Subdomain and Domain Alias on different servers

I ran this command: certbot --apache -d

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for
Performing the following challenges:
http-01 challenge for
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


My web server is (include version): Apache 2.4.54

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: Selfhosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Servus Community,

I run a server here at one location that hosts only one website under a subdomain ( Other websites of the same domain are on other servers. Can the error in issuing the certificate be because the alias is hosted on another server? Or do I have to look for the error somewhere else?

Thx & Bye Tom

If your server IP is:

then the problem is likely found within the Apache config.

To review that, start with the output of:
apachectl -t -D DUMP_VHOSTS

# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80          (/etc/apache2/sites-enabled/

Please note that the domain alias is configured on another server. Isn't this the problem?

Thx & Bye Tom

No, that name has nothing to do with a certificate authentication request for

Was that the entire output?

If so, let's review this file:

# cat /etc/apache2/sites-enabled/ 
<VirtualHost *:80>
  DocumentRoot /var/www/
  ErrorLog ${APACHE_LOG_DIR}/kb.kastner.de_error.log
  CustomLog ${APACHE_LOG_DIR}/kb.kastner.de_access.log combined

First I tried it without the line ServerAlias because there is no alternative hostname, but it ends with the same result.

Thx & Bye Tom

You described your server as above in the first post, but I see Apache 2.4.41 (Ubuntu) in a "not found" error page (also this version and Ubuntu in the server response header).

Can you double-check that your server IP matches the DNS? What value does this command show?

curl -4

I just found a misconfiguration there as well. The server is behind a NAT router and I have only mapped port 443 to the internal IP of the server. Port 80 from the same external IP points to another internal server, which I actually want to replace. I suspect the initial access for the server challenges is handled through port 80. I'm fixing this now and will get back to you in a minute...

Thx & Bye Tom

Yes, an HTTP challenge starts with a request to HTTP:// (port 80). You can redirect it but that's where it starts. The certbot apache plug-in relies on the http challenge (as opposed to a DNS challenge).

Fixing your NAT should resolve this.


Yes, now it works. Thanks a lot and sorry for the noise :flushed:

Bye Tom
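
The symptom that exposed the fault in this thread (port 80 answered by a different server than the one running certbot) can be checked before requesting a certificate. The following is an added example, not part of the original posts: it compares the Server header returned on port 80 and port 443. The function names, the probe path and the sample headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect port 80 and port 443 of one public name landing on
# different backends (e.g. split NAT port forwarding), which breaks http-01.

# Print the Server header value from raw HTTP response headers on stdin.
server_header() {
  tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Compare two header dumps: $1 = headers from port 80, $2 = headers from port 443.
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if port 80 gave no Server header.
compare_backends() {
  cb_h80=$(printf '%s\n' "$1" | server_header)
  cb_h443=$(printf '%s\n' "$2" | server_header)
  if [ -z "$cb_h80" ]; then
    echo "no-server-header-on-80"; return 2
  elif [ "$cb_h80" != "$cb_h443" ]; then
    echo "mismatch: 80='$cb_h80' 443='$cb_h443'"; return 1
  fi
  echo "match: $cb_h80"
}

# Live probe: fetch headers over IPv4 from both ports of a host.
# -k because a valid certificate may not exist yet; the path is a made-up token name.
probe() {
  compare_backends \
    "$(curl -4 -sI --max-time 10 "http://$1/.well-known/acme-challenge/precheck")" \
    "$(curl -4 -skI --max-time 10 "https://$1/.well-known/acme-challenge/precheck")"
}

# Constructed sample headers modelled on the versions mentioned in the thread.
SAMPLE_80=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.41 (Ubuntu)\r\n')
SAMPLE_443=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.54 (Debian)\r\n')

# Run a live check only when a hostname is passed as the first argument.
if [ "$#" -gt 0 ]; then
  probe "$1"
fi
```

A "match" is not proof that both ports reach the same machine, since two servers can send identical or suppressed Server headers; a "mismatch" is a strong hint to review the port 80 forwarding rule.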


