Issue using certbot on CIS ubuntu image

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
http://stagingcis.lendingwise.com/

I ran this command:
sudo certbot --apache

It produced this output:

Requesting a certificate for stagingcis.lendingwise.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: stagingcis.lendingwise.com
  Type:   unauthorized
  Detail: 3.137.36.62: Invalid response from http://stagingcis.lendingwise.com/.well-known/acme-challenge/zess7bFkXUqLv8G8Dc7uHKMWFzpbijowVHxWPSDixcY: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

============================================================
2022-10-03 22:45:50,828:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-10-03 22:45:51,238:DEBUG:certbot._internal.main:certbot version: 1.30.0
2022-10-03 22:45:51,239:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2344/bin/certbot
2022-10-03 22:45:51,239:DEBUG:certbot._internal.main:Arguments: ['--apache', '--preconfigured-renewal']
2022-10-03 22:45:51,239:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-10-03 22:45:51,252:DEBUG:certbot._internal.log:Root logging level set at 30
2022-10-03 22:45:51,253:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2022-10-03 22:45:51,307:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.54
2022-10-03 22:45:51,475:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fa6e5e45430>
Prep: True
2022-10-03 22:45:51,476:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fa6e5e45430> and installer <certbot_apache._internal.override_debian.DebianConfigurato>
2022-10-03 22:45:51,476:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2022-10-03 22:45:51,528:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding>
2022-10-03 22:45:51,529:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-10-03 22:45:51,531:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-10-03 22:45:51,640:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 659
2022-10-03 22:45:51,641:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Oct 2022 22:45:51 GMT
Content-Type: application/json
Content-Length: 659
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "wq5N0e-juOs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2022-10-03 22:45:53,927:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for stagingcis.lendingwise.com
2022-10-03 22:45:54,454:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
2022-10-03 22:45:54,460:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem
2022-10-03 22:45:54,461:DEBUG:acme.client:Requesting fresh nonce
2022-10-03 22:45:54,461:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-10-03 22:45:54,496:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-10-03 22:45:54,496:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Oct 2022 22:45:54 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA2E4Qxw5yhqwbqZ3AnvUIZHsegzpJprB6oCYtuuh6Ohh0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-10-03 22:45:54,496:DEBUG:acme.client:Storing nonce: 5CA2E4Qxw5yhqwbqZ3AnvUIZHsegzpJprB6oCYtuuh6Ohh0
2022-10-03 22:45:54,497:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "stagingcis.lendingwise.com"\n    }\n  ]\n}'
2022-10-03 22:45:54,499:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2022-10-03 22:45:54,857:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 351
2022-10-03 22:45:54,858:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 03 Oct 2022 22:45:54 GMT
Content-Type: application/json
Content-Length: 351
Connection: keep-alive
Boulder-Requester: 759352446
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/759352446/131280672216
Replay-Nonce: C878eiAqCFCa9zFgoUpWLozHiP1mwXzfpiHwQA4t8FwWgsw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-10-10T22:45:54Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "stagingcis.lendingwise.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/160521436466"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/759352446/131280672216"
}
2022-10-03 22:45:54,858:DEBUG:acme.client:Storing nonce: C878eiAqCFCa9zFgoUpWLozHiP1mwXzfpiHwQA4t8FwWgsw
2022-10-03 22:45:54,858:DEBUG:acme.client:JWS payload:
b''
2022-10-03 22:45:54,860:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/160521436466:
2022-10-03 22:45:54,921:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/160521436466 HTTP/1.1" 200 810
2022-10-03 22:45:54,922:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Oct 2022 22:45:54 GMT
Content-Type: application/json
Content-Length: 810
Connection: keep-alive
Boulder-Requester: 759352446
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 1DFABTSM6avhkbJA48PlGI_F8m7uvrzJ4tzbtcQc0lnL-mI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "stagingcis.lendingwise.com"
  },
  "status": "pending",
  "expires": "2022-10-10T22:45:54Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/C_aoEA",
      "token": "PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/A5gfag",
      "token": "PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/B9IguQ",
      "token": "PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4"
    }
  ]
}
2022-10-03 22:45:54,922:DEBUG:acme.client:Storing nonce: 1DFABTSM6avhkbJA48PlGI_F8m7uvrzJ4tzbtcQc0lnL-mI
2022-10-03 22:45:54,922:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-10-03 22:45:54,922:INFO:certbot._internal.auth_handler:http-01 challenge for stagingcis.lendingwise.com
2022-10-03 22:45:54,965:INFO:certbot_apache._internal.override_debian:Enabled Apache rewrite module
2022-10-03 22:45:55,065:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: stagingcis.lendingwise.com in: /etc/apache2/sites-enabled/stagecis.lendingwise.conf
2022-10-03 22:45:55,065:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2022-10-03 22:45:55,066:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2022-10-03 22:45:55,066:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>

2022-10-03 22:45:55,094:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/000-default.conf
2022-10-03 22:45:55,094:DEBUG:certbot.reverter:Creating backup of /etc/apache2/sites-enabled/stagecis.lendingwise.conf
2022-10-03 22:45:58,218:DEBUG:acme.client:JWS payload:
b'{}'
2022-10-03 22:45:58,220:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/C_aoEA:
2022-10-03 22:45:58,283:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/160521436466/C_aoEA HTTP/1.1" 200 187
2022-10-03 22:45:58,284:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Oct 2022 22:45:58 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 759352446
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/160521436466>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/C_aoEA
Replay-Nonce: 5CA2J3fhx1EeYvJZ9Mcc8cQ_RfCq0fqlT_GWGMK09bBob4M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/C_aoEA",
  "token": "PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4"
}
2022-10-03 22:45:58,284:DEBUG:acme.client:Storing nonce: 5CA2J3fhx1EeYvJZ9Mcc8cQ_RfCq0fqlT_GWGMK09bBob4M
2022-10-03 22:45:58,285:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-10-03 22:45:59,286:DEBUG:acme.client:JWS payload:
b''
2022-10-03 22:45:59,288:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/160521436466:
2022-10-03 22:45:59,336:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/160521436466 HTTP/1.1" 200 1066
2022-10-03 22:45:59,336:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 03 Oct 2022 22:45:59 GMT
Content-Type: application/json
Content-Length: 1066
Connection: keep-alive
Boulder-Requester: 759352446
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 891Fd4iHh01RMXyCSZrt0kT7wY2_bg6BNjTXxUMaqXEwdKI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "stagingcis.lendingwise.com"
  },
  "status": "invalid",
  "expires": "2022-10-10T22:45:54Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "3.137.36.62: Invalid response from http://stagingcis.lendingwise.com/.well-known/acme-challenge/PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4: 403",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/160521436466/C_aoEA",
      "token": "PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4",
      "validationRecord": [
        {
          "url": "http://stagingcis.lendingwise.com/.well-known/acme-challenge/PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4",
          "hostname": "stagingcis.lendingwise.com",
          "port": "80",
          "addressesResolved": [
            "3.137.36.62"
          ],
          "addressUsed": "3.137.36.62"
        }
      ],
      "validated": "2022-10-03T22:45:58Z"
    }
  ]
}
2022-10-03 22:45:59,336:DEBUG:acme.client:Storing nonce: 891Fd4iHh01RMXyCSZrt0kT7wY2_bg6BNjTXxUMaqXEwdKI
2022-10-03 22:45:59,337:INFO:certbot._internal.auth_handler:Challenge failed for domain stagingcis.lendingwise.com
2022-10-03 22:45:59,337:INFO:certbot._internal.auth_handler:http-01 challenge for stagingcis.lendingwise.com
2022-10-03 22:45:59,337:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: stagingcis.lendingwise.com
  Type:   unauthorized
  Detail: 3.137.36.62: Invalid response from http://stagingcis.lendingwise.com/.well-known/acme-challenge/PNJggeojosYOAUEm_loo_gWREIIKMM3hcTG9FS_p7o4: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2022-10-03 22:45:59,338:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-10-03 22:45:59,338:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-10-03 22:45:59,338:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-10-03 22:45:59,515:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2344/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-10-03 22:45:59,517:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version):
Server version: Apache/2.4.54 (Ubuntu)
Server built: 2022-06-08T15:59:07

The operating system my web server runs on is (include version):
CIS Ubuntu 20.04 LTS Benchmark

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.30.0

Try checking your Apache error_log for errors related to this request. Probably in /var/log/apache2/error_log.

[Mon Oct 03 23:06:43.166813 2022] [core:error] [pid 1532] (13)Permission denied: [client 3.135.17.41:27500] AH00035: access to /.well-known/acme-challenge/EePksl7BbSJpmKH7jobt4u1aXc3n_wOPd8hXvV14Ux8 denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path
[Mon Oct 03 23:06:43.251635 2022] [core:error] [pid 1533] (13)Permission denied: [client 23.178.112.202:12256] AH00035: access to /.well-known/acme-challenge/EePksl7BbSJpmKH7jobt4u1aXc3n_wOPd8hXvV14Ux8 denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path
[Mon Oct 03 23:06:43.312714 2022] [core:error] [pid 1534] (13)Permission denied: [client 18.185.49.122:50968] AH00035: access to /.well-known/acme-challenge/EePksl7BbSJpmKH7jobt4u1aXc3n_wOPd8hXvV14Ux8 denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path
[Mon Oct 03 23:30:42.462243 2022] [negotiation:error] [pid 1636] [client 104.28.90.40:21142] AH00687: Negotiation: discovered file(s) matching request: /var/www/stagecis/public/favicon.ico (None could be negotiated)., referer: http://stagingcis.lendingwise.com/.well-known/acme-challenge/zess7bFkXUqLv8G8Dc7uHKMWFzpbijowVHxWPSDixcY:

Weird. This is probably a permission issue on the way those directories were created, which shouldn't happen.

Check it with:

sudo namei -l /var/lib/letsencrypt/http_challenges/.well-known/acme-challenge

You may need to add the +x permission to one of the directories.

ubuntu@ip-10-0-34-63:~$ sudo namei -l /var/lib/letsencrypt/http_challenges/.well-known/acme-challenge
f: /var/lib/letsencrypt/http_challenges/.well-known/acme-challenge
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root lib
drwxr-x--- root root letsencrypt
drwxr-xr-x root root http_challenges
.well-known - No such file or directory

Do I need to manually create the ".well-known" folder? Keep in mind this is a CIS high-security image, so that is probably the reason for the permission issues.

Try

chmod g+r,o+x /var/lib/letsencrypt/

No, it'll be created for you.

Wow, nice job!! Thank you so much!

I reproduced this on Ubuntu 20.04 with the CIS Server Level 1 profile and have opened "Creation of /var/lib/letsencrypt (and other core directories) is affected by umask" (Issue #9423 in certbot/certbot on GitHub) to track the bug.

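The AH00035 error and the namei output in this thread come down to one directory on the path lacking search permission for "other". As an added example (not part of any post here and not Certbot's code), this shell sketch walks a path the same way and prints only the offending components. The scratch directory and the 027 umask are assumptions, chosen to reproduce the drwxr-x--- mode shown for letsencrypt above.

```shell
#!/bin/sh
# Added example, not from the thread. Paths under the scratch directory are
# constructed; umask 027 is an assumption matching the drwxr-x--- shown above.

# other_x DIR: print "yes" if "other" has search (x) permission on DIR.
other_x() {
    # Character 10 of the ls -ld mode string is the other-execute slot;
    # "x" and "t" (sticky plus execute) both grant search permission.
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) echo yes ;;
        *)   echo no ;;
    esac
}

# blocked_components /abs/path: print each existing directory on the way to
# the path (inclusive) that lacks o+x, outermost first. Run it as root, as
# with "sudo namei -l", so that restrictive parents do not hide children.
blocked_components() {
    rest=${1#/}
    current=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        current="$current/$part"
        [ -d "$current" ] || break        # e.g. .well-known not created yet
        [ "$(other_x "$current")" = yes ] || printf '%s\n' "$current"
    done
}

# demo: rebuild the situation from the thread in a scratch directory.
demo() {
    scratch=$(mktemp -d) || return 1
    chmod 755 "$scratch"
    ( umask 027 && mkdir "$scratch/letsencrypt" )          # drwxr-x---
    mkdir -m 755 "$scratch/letsencrypt/http_challenges"    # drwxr-xr-x
    echo "before fix:"
    blocked_components "$scratch/letsencrypt/http_challenges"
    chmod g+r,o+x "$scratch/letsencrypt"                   # fix from the thread
    echo "after fix:"
    blocked_components "$scratch/letsencrypt/http_challenges"
    rm -rf "$scratch"
}

demo
```

On an affected host, `sudo sh -c '. ./check.sh; blocked_components /var/lib/letsencrypt/http_challenges'` (with the block saved under the hypothetical name check.sh) would list /var/lib/letsencrypt until the chmod is applied.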
