Issues renewing a domain with proxypass and certbot-apache

Hey there Let's Encrypt / Certbot community. I am coming to you because I'm running into an issue I do not understand. This server is hosting several domains and they all update fine using the Apache plugin with Certbot, except for one.

There's one virtual host, which (as opposed to the others) is only running as a proxy for another web server so we can actually use a custom domain and add an SSL certificate to this domain. The configuration for this host is attached below.

When I manually add the changes that the plugin is supposed to be making to my host (I got them from here: certbot/ at master · certbot/certbot · GitHub) I can access files in the .well-known directory just fine. But when certbot renew runs, the server returns a 404 and certbot fails.

I seem to be missing something here, but I'd appreciate any input that I can get to make the server behave normally again. Or maybe some pointers on how to debug this.

Thanks in advance!


My domain is:

I ran this command: certbot renew

It produced this output:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [2606:4700:3037::ac43:80da]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

My web server is (include version):

Server version: Apache/2.4.29 (Ubuntu)
Server built:   2020-08-12T21:33:25

My vhost looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>

  SSLProxyEngine on
  SSLProxyVerifyDepth 10
  SSLProxyCheckPeerCN on
  SSLProxyCheckPeerName on

  DocumentRoot /var/www/

  RewriteEngine on

  # Exclude the ACME challenge path from the proxy so it is served locally
  <Location "/.well-known">
    ProxyPass !
    ProxyPassReverse !
  </Location>

  # The helpcrunch documentation says to set this to on, which makes sense...
  # But it seems like the knowledge base servers either refresh this very slowly and
  # therefore are currently not publishing the right page, or there's something else
  # wrong with it. Regardless, I'll set this to off, and will revisit this issue
  # some time in the future.
  # I decided to permanently disable it, since we can now use the ProxyCheckPeer directives
  # to make sure our proxy does not get MITMed
  ProxyPreserveHost Off
  ProxyPass /
  ProxyPassReverse /

  SSLCertificateFile /etc/letsencrypt/live/
  SSLCertificateKeyFile /etc/letsencrypt/live/
  Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

The operating system my web server runs on is (include version):

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.5 LTS
Release:	18.04
Codename:	bionic

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0

If you have Cloudflare's SSL setting set to Full or Full (Strict) mode, that could explain things.

Before Certbot 0.31.0, the Certbot Apache plugin would only configure the HTTP virtualhost when responding to the Let's Encrypt challenge.

If your server is only servicing requests from its HTTPS virtualhost because of Cloudflare, this probably won't work.

Does the issue persist if you try renewing from an up-to-date version of Certbot (i.e. from snap or pip)?
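A vhost layout that avoids the failure mode described in this reply, added here as an illustration; it is not the original poster's configuration and not one of Certbot's own templates. It assumes a placeholder domain `example.com`, a placeholder upstream `https://backend.example.net/`, and a local, writable challenge directory `/var/www/acme-challenge`. Both the :80 and the :443 host serve `/.well-known/acme-challenge/` from that same local directory and exclude it from the proxy, so the validation request reaches a local file whether or not the edge (Cloudflare here) has already redirected it to HTTPS.

```apache
# Added example, not the original poster's configuration.
# Placeholders: example.com, backend.example.net, /var/www/acme-challenge

<VirtualHost *:80>
  ServerName example.com

  # Serve ACME challenge files from a fixed local directory ...
  Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/
  <Directory "/var/www/acme-challenge/.well-known/acme-challenge">
    Require all granted
  </Directory>

  # ... and send every other request to HTTPS, leaving the challenge path alone
  RewriteEngine on
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName example.com

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf

  # Same challenge alias here: after an edge-forced HTTP->HTTPS redirect the
  # validation request arrives on this vhost and must still hit a local file,
  # not the proxied backend.
  Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/
  <Directory "/var/www/acme-challenge/.well-known/acme-challenge">
    Require all granted
  </Directory>

  # ProxyPass rules are checked in configuration order and the first match
  # wins, so the exclusion must come before the catch-all below.
  ProxyPass /.well-known/acme-challenge/ !

  # Verify the upstream certificate so the proxy hop cannot be silently intercepted
  SSLProxyEngine on
  SSLProxyCheckPeerCN on
  SSLProxyCheckPeerName on

  ProxyPreserveHost Off
  ProxyPass / https://backend.example.net/
  ProxyPassReverse / https://backend.example.net/
</VirtualHost>
</IfModule>
```

With this layout the certificate can be issued and renewed with Certbot's webroot authenticator (`certbot certonly --webroot -w /var/www/acme-challenge -d example.com`, after which `certbot renew` reuses those settings), which writes the challenge token under `/var/www/acme-challenge/.well-known/acme-challenge/` regardless of which vhost Apache ends up answering on. That is an alternative to the Apache plugin, not a change to it: as the reply notes, the plugin in the poster's version only touched the :80 vhost, so an exclusion in the :443 host alone does not help once the edge forces HTTPS. A quick check before renewing is to fetch `http://example.com/.well-known/acme-challenge/test-file` after creating that file locally and confirm that any redirect still lands on a 200, not a 404.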

Hey there!

Thanks for the reply. Sorry I missed it (due to the Discourse email not getting through to me). The issue was indeed due to the fact that I have a "HTTPS Everywhere" page rule for all sites. Disabling the Cloudflare proxying did the trick.

I will see that I get the certbot version bumped to a higher version.

Thanks for the help! <3
