Unable to get certificate for subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ampache.sopel.dev

I ran this command: sudo certbot

It produced this output:

http-01 challenge for ampache.sopel.dev
Waiting for verification...
Challenge failed for domain ampache.sopel.dev
http-01 challenge for ampache.sopel.dev
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ampache.sopel.dev
   Type:   unauthorized
   Detail: 185.222.21.139: Invalid response from
   http://ampache.sopel.dev/.well-known/acme-challenge/DPlm-LIGhhMcmLsLJR7jKbH72cWaUt0ErBELD28ZMKU:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
s0ap@ampache:~$

My web server is (include version):

Server version: Apache/2.4.48 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 21.10 x86_64

My hosting provider, if applicable, is:

Domain host is Njal.la

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.12.0

More information:

Hello, thank you for helping! I only found out about certbot a few weeks ago and I am very grateful that this project exists, as all of my previous ventures involved purchasing SSLs... So, what I did prior to setting up all my stuff: I started by creating a nextcloud server. Instead of adding an A record for my domain only and a CNAME for nextcloud, I added two A records, one for sopel.dev and one for nextcloud.sopel.dev. When I generated my certificate for nextcloud it worked fine, until I wanted to generate another one. I realised what a boo boo I had made and I changed my DNS settings to only have one A record and everything else as CNAMEs. When I tried generating a certificate for the issue above, it just fails. My CNAME domain for ampache resolves correctly, so that record is working. Any ideas on what to do? I have read about changing domains using certbot switches, but I am unsure about the whole process and I don't want to mess any more things up.

Thank you for the help.

EDIT: I have port 80/443 forwarded on my webserver so it's not an issue at this stage.

We need the output lines before, where it says "authenticator xxx, installer yyy".

And you should check your virtualhosts, if your apps respond to .well-known/acme-challenge instead of certbot you can get errors like that.

Thanks for getting back. There are no other output lines containing what you mentioned; it's the usual certbot stuff, the actual log starts as I copied it.

You ran sudo certbot and that's all the output? Certbot would've asked you some stuff, I think.

Like I said, the usual certbot stuff:

s0ap@ampache:/etc/apache2$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): sopeluk@hotmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ampache.sopel.dev
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ampache.sopel.dev
Performing the following challenges:
http-01 challenge for ampache.sopel.dev
Waiting for verification...
Challenge failed for domain ampache.sopel.dev
http-01 challenge for ampache.sopel.dev
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ampache.sopel.dev
   Type:   unauthorized
   Detail: 185.222.21.139: Invalid response from
   http://ampache.sopel.dev/.well-known/acme-challenge/g_sJsAaEIuhe-awKH3wyxpMCxkfJ6lzF2peJ3BunG0Y:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

ok. now check /etc/apache2

grep -ir location /etc/apache2

That's what I can see by running the command; it doesn't produce anything meaningful.

s0ap@ampache:/etc/apache2$ sudo grep -ir location /etc/apache2
/etc/apache2/conf-available/localized-error-pages.conf:#                  SetHandler directive in a <Location /> context somewhere. Adding
/etc/apache2/conf-available/localized-error-pages.conf:#                  the following three lines AFTER the <Location /> context should
/etc/apache2/conf-available/localized-error-pages.conf:#                  <Location /error/>
/etc/apache2/conf-available/localized-error-pages.conf:#                  </Location>
/etc/apache2/envvars:# temporary state file location. This might be changed to /run in Wheezy+1
/etc/apache2/apache2.conf:# ErrorLog: The location of the error log file.
/etc/apache2/mods-available/ldap.conf:<Location /ldap-status>
/etc/apache2/mods-available/ldap.conf:</Location>
/etc/apache2/mods-available/actions.conf:# Format: Action media/type /cgi-script/location
/etc/apache2/mods-available/actions.conf:# Format: Action handler-name /cgi-script/location
/etc/apache2/mods-available/status.conf:        <Location /server-status>
/etc/apache2/mods-available/status.conf:        </Location>
/etc/apache2/mods-available/proxy_balancer.conf:        #   <Location /balancer-manager>
/etc/apache2/mods-available/proxy_balancer.conf:        #   </Location>
/etc/apache2/mods-available/proxy_html.conf:# at top level, but can also be used in a <Location>.
/etc/apache2/mods-available/proxy_html.conf:# <Location /my-gateway/>
/etc/apache2/mods-available/proxy_html.conf:# </Location>
/etc/apache2/mods-available/info.conf:  <Location /server-info>
/etc/apache2/mods-available/info.conf:  </Location>

Ok, check where your virtualhost is defined. It should be somewhere in /etc/apache2/sites-enabled

s0ap@ampache:/etc/apache2/sites-enabled$ ls
000-default.conf  ampache.conf
s0ap@ampache:/etc/apache2/sites-enabled$ cat ampache.conf 
<VirtualHost *:80>

    ServerName ampache.sopel.dev
    DocumentRoot /var/www/html/ampache

    <Directory /var/www/html/ampache/>
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine on
    CustomLog /var/log/apache2/ampache.access.log common
    ErrorLog  /var/log/apache2/ampache.error.log

</VirtualHost>
s0ap@ampache:/etc/apache2/sites-enabled$ 

Ok, try this:

certbot -a webroot -i apache -w /var/www/html/ampache -d ampache.sopel.dev

Tried the command, this is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Requesting a certificate for ampache.sopel.dev
Performing the following challenges:
http-01 challenge for ampache.sopel.dev
Using the webroot path /var/www/html/ampache for all unmatched domains.
Waiting for verification...
Challenge failed for domain ampache.sopel.dev
http-01 challenge for ampache.sopel.dev
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ampache.sopel.dev
   Type:   unauthorized
   Detail: 185.222.21.139: Invalid response from
   http://ampache.sopel.dev/.well-known/acme-challenge/8uybqe4jkYxp4zkVC0Z1ZFCZXV3q_BHDyNHmv4hltMk:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Uhm. Check if there's a .htaccess in /var/www/html/ampache

There isn't one. Should I make one?

No, and check the parent directory too. Something in there is breaking this validation.

Or maybe in /var/www/html/ampache/.well-known, if it exists.

I have found the .htaccess file here:

s0ap@ampache:/var/www/html/ampache/rest$ ls -la
total 20
drwxr-xr-x  2 www-data www-data 4096 May  1 15:56 .
drwxr-xr-x 22 www-data www-data 4096 May  1 16:35 ..
-rw-r--r--  1 www-data www-data  253 Jan  8  2020 .htaccess
-rw-r--r--  1 www-data www-data 6917 Jan 30  2020 index.php
s0ap@ampache:/var/www/html/ampache/rest$ 

That shouldn't do anything.

Let's see:

grep -ir '<location ' /var/www/html

Nothing found.

What does this show? (You never showed the contents of 000-default.conf, so this might show something.)

apachectl -t -D DUMP_VHOSTS

That's the result of your command:

s0ap@ampache:~$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server localhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ampache.sopel.dev (/etc/apache2/sites-enabled/ampache.conf:1)

Contents of 000-default.conf

s0ap@ampache:~$ cat /etc/apache2/sites-enabled/000-default.conf 
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Somehow that's not being followed. Are you sure you're working on the right server? Check if curl -4 ifconfig.co and nslookup ampache.sopel.dev give the same address.

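An added script (not from the thread) that runs the check in the last reply and goes one step further: it compares this host's public IPv4 address with the address ampache.sopel.dev resolves to, then drops a throwaway token into the webroot and fetches it through the public hostname, which is the same request the Let's Encrypt validator makes. It assumes curl and getent are installed, the webroot /var/www/html/ampache shown earlier in the thread, and that it runs as root on the Apache host.

```shell
#!/bin/sh
# Added diagnostic for this thread's http-01 failure; not code from the thread.
# Assumes: run as root on the Apache host, curl and getent available, webroot
# /var/www/html/ampache (the second argument overrides it).
set -eu

# diagnose PUBLIC_IP RESOLVED_IP EXPECTED_TOKEN FETCHED_BODY
# Prints which link in the chain breaks: DNS pointing at another host, or the
# right host answering but not serving the webroot file (the thread's 404 case).
diagnose() {
    if [ -z "$1" ] || [ "$1" != "$2" ]; then
        echo "dns-mismatch"
    elif [ "$3" != "$4" ]; then
        echo "webroot-not-served"
    else
        echo "ok"
    fi
}

# Public IPv4 of this host, as in the reply above (curl -4 ifconfig.co).
public_ip() { curl -4 -s --max-time 10 https://ifconfig.co; }

# First A record for the name; getent is used instead of nslookup because its
# output is easier to parse, the answer is the same.
resolved_ip() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }

main() {
    domain=$1
    webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="selftest-$$"
    pub=$(public_ip || true)
    dns=$(resolved_ip "$domain" || true)
    # Place a token exactly where certbot's webroot plugin would, fetch it the
    # way the validator does (plain HTTP, Host header = the domain), clean up.
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body=$(curl -4 -s --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    echo "public=$pub resolved=$dns result=$(diagnose "$pub" "$dns" "$token" "$body")"
}

# Only run the network checks when a domain is given on the command line.
if [ $# -ge 1 ]; then
    main "$1" "${2:-/var/www/html/ampache}"
fi
```

Run it as `sudo sh acme-selfcheck.sh ampache.sopel.dev`; a `dns-mismatch` result means the validator is reaching a different machine, `webroot-not-served` means this Apache is reached but something in its configuration is answering the challenge path instead of the file.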