Installing across 2 servers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

graywitch.co.nz

I ran this command:

certbot --apache -d graywitch.co.nz

It produced this output:

Account registered.
Requesting a certificate for graywitch.co.nz

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: graywitch.co.nz
Type: unauthorized
Detail: 101.100.139.35: Invalid response from http://graywitch.co.nz/.well-known/acme-challenge/CH1cdkmxeWlr9DFBUi-W-4k65ZL8PrYzqzs8rxAtJLA: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

root@email-001:/etc/apache2# apache2 -v
Server version: Apache/2.4.67 (Debian)
Server built: 2026-06-05T10:55:53
root@email-001:/etc/apache2#

The operating system my web server runs on is (include version):

debconf.conf debian_version
root@email-001:/etc/apache2# cat /etc/debian_version
13.5
root@email-001:/etc/apache2#

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no, CLI

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

root@email-001:/etc/apache2# certbot --version
certbot 4.0.0
root@email-001:/etc/apache2#

Hi,

I have port 80 on one VM and port 443 on another VM with a redirection via the firewall.

Hence why I get this failure I assume.

How do I? or can I? run a let's encrypt setup like this for 443 only?

You can use mod_md (mod_md - Apache HTTP Server Version 2.4) to get a certificate through the tls-alpn-01 challenge.

If all HTTP requests get sent to HTTPS on your other VM it should be fine to run Certbot on the VM that handles port 443. The --apache plugin should insert the same temp code into your Apache for VirtualHosts on both ports. Or, use --webroot for the DocumentRoot path on your port 443 VHost.

But, I also like to recommend Apache mod_md

EDIT: I just noticed the URL in the error message was for HTTP. That request was not redirected to HTTPS. Can you explain more what you mean by "re-direction via the firewall"?

The firewall port forwards incoming port 80 to port 80 on one VM, but port forwards incoming port 443 to another VM. Hence 2 different instances of Apache2.

Okay, then running Certbot on the VM that handles port 80 should have worked. Is that the VM you ran it on?

Note that places the cert on that VM. So, you'll need to copy it to the other.

To avoid that, use mod_md with the tls-alpn challenge on port 443. Setup mod_md on the Apache VM for that port.

Just curious ... what benefit do you get from splitting port 80 to a separate VM than port 443?
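A minimal mod_md configuration for the tls-alpn-01 approach described above, as an added example that is not part of the original thread; the contact address and DocumentRoot are assumed placeholders, and the modules are assumed to be enabled with a2enmod md ssl on Debian.

```apache
# Port 443 VM only: mod_md obtains and renews the certificate over TLS,
# so nothing needs to reach port 80 on this machine.

# Register the domain mod_md should manage.
MDomain graywitch.co.nz

# Assumed placeholder address for Let's Encrypt account notices.
MDContactEmail admin@graywitch.co.nz
MDCertificateAgreement accepted

# Force tls-alpn-01; without this, mod_md may try http-01, which would
# hit the other VM's port 80 and fail just like Certbot did.
MDCAChallenges tls-alpn-01

<VirtualHost *:443>
    ServerName graywitch.co.nz
    # acme-tls/1 must be offered here, or tls-alpn-01 cannot be answered.
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    # No SSLCertificateFile: mod_md supplies the certificate once issued.
    # Assumed placeholder path for the webmail files.
    DocumentRoot /var/www/webmail
</VirtualHost>
```

After a reload, mod_md reports issuance progress at https://graywitch.co.nz/.httpd/certificate-status (MDCertificateStatus is on by default); a second reload is needed once the certificate has been obtained so Apache starts serving it.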

No, I ran it on the port 443 VM. I can do it on the port 80 VM. The port 80 VM holds simple historic flat HTML while the 443 machine is webmail running PHP. At the time it was run on very limited hardware (2 Pi2s) as CPU was so limited and I am crap at Apache config. I do have to migrate to one VM at some stage but my Apache skills are minimal.

You can also move your DNS to a DNS provider that supports automation (like Cloudflare, which has free DNS hosting services) and use a DNS challenge with an API key etc. That way it doesn't matter where your cert is being used.

Should work on the port 80 VM. Certbot's --apache option makes changes to the Apache VirtualHost config, reloads Apache and requests the cert. After that Certbot reverses those changes and reloads Apache again.

Note the --apache option also creates a VirtualHost for port 443. So, you'll see one of those in the VM for port 80; it just won't ever see any traffic, so it is not harmful.

To avoid Certbot making changes to your Apache you should use --webroot option instead.

If you aren't sure how to use --webroot please post the contents of your VirtualHost for port 80 for this domain and I'll give you the command.

Well, any cert can be "used" anywhere :) But, you are right that a DNS Challenge would allow them to run Certbot on the port 443 VM which is where they want to use it. Switching DNS providers may be more than they want to take on. But is certainly another option.