Some challenges are failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: camera.wiki.br

I ran this command: certbot --apache --domain camera.wiki.br

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for camera.wiki.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: camera.wiki.br
Type: unauthorized
Detail: 206.189.225.129: Invalid response from http://camera.wiki.br/.well-known/acme-challenge/mCMim_XASHwXkh4Wd5fScMOSsdkO1YV5qx0vEj4m55k: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): apache 2.4.58

The operating system my web server runs on is (include version): ubuntu 24.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

Welcome back @klebermo

The "404" error with the --apache plugin means it did not set up the HTTP Challenge properly and the Let's Encrypt server got the 404 Not Found response instead of the proper challenge token.

Let's review your Apache config. Would you show the output of this?

sudo apache2ctl -t -D DUMP_VHOSTS
apache2ctl -t -D DUMP_VHOSTS

This command lists the virtual hosts enabled on the server; it listed 7 on port 443 and 9 on port 80 (as it should).

Is there some reason you cannot show the output of the command? Often we see something that may have been missed.

It is also the first step to see which config files are used so we can ask to see further details.

root@ubuntu-s-1vcpu-1gb-nyc1-01:~# apache2ctl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server cienciapratica.blog.br (/etc/apache2/sites-enabled/cienciapratica.blog.br-le-ssl.conf:2)
         port 443 namevhost cienciapratica.blog.br (/etc/apache2/sites-enabled/cienciapratica.blog.br-le-ssl.conf:2)
         port 443 namevhost kleber.app.br (/etc/apache2/sites-enabled/kleber.app.br-le-ssl.conf:2)
         port 443 namevhost kleber.blog.br (/etc/apache2/sites-enabled/kleber.blog.br-le-ssl.conf:2)
         port 443 namevhost kleber.flog.br (/etc/apache2/sites-enabled/kleber.flog.br-le-ssl.conf:2)
         port 443 namevhost kleber.vlog.br (/etc/apache2/sites-enabled/kleber.vlog.br-le-ssl.conf:2)
         port 443 namevhost robotica.blog.br (/etc/apache2/sites-enabled/robotica.blog.br-le-ssl.conf:2)
         port 443 namevhost vidacrista.blog.br (/etc/apache2/sites-enabled/vidacrista.blog.br-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server camera.wiki.br (/etc/apache2/sites-enabled/camera.wiki.br.conf:1)
         port 80 namevhost camera.wiki.br (/etc/apache2/sites-enabled/camera.wiki.br.conf:1)
         port 80 namevhost cienciapratica.blog.br (/etc/apache2/sites-enabled/cienciapratica.blog.br.conf:1)
         port 80 namevhost kleber.app.br (/etc/apache2/sites-enabled/kleber.app.br.conf:1)
         port 80 namevhost kleber.blog.br (/etc/apache2/sites-enabled/kleber.blog.br.conf:1)
         port 80 namevhost kleber.flog.br (/etc/apache2/sites-enabled/kleber.flog.br.conf:1)
         port 80 namevhost kleber.vlog.br (/etc/apache2/sites-enabled/kleber.vlog.br.conf:1)
         port 80 namevhost opengl.wiki.br (/etc/apache2/sites-enabled/opengl.wiki.br.conf:1)
         port 80 namevhost robotica.blog.br (/etc/apache2/sites-enabled/robotica.blog.br.conf:1)
         port 80 namevhost vidacrista.blog.br (/etc/apache2/sites-enabled/vidacrista.blog.br.conf:1)

Would you now show the contents of that file? Getting a "404" with --apache plugin is always something unusual with the Apache config.

Are you using Apache Tomcat?

Did you use the --apache option when getting certs for your other domains like cienciapratica?


Yes, I am using Apache Tomcat through the jk module enabled on the Apache HTTP server. And yes, I used the --apache option for all other domains. The only ones with this error are camera.wiki.br and opengl.wiki.br.

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        ServerName camera.wiki.br
        DocumentRoot /var/www/app
        JkMount /* ajp13_worker

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

I don't think the --apache plugin supports Tomcat syntax. Do both of your failing domains have the JkMount statement? Do the ones that work have that?

I think in the long run you would be better off using the --webroot option with Tomcat. The --webroot will not read or update your Tomcat config at all. Which also means you need to manually make the port 443 VirtualHosts. Use the ones you already have as a template for new ones. There is also Mozilla's configurator (Certbot follows that configurator too). https://ssl-config.mozilla.org/ Avoid HSTS and Stapling until you fully understand what those do. Can easily cause trouble.

You can test --webroot for camera with

sudo certbot certonly --dry-run --webroot -w /var/www/app -d camera.wiki.br

If that works remove --dry-run and add --deploy-hook to reload Tomcat when you get a fresh cert like

sudo certbot certonly --webroot -w /var/www/app -d camera.wiki.br --deploy-hook 'Tomcat-Command'

Where Tomcat-Command is whatever you need for a graceful reload of Tomcat.

Also refer to this thread for suggestions on setting up port 80 VirtualHost for redirects and HTTP Challenge.


What I tried, and at least the certificate was installed successfully: comment out the line with 'JkMount' in the Apache VirtualHost configuration file and run 'certbot --apache --domain camera.wiki.br'. After that, I uncommented the JkMount line again and reloaded Apache. Now when I access the URL in the browser, it looks secured but it is not reaching the Tomcat context.

Certbot creates the port 443 VirtualHost using the port 80 VirtualHost as a template. Since it did not have the JkMount line it was not included in your port 443 VirtualHost. You now need to modify the VirtualHost for port 443 manually.

Also, the JkMount line won't allow the cert renewal to work either. You really should start using --webroot method for Tomcat. The --apache plugin was not designed for that.


That worked! Now I wonder what I did to make it work with the other domains.

You should test the renewal process for all of them using:

sudo certbot renew --dry-run

The --dry-run will not modify your existing certs but will show whether the renewal would work.

certbot renew --dry-run

This command gives me the same error I was getting when creating the certificate. I believe that when the time to renew comes, I will need to comment out the JkMount line again (probably I should make this easier by creating a script to do this in batch).

certbot certonly --dry-run --webroot -w /var/www/app -d camera.wiki.br

With this command the same error occurred too.

Yes, with your JkMount in the port 80 host that changes where Tomcat looks for files. Just leave that out of your port 80 VirtualHost permanently.

Leaving it out of port 80 might allow the --apache to work too. But, the Apache plugin also tries to (at least temporarily) update the port 443 VirtualHost too. It is possible other Tomcat syntax will further confuse it. You need to keep it there for your normal operation.

Once you have the cert the port 80 VirtualHost only handles the HTTP Challenge and redirects all other requests to HTTPS. See the link to my example earlier.

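The port 80 VirtualHost that the --webroot advice earlier in the thread and the "challenge plus redirect" reply just above describe, as an added example that is not from the thread, from Certbot or from the mod_jk project: it writes a port 80 host for camera.wiki.br with no JkMount at all (the JkMount /* ajp13_worker line stays only in the port 443 -le-ssl.conf host that you maintain by hand), serves /.well-known/acme-challenge/ from the /var/www/app webroot, redirects everything else to HTTPS, and then probes a throwaway token the same way the CA does so you can see a 200 before running certbot. The mod_rewrite redirect, the a2enmod/a2ensite calls, the "install"/"check" subcommands and the use of curl are my assumptions, not something the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the thread): port 80 VirtualHost for the HTTP-01
# challenge plus a pre-flight probe. Assumes Apache on Ubuntu (a2ensite,
# apache2ctl, systemctl), curl installed, webroot /var/www/app as in the thread.

DOMAIN="${DOMAIN:-camera.wiki.br}"
WEBROOT="${WEBROOT:-/var/www/app}"

# render_port80_vhost DOMAIN WEBROOT: prints the VirtualHost text to stdout.
render_port80_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2
    # No JkMount here: with "JkMount /* ajp13_worker" every request, including
    # /.well-known/acme-challenge/, would be handed to Tomcat and answer 404.

    # Challenge tokens are plain files written by "certbot --webroot -w $2".
    <Directory $2/.well-known/acme-challenge>
        Require all granted
    </Directory>

    # Everything except the challenge path is redirected to HTTPS (assumed mod_rewrite).
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
}

# install_port80_vhost: writes the file, enables it, syntax-checks, reloads (run as root).
install_port80_vhost() {
    render_port80_vhost "$DOMAIN" "$WEBROOT" > "/etc/apache2/sites-available/$DOMAIN.conf"
    a2enmod rewrite >/dev/null
    a2ensite "$DOMAIN.conf" >/dev/null
    apache2ctl configtest && systemctl reload apache2
}

# challenge_url DOMAIN TOKEN: the exact URL the CA fetches for an HTTP-01 token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# place_probe WEBROOT TOKEN: drops a probe file where certbot --webroot writes tokens; prints its path.
place_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# http_status URL: status code without following redirects; 404 is the symptom from the thread.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# check_challenge_path: end-to-end probe; returns 0 when the token is served with 200.
check_challenge_path() {
    token="probe-$(date +%s)-$$"
    file=$(place_probe "$WEBROOT" "$token")
    url=$(challenge_url "$DOMAIN" "$token")
    status=$(http_status "$url")
    rm -f "$file"
    if [ "$status" = "200" ]; then
        echo "OK: $url -> 200; certbot certonly --webroot -w $WEBROOT -d $DOMAIN should pass"
        return 0
    fi
    echo "FAIL: $url -> HTTP $status (404 usually means JkMount sent it to Tomcat or DocumentRoot is wrong)"
    return 1
}

# Usage: sh acme-port80.sh install   (write and enable the vhost, as root)
#        sh acme-port80.sh check     (probe the challenge path from this host)
case "${1:-}" in
    install) install_port80_vhost ;;
    check)   check_challenge_path ;;
esac
```

Run "check" before every certbot attempt and again after any change to the Tomcat mounts: the probe goes through the same public hostname and path the CA uses, so a 200 here is what "certbot renew --dry-run" needs, while a 404 points at the port 80 host (not at certbot) as the thing to fix.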

Another option is to use a DNS Challenge. This does not involve HTTP(s) requests to your Tomcat server.

You use DigitalOcean DNS servers, which are supported by Certbot. A DNS Challenge is often harder to set up but should be reliable once you do.

https://certbot-dns-digitalocean.readthedocs.io/en/stable/

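The DNS Challenge route suggested above, as an added example that is not from the thread or from the certbot-dns-digitalocean project: it creates the credentials file the plugin reads, refuses to run while the file still holds the placeholder token or is readable by anyone but root, and issues a --dry-run through the plugin. The credentials path under /root/.secrets/certbot, the 60-second propagation wait and the "init"/"issue" subcommands are my choices; the plugin, its flags and the dns_digitalocean_token key are the ones documented at the URL above, and the plugin is assumed to be installed next to certbot 2.9.0.

```shell
#!/bin/sh
# Added example (not from the thread): DNS-01 for camera.wiki.br via
# certbot-dns-digitalocean. Assumes the plugin is installed and that you replace
# the placeholder with a DigitalOcean API token that has write access to the zone.

CRED_FILE="${CRED_FILE:-/root/.secrets/certbot/digitalocean.ini}"
DOMAIN="${DOMAIN:-camera.wiki.br}"
PLACEHOLDER="REPLACE_WITH_DO_API_TOKEN"

# write_do_credentials FILE TOKEN: writes the ini file the plugin reads, owner-only from creation.
write_do_credentials() {
    mkdir -p "$(dirname "$1")"
    ( umask 077; printf 'dns_digitalocean_token = %s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# credentials_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback).
credentials_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# has_placeholder_token FILE: 0 when the file still holds the placeholder.
has_placeholder_token() {
    grep -q "$PLACEHOLDER" "$1"
}

# issue_with_dns: sanity checks, then a dry run through the DNS plugin.
issue_with_dns() {
    if [ ! -f "$CRED_FILE" ]; then
        echo "missing $CRED_FILE; run with 'init' first" >&2
        return 1
    fi
    if has_placeholder_token "$CRED_FILE"; then
        echo "edit $CRED_FILE and replace $PLACEHOLDER with your DigitalOcean API token" >&2
        return 1
    fi
    if [ "$(credentials_mode "$CRED_FILE")" != "600" ]; then
        echo "$CRED_FILE must be mode 600 (the token is a zone-wide secret)" >&2
        return 1
    fi
    # Drop --dry-run once this succeeds; the TXT record is created and removed by the plugin.
    certbot certonly --dry-run \
        --dns-digitalocean \
        --dns-digitalocean-credentials "$CRED_FILE" \
        --dns-digitalocean-propagation-seconds 60 \
        -d "$DOMAIN"
}

# Usage: sh acme-dns-do.sh init    (create the credentials file with a placeholder)
#        sh acme-dns-do.sh issue   (validate the file and run the dry run)
case "${1:-}" in
    init)  write_do_credentials "$CRED_FILE" "$PLACEHOLDER" ;;
    issue) issue_with_dns ;;
esac
```

Because the validation never touches Apache or Tomcat, the JkMount line can stay in both VirtualHosts; the cost is that the API token in the ini file can change any record in your DigitalOcean zones, which is why the script insists on mode 600 and a non-placeholder value before calling certbot.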
