Reconstructing a failed server

My domain is: www.hiltech.com.au

I ran this command: certbot --apache -d www.hiltech.com.au

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.hiltech.com.au
Waiting for verification...
Challenge failed for domain www.hiltech.com.au
http-01 challenge for www.hiltech.com.au
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-03-08T17:32:54

The operating system my web server runs on is (include version):
Ubuntu Server 20.04

Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

When the original web server failed (HDD death and failed backup) I moved the web service from one server onto a different host computer with a different IP address. I changed the DNS tables to define the new server as www and removed the entry for the previous server. Certbot does not want to let me generate a certificate for the new www server even though it is in the same class-C address range.

The version of certbot you are using is apparently from 2016. Best upgrade that (generally using the snap version) then try again.


Thanks for your comment.

I keep the servers up to date with the required patches.

I however can't upgrade that server to the latest revision of Ubuntu server because it has a service on it which will not run on Ubuntu server revision 22.04

Kind Regards,
Ian Hilliard


Certbot moved to using snap for package management on many distros a few years ago; the version of certbot in the Ubuntu apt repository is too old for anyone to support.

This particular problem may be fixable some other way but you'd need to wait for a certbot + apache expert to help figure that out. I'd suggest that certbot isn't performing the required integration with apache, possibly due to the site hostname not matching the site definition you expect it to. You could try the webroot method of using certbot so you can serve the challenge responses via apache: User Guide — Certbot 2.6.0 documentation


First, aren't you interested in getting a cert with the root domain name as well? Why requesting only the www sub domain?

But the problem is most likely an Apache configuration issue. Please show us the output of this

apachectl -t -D DUMP_VHOSTS

This is still a stock standard install so it has the two default virtual hosts.

VirtualHost configuration:
*:443 www.hiltech.com.au (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
*:80 www.hiltech.com.au (/etc/apache2/sites-enabled/000-default.conf:3)

The issue seems to be that Letsencrypt is looking for something which does not exist:

http://www.hiltech.com.au/.well-known/acme-challenge/jjJauo0jWK6fbnDHlaZMxdlmlkXMD7zPzGurCwrv1e8:

Isn't Letsencrypt supposed to create this?

Regards,

Ian


Correct. The Certbot --apache plug-in makes a temporary change to your Apache config. Certbot then requests the cert from Let's Encrypt and the LE servers look for the token created by Certbot.

  1. Are you running Certbot on the same machine as your new Apache server?

  2. Can you show us the result of this?

curl -4 http://ifconfig.io

  3. And perhaps most important, please show the contents of the file below. Please add 3 backticks before and after the contents to preserve all the tags, like:
    ```
    contents of: /etc/apache2/sites-enabled/000-default.conf
    ```
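The check Mike describes, and the webroot method suggested earlier in the thread, both come down to one thing: the validation server fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP and compares the body with the key authorization. The script below is an added example, not code from this thread or from certbot; it stages a token the way certbot --webroot does and then performs the same fetch-and-compare the CA performs, so you can see the 404 yourself before asking Let's Encrypt. The account thumbprint is a constructed placeholder, and simulate_locally() replaces Apache with a temporary DocumentRoot so the example runs offline; http_fetch() is the real network fetcher you would use against the live host.

```python
"""Offline reproduction of the http-01 check behind the 404 in this thread.

The ACME client must make http://<domain>/.well-known/acme-challenge/<token>
return the key authorization; the Let's Encrypt validation servers fetch that
URL over plain HTTP, follow redirects, and compare the body. With the webroot
method you stage the file yourself, so you can verify the path before the CA does.
"""
import os
import secrets
import tempfile
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def new_token():
    """Random URL-safe token, standing in for the one the CA issues in the challenge."""
    return secrets.token_urlsafe(32)


def key_authorization(token, account_thumbprint):
    """RFC 8555 section 8.1: token || "." || base64url(JWK thumbprint of the account key).
    The thumbprint is passed in precomputed; deriving it from a real key is out of scope here."""
    return f"{token}.{account_thumbprint}"


def stage_token(webroot, token, key_auth):
    """Write the key authorization where Apache's DocumentRoot will serve it
    (the same layout certbot --webroot -w <webroot> uses). Returns the file path."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_auth)
    return path


def challenge_url(domain, token):
    return f"http://{domain}{ACME_PATH}{token}"


def http_fetch(url):
    """Network fetcher: plain HTTP GET; urllib follows redirects, as the CA does."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_challenge(domain, token, key_auth, fetch=http_fetch):
    """Return (ok, detail). A 404 here is exactly what Let's Encrypt reported above."""
    url = challenge_url(domain, token)
    status, body = fetch(url)
    if status != 200:
        return False, f"{status} from {url}"
    if body.strip() != key_auth:
        return False, "body does not match the key authorization"
    return True, "ok"


def simulate_locally(domain="www.hiltech.com.au"):
    """Stand-in for Apache: serve files from a temporary DocumentRoot so the
    check runs offline. Returns the results for a staged and a missing token."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    token = new_token()
    key_auth = key_authorization(token, "constructed-thumbprint")  # constructed value
    stage_token(webroot, token, key_auth)

    def fake_apache(url):
        name = url.rsplit("/", 1)[1]
        path = os.path.join(webroot, ".well-known", "acme-challenge", name)
        if not os.path.isfile(path):
            return 404, ""
        with open(path, encoding="ascii") as fh:
            return 200, fh.read()

    staged = check_challenge(domain, token, key_auth, fetch=fake_apache)
    missing = check_challenge(domain, "no-such-token", key_auth, fetch=fake_apache)
    return staged, missing


if __name__ == "__main__":
    print(simulate_locally())
```

Against a live server, call stage_token("/var/www/html", token, key_auth) and then check_challenge(domain, token, key_auth) with the default fetcher; if that returns a 404 while the file exists on disk, Apache is serving the request from a different vhost or DocumentRoot than the one you edited, which is the situation this thread ends up diagnosing.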

Your post has an email unsubscribe link, which I’ve edited so nobody accidentally clicks and unsubscribes you.


Thank You Mike,

The result of curl -4 http://ifconfig.io is:

203.31.84.6

Which is the correct IP address for that server.

The contents of 000-default.conf are pretty much stock standard out of the box with a few local tweaks.

--- Begin ---

ServerName www.hiltech.com.au

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@hiltech.com.au
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.hiltech.com.au
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

--- End ---

Kind Regards,
Ian


If you move the ServerName below the VirtualHost line I am pretty sure it will work :)

Certbot did not see a VirtualHost for that name so it would setup a default VirtualHost temporarily. But, Apache might use yours instead. I didn't test it but I am pretty confident.


Thanks again Mike,

I moved the servername into the VirtualHost section.

The response to: certbot --apache -d www.hiltech.com.au -d hiltech.com.au

Was:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.hiltech.com.au
Waiting for verification...
Challenge failed for domain www.hiltech.com.au
http-01 challenge for www.hiltech.com.au
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.hiltech.com.au
Type: unauthorized
Detail: 203.31.84.6: Invalid response from
http://www.hiltech.com.au/.well-known/acme-challenge/d7bN-oLIazinbBu2l7LyNyLPsAyqR19k-KaUWu6jRnQ:
404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

It would appear that certbot can't get around the host not being already configured for letsencrypt.

Kind Regards,
Ian Hilliard

What do you mean by that?

Because I see HTTPS requests working and with a valid cert that expires Aug 11. It is due for renewal but at least there is time for that.

That is for your www domain. I can connect to the root domain but the cert fails because it only includes the www domain name in it.

What I do see is you now also used the root name in the command. But, I did not see a ServerAlias for it in that VirtualHost or your DUMP_VHOSTS output. Using both those names is the usual way so that's good. But, the rest so far has not been using both.

Can you post the updated VirtualHost ? And please use 3 backticks before and after for formatting purposes. On a US keyboard it's the character under the squiggle key in the upper left of the keyboard.


Hello Mike,

Originally www was a CNAME for AUSGATE [203.31.84.1]

When that server died and it turned out that the backup was faulty, I rebuilt the secondary web server [www2] to become the primary web server [www].

Letsencrypt is not allowing me to get a certificate for www on this new web server [203.31.84.6].

I can't do a certbot delete on the old server, because I don't have the cert as the server had to be rebuilt from scratch.

Kind Regards,
Ian


I understand the problem I am just trying to understand what you have.

I think we will need to see the Certbot log file. Can you copy the /var/log/letsencrypt/letsencrypt.log file to a .txt file and then use the upload button on this forum post menu to upload it?

It will be very long

A 404 error with the --apache plug-in is almost always something unusual with the Apache config. That is why I focused there first.

Sometimes it is because people run Certbot on a system other than the one the DNS points to.

And, if you want to try getting a cert with your root domain like shown in your last command you should also include that domain name in your VirtualHost. And, you should adjust the rewrite rules for it too.

Let's look at the log and maybe there will be a clue.

Does your Apache access log show any requests for a URI containing /.well-known/acme-challenge ?


Because your site is called hiltech.com.au and www.hiltech.com.au you need to tell apache all the names it will match against, so as far as I know you can declare one ServerName then the rest of the names are a whitespace-separated list under ServerAlias. I don't really use Apache much.

So your VirtualHost section should probably look like

<VirtualHost *:80>
ServerName hiltech.com.au
ServerAlias www.hiltech.com.au

...
...
</VirtualHost>

As an aside, if you're not hosting any other sites on the same server you should also look at free/cheap static website hosting (for instance Cloudflare Pages is free and you can drag and drop a zip file to upload it) as running your own servers from your home/office will be costing you electricity at least. Some website hosts also offer content management systems so you can edit the content directly using pre-built templates without knowing HTML.


If you make that change [which I think you should], you should also update this section to include the alias:

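The three configuration points raised across the thread (Mike's note that the ServerName was outside the VirtualHost, the advice to add a ServerAlias for the root name, and the reminder to extend the RewriteCond to cover it) can be checked mechanically before running certbot. The linter below is an added example, not part of this thread or of certbot; it is a deliberately small regex parser that understands only <VirtualHost>, ServerName, ServerAlias and RewriteCond %{SERVER_NAME} lines (no Include, no mod_macro), which is enough for a stock 000-default.conf. The POSTED sample is the config from earlier in the thread with its comments stripped; FIXED is the corrected shape suggested above, with a second RewriteCond added so the root name also redirects to HTTPS.

```python
"""Lint an Apache site file for the problems this thread worked through:
a ServerName outside every <VirtualHost> (so certbot --apache finds no vhost
for the name), requested names that no port-80 vhost covers via
ServerName/ServerAlias, and a RewriteCond on %{SERVER_NAME} that lists only
some of those names. Standalone check, not certbot's own logic."""
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I)
REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{SERVER_NAME\}\s+=(\S+)", re.I)


def _hostname(value):
    """ServerName may carry a scheme or port (www.example.com:80); keep only the host."""
    return value.split("://")[-1].split(":")[0].lower()


def parse_vhosts(text):
    """Return (global_names, vhosts); each vhost is {'addr', 'names', 'redirects'}."""
    global_names, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and commented directives
            continue
        if (m := VHOST_OPEN.match(line)):
            current = {"addr": m.group(1).strip(), "names": [], "redirects": []}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif (m := NAME_DIRECTIVE.match(line)):
            names = [_hostname(n) for n in m.group(2).split()]
            (current["names"] if current is not None else global_names).extend(names)
        elif current is not None and (m := REWRITE_COND.match(line)):
            current["redirects"].append(_hostname(m.group(1)))
    return global_names, vhosts


def lint(text, requested, port="80"):
    """Findings for the names passed with certbot -d; an empty list means the file looks right."""
    requested = [_hostname(r) for r in requested]
    global_names, vhosts = parse_vhosts(text)
    findings = []
    for name in global_names:
        findings.append(f"ServerName {name} sits outside every <VirtualHost>; "
                        f"move it into the block for that site")
    port_hosts = [v for v in vhosts
                  if any(a.endswith(f":{port}") for a in v["addr"].split())]
    for domain in requested:
        hosts = [v for v in port_hosts if domain in v["names"]]
        if not hosts:
            findings.append(f"no *:{port} VirtualHost names {domain} in ServerName/ServerAlias")
            continue
        for v in hosts:
            if v["redirects"] and domain not in v["redirects"]:
                findings.append(f"RewriteCond %{{SERVER_NAME}} in the {v['addr']} vhost never "
                                f"matches {domain}, so it will not be redirected to HTTPS")
    return findings


# Sample input: the 000-default.conf posted in this thread, comments removed.
POSTED = """\
ServerName www.hiltech.com.au

<VirtualHost *:80>
    ServerAdmin webmaster@hiltech.com.au
    DocumentRoot /var/www/html
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.hiltech.com.au
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

# Corrected shape: names inside the vhost, alias for www, redirect covering both names.
FIXED = """\
<VirtualHost *:80>
    ServerName hiltech.com.au
    ServerAlias www.hiltech.com.au
    ServerAdmin webmaster@hiltech.com.au
    DocumentRoot /var/www/html
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =hiltech.com.au [OR]
    RewriteCond %{SERVER_NAME} =www.hiltech.com.au
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(conf, ["www.hiltech.com.au", "hiltech.com.au"]) or ["clean"])
```

Run it against the file you are about to hand to certbot (open(...).read()) with the same -d names; apachectl -t -D DUMP_VHOSTS remains the authoritative view of what Apache actually loaded, since this parser reads one file and ignores Include directives.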

Thanks everyone,

I copied the site configuration from another one of the servers which I then tweaked for the correct host name.

Then I had Letsencrypt recreate the certificates.

I have since put the above change into the configuration for www-hiltech.conf and applied for a certificate for hiltech.com.au.

It is all good now and the server test at:

https://www.ssllabs.com/ssltest/analyze.html?d=hiltech.com.au

came back good.

Kind Regards,
Ian Hilliard

