Unable to pass challenge test to obtain new certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bulutum.duranonline.net

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: bulutum.duranonline.net
2: www.bulutum.duranonline.net


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bulutum.duranonline.net
Waiting for verification…
Challenge failed for domain bulutum.duranonline.net
http-01 challenge for bulutum.duranonline.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): apache 2.4.41-1

The operating system my web server runs on is (include version): Manjaro linux (arch derivative / rolling release, up-to-date)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0, certbot-apache 0.39.0-1

Having read some previously posted questions with similar problems, I can access test.txt by http://bulutum.duranonline.net/test.txt, which is placed under my web root (/srv/http).

Additionally, I deleted the AAAA record from my DNS provider (dyn.com) which contained an IPv6 address, to no avail. The IPv4 address is spelled correctly in my DNS record, and I pass the http-01 and dns-01 tests at letsdebug.net but fail the TLS test, obviously.

Your help and guidance will be very much appreciated!

Hi @hakayova

Checking your configuration, that looks ok - https://check-your-website.server-daten.de/?q=bulutum.duranonline.net

It's your first certificate, no older found. http / port 80 answers, /.well-known/acme-challenge/random-filename has the expected result http status 404 - Not Found.

If that doesn't work, Certbot may not understand your vHost configuration.

What is the output of

apachectl -S

PS: One problem: Your vHost has two domain names (non-www and www). But you have only the non-www DNS entry. So Certbot may not find a vHost with the same set of domain names you want to use to create your certificate.

  • Remove the ServerAlias with the www (or)
  • Add a new DNS A-record with the www

Thank you so much @JuergenAuer for your quick response.

$sudo apachectl -S
VirtualHost configuration:
127.0.0.1:80           bulutum.duranonline.net (/etc/httpd/conf/extra/httpd-vhosts.conf:40)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/srv/http"
Main ErrorLog: "/var/log/httpd/error_log"
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default 
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="http" id=33
Group: name="http" id=33

I commented out the server alias from the virtual server config file and restarted the httpd service and retried certbot but it failed with a similar message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: bulutum.duranonline.net


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bulutum.duranonline.net
Waiting for verification…
Challenge failed for domain bulutum.duranonline.net
http-01 challenge for bulutum.duranonline.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

That looks wrong.

Use

*:80

so every IP address is used.

PS: The config looks ok, no duplicated vHosts.
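As an added illustration (not code from this thread, from Certbot or from Apache), a small shell check that scans apachectl -S output for vHosts bound only to a loopback address, as in the 127.0.0.1:80 line above, plus a sed rewrite to the *:80 binding suggested here. The second vHost block and the hostname intranet.example.test in the sample are constructed input.

```shell
#!/bin/sh
# Added example, not code from the thread: find Apache vHosts that are bound
# only to a loopback address in `apachectl -S` output. Such a vHost answers on
# 127.0.0.1 but not on the public interface, so the CA's http-01 request never
# reaches it, which matches the "Challenge failed" output above.

# Constructed sample, modelled on the apachectl -S output posted above, plus a
# name-based block in the second layout apachectl uses (constructed hostname).
SAMPLE_VHOSTS='VirtualHost configuration:
127.0.0.1:80           bulutum.duranonline.net (/etc/httpd/conf/extra/httpd-vhosts.conf:40)
[::1]:8080             is a NameVirtualHost
         default server intranet.example.test (/etc/httpd/conf/extra/intra.conf:1)
         port 8080 namevhost intranet.example.test (/etc/httpd/conf/extra/intra.conf:1)
*:443                  bulutum.duranonline.net (/etc/httpd/conf/extra/httpd-vhosts.conf:55)
ServerRoot: "/etc/httpd"'

# loopback_vhosts: read apachectl -S output on stdin and print "addr:port name"
# for every vHost whose listen address is 127.0.0.1 or [::1].
loopback_vhosts() {
    awk '
        function emit(a, n) { if (a ~ /^(127\.0\.0\.1|\[::1\]):/) print a, n }
        # "<addr>:<port>  <name> (file:line)"  or  "<addr>:<port>  is a NameVirtualHost"
        $1 ~ /^(\*|[0-9.]+|\[[0-9a-fA-F:]*\]):[0-9]+$/ {
            addr = $1
            if ($2 != "is") emit(addr, $2)
            next
        }
        # name-based entries are indented under their NameVirtualHost header
        /^[[:space:]]+port [0-9]+ namevhost / { emit(addr, $4) }
    '
}

# to_wildcard: rewrite "<VirtualHost 127.0.0.1:PORT>" to "<VirtualHost *:PORT>"
# in a config read on stdin (the fix suggested above); review the diff before
# writing it back to the real file.
to_wildcard() {
    sed -E 's/<VirtualHost[[:space:]]+127\.0\.0\.1:([0-9]+)>/<VirtualHost *:\1>/'
}

# On a live server run:  apachectl -S | loopback_vhosts
printf '%s\n' "$SAMPLE_VHOSTS" | loopback_vhosts
```

Any line printed names a vHost the ACME validation server cannot reach; after changing the binding, re-run apachectl -S and confirm the output is empty before retrying certbot.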

Genius! Thank you so much @JuergenAuer . I truly appreciate the expertise and quick responses!
