Me too... Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet

alebal · June 1, 2022, 3:26pm

My domain is:alebalweb.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Domain: www.alebalweb.com
Type: unauthorized
Detail: 185.217.95.56: Invalid response from https://www.alebalweb.com/.well-known/acme-challenge/PPY0h0Z8qeUjU4SbozmIyLCyCEIsamZmadbLniCi_PA: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): apache2

The operating system my web server runs on is (include version):ubuntu 20.04

My hosting provider, if applicable, is:vicetemple, namesilo

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.27.0

Hi my server in on vicetemple, i use namesilo dns i create my certbot certificates in this server without problems, but now i can't modify my certbot in any way.

Looks like i miss something... I saw there are a lot of similar questions, i read them, but i don't understand what they do to solve, someone seems to have modified virtual host, some maybe add ipv6, some an AAAA dns record... I don't know what to do...

This is my dns configuration on namesilo

My server often says: sudo: unable to resolve host vicetemple-ubuntu-20-04: Name or service not known could this be a problem?

Can someone help me please?

rg305 · June 1, 2022, 10:23pm

Please show the output of:
certbot certificates

and the LE log file:
cat /var/log/letsencrypt/letsencrypt.log

alebal · June 1, 2022, 11:48pm

Certificate Name: alebalweb.com
    Serial Number: 430cdaef112ad93ffd680a45f2bbd44cc20
    Key Type: RSA
    Domains: alebalweb.com alebalweb-blog.com www.alebalweb-blog.com www.alebalweb.com
    Expiry Date: 2022-08-09 02:26:58+00:00 (VALID: 68 days)
    Certificate Path: /etc/letsencrypt/live/alebalweb.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alebalweb.com/privkey.pem

sudo cat /var/log/letsencrypt/letsencrypt.log
sudo: unable to resolve host vicetemple-ubuntu-20-04: Name or service not known
2022-06-01 16:45:13,116:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-06-01 16:45:14,884:DEBUG:certbot._internal.main:certbot version: 1.27.0
2022-06-01 16:45:14,884:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2035/bin/certbot
2022-06-01 16:45:14,884:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2022-06-01 16:45:14,884:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-06-01 16:45:15,047:DEBUG:certbot._internal.log:Root logging level set at 30
2022-06-01 16:45:15,344:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-06-01 16:45:15,484:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-06-01 16:45:15,485:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/alebalweb.com/cert.pem is signed by the certificate's issuer.
2022-06-01 16:45:15,486:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/alebalweb.com/cert.pem is: OCSPCertStatus.GOOD
2022-06-01 16:45:15,606:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:
  Certificate Name: alebalweb.com
    Serial Number: 430cdaef112ad93ffd680a45f2bbd44cc20
    Key Type: RSA
    Domains: alebalweb.com alebalweb-blog.com www.alebalweb-blog.com www.alebalweb.com
    Expiry Date: 2022-08-09 02:26:58+00:00 (VALID: 68 days)
    Certificate Path: /etc/letsencrypt/live/alebalweb.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/alebalweb.com/privkey.pem

rg305 · June 2, 2022, 3:07am

I don't think that is the actual "problem" that is preventing the certificate issuance.
But you could try adding an entry in the /etc/hosts file to get past it.

That said, are there any other errors in the LE log file?

And in any case, have you tried using --webroot authentication?

alebal · June 2, 2022, 1:41pm

That'all the error i found...

What's ---webroot?

Osiris · June 2, 2022, 1:52pm

OP is showing the log from the cerbot certificates run

alebal · June 2, 2022, 6:37pm

What???

Osiris · June 2, 2022, 7:15pm

When @rg305 asked for other errors in the LE log file, he meant the log file of the renewal attempt. The log file you're showing now is from the certbot certificates command and would not contain an error of the renewal attempt.

rg305 · June 2, 2022, 8:52pm

That's another way of authenticating.
See: User Guide — Certbot 1.27.0 documentation (eff-certbot.readthedocs.io)

alebal · June 2, 2022, 11:15pm

The error is always the same...

alebal · June 3, 2022, 2:40pm

Maybe solved... for now...

server admin (vicetemple) had to do something, they say they do this:

We mannaly created
/.well-known/acme-challenge/0UMHOsrL0Grn-34UtBcF8PlpqT0W4BrUSDON3p5MTXs

now work... but i have no idea what happened... and i would like to understand...

Osiris · June 3, 2022, 2:45pm

It's a terrible idea to add (and remove) the challenge file manually, as this can't be automated.

If you can't find the appropriate log file manually, please follow the following steps:

Run sudo certbot renew --dry-run again; it will most likely fail again;
Don't run certbot after that command again for now;
Show the contents of the file /var/log/letsencrypt/letsencrypt.log here.

rg305 · June 3, 2022, 3:23pm

Two problems:

can't spell "manually"
doing anything "manually" in 2022 is likely unnecessary

alebal · June 3, 2022, 10:52pm

I got some errors...

Simulating renewal of an existing certificate for alebalweb.com 
Failed to renew certificate alebalweb.com with error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Unable to update challenge :: authorization must be pending

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals failed:
  /etc/letsencrypt/live/alebalweb.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

but i tried a couples of times, the first i get the errors, the second works...

system · July 3, 2022, 10:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.