Problem with Renewing all websites

Hello,

my Debian 8 + Apache server runs multiple domains and automatically redirects http to https. From time to time, I want to renew my SSL certificates. So I manually run “sudo /usr/local/bin/certbot-auto --apache”, and it asks me “Which names would you like to activate HTTPS for?”

Strangely, one of the domains it recognizes is: “7: xxx.xxx.xxx.xxx”

If I only renew domains 1-6, everything works. If I renew all domains, including 7, it doesn’t work. It tries to renew domain 7’s certificate first and gives the following error:

(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx.xxx.xxx.xxx
Waiting for verification…
Challenge failed for domain xxx.xxx.xxx.xxx
http-01 challenge for xxx.xxx.xxx.xxx
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.xxx.xxx.xxx
   Type:   unauthorized
   Detail: Invalid response from
   https://www.xxx.xxx/.well-known/acme-challenge/6PbO5eGCNPkqtDwzpjGN3xMOnuepoZSaq8g1RA6P2Qk
   [52.206.55.67]: "<!DOCTYPE html>\n<html>\n  <head>\n    <!-- Google
   Tag Manager -->\n
   <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.s"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Can someone please help me fix this? Thanks!
I think I must delete some file or entry or folder to get rid of domain 7 (which is actually not a real domain, but some strange thing that letsencrypt recognizes)…
As a result, I also can’t auto-refresh my certificates …

1 Like

Hi @feufu

please answer all of the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Hi, here is the data:

My domain is: One of the websites is tplinvestors.com

I ran this command: See above, “sudo /usr/local/bin/certbot-auto --apache”

It produced this output: See above

My web server is (include version): Debian 8.11

The operating system my web server runs on is (include version): Debian 8.11

My hosting provider, if applicable, is: Netcup

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

What's the xxx - domain? Is this a masked domain or is this really xxx.xxx?

Checking your main domain there is one certificate with 6 domain names, that looks ok ( https://check-your-website.server-daten.de/?q=tplinvestors.com ).

Last from 2019-11-22.

Ah - the xxx.xxx.xxx.xxx domain has two IP addresses - https://check-your-website.server-daten.de/?q=xxx.xxx.xxx.xxx

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| xxx.xxx.xxx.xxx | A | 52.22.77.136 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-52-22-77-136.compute-1.amazonaws.com | yes | 1 | 0 |
| | A | 52.206.55.67 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-52-206-55-67.compute-1.amazonaws.com | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.xxx.xxx.xxx.xxx | A | 52.22.77.136 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-52-22-77-136.compute-1.amazonaws.com | yes | 1 | 0 |
| | A | 52.206.55.67 Ashburn/Virginia/United States (US) - Amazon.com, Inc. Hostname: ec2-52-206-55-67.compute-1.amazonaws.com | yes | 1 | 0 |
| | AAAA | | yes | | |

The IP 52.206.55.67 is checked, see your error message:

And your own domain has a completely different IP address:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| tplinvestors.com | A | 93.177.65.12 Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH Hostname: v22019074412592395.happysrv.de | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.tplinvestors.com | A | 93.177.65.12 Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH Hostname: v22019074412592395.happysrv.de | yes | 1 | 0 |
| | AAAA | | yes | | |

So it's something like a wrong sample domain in your config file.

What does the following say?

apachectl -S

There you should see the vHost definition with the xxx.xxx domain.

  • If it is a ServerAlias -> remove it.
  • If it is a vHost, disable that vHost
  • Restart your server

Then run apachectl -S again to see if it worked.

1 Like
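
The check from the reply above, run over a whole configuration (an added example, not part of the original thread): it reads `apachectl -S` output and lists every served name whose A records do not include the server's own address, together with the config file that defines it. The sample output, names, addresses and function names are constructed for illustration, and `getent ahostsv4` assumes a glibc system.

```shell
#!/bin/sh
# Added example: names Apache serves that do not resolve to this server
# will fail the http-01 challenge, so find them before running certbot.

# Parse `apachectl -S` text on stdin; print "name config-file:line" pairs.
vhost_names() {
    awk '
        $3 == "namevhost" { src = $5; gsub(/[()]/, "", src); print $4, src }
        $1 == "alias"     { print $2, src }
    ' | sort -u
}

# Default resolver: IPv4 addresses for a name, one per line.
resolve_a() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Usage: foreign_names SERVER_IP [RESOLVER]   (apachectl -S text on stdin)
# Prints "name config-file:line resolved-ips" for each name that does not
# resolve to SERVER_IP; these are the ServerAlias/vHost entries to review.
foreign_names() {
    server_ip=$1
    resolver=${2:-resolve_a}
    vhost_names | while read -r name src; do
        ips=$("$resolver" "$name" | tr '\n' ' ')
        ips=${ips% }
        case " $ips " in
            *" $server_ip "*) ;;   # name points at this server
            *) printf '%s %s %s\n' "$name" "$src" "${ips:-unresolved}" ;;
        esac
    done
}

# Constructed sample of `apachectl -S` output and a constructed resolver,
# so the example runs offline.
SAMPLE_S='*:443                   is a NameVirtualHost
         default server site.example (/etc/apache2/sites-enabled/site-le-ssl.conf:2)
         port 443 namevhost site.example (/etc/apache2/sites-enabled/site-le-ssl.conf:2)
                 alias www.site.example
         port 443 namevhost stray.example (/etc/apache2/sites-enabled/old.conf:2)'
sample_resolver() {
    case $1 in
        site.example|www.site.example) echo 192.0.2.10 ;;
        stray.example) printf '%s\n' 198.51.100.7 198.51.100.8 ;;
    esac
}
demo() { printf '%s\n' "$SAMPLE_S" | foreign_names 192.0.2.10 sample_resolver; }
demo
```

On a live server the equivalent call is `apachectl -S 2>/dev/null | foreign_names 93.177.65.12`, using the address the thread shows for tplinvestors.com.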

Thanks, the "apachectl -S" command helped me a lot! I think it was a vHost definition that shouldn't be there, some files in the folder. I removed those files, now the vHost isn't defined any more and renew works perfectly! Thanks again, Jürgen!

2 Likes
