I tried to obtain a new certificate for a lapsed Let’s Encrypt SSL. I’ve never done this before (someone else set up the site and the SSL).
Once I ssh’d into the server, I ran `sudo add-apt-repository ppa:certbot/certbot` followed by `sudo apt-get update` and then `sudo apt-get install python-certbot-apache`.
It did its thing. I agreed to terms, etc., and it produced this output.
The file exists within the /.well-known/acme-challenge/ folder; however, the HTTP request redirects to HTTPS and then produces a 404.
Given that I am a novice at this, I don’t know what to do next and could use any step-by-step instructions.
The site is live on a CloudFlare SSL with weaker settings than it was before the Let’s Encrypt SSL lapsed without warning.
I think there’s a command and maybe some output missing from your description, after `sudo apt-get install python-certbot-apache` … (mainly I want to know if you actually used the apache plugin, or webroot)
Could you please also answer the other questions from the questionnaire, if you can?
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
At that point, I input `sudo apt-get install python-certbot-apache` and it went through a bunch of lines. There are a few questions it asks along the way about continuing, then a bunch more lines about unpacking, selecting and preparing; then I input `sudo certbot --apache -d smartjusticeaz.org`, following these instructions.
It asked for my email address; I accepted the terms and declined to share my email address, which led to the pastebin link output.
Okay, so you used the apache plugin. That should try to temporarily modify one of your Apache VirtualHosts to answer the domain validation challenge. If it doesn’t work as in your case, it may be that it’s picking the wrong one for some reason. Could you share the output of `sudo apachectl -S` and/or any relevant-looking parts of your Apache configuration?
Alternatively if you know where your DocumentRoot is, you could try the webroot plugin instead, although you would need to install the new certificate yourself if the apache plugin isn’t working. If you want to try that:
Hm. Nothing on port 443 at all? Is Apache even listening on port 443? You weren’t using Cloudflare before? What was handling the HTTPS traffic previously? Do you have a second webserver on the machine?
I don’t know they used CloudFlare prior, but it goes domain -> CloudFlare -> DigitalOcean with Let’s Encrypt on DigitalOcean. I set CloudFlare from Full (Strict) to Full to get it back online since the Let’s Encrypt SSL expired.
I don’t know how it was specifically set up previously. When I `ls` under /var/www/, the folders html and wordpress are separate.
I’m not sure how to check how it handles the acme-challenge requests. It comes up as 404 when trying to renew the cert, and the HTTP request forwards to HTTPS and then renders a 404.
There’s no HTTPS vhost, as far as I can see from the apachectl output … HTTPS is being handled by Cloudflare. But - again as far as I can tell from the above - Apache isn’t even listening on port 443, so neither of Cloudflare’s “Full” or “Full (Strict)” modes should be working… Are you sure it’s not set to “Flexible”?
For testing, try adding this ‘1234’ file in the expected challenge folder:

```
mkdir /var/www/wordpress/html/.well-known
mkdir /var/www/wordpress/html/.well-known/acme-challenge
echo "testing" > /var/www/wordpress/html/.well-known/acme-challenge/1234
```

With any luck, it will be accessible via (both): http://smartjusticeaz.org/.well-known/acme-challenge/1234
(which should redirect to) https://smartjusticeaz.org/.well-known/acme-challenge/1234
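An added example, not from this thread and not the poster’s configuration, of how an HTTP-only Apache VirtualHost can keep the ACME challenge path answerable over plain HTTP while every other request is still redirected to HTTPS, which is the failure pattern described above (HTTP redirects to HTTPS, then 404). The DocumentRoot, the separate /var/www/acme-challenge directory and the www ServerAlias are assumptions.

```apache
# Added example: serve HTTP-01 challenge files on port 80 and exempt them
# from the HTTPS redirect. Requires mod_alias and mod_rewrite
# (sudo a2enmod rewrite on Debian/Ubuntu). Paths are assumptions.
<VirtualHost *:80>
    ServerName smartjusticeaz.org
    ServerAlias www.smartjusticeaz.org
    DocumentRoot /var/www/wordpress/html

    # Keep challenge tokens in their own directory, outside the CMS tree,
    # so a CMS rewrite rule or .htaccess cannot swallow the request.
    Alias /.well-known/acme-challenge/ /var/www/acme-challenge/
    <Directory /var/www/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    # The CA validates over plain HTTP; leave the challenge path alone
    # and only redirect everything else to HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After `sudo apachectl configtest` and a reload, `sudo certbot certonly --webroot -w /var/www/acme-challenge -d smartjusticeaz.org` would place its token in that directory; as noted earlier in the thread, the webroot plugin leaves installing the issued certificate into an HTTPS VirtualHost to you.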