Some challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aseilasoft.cl

I ran this command: sudo certbot --apache

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: aseilasoft.cl
2: admin.aseilasoft.cl
3: autodiscover.aseilasoft.cl
4: webmail.aseilasoft.cl
5: www.aseilasoft.cl
6: static.59.56.130.94.clients.your-server.de

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,5
Requesting a certificate for aseilasoft.cl and www.aseilasoft.cl
Performing the following challenges:
http-01 challenge for aseilasoft.cl
http-01 challenge for www.aseilasoft.cl
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain aseilasoft.cl
Challenge failed for domain www.aseilasoft.cl
http-01 challenge for aseilasoft.cl
http-01 challenge for www.aseilasoft.cl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0


Hi @aseilasoft

If --apache doesn't work, Certbot doesn't understand your configuration.

What says

apachectl -S

apachectl -S says:

```
sergio@aseilasoft:~$ apachectl -S
VirtualHost configuration:
94.130.56.59:80        aseilasoft.cl (/etc/apache2/sites-enabled/aseilasoft.cl.conf:1)
*:80                   aseilasoft.aseilasoft.cl (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex proxy: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
```


What do these files contain?

/etc/apache2/sites-available/aseilasoft.cl.conf
/etc/apache2/sites-available/000-default.conf

(Please place ``` on a separate line above and below the contents of each file.)

The first definition looks wrong. If that is an internal network, the connection isn't via 94.130*; instead, a local IP address is used.

Use *:80 instead.

And why does the second one have two domain names?

Change the first, restart, then again apachectl -S.

PS: The first doesn't have the www version. So there is no matching vHost with both domain names -> so --apache can't find a matching vHost.


Thanks JuergenAuer, I'm new to Linux.
I made the changes you advised and now apachectl -S looks like this:

```
sergio@aseilasoft:/etc/apache2/sites-enabled$ apachectl -S
VirtualHost configuration:
*:80                   www.aseilasoft.cl (/etc/apache2/sites-enabled/aseilasoft.cl.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex proxy: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
```

Could that be fine?

No. Now the www is defined, but the non-www is missing. If you want to create a certificate with both names, you must have a vHost with both names.

I'm confused, this is my VirtualHost:

```
<VirtualHost *:80>
ServerAdmin aseilasoft@gmail.com
ServerName www.aseilasoft.cl
ServerAlias aseilasoft.cl
ServerAlias www.aseilasoft.cl
```

and this is apachectl -S:

```
sergio@aseilasoft:/etc/apache2/sites-enabled$ sudo apachectl -S
VirtualHost configuration:
*:80                   www.aseilasoft.cl (/etc/apache2/sites-enabled/aseilasoft.cl.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex proxy: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

I don't know what is wrong.

Don't duplicate your www. If you use it as ServerName, don't use it as ServerAlias. That confuses Apache.

Change it, again apachectl -S.

```
<VirtualHost *:80>
ServerAdmin aseilasoft@gmail.com
ServerName www.aseilasoft.cl
ServerAlias aseilasoft.cl
```

The same error happens:

```
sergio@aseilasoft:/etc/apache2/sites-enabled$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: aseilasoft.cl
2: www.aseilasoft.cl

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Requesting a certificate for aseilasoft.cl and www.aseilasoft.cl
Performing the following challenges:
http-01 challenge for aseilasoft.cl
http-01 challenge for www.aseilasoft.cl
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain aseilasoft.cl
Challenge failed for domain www.aseilasoft.cl
http-01 challenge for aseilasoft.cl
http-01 challenge for www.aseilasoft.cl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

```
sergio@aseilasoft:/etc/apache2/sites-enabled$ apachectl -S
VirtualHost configuration:
*:80                   www.aseilasoft.cl (/etc/apache2/sites-enabled/aseilasoft.cl.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
Mutex proxy: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
```

Please read your output.

That's expected, your output

is the same, no non-www is shown. So you have done something wrong.

I remembered that I'm using this in /etc/rc.local:

```
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
```

Could this affect what we are doing?

If your iptables is rerouting port 80 to port 8080, your Apache, which is listening on port 80 too, wouldn't work at all. But as Apache is working properly on port 80 (just not certbot), that's unlikely?

Is there some test I can do in order to realise what is wrong? I'm very basic with Linux. Please, I need help.

Well, I think you've got a rather non-standard setup. For example, if I look at the headers returned by your webserver, I see:

```
Server: Werkzeug/0.11.15 Python/3.6.9
```

Usually, Apache returns with, well, "Apache" and its version. It seems "Werkzeug" can be used through a module in Apache called mod_wsgi. This is all rather non-standard, so it all might interfere with certbot.

Could you tell us more about that "Werkzeug"?

You can see this link and understand better than me. The only thing I can say is that I'm using Odoo ERP and I think this came with it.

https://werkzeug.palletsprojects.com/en/1.0.x/serving/

Attached log from the Odoo server:

```
sergio@aseilasoft:/etc/apache2/sites-available$ tail -f /var/log/odoo/odoo-server.log
2021-03-23 20:30:28,944 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Partner Autocomplete : Sync with remote DB.
2021-03-23 20:30:28,961 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Partner Autocomplete : Sync with remote DB done.
2021-03-23 20:30:28,963 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Snailmail: process letters queue.
2021-03-23 20:30:28,974 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Snailmail: process letters queue done.
2021-03-23 20:44:07,720 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Calendar: Event Reminder.
2021-03-23 20:44:07,749 7231 INFO aseilasoft odoo.modules.registry: At least one model cache has been invalidated, signaling through the database.
2021-03-23 20:44:07,753 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Calendar: Event Reminder done.
2021-03-23 21:14:31,342 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Calendar: Event Reminder.
2021-03-23 21:14:31,391 7231 INFO aseilasoft odoo.modules.registry: At least one model cache has been invalidated, signaling through the database.
2021-03-23 21:14:31,396 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Calendar: Event Reminder done.
2021-03-23 21:30:32,229 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Mail: Email Queue Manager.
2021-03-23 21:30:32,249 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Mail: Email Queue Manager done.
2021-03-23 21:30:32,251 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Partner Autocomplete : Sync with remote DB.
2021-03-23 21:30:32,264 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Partner Autocomplete : Sync with remote DB done.
2021-03-23 21:30:32,266 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Snailmail: process letters queue.
2021-03-23 21:30:32,282 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Snailmail: process letters queue done.
2021-03-23 21:37:39,020 7231 INFO aseilasoft werkzeug: 157.245.89.85 - - [23/Mar/2021 21:37:39] "GET /track/ HTTP/1.1" 404 - 356 0.277 0.561
2021-03-23 21:44:10,088 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Starting job Calendar: Event Reminder.
2021-03-23 21:44:10,131 7231 INFO aseilasoft odoo.modules.registry: At least one model cache has been invalidated, signaling through the database.
2021-03-23 21:44:10,136 7231 INFO aseilasoft odoo.addons.base.models.ir_cron: Job Calendar: Event Reminder done.
2021-03-23 21:45:10,472 7231 INFO aseilasoft werkzeug: 205.185.122.102 - - [23/Mar/2021 21:45:10] "GET /config/getuser?index=0 HTTP/1.1" 404 - 356 0.289 0.596
```

Would it be useful if I send you the file /var/log/letsencrypt/letsencrypt.log?

I don't think so.

I think the problem here really is you're not running Apache as the webserver, but (as I understand from your earlier post) just Werkzeug on port 8080, which explains the 80 -> 8080 redirect in iptables.

I'm not sure if there is a straightforward way to get a certificate with Werkzeug directly, as certbot doesn't interface with it like it does with Apache or nginx. Also, I'm not sure if the built-in webserver you're using for Werkzeug has the capability to serve files from disk, i.e., a webroot, so the webroot method might also not be an option.

Furthermore, from the link you've pasted earlier about Werkzeug, it seems the built-in webserver option mentioned there is just for one connection type: HTTP OR HTTPS. Not both!

This all clearly is very limited. IMO the best option is to put a webserver in front of Werkzeug, which is configured as a reverse proxy and will take care of all the HTTPS stuff, so that Werkzeug can run without HTTPS, but the connection to it, through the reverse proxy, is still secure.

Apache and nginx can be configured as a reverse proxy for this, but those are relatively large applications for such a simple job. HAProxy can also do this job and is more suited for it IMO, as it's not a complete webserver, but there is less experience with it on this Community, so we probably wouldn't be able to help you with it that quickly.
Also note that Werkzeug is a WSGI application, so you might want to look into specific WSGI reverse proxies.
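The reverse-proxy layout Osiris describes, written out as an Apache vhost; this is an added example and not configuration from the thread or from the poster's server. It assumes Odoo/Werkzeug listens on 127.0.0.1:8069 (the port named in the poster's iptables rule), that the PREROUTING REDIRECT rule has been removed from /etc/rc.local and flushed so that Apache really receives port 80, and that mod_proxy, mod_proxy_http and mod_headers are enabled.

```apache
# Added example (not from the thread): Apache as HTTP front-end for Odoo/Werkzeug.
# Assumption: Odoo listens on 127.0.0.1:8069 and the iptables REDIRECT 80->8069
# is gone, otherwise nothing below is ever reached and HTTP-01 keeps failing.
# Requires: a2enmod proxy proxy_http headers
<VirtualHost *:80>
    ServerName www.aseilasoft.cl
    ServerAlias aseilasoft.cl

    # Let certbot's webroot authenticator answer the HTTP-01 challenge from disk.
    DocumentRoot /var/www/html
    <Directory /var/www/html/.well-known/acme-challenge>
        Require all granted
    </Directory>
    # The exclusion must come before the catch-all ProxyPass, or the challenge
    # request is handed to Odoo and answered with a 404.
    ProxyPass /.well-known/acme-challenge !

    # Everything else goes to Odoo; keep the original Host header so Odoo
    # builds correct URLs, and tell it which scheme the client used.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8069/
    ProxyPassReverse / http://127.0.0.1:8069/
    RequestHeader set X-Forwarded-Proto "http"

    # Odoo is no longer reachable from outside except through this proxy,
    # so bind it to 127.0.0.1 in its own config rather than 0.0.0.0.
</VirtualHost>
```

With this in place, `certbot certonly --webroot -w /var/www/html -d aseilasoft.cl -d www.aseilasoft.cl` validates through the DocumentRoot, and a matching `*:443` vhost with the issued certificate and the same ProxyPass lines (with `X-Forwarded-Proto "https"`) carries the actual traffic.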

Ok Osiris, in order not to lose our time, I'm going to break everything and start all over again.
Thanks for your time. Regards.

I'm not sure what this entails, but feel free to ask further questions about getting SSL/TLS working.