Multiple Web Applications with one IP, different domains


Hi there!

My domain is:

I ran this command:
sudo certbot renew

It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from []: “\n<html xmlns=“” lang=“en” xml:lang=“en”>\n\n <meta charset=“UTF-8” />\n <met”. Skipping.


My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I am running a searx-instance and nextcloud on my server. For my nextcloud certbot works fine. Only for searx there are the above mentioned errors.

I got a certificate for the searx domain once but renewal won't work.

My vhosts are separated and my config is consistent (both with <VirtualHost *:80> and same for 443).

What else can go wrong?

Thanks in advance!


There are some circumstances where Certbot<0.31 may fail to effectively configure the challenge response in the correct virtualhost.

Could you show us:

apachectl -t -D DUMP_VHOSTS

as well as the port 80 virtualhost block for your searx subdomain?



Thanks for your reply!

Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

<VirtualHost *:80>
    DocumentRoot /var/www/searx/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Options FollowSymLinks Indexes
    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket
    <Directory /var/www/searx>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME}
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

This is the whole content of searx.conf


How do I update certbot btw.?
I added the repository but if I try to force the update by executing
sudo apt-get install --only-upgrade certbot
it tells me that I am using the latest version, which is not true.


It’s true in a sense - the Ubuntu PPA is not updated with 0.31 yet.

That’s weird. What does the Apache error log (/var/log/apache2/error_log) say when you run this? Perhaps your current Apache config is not valid.


This is the most common log entry:
[Fri Mar 01 06:25:02.158428 2019] [mpm_prefork:notice] [pid 3975] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 2003:d8:2bfe:5400:20c:29ff:fe67:aa00. Set the ‘ServerName’ directive globally to suppress this mess

Also there are tons of entries like this:
[Fri Mar 01 03:14:44.464416 2019] [php7:error] [pid 9447] [client] script ‘/var/www/html/index.php’ not found or unable to stat

I forgot some output from dump_vhosts:
AH00526: Syntax error on line 18 of /etc/apache2/sites-enabled/nextcloud-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/’ does not exist or is empty

But that’s strange. For my nextcloud domain certbot runs as expected.



Did you run the DUMP_VHOSTS command as root/sudo? Or does this file really not exist?


Shame on me.
Here’s the output with sudo:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 2003:d8:2bfe:5400:20c:29ff:fe67:aa00. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/searx-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 2003:d8:2bfe:5400:20c:29ff:fe67:aa00 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 2003:d8:2bfe:5400:20c:29ff:fe67:aa00 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/nextcloud.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/searx.conf:1)


OK, I tried replicating your setup. I ended up with the identical behavior that you experience.

It seems like Certbot’s Apache authenticator can’t properly handle mod_uwsgi. Probably worth filing a bug over.

I came up with this workaround:


    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket


    <LocationMatch "/\.well-known/">
        SetHandler default-handler
    </LocationMatch>

and give it another go.
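
An added example, not part of the original thread and not Certbot's code: a small Python check that flags port-80 virtual hosts where a vhost-wide SetHandler also takes requests under /.well-known/, which is the condition the workaround above addresses. The sample configs and the ServerName searx.example.org are constructed placeholders.

```python
import re

# Constructed sample modelled on the thread's port-80 vhost; ServerName is a placeholder.
BROKEN = """\
<VirtualHost *:80>
    ServerName searx.example.org
    DocumentRoot /var/www/searx/
    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket
</VirtualHost>
"""
# Same vhost with the workaround from the thread applied.
FIXED = BROKEN.replace("</VirtualHost>", '''\
    <LocationMatch "/\\.well-known/">
        SetHandler default-handler
    </LocationMatch>
</VirtualHost>''')

STATIC = {"default-handler", "none"}  # handlers that let Apache serve the file itself


def vhosts_swallowing_acme(conf):
    """(name, handler) for port-80 vhosts whose vhost-wide handler takes /.well-known/."""
    findings, stack, vhost = [], [], None
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):              # closing section tag
            tag, _ = stack.pop()
            if tag == "virtualhost" and vhost:
                if vhost["handler"] and not vhost["exempt"]:
                    findings.append((vhost["name"], vhost["handler"]))
                vhost = None
        elif line.startswith("<"):             # opening section tag
            m = re.match(r"<(\w+)\s*(.*?)>$", line)
            stack.append((m.group(1).lower(), m.group(2)))
            if stack[-1][0] == "virtualhost" and m.group(2).endswith(":80"):
                vhost = {"name": "(unnamed)", "handler": None, "exempt": False}
        elif vhost is not None:                # directive inside a port-80 vhost
            key, _, value = line.partition(" ")
            scope, arg = stack[-1]
            if key.lower() == "servername":
                vhost["name"] = value.strip()
            elif key.lower() == "sethandler":
                handler = value.strip().lower()
                if scope == "virtualhost" and handler not in STATIC:
                    vhost["handler"] = handler       # applies to every URL
                elif scope.startswith("location") and "well-known" in arg \
                        and handler in STATIC:
                    vhost["exempt"] = True           # challenge path carved out
    return findings
```

Run against each file in /etc/apache2/sites-enabled/ before a renewal, an empty list means no port-80 vhost hands the challenge path to an application handler.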


Congratulations, all renewals succeeded.

That worked for me. Still I had to try renewing twice. The first attempt failed.
Let’s see if the next automated renewal succeeds.

Thank you very much for your great help!
