Hey there, Let's Encrypt / certbot community. I am coming to you because I'm running into an issue I do not understand. This server is hosting several domains and they all update fine using the apache plugin with certbot, except for one.
There's one virtual host, which (as opposed to the others) is only running as a proxy for another web server so we can actually use a custom domain and add an SSL certificate to this domain. The configuration for this host is attached below.
When I manually add the changes that the plugin is supposed to be making to my host (I got them from here: certbot/http_01.py at master · certbot/certbot · GitHub) I can access files in the .well-known directory just fine. But when certbot renew runs, the server returns a 404 and certbot fails.
I seem to be missing something here, but I'd appreciate any input that I can get to make the server behave normally again. Or maybe some pointers on how to debug this.
Thanks in advance!
C#
My domain is: help.commishes.com
I ran this command: certbot renew
It produced this output:
Attempting to renew cert (help.commishes.com) from /etc/letsencrypt/renewal/help.commishes.com.conf produced an unexpected error: Failed authorization procedure. help.commishes.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://help.commishes.com/.well-known/acme-challenge/Q86ojDIryugEVU71TmBsUBvU3dttKeoTnLMuXqNLot4 [2606:4700:3037::ac43:80da]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25
My vhost looks like this:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName help.commishes.com
    ServerAdmin patch@magic3w.com

    SSLProxyEngine on
    SSLProxyVerifyDepth 10
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on

    DocumentRoot /var/www/help.commishes.com/public
    RewriteEngine on

    <Location "/.well-known">
        ProxyPass !
        ProxyPassReverse !
    </Location>

    # The helpcrunch documentation says to set this to on, which makes sense...
    # But it seems like the knowledge base servers either refresh this very slowly and
    # therefore are currently not publishing the right page, or there's something else
    # wrong with it. Regardless, I'll set this to off, and will revisit this issue
    # some time in the future.
    #
    # I decided to permanently disable it, since we can now use the ProxyCheckPeer directives
    # to make sure our proxy does not get MITMed
    ProxyPreserveHost Off
    ProxyPass / https://commishes.crunch.help/
    ProxyPassReverse / https://commishes.crunch.help/

    SSLCertificateFile /etc/letsencrypt/live/help.commishes.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/help.commishes.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0
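
A triage helper for the failure line in the certbot output above, as an added example that is not part of the original post and not certbot's own code: it parses the ACME error detail to show which URL and address the validation server contacted last. The name `triage`, the regular expression and the hint texts are assumptions of this example; the sample string is copied from the post with the HTML body shortened.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Failure detail copied from the certbot output in the post (HTML body shortened).
DETAIL = (
    "help.commishes.com (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "https://help.commishes.com/.well-known/acme-challenge/"
    "Q86ojDIryugEVU71TmBsUBvU3dttKeoTnLMuXqNLot4 [2606:4700:3037::ac43:80da]: "
    '"<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n'
    '<title>404 Not Found</title>\\n</head><body>"'
)

# Shape of an "Invalid response from" detail as it appears in that output.
PATTERN = re.compile(
    r"\((?P<challenge>[a-z0-9-]+)\): urn:ietf:params:acme:error:(?P<error>\w+) :: "
    r".*? :: Invalid response from (?P<url>\S+) \[(?P<addr>[0-9A-Fa-f:.]+)\]: "
    r'"(?P<body>.*)"',
    re.S,
)


def triage(detail):
    """Return (facts, hints) about the last request the validation server made."""
    m = PATTERN.search(detail)
    if m is None:
        raise ValueError("not an 'Invalid response from' failure detail")
    url = urlsplit(m["url"])
    addr = ipaddress.ip_address(m["addr"])
    title = re.search(r"<title>(.*?)</title>", m["body"], re.S)
    facts = {
        "challenge": m["challenge"], "error": m["error"], "scheme": url.scheme,
        "host": url.hostname, "path": url.path, "ip_version": addr.version,
        "title": title.group(1) if title else None,
    }
    hints = []
    if facts["challenge"] == "http-01" and url.scheme == "https":
        hints.append("http-01 starts on port 80, so an https URL means a redirect "
                     "was followed; check what answers HTTPS for this path")
    if addr.version == 6:
        hints.append("the request went to an IPv6 address; test the path over IPv6 too")
    if not url.path.startswith("/.well-known/acme-challenge/"):
        hints.append("the final URL is outside the challenge directory")
    return facts, hints


if __name__ == "__main__":
    facts, hints = triage(DETAIL)
    print(facts, *hints, sep="\n")
```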