Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: camera.wiki.br
I ran this command: certbot --apache --domain camera.wiki.br
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for camera.wiki.br
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
My web server is (include version): apache 2.4.58
The operating system my web server runs on is (include version): ubuntu 24.04
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0
The "404" error with the --apache plugin means it did not set up the HTTP challenge properly, and the Let's Encrypt server got the 404 Not Found response instead of the proper challenge token.
Let's review your Apache config. Would you show the output of this?
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# apache2ctl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server cienciapratica.blog.br (/etc/apache2/sites-enabled/cienciapratica.blog.br-le-ssl.conf:2)
port 443 namevhost cienciapratica.blog.br (/etc/apache2/sites-enabled/cienciapratica.blog.br-le-ssl.conf:2)
port 443 namevhost kleber.app.br (/etc/apache2/sites-enabled/kleber.app.br-le-ssl.conf:2)
port 443 namevhost kleber.blog.br (/etc/apache2/sites-enabled/kleber.blog.br-le-ssl.conf:2)
port 443 namevhost kleber.flog.br (/etc/apache2/sites-enabled/kleber.flog.br-le-ssl.conf:2)
port 443 namevhost kleber.vlog.br (/etc/apache2/sites-enabled/kleber.vlog.br-le-ssl.conf:2)
port 443 namevhost robotica.blog.br (/etc/apache2/sites-enabled/robotica.blog.br-le-ssl.conf:2)
port 443 namevhost vidacrista.blog.br (/etc/apache2/sites-enabled/vidacrista.blog.br-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server camera.wiki.br (/etc/apache2/sites-enabled/camera.wiki.br.conf:1)
port 80 namevhost camera.wiki.br (/etc/apache2/sites-enabled/camera.wiki.br.conf:1)
port 80 namevhost cienciapratica.blog.br (/etc/apache2/sites-enabled/cienciapratica.blog.br.conf:1)
port 80 namevhost kleber.app.br (/etc/apache2/sites-enabled/kleber.app.br.conf:1)
port 80 namevhost kleber.blog.br (/etc/apache2/sites-enabled/kleber.blog.br.conf:1)
port 80 namevhost kleber.flog.br (/etc/apache2/sites-enabled/kleber.flog.br.conf:1)
port 80 namevhost kleber.vlog.br (/etc/apache2/sites-enabled/kleber.vlog.br.conf:1)
port 80 namevhost opengl.wiki.br (/etc/apache2/sites-enabled/opengl.wiki.br.conf:1)
port 80 namevhost robotica.blog.br (/etc/apache2/sites-enabled/robotica.blog.br.conf:1)
port 80 namevhost vidacrista.blog.br (/etc/apache2/sites-enabled/vidacrista.blog.br.conf:1)
Yes, I am using Apache Tomcat through the jk module (mod_jk) enabled on the Apache HTTP server, and yes, I used the --apache option for all the other domains. The ones with this error are only camera.wiki.br and opengl.wiki.br.
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
ServerName camera.wiki.br
DocumentRoot /var/www/app
JkMount /* ajp13_worker
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
I don't think the --apache plugin supports Tomcat syntax. Do both of your failing domains have the JkMount statement? Do the ones that work have that?
I think in the long run you would be better off using the --webroot option with Tomcat. The --webroot plugin will not read or update your Tomcat config at all. Which also means you need to manually make the port 443 VirtualHosts. Use the ones you already have as a template for new ones. There is also Mozilla's configurator (Certbot follows that configurator too). https://ssl-config.mozilla.org/ Avoid HSTS and Stapling until you fully understand what those do. They can easily cause trouble.
What I tried, and at least the certificate was installed successfully: comment out the line with 'JkMount' in the Apache VirtualHost configuration file and run 'certbot --apache --domain camera.wiki.br'. After that, I uncommented the JkMount line again and reloaded Apache. Now when I access the URL in the browser, it looks secured, but it is not reaching the Tomcat context.
Certbot creates the port 443 VirtualHost using the port 80 VirtualHost as a template. Since it did not have the JkMount line it was not included in your port 443 VirtualHost. You now need to modify the VirtualHost for port 443 manually.
Also, the JkMount line won't allow the cert renewal to work either. You really should start using --webroot method for Tomcat. The --apache plugin was not designed for that.
This command gives me the same error I was getting when creating the certificate. I believe that when the time to renew comes, I will need to comment out the JkMount line again (probably I should make this easier by creating some script to do this in batch).
Yes, with your JkMount in the port 80 host that changes where Tomcat looks for files. Just leave that out of your port 80 VirtualHost permanently.
Leaving it out of port 80 might allow the --apache plugin to work too. But the Apache plugin also tries to (at least temporarily) update the port 443 VirtualHost too. It is possible other Tomcat syntax will further confuse it. You need to keep it there for your normal operation.
Once you have the cert the port 80 VirtualHost only handles the HTTP Challenge and redirects all other requests to HTTPS. See the link to my example earlier
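An added example of the split the last two replies describe, covering both the --webroot advice and the "port 80 only handles the challenge and redirects" layout. It is not from this thread, from Certbot, or from the Tomcat docs. The port 80 VirtualHost carries no JkMount, serves only the ACME challenge directory from a plain webroot, and redirects everything else to HTTPS; the port 443 VirtualHost is where the JkMount lives. The worker name ajp13_worker, the DocumentRoot /var/www/app, and the log lines are taken from the posted config; the webroot directory /var/www/acme, the file names, and the certificate paths under /etc/letsencrypt/live/camera.wiki.br/ are assumptions.

```apache
# /etc/apache2/sites-enabled/camera.wiki.br.conf  (assumed file name)
# Port 80: no JkMount here. Apache itself serves the ACME challenge files
# from a plain directory and sends every other request to HTTPS.
<VirtualHost *:80>
    ServerName camera.wiki.br
    ServerAdmin webmaster@localhost
    # Webroot handed to certbot; assumed path, create it before issuing.
    DocumentRoot /var/www/acme

    # Certbot writes the token here; it must be served by Apache, not Tomcat.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything except the challenge path is redirected to HTTPS.
    # mod_rewrite runs before mod_alias, so the exclusion is required.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# /etc/apache2/sites-enabled/camera.wiki.br-le-ssl.conf  (assumed file name)
# Port 443: this is the only place Tomcat is mounted. Certbot --webroot
# never reads or edits this file, so the JkMount line stays put across renewals.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName camera.wiki.br
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/app
    JkMount /* ajp13_worker

    SSLEngine on
    # Paths under /etc/letsencrypt/live/<name>/ are what certbot creates; assumed here.
    SSLCertificateFile /etc/letsencrypt/live/camera.wiki.br/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/camera.wiki.br/privkey.pem
    # Same TLS settings your existing -le-ssl.conf files include; or paste
    # the settings from https://ssl-config.mozilla.org/ instead.
    Include /etc/letsencrypt/options-ssl-apache.conf

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
```

Before asking the CA for anything, check that the challenge path is really answered by Apache and not by Tomcat or a redirect: after `a2enmod rewrite ssl` and `systemctl reload apache2`, put a test file in /var/www/acme/.well-known/acme-challenge/ and fetch `http://camera.wiki.br/.well-known/acme-challenge/<file>` with curl from outside the box; you want a 200 with the file's contents, not a 404, not a 301, and not a Tomcat error page. Then issue with `certbot certonly --webroot -w /var/www/acme -d camera.wiki.br --deploy-hook "systemctl reload apache2"`; certbot stores the webroot and the hook in the renewal config, so `certbot renew` uses the same path and reloads Apache after each renewal with no JkMount juggling. The port 443 VirtualHost is yours to maintain by hand, which is the trade-off the reply above describes.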