Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: loncapa.winona.edu
I ran this command: sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/loncapa.winona.edu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for loncapa.winona.edu
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (loncapa.winona.edu) from /etc/letsencrypt/renewal/loncapa.winona.edu.conf produced an unexpected error: Failed authorization procedure. loncapa.winona.edu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://loncapa.winona.edu/.well-known/acme-challenge/8VYiRsr_G9bonKMnbn0BDKTp575tOmSplyxrPKNwibw [52.162.238.218]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/loncapa.winona.edu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/loncapa.winona.edu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: loncapa.winona.edu
Type: unauthorized
Detail: Invalid response from
http://loncapa.winona.edu/.well-known/acme-challenge/8VYiRsr_G9bonKMnbn0BDKTp575tOmSplyxrPKNwibw
[52.162.238.218]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
/usr/sbin/apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03
The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-1040-azure x86_64)
My hosting provider, if applicable, is: vm via Azure
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.28.0
[Sun Mar 10 08:36:36.768592 2019] [alias:warn] [pid 6061] AH00671: The ScriptAlias directive in /etc/apache2/conf-enabled/serve-cgi-bin.conf at line 12 will probably never match because it overlaps an earlier ScriptAlias.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.1.0.4. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 10.1.0.4 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 loncapa.winona.edu (/etc/apache2/sites-enabled/loncapa-le-ssl.conf:2)
Note, the system is an Azure VM, so the hostname is bananas.
Thanks @JuergenAuer . Yes, that old thread was mine. I had some trouble getting the system working initially, but the problem then seemed to be some local DNS settings within my institution. Those were resolved, certbot worked fine, and I was actually quite surprised when the renew command initially failed last week.
With regard to your suggestion, do I understand you correctly?
sudo certbot run -a webroot -i apache -w documentRoot -d loncapa.winona.edu
documentRoot does not exist or is not a directory
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at loncapa.winona.edu Port 80
I think this has the appropriate document root specified:
certbot run -a webroot -i apache -w /home/httpd/ -d loncapa.winona.edu
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for loncapa.winona.edu
Using the webroot path /home/httpd for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. loncapa.winona.edu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://loncapa.winona.edu/.well-known/acme-challenge/pa77F24k5VbsmDjqRQwLyR79jr_XNvntugIKI_ySvng [52.162.238.218]: "\n\n404 Not Found\n\n
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.18 (Ubuntu) Server at loncapa.winona.edu Port 80
If a user starts with http, he will never see your https version.
So check your port 80 vHost and add a redirect.
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
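
Added example, not part of the original thread: a shell check that reads `apache2ctl -S` output, finds the vhost that answers port 80 for the domain, and compares its DocumentRoot with the path passed to certbot's `-w`. The function names and the `/var/www/html` value in the constructed sample are assumptions; only DocumentRoot is checked, not Alias or rewrite rules.

```shell
# Added example: does certbot's -w path match the port-80 vhost's DocumentRoot?

# port80_conf DOMAIN < `apache2ctl -S` output: prints "conffile:line" of the
# port-80 vhost named DOMAIN, else the first one listed (Apache's default
# for unmatched Host headers).
port80_conf() {
    awk -v d="$1" '
        function conf(s) { sub(/^.*\(/, "", s); sub(/\).*$/, "", s); return s }
        /^[^ \t]+:80[ \t]/ && !/NameVirtualHost/ {   # single vhost on the port
            if (first == "") first = conf($0)
            if ($2 == d) hit = conf($0)
        }
        /port 80 namevhost/ {                        # several name-based vhosts
            if (first == "") first = conf($0)
            if ($4 == d) hit = conf($0)
        }
        END { print (hit != "" ? hit : first) }'
}

# docroot_of CONFFILE:LINE: first DocumentRoot in the block starting at LINE.
docroot_of() {
    file=${1%:*}; line=${1##*:}
    awk -v start="$line" '
        NR < start { next }
        tolower($1) == "documentroot" {
            r = $2; gsub(/"/, "", r); if (length(r) > 1) sub(/\/+$/, "", r)
            print r; exit
        }
        tolower($1) ~ /^<\/virtualhost/ { exit }' "$file"
}

# check_webroot DOMAIN WEBROOT < listing: 0 match, 1 mismatch, 2 no vhost.
check_webroot() {
    vhost=$(port80_conf "$1")
    [ -n "$vhost" ] || { echo "no port-80 vhost in listing"; return 2; }
    root=$(docroot_of "$vhost"); want=${2%/}
    if [ "$root" = "$want" ]; then echo "OK: $vhost serves $root"; return 0; fi
    echo "MISMATCH: port 80 -> $vhost has DocumentRoot '$root', not '$want'"
    return 1
}

# demo WEBROOT: constructed sample; the DocumentRoot value is an assumption.
demo() {
    d=$(mktemp -d)
    printf '<VirtualHost *:80>\n  DocumentRoot /var/www/html\n</VirtualHost>\n' > "$d/000-default.conf"
    printf '*:80 10.1.0.4 (%s:1)\n*:443 loncapa.winona.edu (%s:2)\n' \
        "$d/000-default.conf" "$d/loncapa-le-ssl.conf" | check_webroot loncapa.winona.edu "$1"
    rc=$?; rm -rf "$d"; return $rc
}
```

On the server, feed it the real listing: `apache2ctl -S 2>/dev/null | check_webroot loncapa.winona.edu /home/httpd`.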