Renew with certbot fails on apache2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

ravebuddies.de

I ran this command:

certbot renew --apache

It produced this output:

2022-05-31 08:37:22,247:WARNING:certbot._internal.auth_handler:Challenge failed for domain ravebuddies.de
2022-05-31 08:37:22,247:INFO:certbot._internal.auth_handler:http-01 challenge for ravebuddies.de
2022-05-31 08:37:22,248:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: ravebuddies.de
Type:   unauthorized
Detail: 78.47.35.172: Invalid response from http://ravebuddies.de/.well-known/acme-challenge/cwecbE2MivkgzuPaTjuB6BbJ3oiuldOSzh7mdoNP76g: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2022-05-31 08:37:22,249:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-05-31 08:37:22,249:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-05-31 08:37:22,249:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-05-31 08:37:22,497:ERROR:certbot._internal.renewal:Failed to renew certificate ravebuddies.de with error: Some challenges have failed.
2022-05-31 08:37:22,499:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 485, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1234, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 123, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 345, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

My Apache2 vHost config:

<VirtualHost *:80>
  ServerName www.ravebuddies.de
  ServerAlias ravebuddies.de

  Include inc.d/noindex.conf

  DocumentRoot /var/www/ravebuddies.de/htdocs/

  Alias /.well-known/ "/var/www/letsencrypt/.well-known/"

  <Directory "/var/www/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
  </Directory>

  #Include /etc/apache2/inc.d/acme-challenge.conf

  RewriteEngine on
  RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
  RewriteRule "^/?(.*)" "https://ravebuddies.de/$1" [L,R,NE]

  # LOGGING
  CustomLog ${APACHE_LOG_DIR}/ravebuddies.de_access.log combined
  ErrorLog ${APACHE_LOG_DIR}/ravebuddies.de_error.log
</VirtualHost>

<VirtualHost *:443>
  ServerName www.ravebuddies.de
  ServerAlias ravebuddies.de

  CustomLog ${APACHE_LOG_DIR}/ravebuddies.de_access.log combined
  ErrorLog ${APACHE_LOG_DIR}/ravebuddies.de_error.log

  Include inc.d/noindex.conf

  SSLEngine on
  SSLCertificateChainFile	/etc/letsencrypt/live/ravebuddies.de/fullchain.pem
  SSLCertificateKeyFile		/etc/letsencrypt/live/ravebuddies.de/privkey.pem
  SSLCertificateFile		/etc/letsencrypt/live/ravebuddies.de/cert.pem

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel info ssl:warn

  DocumentRoot /var/www/ravebuddies.de/htdocs/

  <Directory /var/www/ravebuddies.de/htdocs/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

My web server is (include version):

Server version: Apache/2.4.52 (Debian)

The operating system my web server runs on is (include version):

Linux ravebuddies.de 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No, ssh with terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.12.0

Hi @viktorisacenko, and welcome to the LE community forum :slight_smile:

Thanks for all the details.

Please show full output of:
apachectl -t -D DUMP_VHOSTS

1 Like

Thx :slight_smile:

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server ravebuddies.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ravebuddies.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.ravebuddies.de (/etc/apache2/sites-enabled/ravebuddies.de.conf:1)
                 alias ravebuddies.de
         port 80 namevhost staging.ravebuddies.de (/etc/apache2/sites-enabled/staging.ravebuddies.de.conf:1)
*:443                  is a NameVirtualHost
         default server www.ravebuddies.de (/etc/apache2/sites-enabled/ravebuddies.de.conf:28)
         port 443 namevhost www.ravebuddies.de (/etc/apache2/sites-enabled/ravebuddies.de.conf:28)
                 alias ravebuddies.de
         port 443 namevhost staging.ravebuddies.de (/etc/apache2/sites-enabled/staging.ravebuddies.de.conf:13)

You showed this in your first post.

But, you have a duplicate config file for ravebuddies.de. My guess is you should disable (or remove) your 000-default.conf file as that is not the one you thought you were using in your first post.

2 Likes
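The duplicate can be found mechanically from the `apachectl -t -D DUMP_VHOSTS` output. The following is an added example, not part of the original posts: it parses the port 80 listing posted above and reports every hostname claimed by more than one vhost on the same port. It assumes the dump lists vhosts in the order Apache evaluates them (the first vhost whose ServerName or ServerAlias matches serves the request); the function names are hypothetical and wildcard aliases are not expanded.

```python
import re
from collections import defaultdict

# Port 80 section of the DUMP_VHOSTS output posted in this thread.
SAMPLE = """\
*:80                   is a NameVirtualHost
         default server ravebuddies.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ravebuddies.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.ravebuddies.de (/etc/apache2/sites-enabled/ravebuddies.de.conf:1)
                 alias ravebuddies.de
         port 80 namevhost staging.ravebuddies.de (/etc/apache2/sites-enabled/staging.ravebuddies.de.conf:1)
"""

VHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")
ALIAS = re.compile(r"^\s*alias (\S+)\s*$")


def parse_claims(dump):
    """Return {(port, hostname): [config locations in listing order]}."""
    claims = defaultdict(list)
    current = None  # (port, "file:line") of the vhost whose alias lines follow
    for line in dump.splitlines():
        m = VHOST.match(line)
        if m:
            port, name, path, lineno = m.groups()
            current = (int(port), f"{path}:{lineno}")
            claims[(current[0], name.lower())].append(current[1])
            continue
        m = ALIAS.match(line)
        if m and current:
            claims[(current[0], m.group(1).lower())].append(current[1])
    return claims


def shadowed_names(dump):
    """List (port, hostname, serving vhost, ignored vhosts) for names claimed twice."""
    out = []
    for (port, name), locs in parse_claims(dump).items():
        unique = list(dict.fromkeys(locs))  # de-duplicate, keep order
        if len(unique) > 1:
            out.append((port, name, unique[0], unique[1:]))
    return out


if __name__ == "__main__":
    for port, name, winner, losers in shadowed_names(SAMPLE):
        print(f"port {port}: {name} is served by {winner}; ignored: {', '.join(losers)}")
```

On the posted output this flags `ravebuddies.de` on port 80: requests for that name, including the http-01 challenge, are answered by `000-default.conf` and never reach the vhost that defines the `/.well-known/` alias.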

lol, wtf.
Didn't notice that 000-default.conf was enabled

Disabling default host was the result. Thank you very much <3

1 Like
