To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
The interesting thing is that only those 2 domains fail. I have other domains on the same server that can correctly be authenticated. Even other subdomains of the same domain! I didn’t find any .well-known somewhere (and also cannot remember having created one anywhere).
Can someone help me here, what can be wrong with these 2 domains?
port 80 namevhost mantis.poiu.de (/etc/apache2/sites-enabled/mantis.poiu.de.conf:1)
port 80 namevhost poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:1)
port 80 namevhost mad.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:29)
port 80 namevhost blog.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:71)
port 80 namevhost kilt.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:112)
port 80 namevhost apron.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:127)
port 80 namevhost fez.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:142)
port 443 namevhost mantis.poiu.de (/etc/apache2/sites-enabled/mantis.poiu.de.conf:8)
port 443 namevhost poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:1)
port 443 namevhost mad.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:36)
port 443 namevhost blog.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:77)
port 443 namevhost kilt.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:118)
port 443 namevhost apron.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:133)
port 443 namevhost fez.poiu.de (/etc/apache2/sites-enabled/poiu.de.conf:148)
Thanks. That also looks totally fine, so it looks like my suspicion was wrong.
I guess it’s possible that the temporary changes made by Certbot’s Apache authenticator to the VirtualHost (the first one in poiu.de.conf at line 1) don’t work properly.
It seems unlikely for a simple VirtualHost (e.g. no reverse proxying or mod_access or anything like that) - but it would be helpful to see how it is configured.
Something that may help you is the --debug-challenges flag. What it does is pause Certbot’s execution AFTER it modifies your VirtualHost, but before it submits the order to Let’s Encrypt. This way, you will be able to open up poiu.de.conf and see what changes were made, and whether they actually work.
Interesting. Your suggestion for using --debug-challenges was the right one. It actually did not stop the process, but I had enough time to hit Ctrl-Z to stop execution and investigate the temporary changes.
And I found that the non-working subdomains were the only ones that had HTTP and HTTPS in the same VirtualHost directive:
I wouldn’t call it a bug per se, but it’s a weird situation that it should probably detect and explicitly report on. But having the same VirtualHost try to respond on both ports 80 and 443 is almost never a good idea, since Apache doesn’t allow you to selectively enable HTTPS on one port and disable it on the other - you have to have them in separate VirtualHosts for that. (Sometimes it works anyway because another VirtualHost’s configuration takes precedence, and sometimes it doesn’t).
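A small check, added here as an illustration and not part of the thread or of Certbot, that scans an Apache config for the shape described above: a single VirtualHost that answers on more than one port. The config text is constructed for the example (hostnames under example.test) and is not the poster's poiu.de.conf.

```python
import re
from typing import List, Tuple

# Constructed sample config (not the poster's file): the first block has the problematic
# shape from the thread; the second and third show the same name split correctly.
SAMPLE_CONF = """\
<VirtualHost *:80 *:443>
    ServerName kilt.example.test
    SSLEngine on
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.test
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.test
    SSLEngine on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)


def vhost_ports(addrs: str) -> List[str]:
    """Port of each address in a <VirtualHost ...> tag; '*' when none is given."""
    ports = []
    for addr in addrs.split():
        if addr.endswith("]") or ":" not in addr:
            ports.append("*")  # '*', a bare host, or a bracketed IPv6 literal without a port
        else:
            ports.append(addr.rsplit(":", 1)[1])  # handles *:80, 1.2.3.4:443, [::1]:443
    return ports


def find_mixed_port_vhosts(conf: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line, ServerName, ports) for every VirtualHost that listens on more than one port."""
    findings, current, name = [], None, None
    for lineno, line in enumerate(conf.splitlines(), 1):
        if m := VHOST_OPEN.match(line):
            current, name = (lineno, vhost_ports(m.group(1))), None
        elif (m := SERVERNAME.match(line)) and current:
            name = m.group(1)
        elif VHOST_CLOSE.match(line) and current:
            if len(set(current[1])) > 1:  # e.g. ['80', '443']: SSL cannot be enabled on one port only
                findings.append((current[0], name, current[1]))
            current = None
    return findings
```

Any VirtualHost it reports should be split into one block per port, with SSLEngine on only in the :443 block.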