Invalid response from .well-known/acme-challenge 404

First, I already renewed and got the new certificate:
root@ubuntu-s-1vcpu-1gb-sgp1-01:~# openssl x509 -dates -noout -in /etc/letsencrypt/live/pattayaavenueproperty.xyz/fullchain.pem
notBefore=Nov 29 09:04:49 2023 GMT
notAfter=Feb 27 09:04:48 2024 GMT

and restarted it, but my server is not updated:
root@ubuntu-s-1vcpu-1gb-sgp1-01:~# openssl s_client -connect pattayaavenueproperty.xyz:443 | openssl x509 -noout -dates
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = pattayaavenueproperty.xyz
verify error:num=10:certificate has expired
notAfter=Nov 20 06:16:19 2023 GMT
verify return:1
depth=0 CN = pattayaavenueproperty.xyz
notAfter=Nov 20 06:16:19 2023 GMT
verify return:1
notBefore=Aug 22 06:16:20 2023 GMT
notAfter=Nov 20 06:16:19 2023 GMT

So, I tried to use the certbot automation:
root@ubuntu-s-1vcpu-1gb-sgp1-01:~# certbot certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: pattayaavenueproperty.xyz


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Simulating renewal of an existing certificate for pattayaavenueproperty.xyz
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: pattayaavenueproperty.xyz
Type: unauthorized
Detail: 188.166.199.40: Invalid response from https://pattayaavenueproperty.xyz/.well-known/acme-challenge/WZojrgp3LFOrBTcg3dFtDLNf_4078PiJSBfUTt85pro: 404
Some challenges have failed.

root@ubuntu-s-1vcpu-1gb-sgp1-01:/# cat etc/apache2/sites-available/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	ServerName pattayaavenueproperty.xyz
	SSLCertificateFile /etc/letsencrypt/live/pattayaavenueproperty.xyz/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/pattayaavenueproperty.xyz/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I have been stuck on this problem for 10 days. Thank you for your help.

Can you show us your port 80 virtualhost for the address you're trying to configure?

4 Likes

Please show the output of:

sudo apachectl -t -D DUMP_VHOSTS

Also, please stop issuing new certificates. Looking at crt.sh | pattayaavenueproperty.xyz you've been issuing many certificates recently and are at risk of hitting rate limits. If you have issues, please use staging for testing.

3 Likes

root@ubuntu-s-1vcpu-1gb-sgp1-01:~# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 pattayaavenueproperty.xyz (/etc/apache2/sites-enabled/000-default-le-ssl.conf:9)
*:80 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)

I never knew about this (crt.sh | pattayaavenueproperty.xyz) before. Thank you.

root@ubuntu-s-1vcpu-1gb-sgp1-01:/etc/apache2/sites-available# cat 000-default.conf

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =pattayaavenueproperty.xyz
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

They might be the same file - can't tell from where I'm seated.
But those are definitely two separate folders/locations, and may actually be two different files.
Please show us:
cat /etc/apache2/sites-enabled/000-default.conf

Also, you may want to remove all the remarked lines from that config file.

4 Likes

root@ubuntu-s-1vcpu-1gb-sgp1-01:~# cat /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =pattayaavenueproperty.xyz
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

For the remarks, I will remove them.

Do you also have an .htaccess control file?

4 Likes

For me, I did not create or make that file, but I will try to find out if it is there.

Try:
sudo find / -name .htaccess

4 Likes

No, I don't have it.

Try replacing:

With:
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Then reload/restart Apache.

4 Likes

This is what I fixed:

root@ubuntu-s-1vcpu-1gb-sgp1-01:~# cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =pattayaavenueproperty.xyz
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

After that I reloaded it, then tried certbot certonly --dry-run.
And this is the error:

root@ubuntu-s-1vcpu-1gb-sgp1-01:~# certbot certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: pattayaavenueproperty.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Simulating renewal of an existing certificate for pattayaavenueproperty.xyz

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: pattayaavenueproperty.xyz
  Type:   unauthorized
  Detail: 188.166.199.40: Invalid response from https://pattayaavenueproperty.xyz/.well-known/acme-challenge/x8AKMghN_8Vt2FMHL24YkTt4QI_MAsGHUTQVcECxHTA: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Do you have any kind of load balancer or application firewall in front of your Apache server? Because I don't think HTTP requests to your domain are being processed by that Apache config you show us. Can you explain more about how your system is configured?

Also, let's make sure your IP address is correct. What does this show?

curl https://ifconfig.io

HTTP requests get redirected with a 307 but your Apache config does not use 307.

HTTPS requests return a cert issued Aug 22 even though you have gotten 9 new certs since then.

It just doesn't look like you are on the same server pointed to by your DNS. Or, maybe you have multiple Apache systems running.

4 Likes

Yes, I have a load balancer.


I use a load balancer from DigitalOcean.

And this is the firewall that I use:

root@ubuntu-s-1vcpu-1gb-sgp1-01:~# ufw status
Status: inactive

I turned off ufw in any case.

root@ubuntu-s-1vcpu-1gb-sgp1-01:~# curl https://ifconfig.io
146.190.98.250

I did not configure anything because I am new to SSL certificates. The first time, I installed the certificate, but after the first three months the certificate expired. I tried to renew it manually and it installed successfully, but on my server it is still expired. So I tried to renew it with certbot, but it does not go well, and I don't know why.

Your DNS is pointing to 188.166.199.40 which I am guessing is your Load Balancer. And, your LB is routing both HTTP and HTTPS to port 8080. This is probably wrong but you have not shown anything listening on port 8080. This is why the Certbot request fails and why all our sample HTTP (curl) checks get wrong results.

The 146.190.98.250 IP reaches an Apache server. So, if you changed your DNS to point to it, the Certbot request will probably work. But this bypasses your Load Balancer.

You need to sort out your traffic flows between your LB and Apache.

5 Likes
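A small pre-flight check for the mismatch diagnosed above, added here as an example (not code from the thread, from Certbot or from DigitalOcean): it parses the `apachectl -t -D DUMP_VHOSTS` output quoted earlier, compares the domain's DNS answer with the host's own public IP, and flags the missing port 80 ServerName. `SAMPLE_DUMP`, the addresses and the `live_probe` helper are constructed assumptions based on the values in the thread.

```python
import re
import socket
import sys
import urllib.error
import urllib.request

# Constructed sample: the DUMP_VHOSTS output quoted in the thread.
SAMPLE_DUMP = """VirtualHost configuration:
*:443 pattayaavenueproperty.xyz (/etc/apache2/sites-enabled/000-default-le-ssl.conf:9)
*:80 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
"""
VHOST_RE = re.compile(r"^\*:(\d+)\s+(\S+)\s+\((\S+):\d+\)", re.M)

def parse_dump_vhosts(text):
    """Map port -> [(server_name, config_file)] from `apachectl -t -D DUMP_VHOSTS`."""
    vhosts = {}
    for port, name, path in VHOST_RE.findall(text):
        vhosts.setdefault(int(port), []).append((name, path))
    return vhosts

def diagnose(domain, dns_ips, public_ip, vhosts):
    """Offline check: reasons an HTTP-01 challenge for `domain` cannot land on this host."""
    findings = []
    if public_ip not in dns_ips:
        findings.append(f"DNS for {domain} -> {sorted(dns_ips)} does not include this host "
                        f"({public_ip}); a load balancer or another host is in front")
    names80 = [name for name, _ in vhosts.get(80, [])]
    if domain not in names80:
        findings.append(f"no *:80 VirtualHost names {domain} (port 80 vhosts: {names80})")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them, so a 307 to another port is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_probe(domain, token="acme-preflight-test"):
    """Hypothetical network probe: (status, Location) the public edge returns for the challenge path."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

if __name__ == "__main__":  # live run, needs network; pass this host's public IP (curl https://ifconfig.io)
    d, me = "pattayaavenueproperty.xyz", sys.argv[1]
    print(diagnose(d, set(socket.gethostbyname_ex(d)[2]), me, parse_dump_vhosts(SAMPLE_DUMP)))
    print("challenge path answers (status, Location):", live_probe(d))
```

With the thread's values (DNS 188.166.199.40, host 146.190.98.250, port 80 vhost named 127.0.0.1) it reports both findings; a 307 with a Location pointing at port 8080 from `live_probe` would confirm the load balancer rule.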

I am new; can you give me some examples or keywords to search for? Thank you.

1 Like

No, this isn't a general purpose help site for server configuration.

Maybe work with your hosting service. They are the ones providing the load balancer and should be able to help you set it up.

5 Likes

OK, thank you for helping me. I will try to find a way; if it works, I will post the solution here.

1 Like
