I deleted my ssl cert and now certbot won't let me get another one

zeesteve1 · May 1, 2021, 11:12am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cozybroadcast.stream

I ran this command: sudo certbot --apache

It produced this output:

Challenge failed for domain cozybroadcast.stream
Challenge failed for domain www.cozybroadcast.stream
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: cozybroadcast.stream
Type: unauthorized
Detail: Invalid response from
http://cozybroadcast.stream/.well-known/acme-challenge/RmsYdO8LO8LdK0F9hEt-YT-63ztN-CZi92GPZMnO85k
[72.167.33.188]: "\n\n403
Forbidden\n\n

Forbidden
\n<p"

Domain: www.cozybroadcast.stream
Type: unauthorized
Detail: Invalid response from
http://www.cozybroadcast.stream/.well-known/acme-challenge/jLh_t-WCCDK8BJS8aWpbYCG-TTx4Jp13FjILQ7ObMGw
[72.167.33.188]: "\n\n403
Forbidden\n\n

Forbidden
\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 20.0.4

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.14.0

Note: I already received SSL cert for this domain, but I rebuilt the server and wiped it, so I no longer have the files.

griffin · May 1, 2021, 6:17pm

Welcome to the Let's Encrypt Community, Steve

I just ran several tests and got a proper 404 response rather than the 403 response. It's possible that a directive/rule in your apache configuration is preventing access to the ACME authentication files when they do actually exist.

What is the output of this command?

sudo apachectl -S

Please put three backticks above and below the output, like this:

```
output
```

zeesteve1 · May 1, 2021, 6:21pm

VirtualHost configuration:
*:80                   ip-72-167-33-188.ip.secureserver.net (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                 cozybroadcast.stream (/etc/apache2/sites-enabled/cozybroadcast.stream.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

griffin · May 1, 2021, 6:35pm

What are the contents of these files?

/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/cozybroadcast.stream.conf

As before, please put three backticks above and below each content.

Is the port actually 80 or 3000?

zeesteve1 · May 1, 2021, 6:46pm

the website is running on port 3000, so at one point I experimented with changing the heading of /etc/apache2/sites-enabled/cozybroadcast.stream.conf to <VirtualHost *:3000> but I changed it back when it didn't help.

Also I have /etc/apache2/sites-enabled/cozybroadcast.stream.conf not /etc/apache2/sites-enabled/cozybroadcast.stream.conf.conf

/etc/apache2/sites-enabled/000-default.conf
contents:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port t>
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port t>
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin campervan@cozybroadcast.stream
        DocumentRoot /var/www/cozybroadcast.stream/
        ServerName cozybroadcast.stream
        ServerAlias www.cozybroadcast.stream

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

griffin · May 1, 2021, 7:01pm

Is it still running on port 3000? That would definitely not work for Let's Encrypt to verify domain control via an http-01 challenge.

That's my bad. I fixed my post.

Regarding /etc/apache2/sites-enabled/000-default.conf ...

That file contains no ServerName or ServerAlias and thus is likely just acting as a catch as the default server.

Unless you really need it, I would recommend disabling it with:

sudo a2dissite 000-default.conf

Then reloading apache with:

sudo apachectl -k graceful

Regarding /etc/apache2/sites-enabled/cozybroadcast.stream.conf ...

Things are generally looking good. I'm assuming that the DocumentRoot is correct.

You might want to check the permissions on the .well-known and .well-known/acme-challenge directories in /var/www/cozybroadcast.stream/ to ensure their files are accessible from the internet.

zeesteve1 · May 1, 2021, 7:18pm

OK I changed main.js so it runs on port 80
I dissabled 000-default.conf and reloaded apache
The root exists, but it is empty because I thought it was for putting index.html in and don't want it to serve an html file. It is an express app which renders a .pug file.
I don't have .well-known and .well-known/acme-challenge directories

griffin · May 1, 2021, 7:21pm

Let's test it:

sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run

If that works, this should do it:

sudo certbot --apache -d "cozybroadcast.stream,www.cozybroadcast.stream"

zeesteve1 · May 1, 2021, 7:26pm

root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Account registered.
Simulating a certificate request for cozybroadcast.stream and www.cozybroadcast.stream
Performing the following challenges:
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain www.cozybroadcast.stream
Challenge failed for domain cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
http-01 challenge for cozybroadcast.stream
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://www.cozybroadcast.stream/.well-known/acme-challenge/2udZxSZJwljQBgt9gvtgTfKA08XjEh1IZmuublCIinE
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://cozybroadcast.stream/.well-known/acme-challenge/sJzT0CcMYJbRwyoH6l1qCH4psRGD9F_mhKKDH3WCRvE
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

griffin · May 1, 2021, 7:34pm

Now I'm starting to wonder.

Do you have a .htaccess file in /var/www/cozybroadcast.stream?

zeesteve1 · May 1, 2021, 7:35pm

no the directory is empty

griffin · May 1, 2021, 7:48pm

Let's try creating a test file in /var/www/cozybroadcast.stream containing "1234".

zeesteve1 · May 1, 2021, 7:50pm

what should the file extension be

griffin · May 1, 2021, 7:55pm

no extension, which is how the authentication files are

zeesteve1 · May 1, 2021, 8:04pm

ok, file test is created in /var/www/cozybroadcast.stream containing 1234 and I rerun the command -dry-run and it appears to return the same error:

root@ip-72-167-33-188:/var/www/cozybroadcast.stream# vi test
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Simulating a certificate request for cozybroadcast.stream and www.cozybroadcast.stream
Performing the following challenges:
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain www.cozybroadcast.stream
Challenge failed for domain cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
http-01 challenge for cozybroadcast.stream
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://www.cozybroadcast.stream/.well-known/acme-challenge/3kEgB9RtF0CW_Zq_k9n4yODNFHWcImda5-6moJJLzJc
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://cozybroadcast.stream/.well-known/acme-challenge/pvhR1kbsYji3lyhTrTqPQe6w9CqCqFUHtdvrHpCBOUg
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.```

griffin · May 1, 2021, 8:30pm

The test file returns 403 as well. Your apache webserver seems to be currently incapable of serving files. Check the permissions of the /var/www/cozybroadcast.stream directory itself.

zeesteve1 · May 1, 2021, 8:33pm

total 4
-rw------- 1 root root 5 May  1 19:51 test

griffin · May 1, 2021, 8:50pm

That's the file. What about the permissions of the /var/www/cozybroadcast.stream directory itself?

zeesteve1 · May 1, 2021, 8:52pm

root@ip-72-167-33-188:/var/www# ls -l
total 8
drwx------ 2 www-data www-data 4096 May  1 19:51 cozybroadcast.stream
drwxr-xr-x 2 root     root     4096 May  1 08:54 html

griffin · May 1, 2021, 8:56pm

In both cases (test file and /var/www/cozybroadcast.stream), the world and group have no access. The permissions for the test file should be 644 (user rw, group r, world r) and the permissions for the directory should be 755 (user rwx, group rx, world rx). Just like the html directory.

Topic		Replies	Views
Unable to use SSL certificate Help	4	728	November 26, 2020
69.49.228.234: Invalid response Help	6	410	November 2, 2023
Cannot obtain a certificate Help	2	963	December 14, 2021
[SOLVED] Some challenges have failed Help	4	3328	January 4, 2023
Challenge failed for domain Help	2	1402	May 24, 2019

I deleted my ssl cert and now certbot won't let me get another one

Forbidden

Forbidden

Related topics