Invalid response from


#1

Hey there,

I’m new here and hope you can help me. I have a server running with 1 domain and 4 subdomains that all have a running Let’s Encrypt TLS certificate.

Now I want to add a new domain and a subdomain to my certificate by running the command

certbot --expand -d [Domain] -d [Subdomain]

This command has always worked before with my old domain and the subdomains.
This time I got an error that there is no valid response. Certbot also creates no .well-known folder inside the root directory of this domain.

Here is my virtual-host file

<VirtualHost *:80 *:443>
ServerName [Domain]:443
ServerName [Subdomain]:443
DocumentRoot "/var/www/html/workaround/"

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLProtocol -all +TLSv1.2 +TLSv1.1
#SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256

SSLHonorCipherOrder on

# Encoded slashes need to be allowed
AllowEncodedSlashes             NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify     None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

ServerAlias   [Domain]
ServerAlias           [Subdomain]
SSLCertificateFile    /etc/letsencrypt/live/adminroot.de-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/adminroot.de-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/adminroot.de-0001/chain.pem
</VirtualHost>

And here is my .htaccess

# BEGIN 
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END 

I am using CentOS 7 with certbot 0.29.1 and Apache 2.4.6.

Hope someone can help me.

Thanks, Adminroot


#2

Hi @Adminroot,

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

This is very confusing (and may not be providing your desired result):


#4

Ok, sorry.

My domain is: sc-workarounds.de, www.sc-workarounds.de

I ran this command:

certbot --expand -d sc-workarounds.de www.sc-workarounds.de

It produced this output: yes

My web server is (include version): apache 2.4.6

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: vServer on 1blu

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Website using WordPress 5.0.2.

Hope this helps.


#5

@rg305 was expressing some concern about this, and I’m concerned about it too—are you sure that this is valid Apache configuration syntax? What I normally see is two separate virtual hosts, one for port 80 and one for port 443, with the port specified in the VirtualHost line but not in the ServerName line. (Also the second ServerName line should probably be ServerAlias.)

Could you double-check whether your Apache configuration is really valid and doesn’t produce any errors in Apache? This might be related to the problems you’re having if the configuration isn’t completely valid.


#6

It’s syntactically valid - I’m not sure how useful it is to specify the port number in the ServerName, but it’s permitted. However, there are two bits that probably won’t produce the intended results.

Apache doesn’t allow you to have HTTPS both enabled and disabled on different ports within the same VirtualHost. So the SSLEngine on directive in that VirtualHost would try to enable HTTPS on port 80 as well. From checking your domain it doesn’t seem like that’s happened (probably another VirtualHost on port 80 is overriding it), but I don’t know if that could possibly confuse Certbot when it tried to figure out which VirtualHost to use for validation.

The second thing is that the second ServerName should indeed be ServerAlias; specifying a second ServerName is allowed, but it overrides the first one instead of adding to it.

@Adminroot if the above doesn’t help, could you please post the full output from the certbot command that you ran?
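The two pitfalls described in the reply above (SSLEngine on applying to every port listed in a combined *:80 *:443 VirtualHost, and a second ServerName silently replacing the first instead of adding to it), plus the earlier request to double-check that the configuration is actually valid, can be checked mechanically. The following script is an added example written for this thread, not code from the original posts or from the Certbot or Apache projects. It contains a small VirtualHost parser and a linter, run over two constructed config snippets: one mirroring the shape of the posted virtual host and one split into a plain port-80 host and a separate port-443 host, which is the layout Certbot's Apache plugin expects. The domain example.invalid, the paths and the function names are all assumptions for the example.

```python
"""Lint Apache <VirtualHost> blocks for the problems discussed in this thread.

Added example for the forum thread; not part of any post or project.
Checks performed per VirtualHost:
  error: SSLEngine on inside a block that listens on more than one port
  error: more than one ServerName directive (only the last one wins)
  note:  a port suffix on ServerName (permitted, but usually unnecessary)
"""
import re

# Constructed sample resembling the posted config (domain is a placeholder).
BAD_CONFIG = """
<VirtualHost *:80 *:443>
ServerName example.invalid:443
ServerName www.example.invalid:443
DocumentRoot "/var/www/html/workaround/"
SSLEngine on
ServerAlias example.invalid
</VirtualHost>
"""

# Constructed corrected layout: one block per port, ServerAlias for extra names.
GOOD_CONFIG = """
<VirtualHost *:80>
ServerName example.invalid
ServerAlias www.example.invalid
DocumentRoot "/var/www/html/workaround/"
</VirtualHost>

<VirtualHost *:443>
ServerName example.invalid
ServerAlias www.example.invalid
DocumentRoot "/var/www/html/workaround/"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.invalid/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
</VirtualHost>
"""


def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: {'ports': [...], 'directives': [(name, value), ...]}.

    Only top-level directives inside the block are collected; nested
    containers such as <IfModule> are ignored for the purpose of this lint.
    """
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opener:
            # "*:80 *:443" -> ["80", "443"]; an address without a port stays as-is.
            ports = [addr.rsplit(":", 1)[-1] for addr in opener.group(1).split()]
            current = {"ports": ports, "directives": []}
            continue
        if re.match(r"</VirtualHost>", line, re.IGNORECASE):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is not None and not line.startswith("<"):
            name, _, value = line.partition(" ")
            current["directives"].append((name, value.strip()))
    return vhosts


def lint_vhosts(text):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    for idx, vh in enumerate(parse_vhosts(text), 1):
        by_name = {}
        for name, value in vh["directives"]:
            by_name.setdefault(name.lower(), []).append(value)

        ssl_on = any(v.lower() == "on" for v in by_name.get("sslengine", []))
        distinct_ports = sorted(set(vh["ports"]))
        if ssl_on and len(distinct_ports) > 1:
            findings.append(("error", f"vhost {idx}: SSLEngine on applies to every port in the block "
                                      f"({', '.join(distinct_ports)}); use one VirtualHost per port"))

        server_names = by_name.get("servername", [])
        if len(server_names) > 1:
            findings.append(("error", f"vhost {idx}: {len(server_names)} ServerName directives; only the last "
                                      f"({server_names[-1]!r}) takes effect, use ServerAlias for the others"))
        for sn in server_names:
            if re.search(r":\d+$", sn):
                findings.append(("note", f"vhost {idx}: ServerName {sn!r} carries a port suffix; permitted "
                                         "but the port belongs on the VirtualHost line"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted-style config", BAD_CONFIG), ("split config", GOOD_CONFIG)):
        print(f"== {label} ==")
        for severity, message in lint_vhosts(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

This is a static lint only; on the server itself the authoritative checks remain `apachectl configtest` for syntax and `apachectl -S` to see which VirtualHost Apache actually selects for each name and port, which is also what Certbot's Apache plugin has to work out when it picks a host for validation.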