Initial certbot failure

The website has been running without https for a while.
I just installed certbot, following directions at https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.
https://letsdebug.net says everything is OK.
More details below.

My domain is:
marionsculpture.com

I ran this command:
certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): marion@marionsculpture.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: a


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: yes

Which names would you like to activate HTTPS for?


1: marionsculpture.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for marionsculpture.com
Waiting for verification...
Challenge failed for domain marionsculpture.com
http-01 challenge for marionsculpture.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: marionsculpture.com
    Type: unauthorized
    Detail: Invalid response from
    http://marionsculpture.com/.well-known/acme-challenge/60in5LUVITC5KZzRpgLSbGZMBncjMFQ57ZdPzDl_lSI
    [73.112.43.149]: "\r\n<html
    lang="en-US">\r\n\r\n<meta charset="UTF-8" />\r\n<meta
    name="viewport" content="width=device-width, initi"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04 LTS

My hosting provider, if applicable, is:
Me (machine on home network)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.9.0

===
In the log file, /var/log/letsencrypt/letsencrypt.log,
this seems to be the most important part:

2020-11-21 16:14:20,104:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443
"POST /acme/authz-v3/8769821829 HTTP/1.1" 200 1211
2020-11-21 16:14:20,105:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 21 Nov 2020 21:14:20 GMT
Content-Type: application/json
Content-Length: 1211
Connection: keep-alive
Boulder-Requester: 103103650
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0103bQ6ZDVAjO04sBMYkeMaqJ27WwMjoPm8FBhiHI_KuVd0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "marionsculpture.com"
},
"status": "invalid",
"expires": "2020-11-28T21:14:15Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://marionsculpture.com/.well-known/acme-challenge/60in5LUVITC5KZzRpgLSbGZMBncjMFQ57ZdPzDl_lSI [73.112.43.149]: "\u003c!DOCTYPE html\u003e\r\n\u003chtml lang=\"en-US\"\u003e\r\n\u003chead\u003e\r\n\u003cmeta charset=\"UTF-8\" /\u003e\r\n\u003cmeta name=\"viewport\" content=\"width=device-width, initi"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8769821829/P64MYw",
"token": "60in5LUVITC5KZzRpgLSbGZMBncjMFQ57ZdPzDl_lSI",
"validationRecord": [
{
"url": "http://marionsculpture.com/.well-known/acme-challenge/60in5LUVITC5KZzRpgLSbGZMBncjMFQ57ZdPzDl_lSI",
"hostname": "marionsculpture.com",
"port": "80",
"addressesResolved": [
"73.112.43.149"
],
"addressUsed": "73.112.43.149"
}
]
}
]
}

Any ideas?

2 Likes

Hi Jan and welcome to the LE community!

Yes, let's start with seeing what names Apache is serving and where.
Please show the output of:
apachectl -S

2 Likes

VirtualHost configuration:
*:80 is a NameVirtualHost
default server marionsculpture.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost marionsculpture.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost marionsculpture.com (/etc/apache2/sites-enabled/marionsculpture.com.conf:23)
alias marionette
wild alias *.marionsculpture.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used

2 Likes

Hi @JanEdler

that's

always wrong.

Every combination of port and domain name must be unique.

So merge these two vHost definitions in one and remove the other.

4 Likes
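Added example, not part of the thread or of Certbot: a shell check that reads `apachectl -S` output and reports every port and ServerName pair claimed by more than one vhost, which is the condition the reply above calls out. The function names are hypothetical, and the sample dump is copied from the output posted earlier in the thread.

```shell
#!/bin/sh
# Report (port, ServerName) pairs that more than one vhost claims.
# Reads an `apachectl -S` dump on stdin. ServerAlias lines are not checked.
# Exit status: 0 when every pair is unique, 1 when a duplicate is found.
find_duplicate_vhosts() {
    awk '
        # Lines of interest look like:
        #   port 80 namevhost example.com (/path/to/site.conf:23)
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            loc = $5
            gsub(/[()]/, "", loc)          # strip the surrounding parentheses
            count[key]++
            if (key in files) files[key] = files[key] ", " loc
            else files[key] = loc
        }
        END {
            status = 0
            for (key in count) {
                if (count[key] > 1) {
                    split(key, parts, " ")
                    printf "DUPLICATE port %s name %s: %s\n", parts[1], parts[2], files[key]
                    status = 1
                }
            }
            exit status
        }
    '
}

# Sample input: the vhost section of the dump posted in this thread.
sample_dump() {
    cat <<'EOF'
*:80 is a NameVirtualHost
    default server marionsculpture.com (/etc/apache2/sites-enabled/000-default.conf:1)
    port 80 namevhost marionsculpture.com (/etc/apache2/sites-enabled/000-default.conf:1)
    port 80 namevhost marionsculpture.com (/etc/apache2/sites-enabled/marionsculpture.com.conf:23)
            alias marionette
            wild alias *.marionsculpture.com
EOF
}

# On a live server: apachectl -S 2>&1 | find_duplicate_vhosts
sample_dump | find_duplicate_vhosts || echo "Merge the duplicate vhosts before running certbot."
```

When two vhosts share a port and name, Apache serves requests from the first one it loaded, so a challenge file or rewrite rule placed in the other never takes effect.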

Thanks, that took care of the problem!

4 Likes