Let's encrypt automatic certificate request failed

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: linux.vituscollege.nl

I ran this command: (I've run this manually to see if this might work)
certbot run -a webroot -i apache -w /home/linux.vituscollege.nl/public_html/.well-known/acme-challenge -d linux.vituscollege.nl

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for linux.vituscollege.nl
Performing the following challenges:
http-01 challenge for linux.vituscollege.nl
Using the webroot path /home/linux.vituscollege.nl/public_html/.well-known/acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain linux.vituscollege.nl
http-01 challenge for linux.vituscollege.nl
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: Dec 13 2020 00:35:05

The operating system my web server runs on is (include version):
CentOS Linux 7.9.2009

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

I have 2 similar webservers running CentOS 7 with Virtualmin/webmin..
Both are accessible from the outside.

Just this one has this problem as does not want to renew Certificate.
The http://linux.vituscollege.nl/.well-known/acme-challenge folder if for some unknown reason to me inaccessible from the outside,

This has worked before for some time without any problems.
I found it did not work with the last renewal.
The other server has no problems at all, both server are identical and serviced with regular updates.
both are updated and have the same software and versions.

If someone could shine alight on this, because I'm in all the dark about this..

Thank you
Eduard

1 Like
2

Hi @Vituisware, welcome to the LE community forum :slight_smile:

I think you might have been confused by the instructions.
The webroot must match the expected root for the challenge path.
If no specific Location statement was used, then it should match the DocumentRoot for the domain.
Probably just:
-w /home/linux.vituscollege.nl/public_html

2 Likes
3

Hey rg305,

Thank you for your answer.

When I do the exact same thing on my other server it works.
I've tried several things but nothing seems to work anymore.
when I change it as you said, the error is the same:

 Domain: linux.vituscollege.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://linux.vituscollege.nl/.well-known/acme-challenge/jdJUwbOaAwNrpv3oMP90qlEovST1k_K2lRNWZu01f2c
   [145.131.174.122]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

As said for some reason the .well-known/acme-challenge folder is inaccessible from the outside, it is however accessible on the other server.
I've did some test to figure out what could be the problem and found that this is not accessible from the outside.

Automatic updates have worked for more than a year or so without any problems,
so I'm baffled it stopped working on this server.

On the server in Virtualmin I got this report:
Time since last renewal|0.81 months|
Last successful renewal: 20/May/2021 10:54
Last failed renewal: 20/Aug/2021 10:54
Renewal failed due to Web-based validation failed
The error is as reported above

Any advise would be highly appreciated.

Thank you
Eduard

2 Likes
4

@Vituisware Could you try a test file just to check access to that folder?

mkdir /home/linux.vituscollege.nl/public_html/.well-known
mkdir /home/linux.vituscollege.nl/public_html/.well-known/acme-challenge
echo test-data > /home/linux.vituscollege.nl/public_html/.well-known/acme-challenge/test-file

Then, this should work:
http://linux.vituscollege.nl/.well-known/acme-challenge/test-file

1 Like
5

Then I dare say: Apache is likely to blame.
Let's start to unravel this mystery with the output of:
sudo apachectl -t -D DUMP_VHOSTS

1 Like
6

Okay, rg305,

Thanks for this.
For some reason I see this server listed ad ALIAS on another server, first let me check that.

YES!! that was the problem!

For some reason the apache config was corrupted.
I had another server with alias and certificates "listed" as Linux.vitusdcollege.nl

I got into the apache config and deleted all the "weird" entries.
rerun the automatic certificate renewal et voila.. I got a new certificate!

So for some reason it got messed up, no sure why but you were right: Apache was to blame.
The Dump gave a clue that I could not see in the other web-based configs views.
So for some reason I had 2 virtual server claiming they were the one, and there the problems started.

Thank you again for great support.

3 Likes
8

Hey Mike,

Thanks for your reply.
I already tested that, while all the files and folders already existed, I could not get access to it through http(s).

Bottom line it was a apache config corruption as @rg305 pointed out.
" Then I dare say: Apache is likely to blame . "

But thank you for your idea, it's a good one, but not the answer to this particular problem :wink:
Thank you,
Eduard

2 Likes
9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.