Problem get certbot working under Debian Apache Typo3

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:hpalthoff.althoff-fam.de

I ran this command:sudo certbot --apache --agree-tos --no-eff-email --redirect --hsts --staple-ocsp --email hans-georg@althoff-fam.de -d hpalthoff.althoff-fam.de

It produced this output:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for hpalthoff.althoff-fam.de

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: hpalthoff.althoff-fam.de
Type: unauthorized
Detail: 85.182.222.24: Invalid response from https://hpalthoff.althoff-fam.de:443/.well-known/acme-challenge/242yiaIrWsIPnYYduN6wFWVaYRD9DpsJnyVWGUmaWLM: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):Apache/2.4.62 (Debian)

The operating system my web server runs on is (include version): Debian 12.11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Some additional information. My Apache .conf file:

<VirtualHost *:80>
    ServerAdmin hans-georg@althoff-fam.de
    DocumentRoot /var/www/typo3/public
    ServerName hpalthoff.althoff-fam.de

     <Directory /var/www/typo3/public/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    
     <Directory /var/www/typo3/public/>
            RewriteEngine on
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*) index.php [PT,L]
    </Directory>
</VirtualHost>

Output apachectl -S

VirtualHost configuration:
*:80 is a NameVirtualHost
default server hpalthoff.althoff-fam.de (/etc/apache2/sites-enabled/hpalthoff.conf:1)
port 80 namevhost hpalthoff.althoff-fam.de (/etc/apache2/sites-enabled/hpalthoff.conf:1)
port 80 namevhost hpalthoff.althoff-fam.de (/etc/apache2/sites-enabled/hpalthoff.conf:23)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Was that the entire contents of that conf file?

Because from your -S output Apache thinks there are two VirtualHost in that same config file for the same domain. One starting on line 1 and another on line 23

Where's the HTTPS virtualhost?

Also, currently your HTTPS site already has a valid Let's Encrypt certificate issued yesterday. What's wrong with that one?

Note that Let's Encrypt doesn't include any OCSP URIs any longer, so OCSP stapling doesn't do anything any more.

No, here the rest.

VirtualHost *:80>
    ServerAdmin hans-georg@althoff-fam.de
    DocumentRoot /var/www/html
    ServerName hpalthoff.althoff-fam.de
</VirtualHost>

So I can delete it?
But this part would not create any problem?
Just not working anymore?

You should delete the second one from that config file. You can only have one VirtualHost for the same port and domain name. Sadly, Apache will startup even with that but you will not get correct results. And, it will cause problems with the Certbot --apache plugin you are using.

More important, that is not the Apache system that is replying to requests for your domain.

An HTTP request gets redirected to HTTPS. But, there is no redirection in that config file. So, some other Apache system is doing that.

curl -i http://hpalthoff.althoff-fam.de
HTTP/1.1 301 Moved Permanently
Date: Wed, 16 Jul 2025 17:30:47 GMT
Server: Apache
Location: https://hpalthoff.althoff-fam.de:443/

What does this show?

curl -4 https://ifconfig.io

Maybe I should mention, that in front there is a Sophos UTM9 firewall which is converting von http to https.

And as long there is no certificate, https is not working, or is that not the case.
Than I have to add the 443 to the config file.

Yes, that is important You should still remove that duplicate VirtualHost in any case

Does your Sophos also handle HTTPS ? Because as noted earlier something is replying to HTTPS requests but your Apache -S output did not show anything listening on port 443

curl -i https://hpalthoff.althoff-fam.de
HTTP/1.1 403 Forbidden
Date: Wed, 16 Jul 2025 18:32:57 GMT
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>

<p>Additionally, a 503 Service Unavailable
error was encountered while trying to use an ErrorDocument to handle the request.</p>

It shows my fix IP-Address!

Yes, Sophos is handle http & https: If it is http it is converted to htpps and there is also included a letsencrypt certificate for hpalthoff.althoff-fam.de.

I have changed the virtualhost file:

<VirtualHost *:443>

    ServerAdmin hans-georg@althoff-fam.de
    DocumentRoot /var/www/typo3/public
    ServerName hpalthoff.althoff-fam.de

     <Directory /var/www/typo3/public/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    
     <Directory /var/www/typo3/public/>
            RewriteEngine on
            RewriteBase /
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*) index.php [PT,L]
    </Directory>
</VirtualHost>

Is that correct?

I have replaced the first line of the .conf File with.

<VirtualHost *:80 *:443>

Now I can access the hpalthoff,althoff-fam.de with http but not with https.

No, that is a horrible idea.

I don't have time to address any other concerns

If your firewall is already terminating TLS for you, why do you need a certificate for the server itself?

Good question!
But Apache get a 443 request and has to answer.
How can I achieve it?

Again, why? If your Sophos is terminating TLS, proxy it to port 80 on your Apache server. There's no reason I can see that your Apache server needs to touch TLS or port 443 in any way.