Unable to generate a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: reprotechnique.org

I ran this command: certbot --apache -d reprotechnique.org -d gestsup.reprotechnique.org

It produced this output:

root@SRV-GESTSUP-IT:/home/gestsup# certbot --apache -d reprotechnique.org -d gestsup.reprotechnique.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for reprotechnique.org and gestsup.reprotechnique.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: reprotechnique.org
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "wroYAx7bPmOkhaK5HjrtGCPrxk8eVlv8u_bT0srzPjU.Z0ruE_ldDuHiB12pXSLzUeRZZhHXy37p4Hg_DfJyN2g" (got "wroYAx7bPmOkhaK5HjrtGCPrxk8eVlv8u_bT0srzPjU.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8")

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@SRV-GESTSUP-IT:/home/gestsup#

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): 12.1

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, without control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

OVH Cloud
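
The "did not match this challenge" line in the output above carries more information than it looks like. Per RFC 8555 section 8.1 a key authorization is `token || "." || base64url(JWK_Thumbprint(account key))`, so the two quoted strings can be compared half by half: here the token prefix is identical and only the thumbprint suffix differs, which means whatever host answered on port 80 served a key authorization for a different ACME account key, not a missing or stale file. The following is an added example (not certbot's code and not from the thread) that makes that comparison and also computes an RFC 7638 thumbprint so the structure of the string is visible; the error text is copied from the post above, and the sample JWK in the test is constructed.

```python
"""Interpret an ACME HTTP-01 "key authorization ... did not match" error.

Added example, not part of the forum thread. Per RFC 8555 section 8.1 the file
served at /.well-known/acme-challenge/<token> must contain
    token || "." || base64url(JWK_Thumbprint(account public key))
so comparing the 'Expected' and 'got' halves tells you whether the wrong token
was served (missing/stale file) or whether another ACME client, using a
different account key, answered for the name.
"""
from __future__ import annotations

import base64
import hashlib
import json
import re

# Error text copied from the certbot output in the thread.
CERTBOT_DETAIL = (
    'The key authorization file from the server did not match this challenge. '
    'Expected "wroYAx7bPmOkhaK5HjrtGCPrxk8eVlv8u_bT0srzPjU.Z0ruE_ldDuHiB12pXSLzUeRZZhHXy37p4Hg_DfJyN2g" '
    '(got "wroYAx7bPmOkhaK5HjrtGCPrxk8eVlv8u_bT0srzPjU.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8")'
)

_DETAIL_RE = re.compile(r'Expected "([^"]+)" \(got "([^"]+)"\)')


def split_key_authorization(keyauth: str) -> tuple[str, str]:
    """Return (token, account_key_thumbprint) from a key authorization string."""
    token, sep, thumbprint = keyauth.partition(".")
    if not sep or not token or not thumbprint:
        raise ValueError(f"not a key authorization: {keyauth!r}")
    return token, thumbprint


def diagnose_mismatch(detail: str) -> dict:
    """Classify a certbot 'did not match' detail line.

    verdict is one of:
      'other_acme_account'   same token, different thumbprint: the host that
                             answered holds a different ACME account key, i.e.
                             another client or another machine answers for the name
      'stale_or_wrong_token' token differs: the wrong challenge file was served
      'malformed_response'   what came back is not token.thumbprint at all
    """
    m = _DETAIL_RE.search(detail)
    if not m:
        raise ValueError("no Expected/got pair found in detail")
    expected, got = m.group(1), m.group(2)
    exp_token, exp_thumb = split_key_authorization(expected)
    try:
        got_token, got_thumb = split_key_authorization(got)
    except ValueError:
        return {"verdict": "malformed_response", "expected": expected, "got": got}
    if got_token == exp_token and got_thumb != exp_thumb:
        verdict = "other_acme_account"
    elif got_token != exp_token:
        verdict = "stale_or_wrong_token"
    else:
        verdict = "match"  # cannot occur in a failure report, but be explicit
    return {"verdict": verdict, "token": exp_token,
            "expected_thumbprint": exp_thumb, "got_thumbprint": got_thumb}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token: str, account_jwk: dict) -> str:
    """Build the string the challenge file must contain for this account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


if __name__ == "__main__":
    print(diagnose_mismatch(CERTBOT_DETAIL))
```

Run against the thread's own error text this reports `other_acme_account`: the token Let's Encrypt asked for was served back correctly, but with a thumbprint of some other account key, which is consistent with the later finding that the apex name resolves to a shared-hosting cluster rather than to this Apache.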

An "OVHcloud" server replies to requests to your domain name.

Request to: reprotechnique.org/213.186.33.104, Result: [Address=213.186.33.104,Address Type=IPv4,Server=OVHcloud

To get a cert using the --apache method, your Apache system needs to reply. The DNS A record is probably wrong. It should be the public IP for your Apache server.

2 Likes

I don't know what 213.186.33.104 is; I have another public IP address.
On the OVH Cloud provider I have an A record for gestsup.reprotechnique.org pointing to X.X.X.X, the public IP address.
I can access the web server on the internet with the public IP address: http://X.X.X.X . I have a NAT on the firewall interface X.X.X.X on ports 80 & 443 which is forwarded to the internal IP address of the web server.

That is the value of the A record in your public DNS right now for your domain. Normally that should be the public IP for your Apache server.

reprotechnique.org.	3600	IN	A	213.186.33.104

You didn't provide any details in your description of your network config (just XXXX) so I can't comment on that. Do HTTP requests to your domain show up in your Apache access log?

Like

curl -i http://reprotechnique.org/Test404
2 Likes

Hi @ServiceInformatique,

From the machine running your Apache server
you can check what the Internet-visible IP addresses are with:

curl -4 ifconfig.me
curl -6 ifconfig.me

and/or

curl -4 ifconfig.co
curl -6 ifconfig.co

and/or

curl -4 ifconfig.io
curl -6 ifconfig.io

And then adjust your DNS A Records and AAAA Records (if any) to match.

2 Likes

Another thing I found here SSL Checker is

Common Name: cluster007.hosting.ovh.net
SANs: DNS:cluster007.hosting.ovh.net

Total number of SANs: 1

And curl -Ii http://reprotechnique.org/.well-known/acme-challenge/sometestfile I get

HTTP/1.1 404 Not Found
date: Sat, 19 Jul 2025 17:32:51 GMT
content-type: text/html; charset=iso-8859-1
server: OVHcloud
x-iplb-request-id: 49A4D899:7CEE_D5BA2168:0050_687BD6C3_24C83:1D55
x-iplb-instance: 51792

This response I do not believe is from Apache; it says server: OVHcloud, however I do not know if OVH is using Apache or not.

Edit

Yet curl -Ii http://gestsup.reprotechnique.org/.well-known/acme-challenge/sometestfile yields this

HTTP/1.1 404 Not Found
Date: Sat, 19 Jul 2025 17:42:31 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

$ nmap -Pn -p80,443 reprotechnique.org
Starting Nmap 7.94 ( https://nmap.org ) at 2025-07-19 10:44 PDT
Nmap scan report for reprotechnique.org (213.186.33.104)
Host is up (0.16s latency).
rDNS record for 213.186.33.104: basic-cdn-01.cluster007.ovh.net

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
$ nmap -Pn -p80,443 gestsup.reprotechnique.org
Starting Nmap 7.94 ( https://nmap.org ) at 2025-07-19 10:44 PDT
Nmap scan report for gestsup.reprotechnique.org (157.143.148.200)
Host is up (0.15s latency).

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.58 seconds

It seems they are different machines, which is fine if they each respond properly for the ACME Challenges.

2 Likes
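
The two posts above describe a manual procedure: find the address this server is reachable on (`curl -4 ifconfig.me` from the Apache host, or the firewall's NAT address), compare it with the A/AAAA records the public DNS returns for each name, then probe `/.well-known/acme-challenge/<anything>` and look at who answers. The following is an added example (not the thread's code and not a Let's Encrypt tool) that turns those three facts into a per-domain verdict on whether an HTTP-01 challenge answered by this Apache can succeed. The sample observations are constructed from the values posted in the thread (the apex resolving to 213.186.33.104 with `Server: OVHcloud`, the subdomain resolving to 157.143.148.200 with `Server: Apache`); the `collect_live` helper that gathers the same facts over the network is optional and is not used by the offline evaluation.

```python
"""Per-domain HTTP-01 reachability check from three observations:
  * the A/AAAA records public DNS returns for the name,
  * the public addresses this host is reachable on,
  * what answered a probe of /.well-known/acme-challenge/<anything>.

Added example, not from the thread. SAMPLE is constructed from the addresses
and Server headers posted in the thread; collect_live() is an optional
network helper and is not used by the offline evaluation.
"""
from __future__ import annotations

import socket
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Observation:
    domain: str
    dns_addresses: list[str]          # A/AAAA answers from public DNS
    probe_server_header: str | None   # Server: header of the acme-challenge probe, None if no answer
    probe_status: int | None          # HTTP status of that probe, None if no answer


# This host's public address (the firewall NAT address posted in the thread).
THIS_HOST_PUBLIC = {"157.143.148.200"}

# Constructed from the thread: apex at OVH shared hosting, subdomain at the NAT address.
SAMPLE = [
    Observation("reprotechnique.org", ["213.186.33.104"], "OVHcloud", 404),
    Observation("gestsup.reprotechnique.org", ["157.143.148.200"], "Apache", 404),
]


def evaluate(obs: Observation, my_public: set[str], expected_server: str = "Apache") -> tuple[bool, str]:
    """Return (can_pass, reason) for an HTTP-01 challenge answered by this host."""
    if not obs.dns_addresses:
        return False, "no A/AAAA record: the CA cannot find the host at all"
    # The CA may pick any published address, so every one of them must be ours.
    foreign = [a for a in obs.dns_addresses if a not in my_public]
    if foreign:
        return False, (f"DNS points at {', '.join(foreign)}, not at this host "
                       f"({', '.join(sorted(my_public))})")
    if obs.probe_server_header is None:
        return False, "no HTTP answer on port 80: check NAT/firewall forwarding"
    if expected_server.lower() not in obs.probe_server_header.lower():
        return False, (f"port 80 answered by '{obs.probe_server_header}', not this Apache "
                       f"(proxy or load balancer in front?)")
    return True, "DNS and port 80 both reach this Apache; a 404 for an unknown token is expected"


def evaluate_all(observations: list[Observation], my_public: set[str] = THIS_HOST_PUBLIC) -> dict[str, tuple[bool, str]]:
    return {o.domain: evaluate(o, my_public) for o in observations}


def collect_live(domain: str, timeout: float = 5.0) -> Observation:
    """Optional network collection: resolve the name and HEAD the challenge path."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)})
    except socket.gaierror:
        addrs = []
    req = urllib.request.Request(f"http://{domain}/.well-known/acme-challenge/connectivity-probe",
                                 method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Observation(domain, addrs, resp.headers.get("Server"), resp.status)
    except urllib.error.HTTPError as e:          # 404 etc. still tells us who answered
        return Observation(domain, addrs, e.headers.get("Server"), e.code)
    except (urllib.error.URLError, OSError):
        return Observation(domain, addrs, None, None)


if __name__ == "__main__":
    for domain, (ok, why) in evaluate_all(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'} {domain}: {why}")
```

On the constructed sample this fails the apex (DNS points at an address that is not this host) and passes the subdomain, which matches the thread's conclusion that only `gestsup.reprotechnique.org` should be requested from this machine. Replace `THIS_HOST_PUBLIC` with whatever `curl -4 ifconfig.me` (and `curl -6 ifconfig.me`, if the host has IPv6) prints, and feed `collect_live(name)` results in place of `SAMPLE` to check real names.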

Yeah, the x-iplb headers are likely replies from a Load Balancer (ipLB).

If their Apache sits behind one we need to know that so we can explain how to handle that. But, it sounds to me like they just haven't updated the DNS for their Apache.

We need more info :slight_smile:

2 Likes

Hello,

We have this domain for the customer “REPROTECHNIQUE SCOP”: reprotechnique.org; the registrar is OVH.

We have a data center in France (not OVH); in this data center we have a virtual machine for the ITSM “Gestsup”.

We have made a NAT on the firewall from the public IP address 157.143.148.200 => the private IP address of the virtual machine. Ports 80 & 443 are open and forwarded to the private IP address of the virtual machine, 192.168.255.19.

We have created A entries on OVH: public IP address = gestsup and also public IP address = tickets.

Currently, we can reach the Gestsup web server with these links: http://gestsup.reprotechnique.org https://tickets.reprotechnique.org http://157.143.148.200

We can also, via VPN or on site, connect to the web server with this link: http://192.168.255.19

We are stuck on the certificate part.

Thanks in advance,

Cordialement, Best Regards,

That is the IP address of the apex domain reprotechnique.org.
It is crucial that you know which server is serving the pages for that domain before attempting to generate a certificate for it.

Alternatively, if you do not care about this domain then simply do not try generating a certificate for it.

So instead of:

do:
certbot --apache -d gestsup.reprotechnique.org

4 Likes