Multiple Web Applications with one IP, different domains

Hi there!

My domain is: searxwibastr.ddnss.de

I ran this command:
sudo certbot renew

It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/searxwibastr.ddnss.de.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for searxwibastr.ddnss.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (searxwibastr.ddnss.de) from /etc/letsencrypt/renewal/searxwibastr.ddnss.de.conf produced an unexpected error: Failed authorization procedure. searxwibastr.ddnss.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://searxwibastr.ddnss.de/.well-known/acme-challenge/1KorcrObBJUg1509WdqR9UtV0enOPwGnJ4CtqMPIbfQ [79.241.250.34]: "\n<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">\n\n <meta charset="UTF-8" />\n <met". Skipping.


IMPORTANT NOTES:

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

I am running a searx instance and nextcloud on my server. For my nextcloud, certbot works fine. Only for searx do I get the above-mentioned errors.

I got a certificate for the searx domain once, but renewal won't work.

My vhosts are separated and my config is consistent (both with <VirtualHost *:80> and the same for 443).

What else can go wrong?

Thanks in advance!

There are some circumstances where Certbot<0.31 may fail to effectively configure the challenge response in the correct virtualhost.

Could you show us:

apachectl -t -D DUMP_VHOSTS

as well as the port 80 virtualhost block for your searx subdomain?

Thanks!

Thanks for your reply!

Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

<VirtualHost *:80>
    ServerAdmin svenerichsen@mail.de
    ServerName searxwibastr.ddnss.de
    DocumentRoot /var/www/searx/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Options FollowSymLinks Indexes
    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket
    <Directory /var/www/searx>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =searxwibastr.ddnss.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

This is the whole content of searx.conf.

How do I update certbot, btw?
I added the repository, but if I try to force the update by executing
sudo apt-get install --only-upgrade certbot
it tells me that I am using the latest version, which is not true.

It's true in a sense - the Ubuntu PPA is not updated with 0.31 yet.

That's weird. What does the Apache error log (/var/log/apache2/error_log) say when you run this? Perhaps your current Apache config is not valid.

This is the most common log entry:
[Fri Mar 01 06:25:02.158428 2019] [mpm_prefork:notice] [pid 3975] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 2003:d8:2bfe:5400:20c:29ff:fe67:aa00. Set the 'ServerName' directive globally to suppress this message

Also there are tons of entries like this:
[Fri Mar 01 03:14:44.464416 2019] [php7:error] [pid 9447] [client 132.232.88.174:13980] script '/var/www/html/index.php' not found or unable to stat

I forgot some output from dump_vhosts:
AH00526: Syntax error on line 18 of /etc/apache2/sites-enabled/nextcloud-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/wibastr.ddnss.de/fullchain.pem' does not exist or is empty

But that's strange. For my nextcloud domain certbot runs as expected.

Hmm.

Did you run the DUMP_VHOSTS command as root/sudo? Or does this file really not exist?

Shame on me.
Here's the output with sudo:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 2003:d8:2bfe:5400:20c:29ff:fe67:aa00. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server wibastr.ddnss.de (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
         port 443 namevhost wibastr.ddnss.de (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:2)
         port 443 namevhost searxwibastr.ddnss.de (/etc/apache2/sites-enabled/searx-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 2003:d8:2bfe:5400:20c:29ff:fe67:aa00 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 2003:d8:2bfe:5400:20c:29ff:fe67:aa00 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost wibastr.ddnss.de (/etc/apache2/sites-enabled/nextcloud.conf:1)
         port 80 namevhost searxwibastr.ddnss.de (/etc/apache2/sites-enabled/searx.conf:1)

OK, I tried replicating your setup. I ended up with the identical behavior that you experience.

It seems like Certbot’s Apache authenticator can’t properly handle mod_uwsgi. Probably worth filing a bug over.

I came up with this workaround:

Below:

    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket

Add:

    <LocationMatch "/\.well-known/">
        SetHandler default-handler
    </LocationMatch>

and give it another go.

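A check for the condition that workaround addresses, written as an added example (not from the thread or from Certbot): it scans Apache vhost text for a vhost-wide SetHandler that no Location/LocationMatch section covering /.well-known/ resets, which is exactly what makes uWSGI answer the http-01 request instead of the challenge file. The sample vhost strings are constructed from the config posted above.

```python
import re

# Constructed sample (assumption): a trimmed copy of the searx port-80 vhost
# from this thread, where a vhost-wide SetHandler hands every request,
# including /.well-known/acme-challenge/, to uWSGI.
VHOST_BROKEN = """<VirtualHost *:80>
    ServerName searxwibastr.ddnss.de
    DocumentRoot /var/www/searx/
    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket
</VirtualHost>
"""

# The same vhost with the LocationMatch workaround from the thread applied.
VHOST_FIXED = VHOST_BROKEN.replace(
    "    uWSGISocket /run/uwsgi/app/searx/socket\n",
    "    uWSGISocket /run/uwsgi/app/searx/socket\n"
    '    <LocationMatch "/\\.well-known/">\n'
    "        SetHandler default-handler\n"
    "    </LocationMatch>\n",
)

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
# Container sections that can scope a SetHandler more narrowly than the vhost.
CONTAINER_RE = re.compile(
    r"<(LocationMatch|Location|DirectoryMatch|Directory|FilesMatch|Files)\b([^>]*)>(.*?)</\1>",
    re.S | re.I,
)
SETHANDLER_RE = re.compile(r"^\s*SetHandler\s+(\S+)", re.M | re.I)
RESET = ("default-handler", "none")  # handler values that give the file back to core


def acme_path_captured(config_text):
    """Return ServerNames of vhosts whose vhost-wide SetHandler would swallow
    http-01 challenge requests (no /.well-known/ section resets the handler)."""
    captured = []
    for body in VHOST_RE.findall(config_text):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        name = name.group(1) if name else "(no ServerName)"
        reset_for_acme = False
        for _tag, args, inner in CONTAINER_RE.findall(body):
            handler = SETHANDLER_RE.search(inner)
            if "well-known" in args and handler and handler.group(1).lower() in RESET:
                reset_for_acme = True
        # Strip container sections so only vhost-level directives remain.
        vhost_wide = SETHANDLER_RE.search(CONTAINER_RE.sub("", body))
        if vhost_wide and vhost_wide.group(1).lower() not in RESET and not reset_for_acme:
            captured.append(name)
    return captured
```

Run it over the text of `cat /etc/apache2/sites-enabled/*.conf`; any name it returns is a vhost where Certbot's Apache authenticator will get the application's response instead of the challenge token.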

Congratulations, all renewals succeeded.

That worked for me. Still I had to try renewing twice. The first attempt failed.
Let’s see if the next automated renewal succeeds.

Thank you very much for your great help!

