL: 0
TYPE: A
TARGET: XX.XX.XX.XX (my IP address)

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

When I navigate to http://nextcloud-pijuv.jujumediacenter.com/.well-known/acme-challenge/1234 after creating the /.well-known/acme-challenge/1234 directories and file, I get an HTTP 404

Thanks for any help
Julien

Hi @Julien

where did you create the /.well-known/...?

Your DocumentRoot is

DocumentRoot "/var/www/nextcloud"

so the complete path would be

/var/www/nextcloud/.well-known/acme-challenge/1234

If that works, that's your correct webroot. So use it (not the apache authenticator):

certbot run -a webroot -i apache -w /var/www/nextcloud -d nextcloud-pijuv.jujumediacenter.com

PS: There are a lot of older certificates, started 2017-12-19 ( https://check-your-website.server-daten.de/?q=nextcloud-pijuv.jujumediacenter.com#ct-logs ).

Looks like you have used tls-sni-01 validation, that's no longer supported.

But your http port is open, there is a correct answer. So http-01 validation should work.


Thanks for your reply !

yes, exactly, I created that path: /var/www/nextcloud/.well-known/acme-challenge/1234
But i get a HTTP 404 with http://nextcloud-pijuv.jujumediacenter.com/.well-known/acme-challenge/1234

I still tried your command:
certbot run -a webroot -i apache -w /var/www/nextcloud -d nextcloud-pijuv.jujumediacenter.com

I have the same error


Then you may have additional location definitions.

Or there is another rule. Perhaps try

/var/www/.well-known/acme-challenge/1234

There are other users: /var/www/nextcloud didn't work, /var/www worked.

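Added example, not part of this thread: a small Python pre-flight that does the check suggested above programmatically. It drops a random token under the webroot and fetches it over plain HTTP the way the CA will; a 404 means the host that answers on port 80 is not serving that webroot, and the Server header hints at which server did answer. The temporary webroots and the local http.server listener are constructed so that demo() runs offline; against the real site one would call preflight("/var/www/nextcloud", "nextcloud-pijuv.jujumediacenter.com").

```python
import http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def place_token(webroot):
    """Write a random token file under webroot, as certbot's webroot plugin does."""
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    token = secrets.token_urlsafe(32)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as f:
        f.write(token)
    return token

def fetch(url):
    """GET url -> (status, Server header, body); HTTP error codes are returned, not raised."""
    try:
        with OPENER.open(url, timeout=10) as r:
            return r.status, r.headers.get("Server", ""), r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", ""), ""

def preflight(webroot, host):
    """Return (ok, status, server); ok only if the token comes back unchanged over plain HTTP.
    A 404 means whatever answers http://host/ is not serving this webroot (another machine
    or vHost took the request); the Server header hints at which one did."""
    token = place_token(webroot)
    try:
        status, server, body = fetch(f"http://{host}/{CHALLENGE_DIR}/{token}")
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    return status == 200 and body.strip() == token, status, server

def serve_dir(directory):
    """Throw-away HTTP listener on 127.0.0.1 serving directory (only to run the demo offline)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    """Constructed case: the listener serves the wrong webroot first (404), then the right one."""
    right, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    results = []
    for served in (wrong, right):
        srv = serve_dir(served)
        results.append(preflight(right, f"127.0.0.1:{srv.server_port}"))
        srv.shutdown()
        srv.server_close()
    return results
```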

I understood and I was able to resolve my problem:

I have 2 Web servers at home, behind an ADSL box.
One listening on port 80, and the other on 8080.

My Website nextcloud-pijuv.jujumediacenter.com is managed by the second Web server on 8080 port.
So, I have to reconfigure the server to change the port from 8080 to 80.

So, now I have another question: I'd like to renew automatically each certificate for my several websites on each Web server.
Since each web server has its own listening port, how do I define another port (80 is used by default)?

I saw this option in the man page of certbot, but it's for testing purposes only:
--http-01-port HTTP01_PORT

Thanks


That's not possible. If you want to use http-01 validation, the first GET-request is via port 80.

So you need one instance after your router and a port forwarding extern 80 -> intern 80.

But isn't it possible to define two vHosts? That's the standard solution, so the webserver sends domain A or domain B, but there is only one port used.


Yes exactly, I have to use vHosts, but actually, I have 2 web servers on 2 physical machines.

Anyway, I think this architecture gives me another error: I tried to install a new certificate for the domain galerie.jujumediacenter.com on the other web server on the other physical machine.
When I check the installation on https://www.ssllabs.com/ssltest/analyze.html?d=galerie.jujumediacenter.com, it gives the error:

Certificate name mismatch
Try these other domain names (extracted from the certificates):

  • pijuv
    What does this mean?
    We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It’s possible that:
  • The web site does not use SSL, but shares an IP address with some other site that does.
  • The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted.
  • The web site uses a content delivery network (CDN) that does not support SSL.
  • The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake.

Checked the domain via https://check-your-website.server-daten.de/?q=galerie.jujumediacenter.com

It's a self signed certificate:

CN=pijuv, 19.12.2017 - 17.12.2027, expires in 3122 days, pijuv - 1 entry

But you have created a Letsencrypt certificate:

CertSpotter-Id: 941713547
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
not before: 2019-05-31 16:11:25
not after: 2019-08-29 16:11:25
Domain names: galerie.jujumediacenter.com - 1 entries
LE-Duplicate: duplicate nr. 1
next LE: (empty)

So this certificate isn't installed.

How did you create that certificate? With certonly?

PS: There are different Server Headers - http vs. https.

I’ve tried to create this certificate with the command:
certbot run -a webroot -i apache -w /var/www/html/piwigo -d galerie.jujumediacenter.com


Looks like Certbot has used the wrong vHost to install.

What says

apachectl -S

Perhaps you have different vHosts with the same port and ServerName / ServerAlias, so Certbot picks the wrong vHost.
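Added example, not from the thread: a Python parser for `apachectl -S` output that lists, per port, every ServerName or alias and the file:line of each vHost that claims it, then flags names claimed by more than one vHost on the same port (the situation described above, where Certbot may install into the wrong one). The sample input is the output posted in this thread plus two constructed lines, marked as such, so that a clash is actually present.

```python
import re
from collections import defaultdict

# `apachectl -S` output as posted in this thread, plus two constructed lines (a ServerAlias
# under wiki and a second port-80 vHost for galerie) so the clash detection has something to find.
APACHECTL_S = """\
VirtualHost configuration:
*:443 galerie.jujumediacenter.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost galerie.jujumediacenter.com (/etc/apache2/sites-enabled/000-default.conf:31)
port 80 namevhost musique.jujumediacenter.com (/etc/apache2/sites-enabled/000-default.conf:39)
port 80 namevhost wiki.jujumediacenter.com (/etc/apache2/sites-enabled/000-default.conf:45)
        alias www.wiki.jujumediacenter.com
port 80 namevhost galerie.jujumediacenter.com (/etc/apache2/sites-enabled/galerie.conf:1)
"""
# (the last two lines of APACHECTL_S are constructed, not from the thread)

# "*:443 name (file:line)" for a port with one vHost, "port 80 namevhost name (file:line)" otherwise
VHOST_RE = re.compile(r"^\s*(?:\*:(\d+)|port (\d+) namevhost)\s+(\S+)\s+\((\S+?):(\d+)\)")
ALIAS_RE = re.compile(r"^\s*alias\s+(\S+)")  # ServerAlias lines follow their namevhost line

def parse_vhosts(text):
    """Map (port, name) -> [file:line, ...]; an alias is just another name on the same vHost."""
    table, current = defaultdict(list), None
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name = m.group(1) or m.group(2), m.group(3)
            where = f"{m.group(4)}:{m.group(5)}"
            current = (port, where)
            table[(port, name)].append(where)
            continue
        a = ALIAS_RE.match(line)
        if a and current:
            table[(current[0], a.group(1))].append(current[1])
    return dict(table)

def find_clashes(table):
    """Names reachable through more than one vHost on one port: Certbot may pick either of them."""
    return {k: v for k, v in table.items() if len(v) > 1}

if __name__ == "__main__":
    for (port, name), where in find_clashes(parse_vhosts(APACHECTL_S)).items():
        print(f"port {port} {name} is defined in: {', '.join(where)}")
```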

Result of the command apachectl -S:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 galerie.jujumediacenter.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost galerie.jujumediacenter.com (/etc/apache2/sites-enabled/000-default.conf:31)
port 80 namevhost musique.jujumediacenter.com (/etc/apache2/sites-enabled/000-default.conf:39)
port 80 namevhost wiki.jujumediacenter.com (/etc/apache2/sites-enabled/000-default.conf:45)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33


What's the content of that file?

And a really curious thing:

http has ( https://check-your-website.server-daten.de/?q=galerie.jujumediacenter.com#url-checks - then "show header")

Server: Apache/2.4.25 (Debian)

https has

Server: Apache

Looks like another server answers.

The content of the file /etc/apache2/sites-enabled/000-default-le-ssl.conf is:

<VirtualHost *:443>
    DocumentRoot /var/www/html/piwigo
    ServerName galerie.jujumediacenter.com

    SSLCertificateFile /etc/letsencrypt/live/galerie.jujumediacenter.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/galerie.jujumediacenter.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>


There is a new check of your subdomain - https://check-your-website.server-daten.de/?q=galerie.jujumediacenter.com

Now it’s correct.

You have a Grade B, a correct redirect:

Domainname / Http-Status / redirect / Sec. / G
http://galerie.jujumediacenter.com/ (82.240.254.130): 301 -> https://galerie.jujumediacenter.com/, 0.133 s, A
https://galerie.jujumediacenter.com/ (82.240.254.130): 200, 1.743 s, B

And the new certificate is used:

CN=galerie.jujumediacenter.com, 31.05.2019 - 29.08.2019, expires in 89 days, galerie.jujumediacenter.com - 1 entry

Houaa, you are already here!

Yes, thanks to your last comment, I understood several things: my other web server (not the one where there is galerie application) answers on behalf of the right web server (the one where there is galerie application).
And another thing, I had to reconfigure my ADSL box to forward 443 port to the right physical machine.

Now I have a valid certificate for galerie.jujumediacenter.com on a web server on a physical machine, and another valid certificate for nextcloud-pijuv.jujumediacenter.com on another web server on another physical machine.

Now I have to understand how to automate the renewal process for all this stuff.


Is it possible to have different certificates for the same IP address?

A certificate doesn't know something about an ip address.

Your webserver must support SNI (Server Name Indication), then you can create different vHosts with different certificates.

