Renewal fails behind NAT

My domain is: gwmail.muekno.de

I ran this command: certbot -v

It produced this output:
Challenge failed for domain gwmail.muekno.de
http-01 challenge for gwmail.muekno.de

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: gwmail.muekno.de
Type: unauthorized
Detail: Invalid response from http://gwmail.muekno.de/.well-known/acme-challenge/ZK5RVOsjSNbiKfJUhP1ibQT0euxcdJhtErQrnYBf4Xs [62.54.177.160]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache latest version

The operating system my web server runs on is (include version): Debian 10 latest patches

My hosting provider, if applicable, is: is me myself

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.20.0

The server/website is an internal proxy for an webmail client. I worked fine earlier, it stiil works fine but with a warning certificate expired. Meaning I can still reache the proxied webseite. But can not renew. port 80 and 443 is open from the internet an are leading to the internal private adress of the webserver. Dis not change anting other than regular OS updates.

Thanks for help or hint
Rainer

1 Like

I would start to unravel this mystery with the output of:
sudo apachectl -t -D DUMP_VHOSTS

1 Like

On further review...

But there are different Apache response seen on HTTP and HTTPS:

curl -Ii http://gwmail.muekno.de/
Server: Apache/2.4.38 (Debian)

curl -Iki https://gwmail.muekno.de/
Server: Apache/2.2.12 (Linux/SUSE)

Maybe that is a clue for you.

1 Like

Hi Rudy,

Thank you for quick response!

it is a proxy, port 80 rewrities to port 443
then it proxys to the backend apache server un SUSE Linux.
I do not want direct Internet access, to the backend server for security and other reasons. So I use the proxy.
So the certificate is for the proxy URL.
As I wrote it worked for first issuing the certificate, but it does not work for renewal.
I have the same/similar proxys on nearly identical proxy server setups with Let'encrypt too working fine nclusive renewals since some years now on a customer site.

Here is the output of the command you provided
root@proxy:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
172.16.1.145:80 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail.conf:2)
172.16.1.245:443 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail-le-ssl.conf:3)
root@proxy:~#

Kind regards
Rainer

1 Like

@muekno The DNS for your domain is 62.54.177.160 and that is the IP the Lets Encrypt challenge was sent to (you see this in the error message).

But, the Apache conf you showed was for different IP addresses. I am not very familiar with IP based Apache virtual hosts, but, shouldn't there be one for the DNS IP? Or, is that just your port forwarding?

I see you last got a cert in May which expired late Aug.
https://crt.sh/?Identity=gwmail.muekno.de&deduplicate=Y

Depending on how and when you try renewal, a change between May and now could be important. How do you try renewals - daily, manually?

Would you upload or paste the Certbot renewal conf file? It is located in /etc/letsencrypt/renewal/
If you paste please put three backticks (`) before and after to format it nice.

1 Like

@muekno Oh, would you also show the details for the Certbot command you tried on the proxy? You only showed certbot -v which is for setting up a cert. Using certbot renew is renewal.

@rg305

You broke the rule you taught me :slight_smile: If you use the acme challenge endpoint they both resolve to the same server:

curl -I http://gwmail.muekno.de/.well-known/acme-challenge/Test-Forum
HTTP/1.1 404 Not Found
Date: Sat, 09 Oct 2021 14:31:28 GMT
Server: Apache/2.4.38 (Debian)
Content-Type: text/html; charset=iso-8859-1

curl -Ik https://gwmail.muekno.de/.well-known/acme-challenge/Test-Forum
HTTP/1.1 404 Not Found
Date: Sat, 09 Oct 2021 14:31:34 GMT
Server: Apache/2.4.38 (Debian)
Content-Type: text/html; charset=iso-8859-1
1 Like

First thank you for excellent support!
I got it the IP was the clue, I just compared my version to the running verson at my customers site. there was no, but instead only " IPVirtualhost *: "
So I modified my apache confs and the renew works.

Thanks again and have a nice weekend

Rainer

Mike McQ via Let's Encrypt Community Support letsencrypt@discoursemail.com 16:21 09.10.2021 >>>

@muekno The DNS for your domain is 62.54.177.160 and that is the IP the Lets Encrypt challenge was sent to (you see this in the error message).

But, the Apache conf you showed was for different IP addresses. I am not very familiar with IP based Apache virtual hosts, but, shouldn't there be one for the DNS IP? Or, is that just your port forwarding?

I see you last got a cert in May which expired late Aug.
https://crt.sh/?Identity=gwmail.muekno.de&deduplicate=Y

Depending on how and when you try renewal, a change between May and now could be important. How do you try renewals - daily, manually?

Would you upload or paste the Certbot renewal conf file? It is located in /etc/letsencrypt/renewal/
If you paste please put three backticks (`) before and after to format it nice.

2 Likes

I see HTTP in the failure...
So check your rewrite.

1 Like

Thank you, I have fixed it.

I appreciate your excellent support.

Kind regards Rainer

Rudy Gomez via Let's Encrypt Community Support letsencrypt@discoursemail.com 19:01 09.10.2021 >>>

I see HTTP in the failure...
So check your rewrite.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.