Invalid response?

My domain is: bobsberriesfl.com

I ran this command: sudo /usr/local/bin/certbot-auto --apache

It produced this output: challenge failed for domain… all 4 domains

My web server is (include version): apache 2

The operating system my web server runs on is (include version): raspbian jesse

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): not sure, just installed today so assuming its most recent version

```
Domain: bobsberriesfl.com
Type: unauthorized
detail: invalid response from
https://bobsberriesfl.com/.well-knwn/acme-challenge/H0ZyrFlprtFccyqDNVSGVM1NFrv1-0xwaZ2h5KQR_pm [47.196.3.41]: "<DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n\n403 Forbidden<\n\n

Forbidden

\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
```

Confirmed the DNS A record is pointing to the correct IP address. The site works when queried without using the secure HTTPS tag. I'm running 2 sites on the same server via a virtual hosts config. Trying to get certificates for www.bobsberriesfl.com and bobsberriesfl.com along with www.clemonsac.com and clemonsac.com. The same error is generated for all 4.

Forgive my ignorance, I'm new to this. I've just been fighting with it for hours and can't figure out what I'm missing. Maybe something in the server config? I assume that was all done by the install.

1 Like

(if possible) Please show the output of:
apachectl -S
Otherwise, the main http.conf file and any (relevant) included files.

2 Likes

:confused:

```
$ apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server www.clemonsac.com (/etc/apache2/sites-enabled/000-default.conf:2)
port 80 namevhost www.clemonsac.com (/etc/apache2/sites-enabled/000-default.conf:2)
alias clemonsac.com
wild alias *.clemonsac.com
port 80 namevhost www.bobsberriesfl.com (/etc/apache2/sites-enabled/000-default.conf:55)
alias bobsberriesfl.com
wild alias *.bobsberriesfl.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
```

1 Like

Racking my brain…

Does this every time:

```
Jabba@HanSolo:/etc/apache2/mods-enabled $ sudo /usr/local/bin/certbot-auto --apache
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: bobsberriesfl.com
2: www.bobsberriesfl.com
3: clemonsac.com
4: www.clemonsac.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain bobsberriesfl.com
Challenge failed for domain www.bobsberriesfl.com
http-01 challenge for bobsberriesfl.com
http-01 challenge for www.bobsberriesfl.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

1 Like

So after a ton of reading, what I gather is certbot is trying to create a file in my web directory so that it can test to see that I own the directory. For whatever reason, certbot isn't authorized to modify the directory and so it cannot place the key there for it to verify. Am I on the right track here?

1 Like

Possibly...
Let's have a look at this file:

1 Like

That's what would happen with --webroot, but with --apache, Certbot is trying to reconfigure your Apache server temporarily so that requests for a specific path are handled specially. You could look at the log in /var/log/apache2/error.log and /var/log/letsencrypt/letsencrypt.log to see more about what Certbot was trying to do and what happened.

2 Likes
```apache
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.

#	ServerName bobsberriesfl.com

	ServerName www.clemonsac.com
	ServerAlias clemonsac.com *.clemonsac.com
	ServerAdmin info@clemonsac.com
	DocumentRoot /var/www/clemonsac.com/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
		Order Deny,Allow
		Deny from All
	</Directory>

	<Directory /var/www/clemonsac.com>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order Allow,Deny
		Allow from All
	</Directory>

#	<Location /server-status>
#		SetHandler server-status
#		Order Allow,deny
#		Deny from all
#		Allow from clemonsac.com
#	</Location>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
#	LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<VirtualHost *:80>
	ServerName www.bobsberriesfl.com
	ServerAlias bobsberriesfl.com *.bobsberriesfl.com
	ServerAdmin info@bobsberriesfl.com
	DocumentRoot /var/www/bobsberriesfl.com/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
		Order Deny,Allow
		Deny from All
	</Directory>

	<Directory /var/www/bobsberriesfl.com>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order Allow,Deny
		Allow from all
	</Directory>

#	<Location server-status>
#		SetHandler server-status
#		Order Allow,Deny
#		Allow from bobsberriesfl.com
#	</Location>

#	LogLevel info ssl:warn
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<virtualHost *:443>
	ServerName www.bobsberriesfl.com:443
	serverAlias bobsberriesfl.com:443, *.bobsberriesfl.com:443
	Serveradmin info@bobsberriesfl.com
	DocumentRoot /var/www/bobsberriesfl.com/

	<Directory />
		Options FollowSymLinks
		AllowOverride None
		Order Deny,Allow
		Deny from All
	</Directory>

	<Directory /var/www/bobsberriesfl.com>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order Allow,Deny
		Allow from All
	</Directory>

#	LogLevel info ssl:warn
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```
1 Like

Please show:
ls -l /var/www/bobsberriesfl.com/

2 Likes
```
Jabba@HanSolo:/var/log $ sudo apache2
[Fri Feb 21 20:03:08.741135 2020] [core:warn] [pid 2850] AH00111: Config variable ${APACHE_LOCK_DIR} is not defined
[Fri Feb 21 20:03:08.741564 2020] [core:warn] [pid 2850] AH00111: Config variable ${APACHE_PID_FILE} is not defined
[Fri Feb 21 20:03:08.741722 2020] [core:warn] [pid 2850] AH00111: Config variable ${APACHE_RUN_USER} is not defined
[Fri Feb 21 20:03:08.741769 2020] [core:warn] [pid 2850] AH00111: Config variable ${APACHE_RUN_GROUP} is not defined
[Fri Feb 21 20:03:08.741886 2020] [core:warn] [pid 2850] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.800019 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
[Fri Feb 21 20:03:08.802727 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.804486 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.804599 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.805611 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.805716 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.806767 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Fri Feb 21 20:03:08.806868 2020] [core:warn] [pid 2850:tid 1995632640] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00526: Syntax error on line 74 of /etc/apache2/apache2.conf:
Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}
Jabba@HanSolo:/var/log $
```

So this is interesting.

1 Like

Wow, it really jacks up the formatting when pasting, huh. Sorry about that. Makes my eyes hurt. I appreciate you going through this with me.

Reduced to the “important stuff”:

```
{APACHE_LOCK_DIR} is not defined
{APACHE_PID_FILE} is not defined
{APACHE_RUN_USER} is not defined
{APACHE_RUN_GROUP} is not defined
{APACHE_LOG_DIR} is not defined
{APACHE_RUN_DIR} is not defined
Invalid Mutex directory in argument file:{APACHE_LOCK_DIR}
```
2 Likes

Yeah.
Try adding three back ticks before and after your posted text (on separate lines).
Like:
```
stuff stuff stuff
ooo lots of unformatted stuffs
```

3 Likes

I'm not sure why none of that is defined; it hasn't presented a problem until now, I guess. Damn thing's been running for 3 years or something with no issues.

```
@HanSolo:/var/log $ ls -l /var/www/bobsberriesfl.com/
total 1852
-rwxr--r-- 1 jabba jabba   6963 Feb 21 10:11 about.html
-rwxr--r-- 1 jabba jabba   6308 Feb 21 10:11 advantages.html
-rwxr--r-- 1 jabba jabba   6822 Feb 21 10:11 affiliates.html
-rwxr--r-- 1 jabba jabba  17462 Feb 21 10:11 agritourism.html
-rwxr--r-- 1 jabba jabba 659298 Jan 15  2016 agronomy-03-00757.pdf
-rwxr--r-- 1 jabba jabba 521337 Feb 10  2017 agtaxexempt.pdf
-rwxr--r-- 1 jabba jabba 101273 Jan 15  2016 Blueberries_Standards.pdf
-rwxr--r-- 1 jabba jabba   7526 Feb 21 10:11 bluehealth.html
-rwxr--r-- 1 jabba jabba   7379 Feb 21 10:11 bluehistory.html
-rwxr--r-- 1 jabba jabba  70845 Jan 22  2016 Bobs Berries Farm 388413, 1-21-16, Well Water.pdf
-rwxr--r-- 1 jabba jabba  22671 Feb 21 10:11 brixinfo.html
-rwxr--r-- 1 jabba jabba   6195 Feb 21 10:11 careblueberry.html
-rwxr--r-- 1 jabba jabba   5732 Feb 21 10:11 caredmulberry.html
-rwxr--r-- 1 jabba jabba   6406 Feb 21 10:11 caregoji.html
-rwxr--r-- 1 jabba jabba   6123 Feb 21 10:11 careguava.html
-rwxr--r-- 1 jabba jabba   6153 Feb 21 10:11 carelemongrass.html
-rwxr--r-- 1 jabba jabba   6375 Feb 21 10:11 carephalsa.html
-rwxr--r-- 1 jabba jabba   6301 Feb 21 10:11 careraspberry.html
-rwxr--r-- 1 jabba jabba   5980 Feb 21 10:11 carestrawberry.html
drwxr-xr-x 2 jabba root    4096 Dec 21  2015 cgi-bin
-rwxr--r-- 1 jabba jabba   7044 Feb 21 10:11 contact.html
drwxr-xr-x 4 jabba jabba   4096 Feb 25  2016 data0
-rwxr--r-- 1 jabba jabba   2062 Feb 16  2017 default.css
-rwxr--r-- 1 jabba jabba   7051 Feb 21 10:11 emerald.html
drwxr-xr-x 2 jabba jabba   4096 Aug  7  2016 engine0
-rwxr--r-- 1 jabba jabba   8638 Jan  8  2016 favicon.ico
-rwxr--r-- 1 jabba jabba     53 Feb 21 10:36 google00c72e804e0a48f3.html
-rwxr--r-- 1 jabba jabba   8412 Feb 21 10:11 Honey.html
drwxr-xr-x 2 jabba root    4096 Dec 21  2015 htdocs
drwxr-xr-x 2 jabba jabba   4096 Feb 18 18:24 images
-rwxr--r-- 1 jabba jabba   3791 Feb  4  2016 index - Copy.html.bak
-rwxr--r-- 1 jabba jabba   7508 Feb 21 10:12 index.html
-rwxr--r-- 1 jabba jabba   2315 Dec 31  2015 index.htmla
-rwxr--r-- 1 jabba jabba   5791 Feb 21 10:11 jewel.html
-rwxr--r-- 1 jabba jabba    269 Dec 27  2015 license info.txt
-rwxr--r-- 1 jabba jabba  13901 Apr 22  2009 license.txt
-rwxr--r-- 1 jabba jabba 113557 Feb 25  2016 LikeUsOnFacebook_Icon.jpg
drwxr-xr-x 2 jabba root    4096 Dec 21  2015 logs
-rwxr--r-- 1 jabba jabba   5989 Feb 21 10:12 photos.html
-rwxr--r-- 1 jabba jabba  13915 Feb 21 10:11 plantcare.html
-rwxr--r-- 1 jabba jabba  13249 Feb 21 10:11 practices.html
-rwxr--r-- 1 jabba jabba  12431 Feb 21 10:11 privacy.html
-rwxr--r-- 1 jabba jabba  10674 Feb 21 10:11 products.html
-rwxr--r-- 1 jabba jabba   7742 Aug  7  2016 ror.xml
-rwxr--r-- 1 jabba jabba   7469 Feb 21 10:11 rules.html
-rwxr--r-- 1 jabba jabba   6410 Feb 21 10:11 Sapphire.html
-rwxr--r-- 1 jabba jabba   5211 Aug  7  2016 sitemap.html
-rwxr--r-- 1 jabba jabba   3606 Aug  7  2016 sitemap.xml
-rwxr--r-- 1 jabba jabba    601 Aug  7  2016 sitemap.xml.gz
-rwxr--r-- 1 jabba jabba   5559 Feb 21 10:14 Social.html
drwxr-xr-x 3 jabba jabba   4096 Feb 18 20:02 Templates
-rwxr--r-- 1 jabba jabba  15812 Feb 21 10:12 terms.html
-rwxr--r-- 1 jabba jabba    950 Aug  7  2016 urllist.txt
-rwxr--r-- 1 jabba jabba   5539 Feb 21 10:11 watertest.html
Jabba@HanSolo:/var/log $
```
1 Like

My takeaway there is that I only see "root" 3 times; all others are "jabba jabba".
I think certbot runs as "root"...

Combined with no Apache global variables found...
And I think certbot doesn't know what to do or doesn't have sufficient access to the location it needs.

We can tackle those one at a time.
I would start with the access.
But not by giving certbot access to that folder.
I would create a new dedicated folder for certbot to use for challenge files.

2 Likes

> That's what would happen with --webroot, but with --apache, Certbot is trying to reconfigure your Apache server temporarily so that requests for a specific path are handled specially. You could look at the log in /var/log/apache2/error.log and /var/log/letsencrypt/letsencrypt.log to see more about what Certbot was trying to do and what happened.

Is there an easy way to paste that log from PuTTY into here? It's really long and I'm not sure how to copy text from there.

Should I create a challenge folder inside the /var/www/bobsberriesfl.com folder?

1 Like

To that end, I would create something like: /ACMEchallenges/
Ensure that "root" has full permissions to it.
Then add a location "redirect" to steer all authentication requests to that folder.

2 Likes
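An added example (not from this thread, and not Certbot's or Apache's own configuration) of the dedicated challenge folder suggested above. The /ACMEchallenges path is the one proposed; the file name acme.conf, putting it in conf-available, and the Apache 2.4 Require syntax are my assumptions.

```apache
# Added example, assumed to live in /etc/apache2/conf-available/acme.conf and
# enabled with "a2enconf acme"; check with "apachectl configtest" then reload.
#
# Prepare the directory first (as root). Certbot, running as root, writes the
# token files; the www-data worker only needs to read them:
#   mkdir -p /ACMEchallenges/.well-known/acme-challenge
#   chmod 755 /ACMEchallenges /ACMEchallenges/.well-known \
#             /ACMEchallenges/.well-known/acme-challenge
#
# A server-level Alias is inherited by every <VirtualHost *:80>, so both the
# clemonsac.com and bobsberriesfl.com hosts answer the challenge URL without
# touching their DocumentRoot or its "jabba jabba" ownership. Certbot's
# webroot plugin writes to <webroot>/.well-known/acme-challenge/<token>, which
# is why the alias target repeats that path under /ACMEchallenges.
Alias /.well-known/acme-challenge/ /ACMEchallenges/.well-known/acme-challenge/

# The posted vhosts all carry "<Directory /> ... Deny from All". That denial
# applies to any path outside DocumentRoot, including this one, so without an
# explicit grant here the validator gets exactly the 403 seen in the first
# post. Grant only what the challenge needs: plain file reads, nothing else.
<Directory /ACMEchallenges/.well-known/acme-challenge>
    Options None
    AllowOverride None
    # Tokens are plain text; stop rewrites or content negotiation altering them.
    ForceType text/plain
    RewriteEngine Off
    Require all granted
</Directory>
```

With this in place the request becomes `certbot-auto --webroot -w /ACMEchallenges -d bobsberriesfl.com -d www.bobsberriesfl.com` (same for the clemonsac.com pair), and a quick check that `http://bobsberriesfl.com/.well-known/acme-challenge/test` returns 404 rather than 403 after reload confirms the alias is being hit before Certbot is run again.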

Ok, where should I put that challenge folder? Anywhere in particular?