"The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot."

Hi,
When I run the command `sudo certbot --apache` for all virtual hosts on my Ubuntu/Apache server, I get invalid / unauthorized as the response for each virtual host. If I head to letsdebug.net to check the mobilitx.net URL, I get this:

My domain is: mobilitx.net, mobilitx.org, mobilitx.it

certbot version: 2.1.0

Appreciate any heads-up!

You need to fix your webserver configuration like the error tells you. You may get better results here if you complete all of the help template as requested instead of deleting it.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 Likes

As the LD error message shows, the HTTP port is speaking HTTPS.
AND
The HTTPS port is speaking HTTP.

The port forwarding is crisscrossed.

HTTP to port 443:

```
curl -Iik http://mobilitx.net:443
HTTP/1.1 200 OK
Date: Mon, 01 Apr 2024 14:53:43 GMT
Server: Apache/2.4.57 (Ubuntu)
Last-Modified: Sun, 31 Mar 2024 22:32:30 GMT
ETag: "29af-614fc72c6b2bd"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html
```

HTTPS to port 80:

```
curl -Iik https://mobilitx.net:80
HTTP/1.1 200 OK
Date: Mon, 01 Apr 2024 14:53:47 GMT
Server: Apache/2.4.57 (Ubuntu)
Last-Modified: Mon, 01 Apr 2024 08:40:51 GMT
ETag: "29c1-61504f2718814"
Accept-Ranges: bytes
Content-Length: 10689
Vary: Accept-Encoding
Content-Type: text/html
```
3 Likes

Hi @linkp,
here's the list of context data. I am still investigating how to solve this criss-crossed port forwarding, but no luck so far.

My domains are:

I ran this command:

sudo certbot --apache

It produced this output:

```
Domain: mobilitx.net
Type:   unauthorized
Detail: 217.182.68.2: Invalid response from http://mobilitx.net/.well-known/acme-challenge/5ov_7puJH8yeukmgHkD4DKzQZ3BgQD-Bs84gghf6o7w: 400

Domain: www.mobilitx.net
Type:   unauthorized
Detail: 217.182.68.2: Invalid response from http://www.mobilitx.net/.well-known/acme-challenge/GOED10tkBQgasm_2Cd_bKWq7xWmPfzavAH9Oo_J0fio: 400

Domain: 01.mobilitx.net
Type:   unauthorized
Detail: 217.182.68.2: Invalid response from http://01.mobilitx.net/.well-known/acme-challenge/sN6uWrVQRHIznLH4GmLr9SlydJLjzN6b9skbrW9Rmo8: 400

Domain: www.01.mobilitx.net
Type:   unauthorized
Detail: 217.182.68.2: Invalid response from http://www.01.mobilitx.net/.well-known/acme-challenge/anhVdRTB1bKj1xC7WE8lObemZJnFtHThCLaE_gzEyN0: 400
```

My web server is (include version): Apache/2.4.57 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 23.10 (GNU/Linux 6.5.0-26-generic x86_64)

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, webmin.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

The mobilitx.net.conf in sites-available looks like this (note that I have all the DNS records set up correctly on GoDaddy):

```apache
<VirtualHost *:80>

    ServerAdmin federico.marcantognini@gmail.com
    ServerName mobilitx.net
    ServerAlias www.mobilitx.net
    DocumentRoot /var/www/00

    <Directory /var/www/00>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
```

Oh, it may not be port forwarding criss-cross. You have SSL enabled in your port 80 VirtualHost. You should not.

And, I'm guessing you pre-coded a VirtualHost for port 443 but do not have SSL enabled in it. Is that right?

3 Likes

Not sure if I get the question right; I coded the virtual host .conf file as shown above, that's all I can say, I guess. Shall I change port 80 to 443?
I followed this guide:

How To Create a Self-Signed SSL Certificate for Apache in Ubuntu 20.04 | DigitalOcean

Update: I changed port 80 to 443 in the conf file shown above, but now the command:

sudo certbot --apache

returns this:

```
An unexpected error occurred:
AttributeError: can't set attribute
```

I am lost, please assist thank you

Yes. That will fix your HTTPS and leave you without HTTP. Be sure to follow through and create the necessary HTTP vhosts on port 80.

You missed a couple of key steps in that guide. I added the emphasis in the excerpt below.

Make sure that you have valid configurations for both HTTP and HTTPS and you should find things starting to work as expected.

Once you have your Let's Encrypt certificates, be sure to update your HTTPS vhost configurations to point to the appropriate certificate symlinks under /etc/letsencrypt/live/$domain.

3 Likes
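For reference, the split that this answer describes, written out as an added example (not the poster's config and not from the thread): a plain-HTTP vhost on :80 where the HTTP-01 challenge is answered, and a separate TLS vhost on :443. It assumes the poster's DocumentRoot and the paths Certbot uses by default under /etc/letsencrypt/live/ for a certificate named mobilitx.net.

```apache
# Added example, not from the thread. Plain HTTP vhost: no SSLEngine here.
# With SSLEngine on in a :80 vhost, Apache expects TLS on port 80 and answers
# plain requests (including the ACME challenge fetch) with 400 Bad Request.
<VirtualHost *:80>
    ServerName mobilitx.net
    ServerAlias www.mobilitx.net
    DocumentRoot /var/www/00

    <Directory /var/www/00>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# TLS vhost: SSLEngine belongs only here. Requires mod_ssl (a2enmod ssl) and
# Listen 443, which Ubuntu's ports.conf already provides when mod_ssl is on.
# Until the first issuance succeeds this block can point at the self-signed
# pair from the guide; afterwards switch to the Certbot symlinks shown here.
<VirtualHost *:443>
    ServerName mobilitx.net
    ServerAlias www.mobilitx.net
    DocumentRoot /var/www/00

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mobilitx.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mobilitx.net/privkey.pem

    <Directory /var/www/00>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run `apachectl configtest` before reloading; a working :80 block is also what the Certbot apache plugin copies when it generates the :443 block itself.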

Thank you, @linkp. All domains work as expected now.

4 Likes