Retrieving new certificate failing - Please help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.kaprion.de

I ran this command: sudo /usr/local/bin/certbot-auto --apache (on debian jessie)

It produced this output:
…
Challenge failed for domain www.kaprion.de
http-01 challenge for www.kaprion.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: www.kaprion.de
  Type: unauthorized
  Detail: Invalid response from https://www.kaprion.de/
  [212.111.236.194]: “\n<html
  lang=“de-DE”>\n\n\t<meta charset=“UTF-8” />\n\t<meta
  http-equiv=“X-UA-Compatible” content=“IE=10” />\n\t<ti”

My web server is (include version):
apache2
The operating system my web server runs on is (include version):
Debian Jessie
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.1

According to this site: https://check-your-website.server-daten.de/?q=kaprion.de
the https-site as well as the http-site have the following status:
https://www.kaprion.de/ -->http-status 200
http://www.kaprion.de/ --> http-status 302

I guess it should be ok but the challenge is failing (so far the certificate was renewed manually, now we want to switch to automatic).

Could somebody please help and tell me what is going wrong and how to fix it?

Hi @sdittrich

please read the complete output:

Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename. Creating a Letsencrypt certificate via http-01 challenge may not work.

Checking the standard urls:

It's curious that you use --apache, but there is a redirect to the /. Looks like the apache authenticator doesn't understand your configuration.

What says

apachectl -S

PS: There are two different Apache:

Port 80:

Server: Apache/2.4.25 (Debian)

Port 443:

Server: Apache/2.4.10 (Debian)

Looks like Certbot picks the wrong Apache, so --apache doesn't work.

Ok, thanks, @JuergenAuer. I will try to resolve it. I will give feedback when I got it done or need some more help.

You have different options.

One - create a correct redirect http -> https with http + folder+file -> https + folder+file.

Then use the webroot of your https and webroot as authenticator.

Looks, that your Certbot picks the https Apache to add the location definition, but that’s ignored because the other Apache answers.

@JuergenAuer, that's a very clever thing to test for in your tool!

Thanks for the help, it was the SNI preventing the challenge from successfully running.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.