I deleted my ssl cert and now certbot won't let me get another one

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cozybroadcast.stream

I ran this command: sudo certbot --apache

It produced this output:

Challenge failed for domain cozybroadcast.stream
Challenge failed for domain www.cozybroadcast.stream
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 20.0.4

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.14.0

Note: I already received SSL cert for this domain, but I rebuilt the server and wiped it, so I no longer have the files.

2 Likes

Welcome to the Let's Encrypt Community, Steve :slightly_smiling_face:

I just ran several tests and got a proper 404 response rather than the 403 response. It's possible that a directive/rule in your apache configuration is preventing access to the ACME authentication files when they do actually exist.

What is the output of this command?

sudo apachectl -S

Please put three backticks above and below the output, like this:

```
output
```

2 Likes
VirtualHost configuration:
*:80                   ip-72-167-33-188.ip.secureserver.net (/etc/apache2/sites-enabled/000-default.conf:1)
*:80                 cozybroadcast.stream (/etc/apache2/sites-enabled/cozybroadcast.stream.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
2 Likes

What are the contents of these files?

/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/cozybroadcast.stream.conf

As before, please put three backticks above and below each content.

Is the port actually 80 or 3000?

2 Likes

the website is running on port 3000, so at one point I experimented with changing the heading of /etc/apache2/sites-enabled/cozybroadcast.stream.conf to <VirtualHost *:3000> but I changed it back when it didn't help.

Also I have /etc/apache2/sites-enabled/cozybroadcast.stream.conf not /etc/apache2/sites-enabled/cozybroadcast.stream.conf.conf

/etc/apache2/sites-enabled/000-default.conf
contents:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port t>
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port t>
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin campervan@cozybroadcast.stream
        DocumentRoot /var/www/cozybroadcast.stream/
        ServerName cozybroadcast.stream
        ServerAlias www.cozybroadcast.stream

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
2 Likes

Is it still running on port 3000? That would definitely not work for Let's Encrypt to verify domain control via an http-01 challenge.


That's my bad. I fixed my post. :sweat_smile:


Regarding /etc/apache2/sites-enabled/000-default.conf ...

That file contains no ServerName or ServerAlias and thus is likely just acting as a catch as the default server.

Unless you really need it, I would recommend disabling it with:

sudo a2dissite 000-default.conf

Then reloading apache with:

sudo apachectl -k graceful


Regarding /etc/apache2/sites-enabled/cozybroadcast.stream.conf ...

Things are generally looking good. I'm assuming that the DocumentRoot is correct.


You might want to check the permissions on the .well-known and .well-known/acme-challenge directories in /var/www/cozybroadcast.stream/ to ensure their files are accessible from the internet.

2 Likes

OK I changed main.js so it runs on port 80
I dissabled 000-default.conf and reloaded apache
The root exists, but it is empty because I thought it was for putting index.html in and don't want it to serve an html file. It is an express app which renders a .pug file.
I don't have .well-known and .well-known/acme-challenge directories

2 Likes

Let's test it:

sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run

If that works, this should do it:

sudo certbot --apache -d "cozybroadcast.stream,www.cozybroadcast.stream"

2 Likes
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Account registered.
Simulating a certificate request for cozybroadcast.stream and www.cozybroadcast.stream
Performing the following challenges:
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain www.cozybroadcast.stream
Challenge failed for domain cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
http-01 challenge for cozybroadcast.stream
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://www.cozybroadcast.stream/.well-known/acme-challenge/2udZxSZJwljQBgt9gvtgTfKA08XjEh1IZmuublCIinE
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://cozybroadcast.stream/.well-known/acme-challenge/sJzT0CcMYJbRwyoH6l1qCH4psRGD9F_mhKKDH3WCRvE
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
2 Likes

Now I'm starting to wonder.

Do you have a .htaccess file in /var/www/cozybroadcast.stream?

2 Likes

no the directory is empty

2 Likes

Let's try creating a test file in /var/www/cozybroadcast.stream containing "1234".

2 Likes

what should the file extension be

2 Likes

no extension, which is how the authentication files are

2 Likes

ok, file test is created in /var/www/cozybroadcast.stream containing 1234 and I rerun the command -dry-run and it appears to return the same error:

root@ip-72-167-33-188:/var/www/cozybroadcast.stream# vi test
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Simulating a certificate request for cozybroadcast.stream and www.cozybroadcast.stream
Performing the following challenges:
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain www.cozybroadcast.stream
Challenge failed for domain cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
http-01 challenge for cozybroadcast.stream
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://www.cozybroadcast.stream/.well-known/acme-challenge/3kEgB9RtF0CW_Zq_k9n4yODNFHWcImda5-6moJJLzJc
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   Domain: cozybroadcast.stream
   Type:   unauthorized
   Detail: Invalid response from
   http://cozybroadcast.stream/.well-known/acme-challenge/pvhR1kbsYji3lyhTrTqPQe6w9CqCqFUHtdvrHpCBOUg
   [72.167.33.188]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.```
2 Likes

The test file returns 403 as well. Your apache webserver seems to be currently incapable of serving files. Check the permissions of the /var/www/cozybroadcast.stream directory itself.

2 Likes
total 4
-rw------- 1 root root 5 May  1 19:51 test
2 Likes

That's the file. What about the permissions of the /var/www/cozybroadcast.stream directory itself?

2 Likes
root@ip-72-167-33-188:/var/www# ls -l
total 8
drwx------ 2 www-data www-data 4096 May  1 19:51 cozybroadcast.stream
drwxr-xr-x 2 root     root     4096 May  1 08:54 html
2 Likes

In both cases (test file and /var/www/cozybroadcast.stream), the world and group have no access. The permissions for the test file should be 644 (user rw, group r, world r) and the permissions for the directory should be 755 (user rwx, group rx, world rx). Just like the html directory.

2 Likes