Issue getting certificate (initial)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ingest.wmssfm.com

I ran this command: Several variations:

certbot certonly --webroot --webroot-path / -d ingest.wmssfm.com --dry-run
certbot certonly --webroot --webroot-path /var/www/ -d ingest.wmssfm.com --dry-run
certbot certonly --webroot --webroot-path /var/www/owncloud -d ingest.wmssfm.com

It produced this output: Same output for all three variations (with the exception of the actual challenge name). The "invalid response" path is always shown as http://ingest.wmssfm.com/.well_known/acme-challenge/:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for ingest.wmssfm.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ingest.wmssfm.com
Type: unauthorized
Detail: 108.11.218.172: Invalid response from http://ingest.wmssfm.com/.well-known/acme-challenge/8RVmfP068pOdJtR_-PwhFOBfPmhtpEHD4qriqkpEPB0: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.62 (Debian)
Server built: 2024-10-04T15:21:08

The operating system my web server runs on is (include version):

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="Debian -- User Support"
BUG_REPORT_URL="https://bugs.debian.org/"

My hosting provider, if applicable, is: Self-Hosted (static IP, NAT via pfSense firewall, DNS from r4l.com)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1

I have confirmed that my server is accessible from the internet via TCP/80, I can get to the login page of the server. I am running OwnCloud on this server as the front-end to an automated program ingestion for a school radio station automation system. The configuration I have for port 80 is:

<VirtualHost *:80>
ServerName ingest.wmssfm.com
ServerAlias owncloud.wmssfm.com

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/acme-challenge/
<directory /var/www/letsencrypt/acme-challenge/>
   AllowOverride None
   ForceType text/plain
   #RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</directory>

Alias / "/var/www/owncloud/"
<Directory /var/www/owncloud/>
   Options +FollowSymlinks
   AllowOverride All
   <IfModule mod_dav.c>
        Dav off
   </IfModule>
</Directory>

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

(note the rewrite at the end have been commented out for testing several times. Same errors occur)

At this point, I do not even know if the rewrite is working. I do know that regardless of the webroot, the error always shows a 404 for http://..../.well-known/acme-challenge/..... - I have yet to see the webroot in the request.

The /var/www/letsencrypt/acme-challenge/ directory exists. Everything is readable or owned by the www-data user that Apache is running under. I placed a file, test.txt, in the acme-challenge directory, I am not able to access that, either. I get a 404.

From the console, I ran watch on the acme-challenge directory, executing an ls -al every second. I only see my test file - never anything else. I believe the challenge is never being written, in addition to the access issue from the internet/intranet.

I have confirmed that the requests are making it to the server. The traffic passes the firewall with no issue, and I see it when monitoring /var/log/apache2/other_vhosts_sccess.log. I also see my traffic to the OwnCloud instance.

At one point, this was working. Something happened to where the certificates would no longer update, certbot was failing completely to do anything but crash (no actual error message, just stopping and exiting). No logs written. I ripped certbot out, went back to the pages in the OwnCloud and Certbot documentation to get the two installed and working. The first part is accomplished, the latter - not so much. I am able to access the site with no problem, the issue seems to be twofold - when requesting a certificate, nothing appears to be written to the acme-challenge directory. When requesting the challenge, a 404 is returned.

Any help is welcome!

Edited to add: I am posting this request for help in multiple places - including the OwnCloud forum and this forum, plus reaching out for some assistance privately. All shall be updated with the fix, if and when one is identified!

This alias doesn't work well with Certbot, as Certbot automatically appends .well-known/acme-challenge/ to the webroot path. And as the destination of the Alias directive doesn't contain .well-known, it would never work.

You could try

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

And then

certbot certonly --webroot --webroot-path /var/www/letsencrypt -d ingest.wmssfm.com --dry-run

You probably want to re-enable those RewriteCond so the challenge doesn't redirect to HTTPS: it isn't needed, the http-01 challenge only requires HTTP. And I have no clue how your HTTPS VirtualHost is configured, so better to be safe and just use HTTP.

@MikeMcQ Certbot actually wants the "root" as the --webroot-path.

Yep, sorry, brain cramp.

Your response would actually work

There is no .well-known in /var/www/letsencrypt/

root@wmssfs00:/var/log# ls -al /var/www/letsencrypt
total 12
drwxr-xr-x 3 www-data www-data 4096 May 7 2023 .
drwxr-xr-x 8 root root 4096 Dec 7 14:53 ..
drwxr-xr-x 2 www-data www-data 4096 Dec 7 13:28 acme-challenge
root@wmssfs00:/var/log#

The path I used is the path that actually exists. Normally I would just use ls here, as I have an alias set up where ls = ls -al, but figured I would show the all switch here to avoid confusion.

This is the directory path that was created on installation somewhere - I did not create it. When I started, the only thing in /var/www/ was the owncloud directory.

Why do I hit the submit button before I am ready. Ugh.

I will update the alias, and manually create the .well-known directory with acme-challenge inside and try again. Stay tuned!

That's OK and to be expected, Certbot will create it.

Ok. I will update the alias and report back!

Dontcha just hate when that happens?

After making the path changes (in the alias directive and in the 'directory' section), the dry run appears to have worked! I need to make a script adjustment, and make sure that works before I configure the cron job to run.

Thanks @Osiris and @MikeMcQ .

Now to figure out what is up with Owncloud itself....can't log into that at all now....if it isn't one thing it's another!

I will mark the solution as the accepted solution.

I had those disabled specifically while testing. Started with them enabled, then started paring things down while testing. They will be reenabled, another test run, then the real thing.

Thanks for pointing it out, though.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.