Retrieving new certificate failing - Please help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.kaprion.de

I ran this command: sudo /usr/local/bin/certbot-auto --apache (on debian jessie)

It produced this output:

Challenge failed for domain www.kaprion.de
http-01 challenge for www.kaprion.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.kaprion.de
    Type: unauthorized
    Detail: Invalid response from https://www.kaprion.de/
    [212.111.236.194]: "\n<html
    lang="de-DE">\n\n\t<meta charset="UTF-8" />\n\t<meta
    http-equiv="X-UA-Compatible" content="IE=10" />\n\t<ti"

My web server is (include version):
apache2
The operating system my web server runs on is (include version):
Debian Jessie
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.1

According to this site: https://check-your-website.server-daten.de/?q=kaprion.de
the https-site as well as the http-site have the following status:
https://www.kaprion.de/ --> http-status 200
http://www.kaprion.de/ --> http-status 302

I guess it should be ok but the challenge is failing (so far the certificate was renewed manually, now we want to switch to automatic).

Could somebody please help and tell me what is going wrong and how to fix it?

Hi @sdittrich

please read the complete output:

Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename. Creating a Letsencrypt certificate via http-01 challenge may not work.

Checking the standard urls:

Domainname [IP] | Http-Status | redirect | Sec. | G
http://kaprion.de/ [212.111.236.194] | 302 | https://kaprion.de/index.php | 0.030 | A
http://www.kaprion.de/ [212.111.236.194] | 302 | KAPRION Technologies GmbH | 3.030 | A
https://kaprion.de/ [212.111.236.194] | 301 | https://www.kaprion.de/ | 9.157 | B
https://kaprion.de/index.php | 301 | https://www.kaprion.de/ | 9.160 | B
KAPRION Technologies GmbH | 301 | https://www.kaprion.de/ | 9.150 | B
https://www.kaprion.de/ [212.111.236.194] | -14 | Timeout - The operation has timed out | 10.030 | T
http://kaprion.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de [212.111.236.194] | 302 | https://kaprion.de/index.php | 0.030 | A
    Visible Content: Found The document has moved here . Apache/2.4.25 (Debian) Server at kaprion.de Port 80
http://www.kaprion.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de [212.111.236.194] | 302 | KAPRION Technologies GmbH | 3.033 | A
    Visible Content: Found The document has moved here . Apache/2.4.25 (Debian) Server at www.kaprion.de Port 80

It's curious that you use --apache, but there is a redirect to the /. Looks like the apache authenticator doesn't understand your configuration.

What does

apachectl -S

say?

PS: There are two different Apaches:

Port 80:

Server: Apache/2.4.25 (Debian)

Port 443:

Server: Apache/2.4.10 (Debian)

Looks like Certbot picks the wrong Apache, so --apache doesn’t work.


Ok, thanks, @JuergenAuer. I will try to resolve it. I will give feedback when I get it done or need some more help.


You have different options.

One - create a correct redirect http -> https with http + folder+file -> https + folder+file.

Then use the webroot of your https and webroot as authenticator.

Looks like your Certbot picks the https Apache to add the location definition, but that’s ignored because the other Apache answers.

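The first option above (a path-preserving redirect plus the webroot authenticator), written out as an added example for the port-80 vhost; this is not the poster's configuration or the checker's output. The hostnames are the ones from this thread; the webroot path /var/www/html and the vhost layout are assumptions.

```apache
# Added example, not the poster's config. Assumed: the HTTPS site serves
# from /var/www/html, and this vhost is the Apache answering on port 80.

# Before (what the checker observed): every request on port 80, including
# /.well-known/acme-challenge/<token>, is sent to the front page, so the
# validation request never reaches the token file.
#<VirtualHost *:80>
#    ServerName www.kaprion.de
#    ServerAlias kaprion.de
#    Redirect / https://www.kaprion.de/index.php
#</VirtualHost>

# After: serve the challenge directory directly over HTTP and redirect
# everything else to the same path on https://www.kaprion.de.
<VirtualHost *:80>
    ServerName www.kaprion.de
    ServerAlias kaprion.de

    # Challenge files come from the HTTPS vhost's webroot, so
    # "certbot-auto certonly --webroot -w /var/www/html" can write them here.
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
    <Directory /var/www/html/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # mod_alias processes Redirects before Aliases, so the challenge path
    # must be excluded from the redirect explicitly (negative lookahead).
    # $1 carries the requested path over, e.g. /foo/bar -> https://www.kaprion.de/foo/bar
    RedirectMatch permanent ^/(?!\.well-known/acme-challenge/)(.*)$ https://www.kaprion.de/$1
</VirtualHost>
```

After reloading Apache, a request for http://www.kaprion.de/.well-known/acme-challenge/anything should return the file (or a 404) from port 80 rather than a 302, and the certificate can then be requested with certbot-auto certonly --webroot -w /var/www/html -d www.kaprion.de.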

@JuergenAuer, that’s a very clever thing to test for in your tool!


Thanks for the help, it was the SNI preventing the challenge from successfully running.

