The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot

When I try to add a new SSL certificate or renew the existing one, I receive the following error:

"The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet."

I had installed it without any issues three months ago. I tried solutions from similar topics, reinstalled Certbot and Apache (along with all settings), but I couldn't resolve the issue.

There is only one site running on the server. What could be the problem?

Thanks in advance.

Note: If I manually add a file to the .well-known/acme-challenge/ folder, I can access it via HTTP.

This is the VirtualHost setting:

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName bote1.hacettepe.edu.tr
    ServerAlias bote1.hacettepe.edu.tr

    DocumentRoot /var/www/html
    DirectoryIndex index.html index.php

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

My domain is: bote1.hacettepe.edu.tr

I ran this command: sudo certbot --apache

It produced this output: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache/2.4.58 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): na

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1

It is some kind of connection problem on your end. Likely a firewall or similar.

The Let's Debug test site cannot reach you with HTTP (port 80): Let's Debug

And, SSL Labs test for HTTPS (port 443) also fails: SSL Server Test: bote1.hacettepe.edu.tr (Powered by Qualys SSL Labs)

It looks like all connections from the public internet are failing. You should probably contact network support at the university.


Oh, I see now the problem with HTTP (port 80) is due to a Palo Alto brand firewall. If you don't know about one, your network support will.

I can reach your domain using a test URL similar to an HTTP Challenge. But, if I have a user-agent string similar to Let's Encrypt the request fails.

You must enable the "acme-protocol" in the Palo Alto's Applications setting.

We have seen many of these problems, but not that many this year. Although we have now seen a few in recent months, so I hope this does not become frequent again. For another recent thread see: Renewal stopped working - #5 by MikeMcQ

Show this to your network support. Both of these curl requests should get a '404'.

# Default curl user-agent gets expected 404
curl -i http://bote1.hacettepe.edu.tr/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Server: Apache/2.4.58 (Ubuntu)

# With a Let's Encrypt user-agent it fails
curl -i http://bote1.hacettepe.edu.tr/.well-known/acme-challenge/Test404 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
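The two-agent comparison above, turned into a small POSIX sh script as an added example (not from the thread or from Certbot): it requests a random token under the acme-challenge path once with curl's default User-Agent and once with the Let's Encrypt validation User-Agent quoted above, then classifies the pair of results into the cases this thread went through (both 404, only the Let's Encrypt agent dropped, everything unreachable). The script name and the classification wording are my own.

```shell
#!/bin/sh
# Added example: automate the default-UA vs Let's Encrypt-UA probe from this thread.
# The path and the Let's Encrypt User-Agent string are the ones quoted in the posts.
LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe HOST [UA] -> prints "HTTP <status>" or, on a transport error, "CURL <exit code>"
probe() {
  _host=$1
  _ua=$2
  # Random token: a healthy server answers 404; nothing can be served from a cache
  _url="http://$_host/.well-known/acme-challenge/probe-$$-$(date +%s)"
  if [ -n "$_ua" ]; then set -- "$_url" -A "$_ua"; else set -- "$_url"; fi
  if _status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$@"); then
    echo "HTTP $_status"
  else
    echo "CURL $?"      # 56 = connection reset by peer, 7 = refused, 28 = timeout
  fi
}

# classify DEFAULT_RESULT LE_RESULT -> one-line diagnosis
classify() {
  if [ "$1" = "$2" ]; then
    case "$1" in
      "HTTP 404") echo "ok: path reachable for both agents (404 is the expected answer for a random token)" ;;
      HTTP*)      echo "reachable: both agents get $1; confirm any redirect ends at this Apache server" ;;
      *)          echo "unreachable: port 80 fails for every client ($1); check firewall, NAT and DNS" ;;
    esac
    return 0
  fi
  case "$1|$2" in
    HTTP*"|CURL"*) echo "ua-filter: only the Let's Encrypt agent is dropped ($2); a firewall is matching on User-Agent" ;;
    CURL*"|HTTP"*) echo "odd: default agent fails ($1) but the Let's Encrypt agent passes; re-run the probe" ;;
    *)             echo "mismatch: $1 vs $2; inspect Apache vhosts and redirects" ;;
  esac
}

# Usage: sh probe_acme.sh HOSTNAME   (with no argument only the functions are defined)
if [ -n "$1" ]; then
  _default=$(probe "$1")
  _le=$(probe "$1" "$LE_UA")
  echo "default UA : $_default"
  echo "LE UA      : $_le"
  classify "$_default" "$_le"
fi
```

Run it from outside the university network, since the firewall in this thread sat between the public internet and the server; a "ua-filter" result is the Palo Alto acme-protocol case, an "unreachable" result is the earlier Let's Debug failure.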

Thank you Mike. This was very helpful. It also explains why it suddenly stopped working. I will ask network support to enable acme-protocol.


Dear Mike, IT enabled acme-protocol, but the problem still exists. Now I get a 404 error when I try with the Let's Encrypt user-agent. I have also checked Apache's access log, but there are no requests to the temporary URL generated by Certbot. It seems the issue is still related to the firewall. Do you have any other suggestions I can check? Thanks.

That is not the same problem but it is good the request now reaches your server.

Let's review your Apache config. What does this show?

sudo apache2ctl -t -D DUMP_VHOSTS

Here is the result:

VirtualHost configuration:
*:443                  bote1.hacettepe.edu.tr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   bote1.hacettepe.edu.tr (/etc/apache2/sites-enabled/000-default.conf:1)

Now I can also confirm that it is not related to the firewall, as I have another server in the network that renewed its certificate successfully.


Before we proceed, do you need a new cert just for that domain?

Because HTTPS requests to your domain are using a wildcard cert for the university. See: https://decoder.link/sslchecker/bote1.hacettepe.edu.tr/443

Have you decided to use that instead?

If you don't see any requests in the access log then maybe the domain name DNS IP is no longer pointing to your Apache server? Is that possible?


Yes, while discussing with the IT department, we found this solution. Students need to access the server, and the Let's Encrypt certificate was set to expire in two days.

The server's DNS settings were as follows at first, but later I also tried with the default DNS settings. Could this be related?

DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8 8.8.4.4

In any case I will work on it again after the semester ends. Thanks again for your time.

