Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
My web server is (include version): Apache latest version
The operating system my web server runs on is (include version): Debian 10 latest patches
My hosting provider, if applicable, is: me myself
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0
The server/website is an internal proxy for a webmail client. It worked fine earlier, and it still works fine, but with a warning that the certificate has expired. Meaning I can still reach the proxied website. But I cannot renew. Ports 80 and 443 are open from the internet and lead to the internal private address of the webserver. Did not change anything other than regular OS updates.
It is a proxy; port 80 rewrites to port 443,
then it proxies to the backend Apache server on SUSE Linux.
I do not want direct Internet access to the backend server, for security and other reasons. So I use the proxy.
So the certificate is for the proxy URL.
As I wrote it worked for first issuing the certificate, but it does not work for renewal.
I have the same/similar proxies on nearly identical proxy server setups with Let's Encrypt too, working fine, including renewals, for some years now on a customer site.
Here is the output of the command you provided
```
root@proxy:~# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
172.16.1.145:80 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail.conf:2)
172.16.1.245:443 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail-le-ssl.conf:3)
root@proxy:~#
```
@muekno The DNS for your domain is 62.54.177.160 and that is the IP the Let's Encrypt challenge was sent to (you see this in the error message).
But, the Apache conf you showed was for different IP addresses. I am not very familiar with IP based Apache virtual hosts, but, shouldn't there be one for the DNS IP? Or, is that just your port forwarding?
Depending on how and when you try renewal, a change between May and now could be important. How do you try renewals - daily, manually?
Would you upload or paste the Certbot renewal conf file? It is located in /etc/letsencrypt/renewal/
If you paste, please put three backticks (`) before and after to format it nicely.
@muekno Oh, would you also show the details for the Certbot command you tried on the proxy? You only showed certbot -v which is for setting up a cert. Using certbot renew is renewal.
First thank you for excellent support!
I got it, the IP was the clue. I just compared my version to the running version at my customer's site. There was no IP, but instead only "VirtualHost *:".
So I modified my Apache confs and the renew works.
I see you last got a cert in May which expired late Aug.
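An added check (my own example, not from the thread, Certbot or Apache) that parses `apachectl -t -D DUMP_VHOSTS` output like the one posted above and flags the IP-bound port-80 vhost that kept the HTTP-01 challenge from reaching Certbot's temporary config. The two sample dumps are constructed after the thread's output; the `*:80` form is the corrected setup the poster ended up with.

```python
import re

# Constructed sample modelled on the `apachectl -t -D DUMP_VHOSTS` output shown
# in the thread: both vhosts are bound to specific private addresses.
IP_BOUND_DUMP = """VirtualHost configuration:
172.16.1.145:80 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail.conf:2)
172.16.1.245:443 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail-le-ssl.conf:3)
"""

# Constructed sample of the corrected setup: wildcard bindings on both ports.
WILDCARD_DUMP = """VirtualHost configuration:
*:80 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail.conf:2)
*:443 gwmail.muekno.de (/etc/apache2/sites-enabled/gwmail-le-ssl.conf:3)
"""

SINGLE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((\S+)\)")    # "addr:port name (file)"
GROUP_RE = re.compile(r"^(\S+):(\d+)\s+is a NameVirtualHost")  # name-based group header
MEMBER_RE = re.compile(r"^\s+port (\d+) namevhost (\S+)\s+\((\S+)\)")  # group member


def parse_dump_vhosts(text):
    """Return (address, port, servername) for every vhost in DUMP_VHOSTS output."""
    vhosts, group_addr = [], None
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            group_addr = m.group(1)
        elif m := MEMBER_RE.match(line):
            vhosts.append((group_addr, int(m.group(1)), m.group(2)))
        elif m := SINGLE_RE.match(line):
            vhosts.append((m.group(1), int(m.group(2)), m.group(3)))
    return vhosts


def acme_binding_findings(text, domain):
    """Flag bindings that keep an HTTP-01 challenge from reaching the vhost
    Certbot edits: a port-80 vhost tied to one local address (if the port
    forward delivers the request to another address, no vhost matches and
    Certbot's temporary config is never served), and port 80/443 vhosts for
    the same name living on different addresses."""
    mine = [(a, p) for a, p, name in parse_dump_vhosts(text) if name == domain]
    port80 = {a for a, p in mine if p == 80}
    port443 = {a for a, p in mine if p == 443}
    findings = [f"{domain}: port 80 vhost bound to {a} instead of *"
                for a in sorted(port80 - {"*"})]
    if port80 and port443 and port80 != port443:
        findings.append(f"{domain}: port 80 ({', '.join(sorted(port80))}) and port 443 "
                        f"({', '.join(sorted(port443))}) use different addresses")
    return findings
```

Run it against the real dump before `certbot renew`; an empty result for the certificate's domain means the port-80 vhost will match whatever local address the forwarded challenge arrives on.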