Some challenges have failed: Certbot unauthorized

Hi,
I have a domain, "philaupatte.fr", for which I am trying to get a certificate for SSL.
Unfortunately, the command certbot certonly --apache fails (idem without certonly).
I tried Let's Debug, and it says all is OK.
I have deactivated all SSL for the time being; I can access my home page (PHP Info).
I tried curl -vvv http://www.philaupatte.fr; it seems to work.

Error from certbot (maybe too many attempts, I don't know what to do :rofl:)
Result from the command:

root@freeVM:/etc/apache2/conf-enabled# certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: philaupatte.fr


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for philaupatte.fr
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: philaupatte.fr
Type: unauthorized
Detail: 213.186.33.5: Invalid response from Philaupatte Web Server "\n \n \n Philaupatte Web Server\n "

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Below is the Apache2 configuration (Apache2 is running fine without errors)

apache2.conf

ServerName philaupatte.fr
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
LogLevel debug
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
  Options FollowSymLinks
  AllowOverride None
  Require all denied
</Directory>
<Directory /usr/share>
  AllowOverride All
  Require all granted
</Directory>
<Directory /var/www/>
  Options Indexes FollowSymLinks
  AllowOverride All
  Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
  Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
Include /etc/phpmyadmin/apache.conf

ports.conf

Listen 80
<IfModule ssl_module>
  Listen 443
</IfModule>
<IfModule mod_gnutls.c>
  Listen 443
</IfModule>

000-default.conf

<VirtualHost *:80>
  ServerAdmin webmaster.administrator@free.fr
  ServerName philaupatte.fr
  DocumentRoot /var/www

  ErrorLog /var/log/apache2/vHosts80/error.log
  CustomLog /var/log/apache2/vHosts80/access.log combined
  LogLevel debug
</VirtualHost>

Alias /cpanel /var/www/$cpanel   (Don't misunderstand, this is not cPanel)
<Directory /var/www/$cpanel>
  Options FollowSymLinks Includes
  AllowOverride None
  DirectoryIndex index.html index.php
</Directory>

Alias /cda31T /var/www/cda31T
<Directory /var/www/cda31T>
  Options Indexes FollowSymLinks
  AllowOverride All
  Require all granted
</Directory>

Alias /cda31N /var/www/cda31N
<Directory /var/www/cda31T>
  Options FollowSymLinks Includes
  AllowOverride All
  Allow from All
  DirectoryIndex index.html index.php
</Directory>

default-ssl.conf   (engine has been disabled)

<VirtualHost *:443>
  ServerAdmin webmaster.administrator@free.fr
  ServerName philaupatte.fr
  DocumentRoot /var/www

  ErrorLog /var/log/apache2/vHosts443/error.log
  CustomLog /var/log/apache2/vHosts443/access.log combined
  LogLevel debug
</VirtualHost>

Below is the certbot output with -vvv verbose:
certbot verbose.txt (9.5 KB)

Below is letsencrypt.log:
letsencryptLog.txt (32.6 KB)

Many many thanks.

3 Likes

@Philaupatte, welcome to the community!

There was a questionnaire when you opened the topic. It was specifically requesting the version of the ACME client. (I find it a bit strange that certbot does not report its own version when called with -vvv, but that is independent of this topic.)

Seemingly you have a catch-all web server configuration:

tumbleweed:~ # curl -s -v 'http://www.philaupatte.fr/asfdgafdsg'
* Host www.philaupatte.fr:80 was resolved.
* IPv6: (none)
* IPv4: 213.186.33.5
*   Trying 213.186.33.5:80...
* Connected to www.philaupatte.fr (213.186.33.5) port 80
> GET /asfdgafdsg HTTP/1.1
> Host: www.philaupatte.fr
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< server: nginx
< date: Sat, 25 May 2024 07:16:02 GMT
< content-type: text/html; charset=UTF-8
< transfer-encoding: chunked
< x-iplb-request-id: 56C8B8BD:C316_D5BA2105:0050_66519032_5170C3CC:5BC8
< x-iplb-instance: 52217
< set-cookie: SERVERID77446=200178|ZlGQN|ZlGQN; path=/; HttpOnly
< cache-control: private
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
        <head>
            <title>Philaupatte Web Server</title>
            <meta name="description" content="">
            <meta name="keywords" content="">
            <meta name="generator" content="ORT - Ovh Redirect Technology">
            <meta name="url" content="http://82.67.90.232:3580/asfdgafdsg">
            <meta name="robots" content="all">
        </head>
        <frameset rows="100%,0" frameborder=no border=0>
            <frame name="ORT" src="http://82.67.90.232:3580/asfdgafdsg">
            <frame name="NONE" src="" scrolling="no" noresize>
            <noframes>
                <body><a href="http://82.67.90.232:3580/asfdgafdsg">Click here</a><hr></body>
            </noframes>
        </frameset>
* Connection #0 to host www.philaupatte.fr left intact
    </html>tumbleweed:~ # 

Did you try to switch that off?

EDIT: Sorry, I was too fast. This reports nginx as server, but you have apache. Likely the IP address in the DNS is not matching your server's actual IP address. You have to have a working web site via HTTP before you can validate the certificate via the web (HTTP-01).

3 Likes

Hello Bruncsak, many thanks for looking at this problem.

Well, the message says nginx, but it is apache2 that is running:

root@freeVM:~# systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Sat 2024-05-25 07:22:01 CEST; 4h 4min ago
Docs: Apache HTTP Server Version 2.4 Documentation - Apache HTTP Server Version 2.4
Process: 185740 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 185744 (apache2)
Tasks: 7 (limit: 2253)
Memory: 31.0M
CPU: 3.144s
CGroup: /system.slice/apache2.service
├─185744 /usr/sbin/apache2 -k start
├─187517 /usr/sbin/apache2 -k start
├─187518 /usr/sbin/apache2 -k start
├─187519 /usr/sbin/apache2 -k start
├─187520 /usr/sbin/apache2 -k start
├─187521 /usr/sbin/apache2 -k start
└─188252 /usr/sbin/apache2 -k start

May 25 07:22:01 freeVM systemd[1]: Starting apache2.service - The Apache HTTP Server...
May 25 07:22:01 freeVM systemd[1]: Started apache2.service - The Apache HTTP Server.

And yes, the website is working fine regarding HTTP. Nothing is set up for HTTPS (SSL).
Try http://www.philaupatte.fr

You can see on the fourth line "Server API: Apache 2.0 Handler"

But there is a device "in front of" your Apache that is running nginx, and it looks like it redirects web browsers to a different IP address (82.67.90.232 port 3580). That looks like the OVH Redirect Service. Those kinds of services don't usually work to support HTTPS. You should disable that and change the public IP address to your server IP. For the Let's Encrypt HTTP challenge (--apache option), you will need to handle port 80 (and not just 3580).

curl -i http://www.philaupatte.fr/
HTTP/1.1 200 OK
server: nginx
x-iplb-request-id: 03547C91:C75E_D5BA2105:0050_6651E9DF_528D09BB:5BC8
x-iplb-instance: 52217

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
        <head>
            <title>Philaupatte Web Server</title>
            <meta name="generator" content="ORT - Ovh Redirect Technology">
            <meta name="url" content="http://82.67.90.232:3580">
        </head>
        <frameset rows="100%,0" frameborder=no border=0>
            <frame name="ORT" src="http://82.67.90.232:3580">
            <frame name="NONE" src="" scrolling="no" noresize>
            <noframes>
                <body><a href="http://82.67.90.232:3580">Click here</a><hr></body>
            </noframes>
        </frameset>
    </html>

# The public DNS uses this IP for this domain
nslookup www.philaupatte.fr
Address: 213.186.33.5
4 Likes
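The two curl transcripts above show the pattern behind the "unauthorized" error: the public A record points at a redirect front-end (nginx, "Ovh Redirect Technology") that answers every path with a 200 OK frameset, so the CA's request for /.well-known/acme-challenge/<token> never reaches the Apache that certbot configured. The following script is an added example, not code from the thread or from certbot; it takes a captured HTTP response for the challenge URL plus the DNS and origin IPs and lists, offline, each reason the CA would reject it. The sample responses, the token "tok" and the JWK thumbprint value are constructed placeholders.

```python
"""Offline triage of an HTTP-01 challenge answer (added example, not from the thread).

Given a raw HTTP response captured for http://<domain>/.well-known/acme-challenge/<token>,
the key authorization the origin should have served, and the IPs involved,
explain why a CA would report the challenge as "unauthorized".
"""
import re

# Constructed sample, abridged from the curl output in the thread: the OVH
# redirect front-end returns this for *any* path on www.philaupatte.fr.
ORT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "server: nginx\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<html><head><title>Philaupatte Web Server</title>\n"
    '<meta name="generator" content="ORT - Ovh Redirect Technology">\n'
    '</head><frameset rows="100%,0">\n'
    '<frame name="ORT" src="http://82.67.90.232:3580/.well-known/acme-challenge/tok">\n'
    "</frameset></html>\n"
)

# A key authorization is "<token>.<base64url JWK thumbprint>"; the thumbprint
# here is a constructed placeholder, not a real account key.
KEY_AUTHZ = "tok.PLACEHOLDER_JWK_THUMBPRINT"

# Constructed sample of what a directly reachable Apache origin would answer.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.59 (Debian)\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n" + KEY_AUTHZ
)

_FRAME_SRC = re.compile(r'<frame[^>]*\bsrc="([^"]+)"', re.IGNORECASE)


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess_http01(raw, key_authz, dns_ip, origin_ip, origin_server="apache"):
    """Return (ok, findings); ok means a CA would accept this answer."""
    findings = []
    # The CA resolves the name itself, so DNS must lead to the origin.
    if dns_ip != origin_ip:
        findings.append(
            f"DNS points at {dns_ip} but the origin is {origin_ip}: "
            "the CA never reaches the origin"
        )
    status, headers, body = parse_http_response(raw)
    server = headers.get("server", "")
    # A foreign Server header means another device answers before the origin.
    if server and origin_server.lower() not in server.lower():
        findings.append(
            f"Server header '{server}' is not the expected {origin_server}: "
            "another device answers first"
        )
    # Frame-based "redirects" are HTML; the CA only follows HTTP 3xx redirects.
    match = _FRAME_SRC.search(body)
    if match:
        findings.append(
            f"HTML frame redirect to {match.group(1)}: "
            "the CA follows HTTP 3xx redirects, not frames"
        )
    if status != 200:
        findings.append(f"HTTP {status} instead of 200")
    elif body.strip() != key_authz:
        findings.append("200 OK but the body is not the key authorization (catch-all page?)")
    return (not findings), findings


if __name__ == "__main__":
    for label, raw, dns_ip in (
        ("via OVH redirect", ORT_RESPONSE, "213.186.33.5"),
        ("direct to origin", GOOD_RESPONSE, "82.67.90.232"),
    ):
        ok, findings = assess_http01(raw, KEY_AUTHZ, dns_ip, "82.67.90.232")
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Two points the check encodes that matter for this thread: the CA resolves the name itself and connects to port 80 of whatever the A record says, and it follows only HTTP 3xx redirects (Let's Encrypt accepts redirect targets on ports 80 and 443 only), so neither an HTML frameset nor a redirect to port 3580 can ever deliver the token from the real Apache.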

Hi, many thanks. I don't have this level of expertise and I appreciate your explanations.

So far, I don't know what to do. Let me explain the overall setup.

I have two domains, philaupatte.com and philaupatte.fr.

philaupatte.com is working like magic with SSL.

  1. It is held by IONOS, from where there is a redirection to philaupatte.freeboxos.fr
  2. This domain philaupatte.freeboxos.fr is attached to my personal box (FREE), IP 82.67.90.232 (this is a feature offered by the FREE company)
  3. It holds TLS certificates (PEM)
  4. Within the FREEBOX (router) there is a port forwarding from (incoming) 80 -> (outgoing) 80 on my BEELINK machine holding the website (DEBIAN/APACHE)

philaupatte.fr is not working.

  1. It is held by OVH, from where there is a redirection to 82.67.90.232:3580 (I can't use 80 as it is already used in my FREEBOX)
  2. Within the FREEBOX (router) there is a port forwarding from (incoming) 3580 -> (outgoing) 80 on my FREEBOX virtual machine (this is also a feature of the FREE company), also running DEBIAN/APACHE

Looks like I am stuck for making this domain work with SSL :melting_face: :melting_face: :melting_face:

2 Likes

No, the .com domain is not working well. You have various problems. I'll just focus on your .com name in this post.

HTTP requests to the .com domain do redirect using HTTPS to philaupatte.freeboxos.fr. But that freeboxos domain only works with IPv4. Using IPv6 fails.

And if someone uses HTTPS for your .com domain, that fails.

# HTTP to .com redirects properly for IPv4 and IPv6
# (just showing IPv4 here but -i6 works the same) 
curl -i4 http://philaupatte.com
HTTP/1.1 302 Found
Server: Apache
Location: https://philaupatte.freeboxos.fr

# HTTPS requests to .com fail on both IPv4/6
curl -i4 https://philaupatte.com
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
curl -i6 https://philaupatte.com
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

# HTTPS to freeboxos.fr connects on IPv4
curl -i4 https://philaupatte.freeboxos.fr
HTTP/1.1 401 Unauthorized
Server: Apache/2.4.59 (Debian)

# But freeboxos.fr fails using IPv6
curl -i6 https://philaupatte.freeboxos.fr
curl: (28) Failed to connect to philaupatte.freeboxos.fr port 443 after 133756 ms:
Connection timed out
5 Likes

Hi,
Yes, you are fully right, there are several parts not working properly. I am dumb, I focused only on one part.
I read some documentation regarding "freeboxos.fr" domain management from the Freebox company, and it looks like IPv6 cannot be handled. See Freebox Ultimate Server (sorry, it is in French).

I am going to free ports 80 and 443 from philaupatte.com on the Freebox. Then I will fully refresh philaupatte.fr using ports 80 and 443, and I will see what happens.

1 Like

Hi,
Many, many thanks MikeMcQ. I took your remarks into consideration and, for my understanding and learning, I have used my initial domain philaupatte.ddns.net from No-IP. It seems to respond fine using curl -i4 and -i6 for HTTP and HTTPS.

Later I will go further on using philaupatte.com and philaupatte.fr with Let's Encrypt certificates.
I really appreciate your support.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.