New 'Failed authorization procedure' error with Apache

Running 'certbot renew' by crontab,
server grepnik.default.grepnik.uk0.bigv.io,
OS Debian buster.

I use LetsEncrypt certs for my two domains and also for a certificate for the server name grepnik.default.grepnik.uk0.bigv.io which maps to
the webroot.

I run Apache, and installed certbot and used the standard Apache validation.

ACME validation has just returned 'Failed authorization procedure'.

Certbot requested
https://grepnik.default.grepnik.uk0.bigv.io/.well-known/acme-challenge/Xmb....
from the server and it responded with my custom 404 page.

There is no directory called '.well-known' in the webroot, and no file under /etc/apache2 references it or 'acme-challenge'. Nor
in /etc/letsencrypt for that matter.

Renewal of this cert must (I think) have succeeded before, and nothing remotely relevant has changed in the webserver config.

How does Apache know what to do with a request for .well-known/acme-challenge/...
Should my certbot invocation contain --apache?
How do I check/test/recreate whatever I did (or should have done) to make Apache aware of acme?
and assuming it ever ran, what's gone wrong with the process?

Let me know what to try and what to report back with. Thanks!

Certbot temporarily modifies your Apache config, in order to "catch" the acme-challenge request and to route it to the right directory.

Once Certbot completes running, the changes get undone, which is probably why you can't find any references to that patch.

If that's not working for you, would you be able to tell us what the output of the following command is:

sudo apachectl -t -D DUMP_VHOSTS

and also your Certbot version:

certbot --version

Thanks for swift response _az

apachectl -t -D DUMP_VHOSTS
[Thu Jun 03 04:52:52.065110 2021] [so:warn] [pid 1311] AH01574: module ssl_module is already loaded, skipping
VirtualHost configuration:
*:* is a NameVirtualHost
default server grepnik.default.grepnik.uk0.bigv.io (/etc/apache2/sites-enabled/000-default.conf:1)
port * namevhost grepnik.default.grepnik.uk0.bigv.io (/etc/apache2/sites-enabled/000-default.conf:1)
port * namevhost www.aeolian.org.uk (/etc/apache2/sites-enabled/000-default.conf:47)
port * namevhost www.notjustcamden.uk (/etc/apache2/sites-enabled/000-default.conf:54)
port * namevhost notjustcamden.uk (/etc/apache2/sites-enabled/000-default.conf:61)
*:80 meet.notjustcamden.uk (/etc/apache2/sites-enabled/meet.notjustcamden.uk.conf:2)
*:443 is a NameVirtualHost
default server www.aeolian.org.uk (/etc/apache2/sites-enabled/000-ssl:2)
port 443 namevhost www.aeolian.org.uk (/etc/apache2/sites-enabled/000-ssl:2)
port 443 namevhost www.notjustcamden.uk (/etc/apache2/sites-enabled/000-ssl:36)
port 443 namevhost meet.notjustcamden.uk (/etc/apache2/sites-enabled/meet.notjustcamden.uk.conf:10)

certbot --version
certbot 0.31.0

I now see that the certbot cron job has never renewed grepnik.default.grepnik.uk0.bigv.io. It seems I have always renewed it manually somehow (force renew?) before it was due, as part of investigating renew hook problems.

Hey,

Thanks!

I'm 99% sure this is because you have a mixture of * and *:80 in your bind lines for your non-HTTPS virtualhosts. (Not that you're expected to know that, it's a surprising bug).

If you open /etc/apache2/sites-enabled/000-default.conf and change that first:

<VirtualHost *>

to

<VirtualHost *:80>

does the renewal succeed?


Yes! Simple as that! Many many thanks.

Should I do the same with the two domains as well?

Great! Yeah, I think you'll want to do the same thing for:

port * namevhost www.aeolian.org.uk (/etc/apache2/sites-enabled/000-default.conf:47)
port * namevhost www.notjustcamden.uk (/etc/apache2/sites-enabled/000-default.conf:54)
port * namevhost notjustcamden.uk (/etc/apache2/sites-enabled/000-default.conf:61)
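
The two steps in this thread (spot vhosts bound to a bare `*` while others are bound to `*:80`, then rewrite the bare binds) can be scripted. The following is an added example written for this page, not code from the thread or from Certbot. It works on the text of `apachectl -t -D DUMP_VHOSTS` and on a site config file; the sample dump and sample config below are constructed from the output quoted above, and the function names are my own.

```python
"""Find and fix the mixed <VirtualHost *> / <VirtualHost *:80> bind problem.

Usage on a live box (assumed, not verified here):
    apachectl -t -D DUMP_VHOSTS 2>/dev/null | python3 fix_vhost_binds.py
    python3 fix_vhost_binds.py /etc/apache2/sites-enabled/000-default.conf
then `apachectl configtest`, reload, and `certbot renew --dry-run`.
"""
import re
import shutil
import sys

# Constructed sample, trimmed from the DUMP_VHOSTS output in the thread
# (indentation restored to Apache's normal layout).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:*                    is a NameVirtualHost
         default server grepnik.default.grepnik.uk0.bigv.io (/etc/apache2/sites-enabled/000-default.conf:1)
         port * namevhost grepnik.default.grepnik.uk0.bigv.io (/etc/apache2/sites-enabled/000-default.conf:1)
         port * namevhost www.aeolian.org.uk (/etc/apache2/sites-enabled/000-default.conf:47)
         port * namevhost www.notjustcamden.uk (/etc/apache2/sites-enabled/000-default.conf:54)
         port * namevhost notjustcamden.uk (/etc/apache2/sites-enabled/000-default.conf:61)
*:80                   meet.notjustcamden.uk (/etc/apache2/sites-enabled/meet.notjustcamden.uk.conf:2)
*:443                  is a NameVirtualHost
         default server www.aeolian.org.uk (/etc/apache2/sites-enabled/000-ssl:2)
         port 443 namevhost www.aeolian.org.uk (/etc/apache2/sites-enabled/000-ssl:2)
"""

# Constructed sample config with two bare binds and one explicit :80 bind.
SAMPLE_CONF = """\
<VirtualHost *>
    ServerName grepnik.default.grepnik.uk0.bigv.io
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *>
    ServerName www.aeolian.org.uk
    DocumentRoot /var/www/aeolian
</VirtualHost>

<VirtualHost *:80>
    ServerName meet.notjustcamden.uk
</VirtualHost>
"""

# "port <p> namevhost <name> (<file>:<line>)" lines under a NameVirtualHost.
VHOST_RE = re.compile(r"port (\S+) namevhost (\S+) \((.+?):(\d+)\)")
# Top-level "<addr>:<port> ..." bind lines, with or without a NameVirtualHost.
BIND_RE = re.compile(r"^(\S+):(\S+)\s+(?:is a NameVirtualHost|\S+ \(.+?:\d+\))")
# Opening tag of a vhost bound to a bare wildcard (no port), any indentation.
OPEN_RE = re.compile(r"^(\s*)<VirtualHost\s+\*\s*>", re.IGNORECASE)


def wildcard_port_vhosts(dump_text):
    """Parse DUMP_VHOSTS output.

    Returns (wildcard, explicit_80): the list of (name, file, line) for every
    vhost whose port column is "*", and whether any bind uses port 80
    explicitly. Both together are the mixture _az describes.
    """
    ports_seen = set()
    wildcard = []
    for raw in dump_text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            ports_seen.add(m.group(2))
        m = VHOST_RE.search(line)
        if m:
            port, name, path, lineno = m.groups()
            ports_seen.add(port)
            if port == "*":
                wildcard.append((name, path, int(lineno)))
    return wildcard, "80" in ports_seen


def fix_bare_wildcard(config_text):
    """Rewrite every '<VirtualHost *>' to '<VirtualHost *:80>'.

    Returns (new_text, number_of_lines_changed). Lines already carrying a
    port, including '<VirtualHost *:443>', are left alone.
    """
    out, changed = [], 0
    for line in config_text.splitlines(keepends=True):
        new = OPEN_RE.sub(r"\1<VirtualHost *:80>", line)
        if new != line:
            changed += 1
        out.append(new)
    return "".join(out), changed


def fix_file(path):
    """Back up <path> to <path>.bak and rewrite it in place; return change count."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    fixed, changed = fix_bare_wildcard(text)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(fixed)
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(f"{p}: {fix_file(p)} bind line(s) rewritten (backup in .bak)")
    else:
        dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
        wild, has80 = wildcard_port_vhosts(dump)
        for name, path, lineno in wild:
            print(f"bare '*' bind: {name} at {path}:{lineno}")
        if wild and has80:
            print("mixed '*' and '*:80' binds found; change '<VirtualHost *>' to '<VirtualHost *:80>'")
```

Run the detector on the output of `apachectl -t -D DUMP_VHOSTS` first; if it reports bare binds alongside a `*:80` bind, apply the fix to the named files, run `apachectl configtest`, reload Apache, and confirm with `certbot renew --dry-run` before touching anything else.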
