I ran this command: cerbot --apache -d www.hiltech.com.au
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.hiltech.com.au
Waiting for verification...
Challenge failed for domain www.hiltech.com.au
http-01 challenge for www.hiltech.com.au
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-03-08T17:32:54
The operating system my web server runs on is (include version):
Ubuntu Server 20.04
Self hosted
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
When the original web server failed (HDD death and failed backup) I moved the web service from one server onto a different host computer with a different IP address. I changed the DNS tables to define the new server as www and removed the entry for the previous server. Certbot does not want to let me generate a certificate for the new www server even though it is in the same class-C address range.
I keep the servers up to date with the required patches.
I however can´t upgrade that server to the latest revision of Ubuntu server because it has a service on it which will not run on Ubuntu server revision 22.04
Cerbot moved to using snap as the package management for many distros a few years ago, the version of certbot in the ubuntu apt store is too old for anyone to support.
This particular problem may be fixable some other way but you'd need to wait for a certbot + apache export to help figure that out. I'd suggest that cerbot isn't performing the required integration with apache, possibly due to the site hostname not matching the site definition you expect it to. You could try the webroot method of using certbot so you can serve the challenge responses via apache: User Guide — Certbot 2.6.0 documentation
Correct. The Certbot -apache plug-in makes a temp change to your Apache config. Certbot then requests the cert from Let's Encrypt and the LE Servers look for the token created by Certbot.
Are you running Certbot on the same machine as your new Apache server?
Can you show us result of this?
curl -4 http://ifconfig.io
And perhaps most important please show contents of below file. Please add 3 backticks before and after the contents to preserve all the tags like:
```
contents of: /etc/apache2/sites-enabled/000-default.conf
```
The contents of 000-default.conf are pretty much stock standard out of the box with a few local tweaks.
--- Begin ---
ServerName www.hiltech.com.au
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@hiltech.com.au
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.hiltech.com.au
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
If you move the ServerName below the VirtualHost line I am pretty sure it will work
Certbot did not see a VirtualHost for that name so it would setup a default VirtualHost temporarily. But, Apache might use yours instead. I didn't test it but I am pretty confident.
I moved the servername into the VirtualHost section.
The response to: certbot --apache -d www.hiltech.com.au -d hiltech.com.au
Was:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.hiltech.com.au
Waiting for verification...
Challenge failed for domain www.hiltech.com.au
http-01 challenge for www.hiltech.com.au
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
It would appear that certbot can't get around the host not being already configured for letsencrypt.
Because I see HTTPS requests working and with a valid cert that expires Aug11. It is due for renewal but at least there is time for that.
That is for your www domain. I can connect to the root domain but the cert fails because it only includes the www domain name in it.
What I do see is you now also used the root name in the command. But, I did not see a ServerAlias for it in that VirtualHost or your DUMP_VHOSTS output. Using both those names is the usual way so that's good. But, the rest so far has not been using both.
Can you post the updated VirtualHost ? And please use 3 backticks before and after for formatting purposes. On a US keyboard it's the character under the squiggle key in the upper left of the keyboard.
I understand the problem I am just trying to understand what you have.
I think we will need to see the Certbot log file. Can you copy the /var/log/letsencrypt/letsencrypt.log file to a .txt file and then use the upload button on this forum post menu to upload it?
It will be very long
A 404 error with the --apache plug-in is almost always something unusual with the Apache config. That is why I focused there first.
Sometimes it is because people run Certbot on a system other than the one the DNS points to.
And, if you want to try getting a cert with your root domain like shown in your last command you should also include that domain name in your VirtualHost. And, you should adjust the rewrite rules for it too.
Let's look at the log and maybe there will be a clue.
Does your Apache access log show any requests for a URI containing /.well-known/acme-challenge ?
Because your site is called hiltech.com.au and www.hiltech.com.au you need to tell apache all the names it will match against, so as far as I know you can declare one ServerName then the rest of the names are a whitespace-separated list under ServerAlias. I don't really use Apache much.
So your VirtualHost section should probably look like
As an aside, if you're not hosting any other sites on the same server you should also look at free/cheap static website hosting (for instance Cloudflare Pages is free and you can drag and drop a zip file to upload it) as running your own servers from your home/office will be costing you electricity at least. Some website hosts also offer content management systems so you can edit the content directly using pre-built templates without knowing HTML.
| 