Unable to renew cert. Error with invalid host in redirect

Hi,
So I am trying to renew my cert for my domain and I did a dry run and I am getting the error below.
My vhost.conf file for port 80 looks like this, and I specify the routing for port 443 in vhost-le-ssl.conf (I can post this if needed). I didn't change any other files that were installed with Apache or certbot.

<VirtualHost *:80>

ServerName displayto.com
Redirect permanent / https://displayto.com/

</VirtualHost>

I am using Apache to handle SSL termination and as a reverse proxy for my app. For my distro I installed httpd and mod_ssl. This is all being run on an EC2.

Not sure if this is relevant, but I first installed everything on one EC2 and it was running properly; then I created another EC2 -> installed Apache & certbot -> transferred over the letsencrypt files, and it was working properly.
But after the cert expired I am having issues with this new one. The dry run renewal works on the old EC2 but not the new EC2. They have identical configurations because I just copied it, so I'm not sure what's going on.

Any help would be appreciated, I've been trying to sort this out all week! I think I might be overlooking something simple, but I'm not sure.

Here's more info:

My domain is: displayto.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/displayto.com.conf


Simulating renewal of an existing certificate for displayto.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: displayto.com
Type: connection
Detail: 54.201.69.89: Fetching https://displayto.com.well-known/acme-challenge/u7lfmWxAtrpnbe3q1tFTHk4vQSgBerIZVzNT6fPVhI8: Invalid host in redirect target "displayto.com.well-known". Check webserver config for missing '/' in redirect target.

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate displayto.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/displayto.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.62 (Amazon Linux)

The operating system my web server runs on is (include version):
Amazon Linux version 2023

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, but my machine is an EC2, so I can set which ports are open in the AWS console.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot version 2.11.0

Hi @divya27,

Check that your redirection is correct; it looks like it is missing the '/'.

Thanks for the reply! That's what I thought too but I have the '/' at the end of my domain in the vhost.conf file for port 80 like so:

<VirtualHost *:80>

ServerName displayto.com
Redirect permanent / https://displayto.com/

</VirtualHost>
1 Like

However this is what I see using curl

$ curl -Ii http://displayto.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Wed, 09 Apr 2025 21:31:02 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8
Location: https://displayto.com.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

Clearly the Location: https://displayto.com.well-known/acme-challenge/sometestfile isn't what you want the web server replying with.

And without the ACME HTTP-01 challenge path:

$ curl -Ii http://displayto.com
HTTP/1.1 301 Moved Permanently
Date: Wed, 09 Apr 2025 21:35:21 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8
Location: https://displayto.com
Content-Type: text/html; charset=iso-8859-1

There is also no '/' at the end of the redirection.

Please show the output of sudo apachectl -t -D DUMP_VHOSTS

1 Like
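The curl output above shows the classic mod_alias behaviour: `Redirect` appends whatever follows the matched prefix to the target URL verbatim, so a target with no trailing slash turns `/.well-known/...` into a bogus hostname. The following is an added example (not code from this thread or from certbot/Apache) that simulates that rule and audits `Redirect` directives for the missing-slash defect; the config text and request paths are constructed from the values posted in the thread, and the `Redirect` matching is a simplified model of mod_alias that assumes a plain prefix match on path segments.

```python
import re
from urllib.parse import urlsplit

# Matches: Redirect [status] <url-path> <target-url>
_REDIRECT_RE = re.compile(
    r"^\s*Redirect\s+(?:(?:permanent|temp|seeother|gone|\d{3})\s+)?(\S+)\s+(\S+)",
    re.IGNORECASE,
)


def apache_redirect(target, request_path, prefix="/"):
    """Return the Location mod_alias would emit for `Redirect <prefix> <target>`.

    The remainder of the request path after the matched prefix is appended
    to the target as-is; nothing inserts a '/' between them.  Returns None
    when the directive does not apply to this request path.
    """
    if request_path == prefix:
        remainder = ""
    elif request_path.startswith(prefix) and (
        prefix.endswith("/") or request_path[len(prefix)] == "/"
    ):
        remainder = request_path[len(prefix):]
    else:
        return None
    return target + remainder


def redirect_host(location):
    """Host the client (or the ACME validator) will connect to for a Location."""
    return urlsplit(location).netloc


def audit_redirects(config_text):
    """Flag Redirect targets whose URL has no path component.

    Such a target (e.g. https://example.com) will have request paths glued
    straight onto the hostname.  Returns a list of (prefix, target, finding).
    """
    findings = []
    for line in config_text.splitlines():
        m = _REDIRECT_RE.match(line)
        if not m:
            continue
        prefix, target = m.group(1), m.group(2)
        if urlsplit(target).path == "":
            findings.append((prefix, target, "target has no trailing '/'"))
        else:
            findings.append((prefix, target, "ok"))
    return findings


# Constructed sample: the broken vhost (no trailing slash) and the fixed one.
BROKEN_VHOST = """<VirtualHost *:80>
ServerName displayto.com
Redirect permanent / https://displayto.com
</VirtualHost>
"""

FIXED_VHOST = BROKEN_VHOST.replace("https://displayto.com\n", "https://displayto.com/\n")

if __name__ == "__main__":
    challenge = "/.well-known/acme-challenge/sometestfile"
    for cfg in (BROKEN_VHOST, FIXED_VHOST):
        prefix, target, finding = audit_redirects(cfg)[0]
        loc = apache_redirect(target, challenge, prefix)
        print(f"{target!r}: {finding}; Location: {loc}; host seen: {redirect_host(loc)}")
```

Run against the broken configuration the simulated Location is exactly the one curl returned in the thread, and the host the validator would connect to is `displayto.com.well-known`, which is the "Invalid host in redirect target" Let's Encrypt reported. A cheap check before any renewal is to run `audit_redirects` over every file Apache loads (or simply to curl the challenge path as above) and confirm each redirect target ends in a path.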

Here's the output (I had to run sudo httpd -t -D DUMP_VHOSTS because that's the Apache version I installed):

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server ip-172-31-31-49.us-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-31-49.us-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost displayto.com (/etc/httpd/conf.d/vhost-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server displayto.com (/etc/httpd/conf.d/vhost copy.conf:1)
         port 80 namevhost displayto.com (/etc/httpd/conf.d/vhost copy.conf:1)
         port 80 namevhost displayto.com (/etc/httpd/conf.d/vhost.conf:1)
1 Like

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

3 Likes

Looks like you have two configs for the same domain name and port. While Apache does not display an error for this, it likely won't produce the correct results.

Perhaps your vhost copy.conf file has an invalid redirect?

In any case, you should review them both and remove the one you don't need.

2 Likes
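The DUMP_VHOSTS output posted above is easy to miss by eye, which is how a stray backup file ends up silently serving a port. As an added example (not code from this thread or from the Apache project), here is a small parser for `httpd -t -D DUMP_VHOSTS` output that groups the `namevhost` lines by port and ServerName and reports any name that is defined in more than one file; the sample text is the output from the thread, embedded inline, and the line format assumed is the one shown there.

```python
import re
from collections import defaultdict

# Matches lines such as:
#          port 80 namevhost displayto.com (/etc/httpd/conf.d/vhost copy.conf:1)
# The file path may contain spaces, so everything up to the final ':<line>)' is the path.
_NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")


def parse_dump_vhosts(text):
    """Return {(port, servername): [(file, line), ...]} in config order."""
    vhosts = defaultdict(list)
    for line in text.splitlines():
        m = _NAMEVHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts[(port, name)].append((path, int(lineno)))
    return dict(vhosts)


def duplicate_vhosts(text):
    """Return only the (port, servername) keys defined in more than one place.

    Apache picks the first matching name-based vhost in configuration order,
    so the first file listed is the one actually answering for that name.
    """
    return {key: files for key, files in parse_dump_vhosts(text).items() if len(files) > 1}


# Constructed sample: the DUMP_VHOSTS output posted in the thread.
DUMP_VHOSTS_OUTPUT = """VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server ip-172-31-31-49.us-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-31-49.us-west-2.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost displayto.com (/etc/httpd/conf.d/vhost-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server displayto.com (/etc/httpd/conf.d/vhost copy.conf:1)
         port 80 namevhost displayto.com (/etc/httpd/conf.d/vhost copy.conf:1)
         port 80 namevhost displayto.com (/etc/httpd/conf.d/vhost.conf:1)
"""

if __name__ == "__main__":
    for (port, name), files in duplicate_vhosts(DUMP_VHOSTS_OUTPUT).items():
        print(f"port {port} {name} is defined {len(files)} times; first one wins:")
        for path, lineno in files:
            print(f"    {path}:{lineno}")
```

On the thread's output this reports `displayto.com` on port 80 defined in both `vhost copy.conf` and `vhost.conf`, with the backup copy listed first, which is why the redirect being served did not match the `vhost.conf` that was being edited. The same check is worth running after any copy-and-restore of `/etc/httpd/conf.d`, since Apache loads every `*.conf` in that directory regardless of its name.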

@divya27, I would make a copy of it in a tmp directory somewhere just in case...

1 Like

Thank you so much that worked!!!

I had the vhost copy.conf file as a backup and didn't realize Apache was even reading that (I'm still pretty new to this); the command @Bruce5051 gave brought some clarity to what was happening.
So I removed the vhost copy.conf, did the dry run again, and it worked!

4 Likes