The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: erica.com

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: erica.com
2: www.erica.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for erica.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: erica.com
Type: unauthorized
Detail: Invalid response from http://erica.com/.well-known/acme-challenge/u92-5gqmSCll6-9cWLo0bU1oHG11bxRjVDGQhfXTeeY [104.247.81.50]: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

1 Like

The domain you redacted points to an nginx webserver, not an Apache one.

Are you the owner of the domain you are trying to get a certificate for?

4 Likes

Yes, I am the owner of the domain. I am hosting my domain locally in an Apache web server.

Is your domain actually "myweb.com"? @_az is trying to run useful tests against your real web server.

If you hide your real domain name, we can't help you test it.

2 Likes

Please check the IP of your server against that which DNS returns for your domain.
You can use:
curl -4 ifconfig.co
[The previously listed domain name seems to be hosted on a "parking" site.]

2 Likes

No it was not. I changed that to the original domain now.

I got this when I typed: curl -4 ifconfig.co
132.178.207.16

AND

cat /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad

I changed the domain name to the original one. Can you take a look at that now?

1 Like

This is a problem. Your DNS A records point to a different IP address.

~ $ dig +short a erica.com
185.53.177.50
~ $ dig +short a www.erica.com
185.53.177.50

The IP addresses are very different:

  • 132.178.207.16 is in the US;
  • 185.53.177.50 is in Germany.

2 Likes

In the host name file, I used the public IP address against the domain name not this IP address. Is that a problem?

I don't understand what you said. There is no reason to edit either /etc/hosts or /etc/hostname.

Your server should have one IPv4 address and several IPv6 addresses. One of each should be in the A and AAAA DNS records for the domains and subdomains you want to point to your server.

You learn those IP addresses from your provider panel or using the command @rg305 gave you (use -6 instead of -4 for IPv6).

1 Like

So, when I tried using the command:
curl -6 ifconfig.co
It shows that
curl: (7) Couldn't connect to server

That's unusual. Fine, but unusual.

You're running those commands on your server, right?

1 Like

What the hell is going on here?

~ $ curl -I erica.com
HTTP/1.1 403 Forbidden
Server: nginx
...
1 Like
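Added example, not part of any post in this thread: a pre-flight check that combines the two diagnostics used above (public IP versus DNS A records, and the `Server:` header on port 80) before running certbot with the HTTP-01 challenge. The function names are hypothetical, and the live check assumes `curl` and `dig` are installed and that it is run on the web server itself.

```shell
#!/bin/sh
# Added example (hypothetical helper names): HTTP-01 pre-flight. The CA
# connects to the address public DNS returns, so that must be this server.

# dns_points_here PUBLIC_IP "A_RECORDS"
# Prints match / mismatch / no-a-record; returns 0 only on match.
dns_points_here() {
    public_ip=$1; a_records=$2
    [ -n "$a_records" ] || { echo "no-a-record"; return 2; }
    for ip in $a_records; do
        if [ "$ip" = "$public_ip" ]; then
            echo "match"
            return 0
        fi
    done
    echo "mismatch"
    return 1
}

# served_by EXPECTED "RAW_RESPONSE_HEADERS"
# Returns 0 if the Server: header starts with EXPECTED (case-insensitive).
served_by() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    server=$(printf '%s\n' "$2" | tr -d '\r' |
        awk -F': *' 'tolower($1) == "server" { print tolower($2); exit }')
    case $server in
        "$expected"*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight DOMAIN [EXPECTED_SERVER]: live check, run on the web server.
preflight() {
    domain=$1
    expected=${2:-apache}
    public_ip=$(curl -4 -s ifconfig.co)
    a_records=$(dig +short a "$domain")
    verdict=$(dns_points_here "$public_ip" "$a_records") || {
        echo "DNS $verdict: $domain -> ${a_records:-none}, server is $public_ip"
        return 1
    }
    served_by "$expected" "$(curl -sI "http://$domain/")" || {
        echo "port 80 on $domain is not answered by $expected"
        return 1
    }
    echo "ok: $domain resolves to this server and $expected answers on port 80"
}

if [ -n "${1:-}" ]; then preflight "$@"; fi  # live check only with a domain
```

The `Server:` comparison is a heuristic: a reverse proxy or CDN in front of Apache, or a configuration that hides the header, will fail it even when DNS is correct.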

Can you explain what you mean by 'hosting my domain locally'?

Are you able to change the DNS records for this domain name? Because the DNS A record does not point to the server public IP you showed earlier.

2 Likes

I mean, I am trying to host an Apache web server on Ubuntu. I am not sure how to change the DNS records to point to the original IP address.

Yes, I am.

You do that from the control panel in your DNS provider (if you haven't changed it, it's your registrar: the website you bought your domain from).

1 Like

I developed the website on my machine and it is hosted by Apache. I am using certbot to get the CA.

Did you actually buy a domain name?

Or at least get a free one from a dynamic DNS provider?

1 Like