Invalid response from http://.../.well-known/acme-challenge/W4e

Hello, I am really a beginner and I'm going crazy trying to get https working on my ownCloud ...
Now I'm stuck with Let's Encrypt, which gives me errors, and I really do not know where to start from.

Thanks for your assistance.

My domain is: miazza.no-ip.biz

I ran this command: certbot certonly --webroot

It produced this output:

root@debian:/etc/apache2/sites-available# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): miazza.no-ip.biz
Requesting a certificate for miazza.no-ip.biz
Performing the following challenges:
http-01 challenge for miazza.no-ip.biz
Input the webroot for miazza.no-ip.biz: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Challenge failed for domain miazza.no-ip.biz
http-01 challenge for miazza.no-ip.biz
Cleaning up challenges
Running post-hook command: service apache2 reload
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: miazza.no-ip.biz
   Type:   unauthorized
   Detail: 130.25.219.220: Invalid response from
   http://miazza.no-ip.biz/.well-known/acme-challenge/W4exmJehvW61B4vzY4Q2-07heRtkzGXSwb8qH7z8SRs:
   400

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache/2.4.53 (Debian)

The operating system my web server runs on is (include version):
Debian 11
Apache

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

The log file of the last try:

2022-04-24 19:17:44,092:DEBUG:certbot._internal.main:certbot version: 1.12.0
2022-04-24 19:17:44,096:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-04-24 19:17:44,097:DEBUG:certbot._internal.main:Arguments: ['--webroot']
2022-04-24 19:17:44,100:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-24 19:17:44,260:DEBUG:certbot._internal.log:Root logging level set at 20
2022-04-24 19:17:44,265:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-04-24 19:17:44,272:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-04-24 19:17:44,276:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x75a57bc8>
Prep: True
2022-04-24 19:17:44,281:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x75a57bc8> and installer None
2022-04-24 19:17:44,283:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-04-24 19:17:44,466:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/513599947', new_authzr_uri=None, terms_of_service=None), eb11918b2471c3a54a1b1a07a7a4888a, Meta(creation_dt=datetime.datetime(2022, 4, 24, 13, 35, 33, tzinfo=<UTC>), creation_host='debian', register_to_eff=None))>
2022-04-24 19:17:44,475:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-04-24 19:17:44,498:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-04-24 19:17:45,021:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-04-24 19:17:45,026:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx

What are you running? Apache or nginx?

Figure it out and use --apache or --nginx instead of --webroot.

If you want to use webroot, you have to find out what the webroot is (for that virtualhost).

OR
Use the correct --webroot

1 Like
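The reply above says the webroot has to be the one Apache actually serves for that virtual host. A quick way to check that before running certbot is a pre-flight probe, added here as an example (not code from the thread or from Certbot): it drops a 43-character token under `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP the way the validator would, and reports the status. `demo()` runs the probe against a local throwaway server with the right webroot and a wrong one; `QuietHandler`, `DIRECT` and the function names are this example's own.

```python
import functools, http.server, os, secrets, tempfile, threading, urllib.error, urllib.request

ACME_PATH = ".well-known/acme-challenge"
# Connect directly, ignoring proxy environment variables, because the CA's validator does too.
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def write_token(webroot, token):
    """Drop a throwaway token under <webroot>/.well-known/acme-challenge/, as certbot --webroot does."""
    acme_dir = os.path.join(webroot, *ACME_PATH.split("/"))
    os.makedirs(acme_dir, exist_ok=True)
    path = os.path.join(acme_dir, token)
    with open(path, "w") as f:
        f.write(token)
    return path

def check_served(base_url, token):
    """Fetch the token over plain HTTP the way the validator would; return (status, body matched)."""
    url = f"{base_url.rstrip('/')}/{ACME_PATH}/{token}"
    try:
        with DIRECT.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace") == token
    except urllib.error.HTTPError as err:  # e.g. 404 from the wrong webroot, or 400 as in the thread
        return err.code, False

def preflight(webroot, base_url):
    """Probe one candidate webroot with a 43-character token (same shape as a real one), then clean up."""
    token = secrets.token_urlsafe(32)
    path = write_token(webroot, token)
    try:
        return check_served(base_url, token)
    finally:
        os.remove(path)

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the local demo's stderr clean
        pass

def demo():
    """Serve a scratch directory on localhost and probe it with the right webroot and a wrong one."""
    served, other = tempfile.mkdtemp(), tempfile.mkdtemp()
    handler = functools.partial(QuietHandler, directory=served)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {"right": preflight(served, base), "wrong": preflight(other, base)}
    finally:
        srv.shutdown()
        srv.server_close()
```

On a real host, `preflight("/var/www/html", "http://miazza.no-ip.biz")` returning anything other than `(200, True)` means Apache is not serving that directory for the challenge path, and certbot would fail the same way.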

I am using Apache and I do not know why there is nginx in the log.
Maybe it is an old installation, but now it is uninstalled.

What is the webroot I have to use?

root@debian:/etc/apache2/sites-available# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
The requested apache plugin does not appear to be installed

How can I install it?

How did you install Certbot?

2 Likes

With apt.
Unfortunately I cannot do it with snap because I have a problem with the install and it fails to start.

Then you'll need to install the nginx plugin separately. The package is probably called python3-certbot-apache or something like that, perhaps python-certbot-apache, I dunno.

2 Likes

OK. I got it with:

 apt-get install certbot python3-certbot-apache

Now I get:

root@debian:/etc/apt# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): miazza.no-ip.biz
Requesting a certificate for miazza.no-ip.biz
Performing the following challenges:
http-01 challenge for miazza.no-ip.biz
Cleaning up challenges
Running post-hook command: service apache2 reload
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

I have added a virtual host for port 80:

root@debian:/etc/apache2/sites-available# cat 000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerName mydom.tld

  Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
  <Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
      Options None
      AllowOverride None
      ForceType text/plain
      RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  </Directory>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

I have also opened the port 80 on the router and forwarded to the IP of the machine where apache is installed.

That's 000-default.conf from the /sites-available/ directory, but is it also enabled?

2 Likes

Do you mean I have to chmod +x?

No.

Please see generic how-to's about Apache on how to configure Apache, such as https://linuxize.com/post/how-to-set-up-apache-virtual-hosts-on-ubuntu-18-04/#create-a-virtual-hosts. Don't literally follow it, just read that section and notice the part where it starts to talk about the sites-available and sites-enabled directories.

Maybe your site is already enabled, I dunno, I don't use Ubuntu nor those two specific directories.

2 Likes

OK. Good to know :)
By the way, I'm running Debian 11 on Kirkwood.
Now I have done this:

root@debian:/etc/apache2/sites-available# a2ensite 000-default.conf
Enabling site 000-default.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@debian:/etc/apache2/sites-available# systemctl reload apache2
root@debian:/etc/apache2/sites-available#

We are getting better, but:

root@debian:/etc/apache2/sites-available# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mydom.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for mydom.tld
Running post-hook command: service apache2 reload
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "mydom.tld": Domain name does not end with a valid public suffix (TLD)
Please see the logfiles in /var/log/letsencrypt for more details.

Is the hostname you're using literally mydom.tld? Well, Let's Encrypt only issues certificates for REAL domain names, hostnames that are publicly accessible. Not for fake domains.

Try substituting that fake hostname in your Apache configuration with the actual hostname (miazza.no-ip.biz?).

3 Likes
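Both errors in this part of the thread (no virtual host on port 80, then a certificate requested for the placeholder `mydom.tld`) are visible in the vhost file itself before certbot is ever run. The checker below is an added example, not code from the thread, Certbot or Apache: it parses `<VirtualHost>` blocks, flags a missing port-80 vhost and a ServerName ending in a non-public suffix, and works out which `-w` value `certbot --webroot` would need given the `Alias` in the posted config. `NON_PUBLIC_SUFFIXES` is a short hand-picked set, not the full Public Suffix List, and `SAMPLE` is constructed from the essential lines of the posted 000-default.conf.

```python
import re

# Suffixes a public CA will never issue for (RFC 2606/6761 names plus the "tld" placeholder from the
# thread). Assumption: a short hand-picked set, not the full Public Suffix List.
NON_PUBLIC_SUFFIXES = {"tld", "example", "test", "invalid", "localhost", "local", "lan", "home"}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """One dict per <VirtualHost>: ports, ServerName, DocumentRoot, acme Alias (comment lines dropped)."""
    hosts = []
    for m in VHOST_RE.finditer(text):
        lines = [l.strip() for l in m.group(2).splitlines() if l.strip() and not l.strip().startswith("#")]
        def directive(name):
            for l in lines:
                parts = l.split(None, 2)
                if parts[0].lower() == name.lower():
                    return parts[1:]
            return []
        alias = directive("Alias")
        hosts.append({
            "ports": [a.rsplit(":", 1)[1] for a in m.group(1).split() if ":" in a],
            "server_name": next(iter(directive("ServerName")), None),
            "document_root": next(iter(directive("DocumentRoot")), None),
            "acme_dir": alias[1] if len(alias) == 2 and alias[0].startswith("/.well-known/acme-challenge") else None,
        })
    return hosts

def webroot_for(host):
    """The -w value certbot --webroot needs: the Alias target minus the acme path, else DocumentRoot."""
    if host["acme_dir"]:
        return re.sub(r"/?\.well-known/acme-challenge/?$", "", host["acme_dir"]) or "/"
    return host["document_root"]

def findings(text):
    """Report the two config problems this thread hit: no port-80 vhost, and a placeholder ServerName."""
    out = []
    port80 = [h for h in parse_vhosts(text) if "80" in h["ports"]]
    if not port80:
        out.append("no VirtualHost listening on port 80; http-01 needs one")
    for h in port80:
        name = h["server_name"] or ""
        if name.rsplit(".", 1)[-1].lower() in NON_PUBLIC_SUFFIXES:
            out.append(f"ServerName {name} has no public suffix; the CA will refuse it")
    return out
# Constructed sample: the essential lines of the 000-default.conf posted in the thread.
SAMPLE = """<VirtualHost *:80>
        ServerName mydom.tld
  Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
        DocumentRoot /var/www/html
</VirtualHost>"""
```

Note that with the posted Alias, the webroot certbot must be given is `/var/www/letsencrypt`, not the `/var/www/html` DocumentRoot used in the first attempt; this check does not tell you whether the site is actually enabled, which the earlier reply about sites-enabled covers.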

Yes. I got it. I used the script following the ownCloud tutorial and now it works:

root@debian:/etc/letsencrypt# ./miazza.no-ip.biz.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Requesting a certificate for miazza.no-ip.biz
Performing the following challenges:
http-01 challenge for miazza.no-ip.biz
Waiting for verification...
Cleaning up challenges
Running post-hook command: service apache2 reload

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/miazza.no-ip.biz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/miazza.no-ip.biz/privkey.pem
   Your certificate will expire on 2022-07-23. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thank you for your support.

3 Likes
