Renew a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fad1.omegaformazione.it

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/fad1.omegaformazione.it.conf


Renewing an existing certificate for fad1.omegaformazione.it

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: fad1.omegaformazione.it
Type: unauthorized
Detail: 79.3.250.85: Invalid response from http://fad1.omegaformazione.it/.well-known/acme-challenge/FW6pqYuFip29h2hgqRjUJYCmHjBoI1Ng7hMHFvCBQ4c: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate fad1.omegaformazione.it with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/fad1.omegaformazione.it/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache 2.4.58-1ubuntu8.8

The operating system my web server runs on is (include version): Ubuntu 24.04.2 LTS

My hosting provider, if applicable, is: I'm hosting this VM in my small data center

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.2.0

Everything looks fine, so I'm missing something. I ran a Let's Debug test and it says Test OK.
I installed the certificate in May, had to leave my office for a few days and forgot to check the certificate, which expired on August 6th.
Renewing it gave me the error shown above. Do you have any suggestions?
Thank you a lot - Luca

The obvious question is, what changes have you made to your server configuration since early May? Added a virtual host, perhaps? Other changes to Apache configuration?

4 Likes

The verbose output of Let's Debug shows this from your server's response headers

Request to: fad1.omegaformazione.it/79.3.250.85, Result: [Address=79.3.250.85,Address Type=IPv4,Server=Apache/2.4.52 (Ubuntu)

Notice the slightly different version than you report. Was that just a typo? Or, do you have multiple Apache systems?

2 Likes

Good question, but unfortunately, as far as I remember, I made no change. The server hosts a Moodle site; once it was configured I dealt only with Moodle stuff. I'm still checking whether I made some change, but I don't think so.

The 404 in the error message is an HTTP Not Found.

Certbot renew uses the identical options as the original successful cert. In this case it updates the Apache config to satisfy the challenge. But, when the Let's Encrypt server sent the HTTP request to verify the challenge, your Apache replied with a 404 Not Found.

So, something has definitely changed.

A good place to start is reviewing output of:

sudo apache2ctl -t -D DUMP_VHOSTS
3 Likes

Very likely. This is the output.

root@omega:~# sudo apache2ctl -t -D DUMP_VHOSTS

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  fad1.omegaformazione.it (/etc/apache2/sites-enabled/fad1-ssl.conf:1)
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost fad1.omegaformazione.it (/etc/apache2/sites-enabled/fad1.conf:1)

Hmm. I do see two different Apache versions.

The one handling HTTP is different from the one for HTTPS. Something is wrong with your local network routing or port configuration / mapping.

curl -I http://fad1.omegaformazione.it:80
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)

 curl -Ik https://fad1.omegaformazione.it:443
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)

The one replying to HTTP (port 80) shows a default "home" page. The other shows your intended website.

3 Likes

I see, thank you for pointing it out, but I can't figure out where this second Apache version is. If I list what's installed, this is what I get:
root@omega:~# apt list -a apache2
Listing... Done
apache2/noble-updates,noble-security,now 2.4.58-1ubuntu8.8 amd64 [installed]
apache2/noble 2.4.58-1ubuntu8 amd64

root@omega:/usr/sbin# ps -ef|grep apache
root 845 1 0 19:30 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1342 845 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1343 845 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1344 845 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1345 845 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1346 845 0 19:33 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 1352 845 0 19:34 ? 00:00:00 /usr/sbin/apache2 -k start

Something is happening between the internet and my server. If I ask for the version locally I get:
root@omega:/usr/sbin# curl -I http://localhost:80/
HTTP/1.1 200 OK
Date: Sat, 23 Aug 2025 20:18:14 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 03 Mar 2025 15:13:07 GMT
ETag: "29af-62f7197f8ded0"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html

root@omega:/usr/sbin# curl -Ik https://localhost:443/
HTTP/1.1 303 See Other
Date: Sat, 23 Aug 2025 20:18:24 GMT
Server: Apache/2.4.58 (Ubuntu)
X-Redirect-By: Moodle
Location: https://fad1.omegaformazione.it/
Content-Language: it
Content-Type: text/html; charset=UTF-8

If I ask from the internet instead:
Athena-3:~ luca$ curl -I http://fad1.omegaformazione.it:80/
HTTP/1.1 200 OK
Date: Sat, 23 Aug 2025 20:19:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Sat, 30 Apr 2022 13:42:52 GMT
ETag: "2aa6-5dddf55f31081"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

Athena-3:~ luca$ curl -Ik http://fad1.omegaformazione.it:443/
HTTP/1.1 400 Bad Request
Date: Sat, 23 Aug 2025 20:21:55 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Length: 451
Connection: close
Content-Type: text/html; charset=iso-8859-1

I have to investigate the issue with my internet provider.

1 Like
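The diagnostic used in the two posts above (compare the Server header on port 80 with the one on port 443, and compare what localhost sees with what the internet sees) can be scripted so the comparison is made explicitly rather than by eye. The following is an added example, not code from the thread or from Certbot; the sample header blocks are constructed from the curl -I output quoted in the thread, and the hypothetical probe_live() helper reproduces what curl -Ik does (TLS verification disabled, as -k does, because an expired certificate would otherwise abort the check):

```python
"""Spot a NAT or port-forward that sends port 80 and port 443 of the same
public address to different back-end machines, by comparing the Server
header reported on each port from each vantage point."""
import http.client
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed sample: header blocks as quoted from the thread's curl -I runs.
# Key is (vantage point, TCP port); value is the raw status line plus headers.
SAMPLE_RESPONSES: Dict[Tuple[str, int], str] = {
    ("local", 80): "HTTP/1.1 200 OK\nServer: Apache/2.4.58 (Ubuntu)\nContent-Type: text/html",
    ("local", 443): "HTTP/1.1 303 See Other\nServer: Apache/2.4.58 (Ubuntu)\n"
                    "X-Redirect-By: Moodle\nLocation: https://fad1.omegaformazione.it/",
    ("internet", 80): "HTTP/1.1 200 OK\nServer: Apache/2.4.52 (Ubuntu)\nContent-Type: text/html",
    ("internet", 443): "HTTP/1.1 400 Bad Request\nServer: Apache/2.4.58 (Ubuntu)\nConnection: close",
}


def parse_status_and_headers(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a curl -I style block into (status code, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_fingerprint(raw: str) -> str:
    """The Server header is the cheapest identity of the machine that answered."""
    _, headers = parse_status_and_headers(raw)
    return headers.get("server", "<no Server header>")


def find_split_routing(responses: Dict[Tuple[str, int], str]) -> List[str]:
    """Return human-readable findings; an empty list means every vantage point
    and every port reached the same server software."""
    findings: List[str] = []
    by_vantage: Dict[str, Dict[int, str]] = {}
    for (vantage, port), raw in responses.items():
        by_vantage.setdefault(vantage, {})[port] = server_fingerprint(raw)

    # Same vantage point, port 80 vs port 443: the check the thread made by eye.
    for vantage, ports in by_vantage.items():
        if 80 in ports and 443 in ports and ports[80] != ports[443]:
            findings.append(f"{vantage}: port 80 served by {ports[80]}, port 443 by {ports[443]}")

    # Same port, local vs internet: isolates the problem to the path in front of the host.
    for port in (80, 443):
        seen = {v: p[port] for v, p in by_vantage.items() if port in p}
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{v} sees {s}" for v, s in sorted(seen.items()))
            findings.append(f"port {port}: {detail}")
    return findings


def probe_live(host: str, port: int, use_tls: bool, path: str = "/",
               timeout: float = 5.0) -> Optional[str]:
    """Hypothetical helper: issue a HEAD request and return a curl -I style block.
    TLS verification is disabled on purpose, mirroring curl -k, so an expired
    certificate does not stop the diagnosis. Returns None if the port is unreachable."""
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn: http.client.HTTPConnection = http.client.HTTPSConnection(
                host, port, context=ctx, timeout=timeout)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        status_line = f"HTTP/1.{resp.version % 10} {resp.status} {resp.reason}"
        return "\n".join([status_line] + [f"{k}: {v}" for k, v in resp.getheaders()])
    except OSError:
        return None


if __name__ == "__main__":
    for finding in find_split_routing(SAMPLE_RESPONSES):
        print(finding)
```

Run against the constructed sample it reports two findings: from the internet, port 80 and port 443 are answered by different Apache builds, and port 80 looks different from the internet than from localhost. Port 443 agrees everywhere, which is exactly the pattern of a port-forward rule sending 80 and 443 to different internal hosts. To use it live, populate the dictionary with probe_live(host, 80, False) and probe_live(host, 443, True) from both the server itself and an outside machine; the same helper can request /.well-known/acme-challenge/<token> directly to confirm which host is actually answering the ACME challenge.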

Do you have a router of some sort at your network access? Perhaps it is directing port 80 to one local IP and port 443 to a different local IP?

2 Likes

I still have to speak with my provider's technical support, but yes, 79.3.250.85:80 is sent to a different server, which is not the same one as 79.3.250.85:443. I found the server and asked the provider to fix this NAT issue.
Thank you all for helping me solve this riddle. Many thanks.

4 Likes
