Unable to install certbot on Ubuntu 22.04 Apache

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: djt.asia and www.djt.asia

I ran this command: sudo certbot certonly --apache -v

It produced this output:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 13:49:08 GMT
Content-Type: application/json
Content-Length: 800
Connection: keep-alive
Boulder-Requester: 2064688647
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: nHAuMvoxn8NN97zbC_Q_kgkDXAZZoa30XRGc_IfdRIV6SVpwjpw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "djt.asia"
},
"status": "valid",
"expires": "2024-12-19T13:44:23Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/432425620327/b42Gnw",
"status": "valid",
"validated": "2024-11-19T13:44:22Z",
"token": "AIWHD7EBZW0ldMonOOeH_y2l_t-he1eTPg0kobAnt5k",
"validationRecord": [
{
"url": "http://djt.asia/.well-known/acme-challenge/AIWHD7EBZW0ldMonOOeH_y2l_t-he1eTPg0kobAnt5k",
"hostname": "djt.asia",
"port": "80",
"addressesResolved": [
"103.172.237.210",
"3.33.130.190",
"15.197.148.33"
],
"addressUsed": "103.172.237.210"
}
]
}
]
}
2024-11-19 13:49:08,490:DEBUG:acme.client:Storing nonce: nHAuMvoxn8NN97zbC_Q_kgkDXAZZoa30XRGc_IfdRIV6SVpwjpw
2024-11-19 13:49:08,491:DEBUG:acme.client:JWS payload:
b''
2024-11-19 13:49:08,495:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/432427101087:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjA2NDY4ODY0NyIsICJub25jZSI6ICJuSEF1TXZveG44Tk45N3piQ19RX2tna0RYQVpab2EzMFhSR2NfSWZkUklWNlNWcHdqcHciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzQzMjQyNzEwMTA4NyJ9",
"signature": "R_Je0RD1wKJUOk1rID8gv4C_8zSco_ba0LEqDnnHXP44T75BcP-hkXPCT5pa3rup4N13sJgqXy5tFV_QfRCE4Zz9nt_ZtC8fRRSZvuOeMJAgRakO6O3oYMo38oQu9ZRcWqj_3ajVh_TdSAzfsmrS6vyjHqwH_ZHwZy72-ExPzuGydQ1n0ApOpKkZp4VYgsFJQFB-qGpCbzfdZLfSsTGbkCTK1a0KzAUUWwfQJxS3RcrYtae4uH5HH-1BbapKV9pKSUIvt_VSTXnuRUGkBbhdevFEO0URDsnSnZUmv75nRRRplSCsJQalucpfIYJZSwYFvkK9RIDMP17tb5P1TaW1Eg",
"payload": ""
}
2024-11-19 13:49:08,701:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/432427101087 HTTP/1.1" 200 1117
2024-11-19 13:49:08,703:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Nov 2024 13:49:08 GMT
Content-Type: application/json
Content-Length: 1117
Connection: keep-alive
Boulder-Requester: 2064688647
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: nHAuMvoxPSgUbKOk5x_VW_LkpErBeXweCwGgPQujL9nz57RNbhg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "www.djt.asia"
},
"status": "invalid",
"expires": "2024-11-26T13:49:02Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/432427101087/vzX3Kg",
"status": "invalid",
"validated": "2024-11-19T13:49:07Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "During secondary validation: 15.197.148.33: Fetching http://www.djt.asia/.well-known/acme-challenge/FTaQbUayjM8dXkscncfHZqmwF6YUUwjr2E0S839TTcY: Error getting validation data",
"status": 400
},
"token": "FTaQbUayjM8dXkscncfHZqmwF6YUUwjr2E0S839TTcY",
"validationRecord": [
{
"url": "http://www.djt.asia/.well-known/acme-challenge/FTaQbUayjM8dXkscncfHZqmwF6YUUwjr2E0S839TTcY",
"hostname": "www.djt.asia",
"port": "80",
"addressesResolved": [
"103.172.237.210",
"3.33.130.190",
"15.197.148.33"
],
"addressUsed": "103.172.237.210"
}
]
}
]
}
2024-11-19 13:49:08,703:DEBUG:acme.client:Storing nonce: nHAuMvoxPSgUbKOk5x_VW_LkpErBeXweCwGgPQujL9nz57RNbhg
2024-11-19 13:49:08,704:INFO:certbot._internal.auth_handler:Challenge failed for domain www.djt.asia
2024-11-19 13:49:08,705:INFO:certbot._internal.auth_handler:http-01 challenge for www.djt.asia
2024-11-19 13:49:08,705:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.djt.asia
Type: connection
Detail: During secondary validation: 15.197.148.33: Fetching http://www.djt.asia/.well-known/acme-challenge/FTaQbUayjM8dXkscncfHZqmwF6YUUwjr2E0S839TTcY: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Hi @nguyencongtriet, and welcome to the LE community forum :slight_smile:

That usually means some sort of Geo-Blocking is in place.
The HTTP ACME challenge requests must be allowed from the entire Internet.

That being said, why are there three IPs?:


The IPs appear to belong to AWS Global Accelerator. If it works like Cloudflare, it shouldn't be a problem on its own, although it is possible that it has geo-blocking rules configured.


Yes, at least the bottom 2. We often see this with people hosting on GoDaddy. Their DNS is set up in Wild West Domains which, I believe, is owned by GoDaddy.

They need to remove that feature so that there is just the public IP for their server. Maybe this post will help them:


Hi
I have used GoDaddy for my domain name and I did change my A record to the new IP 103.172.237.210; however, I don't know why it is still there.
I have checked with GoDaddy and they confirm they did remove the 2 old IPs, but they are still there when I try to apply for the cert.
Any advice for me please?

Would be appreciated.

Did you try the advice in this post? Especially the part about removing the "parking" A record?

Because you still have 3 IPs in your DNS:
https://unboundtest.com/m/A/djt.asia/VDANQ2FW

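The diagnosis in this thread (a name with several A records, where a Let's Encrypt validation perspective lands on an address that never serves the token) as an added Python example, not from the thread and not certbot's own code: it summarises a logged authorization object like the one above and, with network access, fetches the challenge URL from every A record so a stray parking or accelerator address shows up before the CA tries it. The function names are mine; the sample authorization is trimmed from the log above.

```python
import json
import socket
import urllib.request

# Constructed sample: trimmed copy of the failed www.djt.asia authorization logged above.
SAMPLE_AUTHZ = """{"identifier": {"type": "dns", "value": "www.djt.asia"}, "status": "invalid",
 "challenges": [{"type": "http-01", "status": "invalid",
  "error": {"type": "urn:ietf:params:acme:error:connection", "detail":
   "During secondary validation: 15.197.148.33: Fetching http://www.djt.asia/.well-known/acme-challenge/FTaQbUayjM8dXkscncfHZqmwF6YUUwjr2E0S839TTcY: Error getting validation data"},
  "validationRecord": [{"hostname": "www.djt.asia", "port": "80",
   "addressesResolved": ["103.172.237.210", "3.33.130.190", "15.197.148.33"],
   "addressUsed": "103.172.237.210"}]}]}"""

def addresses_from_authz(authz_json):
    """Per challenge: the addresses the CA resolved, the one it used for the
    primary fetch, and the one its error detail names (Boulder prefixes the
    detail with the address a validation perspective actually tried)."""
    summary = {}
    for ch in json.loads(authz_json).get("challenges", []):
        rec = (ch.get("validationRecord") or [{}])[0]
        detail = ch.get("error", {}).get("detail", "")
        resolved = rec.get("addressesResolved", [])
        summary[ch["type"]] = {
            "status": ch["status"],
            "resolved": resolved,
            "used": rec.get("addressUsed"),
            "failing": next((ip for ip in resolved if ip in detail), None),
        }
    return summary

def extra_addresses(resolved, own_ip):
    """A records the CA saw that are not the server you run; non-empty means trouble."""
    return [ip for ip in resolved if ip != own_ip]

def probe_all_records(hostname, token, timeout=5):
    """Live check (needs network): fetch the challenge URL from every A record
    by IP, with the Host header set so name-based vhosts still match.
    Returns {ip: HTTP status or error text}; every entry should be 200."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 80, socket.AF_INET)})
    results = {}
    for ip in ips:
        url = f"http://{ip}/.well-known/acme-challenge/{token}"
        req = urllib.request.Request(url, headers={"Host": hostname})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[ip] = resp.status
        except Exception as exc:  # refused, timeout, HTTP error, geo-block
            results[ip] = f"{type(exc).__name__}: {exc}"
    return results
```

Run `probe_all_records("www.example.test", "<token from the certbot log>")` while certbot is waiting on the challenge, or place any test file under /.well-known/acme-challenge/ and use its name; any address that does not return 200 is one the CA can also hit.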
