Ubuntu 22.04 Failed Authentication 404

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ajb.rocks

I ran this command: sudo certbot --apache

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: ajb.rocks
Type: unauthorized
Detail: 15.197.142.173: Invalid response from http://ajb.rocks/.well-known/acme-challenge/InCaFCHI0Xqhjr44NJOCLLsfQSIXAnYfc-YLy3rtSTc: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: None. Self hosted.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): cerbot 1.21.0

Your DNS is pointing to AWS Global Accelerator (a Load Balancer). It looks like your DNS needs updating for your new self-hosted server.

nslookup ajb.rocks

Non-authoritative answer:
Name:   ajb.rocks
Address: 3.33.152.147
Name:   ajb.rocks
Address: 15.197.142.173

I'm just getting started on learning Linux and about self hosting, so I am quite ignorant to most of this. How would I go about updating my DNS?

Who is your domain name registrar? Setup your DNS there.

You may have bought a service that uses AWS "underneath". If that's the case your questions are best addressed to that service provider.

I got the domain through GoDaddy.

How did the DNS get pointed to AWS Global?

The only thing that I have messed with that possibly could have pointed it to AWS is my attempt at resolving this by using Bind9 and following the direction here Service - Domain Name Service (DNS) | Ubuntu

It did tell me to change my DNS to my ISP's DNS server.

Other then that, I don't know.

I don't know how to help you. To use the HTTP challenge to get a cert you must have a working website accessible using HTTP. But, AWS is responding to http requests, not your Apache server on Ubuntu. See curl test below.

As another note, normally with AWS Global Accel it terminates SSL (TLS) connections at its edge. I think you are better off asking GoDaddy some questions how this got setup.

curl -i ajb.rocks/.well-known/acme-challenge/ForumTest123

HTTP/1.1 404 Not Found
Date: Fri, 10 Jun 2022 02:37:53 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 125
Connection: keep-alive
Server: ip-10-123-123-198.ec2.internal
X-Request-Id: 32995df2-23e5-4662-90d3-0e45bf1a0a2a

<!DOCTYPE HTML><html lang='en-us'><head><title>** Not Found **</title></head><body>HTTP Status: 404 (not found)</body></html>

Thanks for the effort and guidance. I'll see if this post gets any more input from others before I reach out to GoDaddy.

Does the below page mean anything to you? Especially 5e.Tools. This is what your domain is replying with as a "home page".

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head>
<title>** Private clone of 5e.Tools **</title>
<meta name="description" content="This is a website is for private use only." /><meta name="keywords" content="" /></head>
<frameset rows="100%,*" border="0">
<frame src="http://45.23.186.64" frameborder="0" /></frameset></html>

Yeah, that information was input by me in the Forwarding options for the domain on GoDaddy's website.The 5e.tools is the website I'm rehosting on my own box.

Are you using some sort of "URL Redirect" at GoDaddy DNS?

If so, you need to change that to use A records to point to your server IP directly.

Possibly? I think what I filled out was how to point the domain to a specific IP address. The field is specifically called Forwarding, Domain, which gives me an option to forward an http:// and/or an https://. So far, I've only forwarded an http:// to my IP address and have done nothing with the https:// option.

That sounds like URL forwarding. Your domain name must point to a specific IP address and you use A (and AAAA records for IPv6) to do that. You don't have that so contact GoDaddy on how to do it.

Will do. Thanks.

I'm looking at the DNS records on the Domain Settings in GoDaddy's panel. I see the two IP address you referred to as AWS IPs. When I contact GoDaddy, what should I request them changed to?

The two IPS are:
15.197.142.173
3.33.152.147

The public IP for your self-hosted server.

Resolved!

The DNS Records for Type A and Type AAAA were un-editable on the GoDaddy site because I had a Forwarding rule set up. Once I deleted that rule, I was able to edit my A and AAAA DNS settings successfully. After the changes took effect, certbot was able to successfully deploy a certificate.

Well good. But did you change anything after getting the cert? Because a Let's Debug test currently fails so future renewals don't look like they would work

For me...
IPv4 works, but IPv6 fails:

curl -Ii4 ajb.rocks
HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Jun 2022 13:39:54 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://ajb.rocks/
Content-Type: text/html; charset=iso-8859-1

curl -Ii6 ajb.rocks
curl: (56) Recv failure: Connection reset by peer

Name:      ajb.rocks
Addresses: 2600:1700:4420:f010:766:1af:33b9:40a5
           45.23.186.64
Aliases:   www.ajb.rocks