Setting up Let's Encrypt on Ubuntu 22.04/Apache2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
https://patrickmckenneylandscaping.com
https://www.patrickmckenneylandscaping.com
https://scsiraidguru.com
https://www.scsiraidguru.com
https://mc.scsiraidguru.com

I use IPv4 and IPv6. Let's Encrypt is accessing as IPv6
I don't allow http only https. Any way to use port 443?

I ran this command:
I followed the Digital Ocean document

I manually created .well-known/acme-challenge and set it to www-data:www-data.

It produced this output:

My web server is (include version):
Ubuntu 22.04
Apache2

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mc.scsiraidguru.com
Type: connection
Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec: Fetching http://mc.scsiraidguru.com/.well-known/acme-challenge/eSIr76BguewqfNuW0yrv8cf3XYT1091OhxtzM9fnfPM: Connection reset by peer

Domain: patrickmckenneylandscaping.com
Type: connection
Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec: Fetching http://patrickmckenneylandscaping.com/.well-known/acme-challenge/afTNPnRnt0Bi3o5I9z3oZ_qakOELfLCZr1_z7eVvb80: Connection reset by peer

Domain: scsiraidguru.com
Type: connection
Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec: Fetching http://scsiraidguru.com/.well-known/acme-challenge/4NgM3fuTo_-5vJh9xc3Dky-b4EqtUZedmi6-T2NCRkc: Connection reset by peer

Domain: www.patrickmckenneylandscaping.com
Type: connection
Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec: Fetching http://www.patrickmckenneylandscaping.com/.well-known/acme-challenge/1i3NNlSbpB5oeHkY2CSeglzB-TKXl-qEpmpkrs1L21A: Connection reset by peer

Domain: www.scsiraidguru.com
Type: connection
Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec: Fetching http://www.scsiraidguru.com/.well-known/acme-challenge/6C22egYfI2dNaEmq5G8q7PPQTwCJuGgdL9pkbl3IPuU: Connection reset by peer

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
michael@wpmm22:/var/www/wp.scsiraidguru.com/public_html$

Certbot 1.21.0

Is the IPv6 address correct? Because 2601:402:8200:d410:20c:29ff:fea5:7fec seems to be a Comcast address while your IPv4 address 99.158.235.35 seems to be an AT&T address.

2 Likes

I agree with Osiris that your IPv6 address looks wrong.

You currently allow HTTP on IPv4. I don't see any reason to intentionally block that. But, other options are the DNS Challenge or TLS-ALPN which uses port 443. Apache supports TLS-ALPN in its mod_md feature. See the Apache docs or I like these GitHub docs

3 Likes

I have a Fortinet 60E firewall with SD-WAN. WAN1 is AT&T. WAN2 is Comcast. Godaddy has both IPv4 and IPv6 configured. SSL Labs gives me A+ for my IPv4 and IPv6.

1 Like

I missed this earlier. But Certbot does not support the tls-alpn-01 challenge, which uses port 443. I believe Apache's mod_md module however does support that challenge.

But why isn't HTTP open? It's required for any HTTP to HTTPS redirect, if necessary. I believe only Chrome starts with HTTPS by default, so other browsers would require an HTTP to HTTPS redirect for your site to work.

See also:

2 Likes

http translates to https. I have Godaddy certs on the web sites currently.

SSLProtocol -all +TLSv1.3 +TLSv1.2
Protocols h2 h2c

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022): TLS-ALPN is part of it.

The IPv6 address is a delegated address from Comcast.

Apache 2 blocks the apache version and php version from being shown to prevent certain hacks

What does that even mean?

The tls-alpn-01 challenge is a feature of the ACME protocol and does not have much relation to OpenSSL.

1 Like

HTTP is being redirected to HTTPS. So, you do allow it and it should work for an HTTP Challenge if done right. See my prior post about mod_md docs to use TLS-ALPN as your ACME Client must support that and Certbot does not.

Further, once the "connection reset" problem is fixed you will need to change your CAA records as they currently only allow GoDaddy issuance (Let's Debug link).

Sorry about my bad info using my VPN earlier. Its IPv6 was broken and led to my wrong conclusions. But, something seems wrong with your IPv6 in relation to the HTTP Challenge. I don't get a connection failure but get this from the LE staging system

Authority reported these problems:
  Domain: mc.scsiraidguru.com
  Type:   connection
  Detail: 2601:402:8200:d410:20c:29ff:fea5:7fec: 
Fetching https://mc.scsiraidguru.com.well-known/acme-challenge/L6Ce3Ad3JNqv0u5YNy-u_BB6bhhhsyIYEkMzkJYDASk: 
Invalid host in redirect target "mc.scsiraidguru.com.well-known". 
Check webserver config for missing '/' in redirect target.

3 Likes
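To make the "missing '/'" failure above concrete, here is an added Python model (not Certbot or Let's Encrypt code) of how a CA follows an http-01 redirect and which redirect targets it rejects. Only the hostname and token come from the post; the web-server responses and the assumed Apache `Redirect permanent / https://host` cause are constructed for illustration.

```python
"""Offline model of how a CA follows redirects while fetching an http-01
token, reproducing the 'Invalid host in redirect target' error above.
Added example for this thread, not Certbot or Let's Encrypt code."""
from urllib.parse import urlsplit

TOKEN = "L6Ce3Ad3JNqv0u5YNy-u_BB6bhhhsyIYEkMzkJYDASk"   # token quoted in the post
PATH = "/.well-known/acme-challenge/" + TOKEN
URL = "http://mc.scsiraidguru.com" + PATH

# Constructed responses standing in for the web server: url -> (status, body
# or Location). BROKEN assumes an Apache 'Redirect permanent / https://host'
# with no trailing slash: Apache appends the remainder of the request path
# to the target string, so '/.well-known/...' turns into 'host.well-known/...'.
BROKEN = {URL: (301, "https://mc.scsiraidguru.com" + PATH[1:])}
FIXED = {
    URL: (301, "https://mc.scsiraidguru.com" + PATH),
    "https://mc.scsiraidguru.com" + PATH: (200, TOKEN + ".thumbprint-placeholder"),
}

def check_redirect_target(location):
    """Return None if Location is usable for http-01, else the reason it is not."""
    u = urlsplit(location)
    if u.scheme not in ("http", "https"):
        return "redirect scheme must be http or https"
    host = u.hostname or ""
    # A hostname that swallowed '.well-known' is the missing-'/' symptom.
    if not host or ".well-known" in host or u.port not in (None, 80, 443):
        return f'Invalid host in redirect target "{host}"'
    return None

def fetch_token(server, url, max_redirects=10):
    """Follow redirects as a CA would and return (ok, detail)."""
    for _ in range(max_redirects + 1):
        status, body = server.get(url, (404, ""))
        if status in (301, 302, 307, 308):
            reason = check_redirect_target(body)
            if reason:
                return False, reason
            url = body
            continue
        return status == 200 and body.startswith(TOKEN), f"{status} {url}"
    return False, "too many redirects"

if __name__ == "__main__":
    print(fetch_token(BROKEN, URL))   # rejected: host became mc.scsiraidguru.com.well-known
    print(fetch_token(FIXED, URL))    # token served after a valid redirect
```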

I changed the configuration to

SSLProtocol -all +TLSv1.3 +TLSv1.2
Protocols h2 h2c http/1.1 acme-tls/1

LE prefers IPv6 over IPv4.
This "broken redirection" is a problem:

As the message clearly states:

2 Likes

I fixed the / in the redirect on mc.scsiraidguru.com and checked the other two web sites.

To all who have made suggestions, a Big Thank You. I need to add a CAA record to Godaddy for Let's Encrypt. Can I keep both CAA records for Godaddy and Let's Encrypt?

Where I am at now.

Which names would you like to activate HTTPS for?


1: patrickmckenneylandscaping.com
2: wp.patrickmckenneylandscaping.com
3: www.patrickmckenneylandscaping.com
4: scsiraidguru.com
5: mc.scsiraidguru.com
6: wp.scsiraidguru.com
7: www.scsiraidguru.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 3 4 5 7
Requesting a certificate for patrickmckenneylandscaping.com and 4 more domains
Performing the following challenges:
http-01 challenge for mc.scsiraidguru.com
http-01 challenge for patrickmckenneylandscaping.com
http-01 challenge for scsiraidguru.com
http-01 challenge for www.patrickmckenneylandscaping.com
http-01 challenge for www.scsiraidguru.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain mc.scsiraidguru.com
Challenge failed for domain patrickmckenneylandscaping.com
Challenge failed for domain scsiraidguru.com
Challenge failed for domain www.patrickmckenneylandscaping.com
Challenge failed for domain www.scsiraidguru.com
http-01 challenge for mc.scsiraidguru.com
http-01 challenge for patrickmckenneylandscaping.com
http-01 challenge for scsiraidguru.com
http-01 challenge for www.patrickmckenneylandscaping.com
http-01 challenge for www.scsiraidguru.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mc.scsiraidguru.com
Type: caa
Detail: CAA record for scsiraidguru.com prevents issuance

Domain: patrickmckenneylandscaping.com
Type: caa
Detail: CAA record for patrickmckenneylandscaping.com prevents issuance

Domain: scsiraidguru.com
Type: caa
Detail: CAA record for scsiraidguru.com prevents issuance

Domain: www.patrickmckenneylandscaping.com
Type: caa
Detail: CAA record for patrickmckenneylandscaping.com prevents issuance

Domain: www.scsiraidguru.com
Type: caa
Detail: CAA record for scsiraidguru.com prevents issuance

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
michael@wpmm22:/etc/apache2/conf-available$

1 Like

Great progress. And, yes, to multiple CAs in CAA

Here is a good configurator
https://sslmate.com/caa/

from here:

3 Likes

The current CAA record is
caa @ godaddy.com 0 issue

So I created the same record for Let's Encrypt
caa @ letsencrypt.org 0 issue

It will be for each of the domains.

1 Like

So is everything working then?

Note the CAA IODEF record is ignored by Let's Encrypt. I see you have it so just wanted to alert that it won't provide any benefit from LE (and probably never did with GoDaddy either).

3 Likes
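The CAA behaviour in the last few posts (the parent-domain record blocking mc.scsiraidguru.com, two issue records coexisting, and iodef being ignored for issuance) follows the RFC 8659 lookup rules; here is an added Python model of that evaluation, not Let's Encrypt's implementation. The zone data is constructed from the records quoted in the thread, with a placeholder iodef value.

```python
"""Evaluate CAA as RFC 8659 describes: climb from the requested name to the
closest ancestor (or self) that has CAA records, then consult 'issue' (or
'issuewild' for wildcard names). Added example for this thread."""

# Constructed zone data: name -> [(flags, tag, value)], built from the
# thread's 'caa @ godaddy.com 0 issue' records; the iodef value is a placeholder.
BEFORE = {
    "scsiraidguru.com": [(0, "issue", "godaddy.com"),
                         (0, "iodef", "mailto:hostmaster@example.invalid")],
    "patrickmckenneylandscaping.com": [(0, "issue", "godaddy.com")],
}
# After adding 'caa @ letsencrypt.org 0 issue' alongside the GoDaddy record.
AFTER = {n: r + [(0, "issue", "letsencrypt.org")] for n, r in BEFORE.items()}

def relevant_caa(zone, name):
    """Return the CAA records of the closest name at or above `name` that has any."""
    labels = name.removeprefix("*.").split(".")
    for i in range(len(labels)):
        recs = zone.get(".".join(labels[i:]))
        if recs:
            return recs
    return []

def caa_permits(zone, name, ca="letsencrypt.org"):
    """True if the CA identified by `ca` may issue for `name`."""
    recs = relevant_caa(zone, name)
    if not recs:
        return True                      # no CAA anywhere up the tree: unrestricted
    # An unknown tag marked critical (flag bit 128) forbids issuance outright.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in recs):
        return False
    wild = name.startswith("*.")
    props = [v for _, t, v in recs if t == ("issuewild" if wild else "issue")]
    if wild and not props:               # no issuewild: fall back to issue
        props = [v for _, t, v in recs if t == "issue"]
    if not props:                        # only iodef or other tags: no restriction
        return True
    # Each value is 'domain[; params]'; a bare ';' means no CA may issue.
    allowed = {v.split(";")[0].strip().lower() for v in props}
    return ca in allowed

if __name__ == "__main__":
    for zone in (BEFORE, AFTER):
        print(caa_permits(zone, "mc.scsiraidguru.com"))   # False, then True
```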

I logged into work to check the certificates. My workstation runs Avast.

They showed up as Let's Encrypt
SSLLabs gave me A+ after I uploaded the chain.pem to my Fortinet 60E firewall as a CA Cert

Tomorrow, I will finish cleaning up Godaddy DNS for an old URL no longer in use.

michael@wpmm22:~$ sudo systemctl status certbot.timer
[sudo] password for michael:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
Active: active (waiting) since Sun 2023-12-10 12:39:23 EST; 7h ago
Trigger: Mon 2023-12-11 11:10:27 EST; 15h left
Triggers: ● certbot.service

Dec 10 12:39:23 wpmm22 systemd[1]: Started Run certbot twice daily.

michael@wpmm22:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/patrickmckenneylandscaping.com.conf


Account registered.
Simulating renewal of an existing certificate for patrickmckenneylandscaping.com and 4 more domains


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/patrickmckenneylandscaping.com/fullchain.pem (success)


michael@wpmm22:~$

The last of the errors seem to be resolved. Tested the renewal and timer.

Anything else I need to do?

Thank you everyone for your help. Godaddy was renewing in 120 days, $400-$500.

2 Likes

It was never in Godaddy either. I just added it to be complete. I can remove it tomorrow.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.