Please Help SSL keeps failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: raybuilders.com

I ran this command: Let's Encrypt Get Certificate

It produced this output:
Requesting a certificate for raybuilders.com, www.raybuilders.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for raybuilders.com and www.raybuilders.com
Reusing existing private key from /etc/letsencrypt/live/raybuilders.com/privkey.pem.
Performing the following challenges:
http-01 challenge for raybuilders.com
http-01 challenge for www.raybuilders.com
Using the webroot path /home/raybuilders/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain raybuilders.com
Challenge failed for domain www.raybuilders.com
http-01 challenge for raybuilders.com
http-01 challenge for www.raybuilders.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: raybuilders.com
    Type: unauthorized
    Detail: 5.189.166.189: Invalid response from
    https://raybuilders.com: "\n<html
    lang="en">\n\n <meta charset="utf-8" />\n\t\t

    Ray Builders\n "

    Domain: www.raybuilders.com
    Type: unauthorized
    Detail: 5.189.166.189: Invalid response from
    https://raybuilders.com: "\n<html
    lang="en">\n\n <meta charset="utf-8" />\n\t\t

    Ray Builders\n "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

SYSTEM INFORMATION
OS type and version: CentOS Linux 7.9.2009
Webmin version: 2.101
Usermin version: 2.001
Virtualmin version: 7.8.2
Theme version: 21.04
Package updates: All installed packages are up to date

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin

THE OLD CERTIFICATES STILL HAVE 15 DAYS LEFT
but the renewal seems to have started automatically and I'm getting many emails that this has failed, so I thought I'd try and get fresh certificates for just raybuilders.com and www.raybuilders.com
but I keep getting this problem - I have checked the AA records and they are all fine - I just can't figure it out

I'm having the same problem with another website as well
PLEASE HELP
Thanks
Pappaji

If you can log in as root, and Virtualmin is based on Apache [not sure about that part], try showing:
sudo apachectl -t -D DUMP_VHOSTS

port 80 namevhost raybuilders.com (/etc/httpd/conf/httpd.conf:2790)
                 alias www.raybuilders.com
                 alias mail.raybuilders.com
                 alias webmail.raybuilders.com
                 alias admin.raybuilders.com

Then I did the sudo command again and it says:

         port 443 namevhost raybuilders.com (/etc/httpd/conf/httpd.conf:5149)
                 alias www.raybuilders.com
                 alias mail.raybuilders.com
                 alias webmail.raybuilders.com
                 alias admin.raybuilders.com

[root@vmi431722 ~]# sudo apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.

then it follows as:

         port 80 namevhost raybuilders.com (/etc/httpd/conf/httpd.conf:2790)
                 alias www.raybuilders.com
                 alias mail.raybuilders.com
                 alias webmail.raybuilders.com
                 alias admin.raybuilders.com

and
         port 443 namevhost raybuilders.com (/etc/httpd/conf/httpd.conf:5149)
                 alias www.raybuilders.com
                 alias mail.raybuilders.com
                 alias webmail.raybuilders.com
                 alias admin.raybuilders.com

[root@vmi431722 ~]#

Your server is wrongly redirecting the HTTP Challenge request from the Let's Encrypt server. You redirect the HTTP request to your home page using HTTPS.

You either need to stop redirecting these challenges (which is best), or redirect using the full URI of the HTTP request.

curl -i http://raybuilders.com/.well-known/acme-challenge/Test123

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://raybuilders.com

The Location should look like:
Location: https://raybuilders.com/.well-known/acme-challenge/Test123

If you need help with that please show the VirtualHost that starts at line 2790 in /etc/httpd/conf/httpd.conf

It is also possible your redirects are set by VirtualMin or maybe a .htaccess file or something similar.

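The check above can be automated. The script below is an added example, not code from the thread or from Virtualmin: `check_acme_redirect` reads raw response headers (the constructed samples embedded here mirror the curl output quoted above) and decides whether a validator following the redirect would still reach the challenge path, and `probe_live` is an assumed helper that drops a random token under the webroot and fetches it through plain HTTP with redirects followed, the way the http-01 validator does. `probe_live` needs the real host and network, so it is defined but not invoked.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of the redirect behaviour
# described above, plus a live probe to run as root on the server.
#
# The http-01 validator fetches http://<domain>/.well-known/acme-challenge/<token>
# and follows redirects. A 301 whose Location drops the path sends it to the
# home page, which is what "Invalid response from https://raybuilders.com"
# in the certbot output means.

CHALLENGE_PATH=/.well-known/acme-challenge/Test123

# check_acme_redirect PATH  < raw-response-headers
# Returns 0 when the response still lets a validator reach PATH, 1 otherwise.
check_acme_redirect() {
    want="$1"
    hdrs=$(tr -d '\r')                                            # strip CRLF
    status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        200)
            echo "ok: $status served directly"; return 0 ;;
        301|302|307|308)
            case "$location" in
                http://*"$want"|https://*"$want")
                    echo "ok: $status keeps the path -> $location"; return 0 ;;
                *)
                    echo "bad: $status drops the path -> $location"; return 1 ;;
            esac ;;
        *)
            echo "bad: unexpected status '$status'"; return 1 ;;
    esac
}

# probe_live DOMAIN WEBROOT  -- assumed helper, run as root on the server itself.
# Writes a random token into the webroot, fetches it following redirects
# (curl's default limit is raised to 10), and removes the token again.
probe_live() {
    domain="$1"; webroot="$2"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
    got=$(curl -sSL --max-redirs 10 -m 15 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    if [ "$got" = "$token" ]; then
        echo "ok: $domain serves the token"; return 0
    fi
    echo "bad: $domain returned something else: $(printf '%s' "$got" | head -c 80)"
    return 1
}

# Constructed sample responses. The first is the broken case quoted in the thread.
BROKEN_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://raybuilders.com
Content-Type: text/html; charset=iso-8859-1'

FIXED_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://raybuilders.com/.well-known/acme-challenge/Test123'

DIRECT_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/plain'

printf '%s\n' "$BROKEN_RESPONSE" | check_acme_redirect "$CHALLENGE_PATH" || true
printf '%s\n' "$FIXED_RESPONSE"  | check_acme_redirect "$CHALLENGE_PATH"
printf '%s\n' "$DIRECT_RESPONSE" | check_acme_redirect "$CHALLENGE_PATH"
# On the server: probe_live raybuilders.com /home/raybuilders/public_html
```

Feeding real headers works the same way: `curl -sI http://raybuilders.com$CHALLENGE_PATH | check_acme_redirect "$CHALLENGE_PATH"`. A 404 for the test path is reported as bad too, which is fine: the live probe with a real token is the check that matters once the redirect is right.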

Holy carp!
Seems that VirtualMin puts everything into one single config file.


I'm so sorry, I'm new to this. To do this change, should I put that in the cmd?
Like:

curl -i http://raybuilders.com/.well-known/acme-challenge/Test123

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://raybuilders.com


the 2790 line is as below:

<VirtualHost 5.189.166.189:80>

then it carries on as:

<VirtualHost 5.189.166.189:80>
    SuexecUserGroup "#1079" "#1056"
    ServerName raybuilders.com
    ServerAlias www.raybuilders.com
    ServerAlias mail.raybuilders.com
    ServerAlias webmail.raybuilders.com
    ServerAlias admin.raybuilders.com
    DocumentRoot /home/raybuilders/public_html
    ErrorLog /var/log/virtualmin/raybuilders.com_error_log
    CustomLog /var/log/virtualmin/raybuilders.com_access_log combined
    ScriptAlias /cgi-bin/ /home/raybuilders/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/raybuilders/public_html>

I don't see any problem in those lines. In fact, there is no redirect of any kind. Which means either that VirtualHost is not processing the request or something was missing.

Was there anything after the <directory /home... line through the ending </VirtualHost>?

You should add 3 backticks before and after those contents so nothing is lost to formatting. Like
```
contents
```


2788 </Location>

</VirtualHost>
<VirtualHost 5.189.166.189:80>
    SuexecUserGroup "#1079" "#1056"
    ServerName raybuilders.com
    ServerAlias www.raybuilders.com
    ServerAlias mail.raybuilders.com
    ServerAlias webmail.raybuilders.com
    ServerAlias admin.raybuilders.com
    DocumentRoot /home/raybuilders/public_html
    ErrorLog /var/log/virtualmin/raybuilders.com_error_log
    CustomLog /var/log/virtualmin/raybuilders.com_access_log combined
    ScriptAlias /cgi-bin/ /home/raybuilders/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/raybuilders/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php5
        AddHandler fcgid-script .php7.2
        FCGIWrapper /home/raybuilders/fcgi-bin/php7.2.fcgi .php
        FCGIWrapper /home/raybuilders/fcgi-bin/php5.fcgi .php5
        FCGIWrapper /home/raybuilders/fcgi-bin/php7.2.fcgi .php7.2
    </Directory>
    <Directory /home/raybuilders/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.raybuilders.com
    RewriteRule ^(?!/.well-known)(.*) https://raybuilders.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.raybuilders.com
    RewriteRule ^(?!/.well-known)(.*) https://raybuilders.com:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php5
    RemoveHandler .php7.2
    FcgidMaxRequestLen 1073741824
    Alias /dav /home/raybuilders/public_html
    <Location /dav>
        DAV on
        AuthType Basic
        AuthName "raybuilders.com"
        AuthUserFile /home/raybuilders/etc/dav.digest.passwd
        Require valid-user
        ForceType text/plain
        Satisfy All
        RemoveHandler .php
        RemoveHandler .php5
        RemoveHandler .php7.2
        RewriteEngine off
    </Location>
    RedirectMatch 301 /(.*)$ https://raybuilders.com

This line is the problem. You are not preserving the URI of the original request (the part after the domain name)

There are many ways to do what you want. But, I think if you remove that line and add this to your RewriteCond group it should work

RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

You may need to check if this works for your mail subdomain.

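Put together, the port-80 VirtualHost would end like this. This is an added example, not the thread's or Virtualmin's own configuration: the ServerName, aliases, DocumentRoot and the original `RedirectMatch` line are taken from the configuration posted above, the `RewriteCond`/`RewriteRule` pair is the fix suggested in the reply, and the `Directory` block for the challenge path is an assumption added so the token files are always readable regardless of other per-directory rules.

```apache
# Added example: the corrected end of the port-80 VirtualHost from the thread.
<VirtualHost 5.189.166.189:80>
    ServerName raybuilders.com
    ServerAlias www.raybuilders.com
    ServerAlias mail.raybuilders.com
    DocumentRoot /home/raybuilders/public_html

    # Assumed addition: make sure the token files certbot writes here are
    # served as plain files, whatever else applies to public_html.
    <Directory /home/raybuilders/public_html/.well-known/acme-challenge>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    RewriteEngine on
    # Let the ACME challenge through untouched over plain HTTP ...
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # ... and send every other request to HTTPS, keeping the request path.
    # In VirtualHost context the pattern sees the leading slash.
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    # BROKEN (what the thread started with): the redirect target has no path,
    # so the validator lands on the home page instead of the token. Remove it.
    # RedirectMatch 301 /(.*)$ https://raybuilders.com
</VirtualHost>
```

The same `RedirectMatch` line appears in the port-443 VirtualHost as well; there it serves no purpose (the request is already on HTTPS), so remove it there too and leave the HTTPS vhost without any redirect. Run `httpd -t` before reloading Apache; on CentOS 7 `apachectl` no longer passes `-t -D DUMP_VHOSTS` through, but `httpd -t -D DUMP_VHOSTS` does.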

You should show everything from
<virtualhost ...>
to
</virtualhost>


I just noticed this line is in 2 places.
There are a lot of other domains mentioned in this file, but this particular domain is mentioned in two places: once as mentioned above, then at the very end, line 5148 onwards:

5148

</VirtualHost>
<VirtualHost 5.189.166.189:443>
    SuexecUserGroup "#1079" "#1056"
    ServerName raybuilders.com
    ServerAlias www.raybuilders.com
    ServerAlias mail.raybuilders.com
    ServerAlias webmail.raybuilders.com
    ServerAlias admin.raybuilders.com
    DocumentRoot /home/raybuilders/public_html
    ErrorLog /var/log/virtualmin/raybuilders.com_error_log
    CustomLog /var/log/virtualmin/raybuilders.com_access_log combined
    ScriptAlias /cgi-bin/ /home/raybuilders/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/raybuilders/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php5
        AddHandler fcgid-script .php7.2
        FCGIWrapper /home/raybuilders/fcgi-bin/php7.2.fcgi .php
        FCGIWrapper /home/raybuilders/fcgi-bin/php5.fcgi .php5
        FCGIWrapper /home/raybuilders/fcgi-bin/php7.2.fcgi .php7.2
    </Directory>
    <Directory /home/raybuilders/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.raybuilders.com
    RewriteRule ^(?!/.well-known)(.*) https://raybuilders.com:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.raybuilders.com
    RewriteRule ^(?!/.well-known)(.*) https://raybuilders.com:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php5
    RemoveHandler .php7.2
    FcgidMaxRequestLen 1073741824
    Alias /dav /home/raybuilders/public_html
    <Location /dav>
        DAV on
        AuthType Basic
        AuthName "raybuilders.com"
        AuthUserFile /home/raybuilders/etc/dav.digest.passwd
        Require valid-user
        ForceType text/plain
        Satisfy All
        RemoveHandler .php
        RemoveHandler .php5
        RemoveHandler .php7.2
        RewriteEngine off
    </Location>
    SSLEngine on
    SSLCertificateFile /home/raybuilders/ssl.combined
    SSLCertificateKeyFile /home/raybuilders/ssl.key
    SSLCACertificateFile /home/raybuilders/ssl.ca
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    RedirectMatch 301 /(.*)$ https://raybuilders.com
</VirtualHost>

I'm not really into coding at all so please help
do I change both instances?

All instances of:

are probably wrong [causing problems].


It won't affect the rest of the domains mentioned here in this, I hope... trying it now.

If you are in doubt, show us the changes you are going to make first.


OK, changed both instances and tried again; here's what I got:

Requesting a certificate for raybuilders.com, www.raybuilders.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for raybuilders.com and www.raybuilders.com
Reusing existing private key from /etc/letsencrypt/live/raybuilders.com/privkey.pem.
Performing the following challenges:
http-01 challenge for raybuilders.com
http-01 challenge for www.raybuilders.com
Using the webroot path /home/raybuilders/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain raybuilders.com
Challenge failed for domain www.raybuilders.com
http-01 challenge for raybuilders.com
http-01 challenge for www.raybuilders.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: raybuilders.com
    Type: unauthorized
    Detail: 5.189.166.189: Invalid response from
    https://raybuilders.com: "\n<html
    lang="en">\n\n <meta charset="utf-8" />\n\t\t

    Ray Builders\n "

    Domain: www.raybuilders.com
    Type: unauthorized
    Detail: 5.189.166.189: Invalid response from
    https://raybuilders.com: "\n<html
    lang="en">\n\n <meta charset="utf-8" />\n\t\t

    Ray Builders\n "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

That redirection is unnecessary.
