I was able to get my initial certs installed without much problem, but renewal, not so much. Perhaps some relevant background...

• I'm using this particular server as one that is failing I have at least 3 others that are doing the same thing.
• These servers are running the network testing suite PerfSonar (https://www.perfsonar.net/), which does automatic updates, including its own updates to the web server configuration. (Is that what happened here? I don't know? And is it relevant?)
• I have two active NICs, both of which are used for different tests. Each of those NICs have both an IPv4 and an IPV6 address.

I've been searching the forums here and haven't found anything useful for me yet.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ps-grand-bw.perfsonar.kanren.net

I ran this command:
certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/ps-grand-bw.perfsonar.kanren.net.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for ps-grand-bw.perfsonar.kanren.net
Performing the following challenges:
http-01 challenge for ps-grand-bw.perfsonar.kanren.net
Waiting for verification...
Challenge failed for domain ps-grand-bw.perfsonar.kanren.net
http-01 challenge for ps-grand-bw.perfsonar.kanren.net
Cleaning up challenges
Failed to renew certificate ps-grand-bw.perfsonar.kanren.net with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/ps-grand-bw.perfsonar.kanren.net/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: ps-grand-bw.perfsonar.kanren.net
  Type: unauthorized
  Detail: 2001:49d0:23c0:1::10: Invalid response from
  http://ps-grand-bw.perfsonar.kanren.net/.well-known/acme-challenge/jMQL7CtXPZCFPfspgqMybZs4rJFsDCRoJ6l3yCZloSo:
  404

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version):
Apache 2.4.6-99

The operating system my web server runs on is (include version):
CentOS 7.9

My hosting provider, if applicable, is:
Self

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.11.0

Welcome to the community @kylehutson

A 404 with Certbot --apache authenticator usually means something is unusual with the Apache config. The place to start is by showing output of

sudo apachectl -t -D DUMP_VHOSTS

You may need to use httpd or apache2ctl instead of apachectl on your system

I probably should have included that to begin with since I saw it posted earlier...

Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
[Thu Feb 01 11:33:00.937093 2024] [alias:warn] [pid 7234] AH00671: The Alias directive in /etc/httpd/conf.d/apache-toolkit_web_gui.conf at line 11 will probably never match because it overlaps an earlier Alias.
[Thu Feb 01 11:33:00.937361 2024] [alias:warn] [pid 7234] AH00671: The Alias directive in /etc/httpd/conf.d/apache-toolkit_web_services.conf at line 2 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:80 is a NameVirtualHost
default server ps-grand-bw (/etc/httpd/conf.d/ZZdefault.conf:1)
port 80 namevhost ps-grand-bw (/etc/httpd/conf.d/ZZdefault.conf:1)
port 80 namevhost ps-grand-bw.perfsonar.kanren.net (/etc/httpd/conf.d/apache-toolkit_web_gui.conf:33)
port 80 namevhost ps-grand-bw.perfsonar.kanren.net (/etc/httpd/conf.d/le-redirect-ps-grand-bw.perfsonar.kanren.net.conf:1)
*:443 ps-grand-bw.perfsonar.kanren.net (/etc/httpd/conf.d/ssl.conf:56)

Can that be updated?

ditto

ditto

You have a name / port overlap. You seem to have some skills so you need to merge key parts from both into one or eliminate the "wrong" one.

Whichever conf file has the most recent date is likely the one causing the problem. It still might be the one you need. Only you can know what Apache is supposed to be doing. I just know you can't have two VirtualHost for the same domain name and port.

As an aside, Certbot 1.11 is very old but I don't think it is contributing to the problem. That is probably the latest in your Centos yum(?). Just wanted to point out options are here https://certbot.eff.org

Clearly, the same name is being used in two vhosts.
You need to do one of the following:

• change the host name [in one of the files]
• remove one of the files
• merge the two files into one [keeping only what is needed - and without any duplication]

@rg305
All of these boxes are scheduled for an OS update in the next couple of months. I know I can go outside of the distro for these, but since they're going to be upgraded soon anyway...

@MikeMcQ
I think I may have had to do the "le-redirect" one to get LE working to begin with(?). Removing it, though, seemed to solve my problem.

Thanks all!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.