Unable to renew certificate (The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot.)

a6man · March 22, 2023, 10:34pm

I ran this command: sudo certbot renew --dry-run -v

It produced this output:

user@server:/etc/apache2/sites-available$ sudo certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/charteredsearch.com.conf

Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for charteredsearch.com and www.charteredsearch.com
Performing the following challenges:
http-01 challenge for charteredsearch.com
http-01 challenge for www.charteredsearch.com
Waiting for verification...
Challenge failed for domain charteredsearch.com
http-01 challenge for charteredsearch.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: charteredsearch.com
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge "TKl-8kNQ-NRqFscTDQUAzHD1KS1JijsZGDKEK0oaelQ.iBER-mypngI1OmA8F_CAhUvqMj0awYC0hIlqFmZh5ck" != ""

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate charteredsearch.com with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/charteredsearch.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ceadm@li678-158:/etc/apache2/sites-available$

My web server is (include version):
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-23-amd64
Architecture: x86-64

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is: certbot 2.4.0

_az · March 22, 2023, 10:41pm

It looks like visiting http://www.charteredsearch.com (on port 80, not 443) results in a blank HTTP 200 response, no matter what URL is requested:

$ curl -i charteredsearch.com/.well-known/acme-challenge/blah
HTTP/1.1 200 OK
date: Wed, 22 Mar 2023 22:39:49 GMT
content-type: text/html
content-length: 0
server: Apache
x-provided-by: StackCDN 1.0
last-modified: Sun, 05 Mar 2023 09:11:32 GMT
x-origin-cache-status: MISS
x-cdn-cache-status: MISS
accept-ranges: bytes
x-via: SYD1

How do you have StackPath CDN configured?

You should at least have it redirect your port 80 requests to port 443. I think, in that case, your Certbot renewal would probably succeed.

a6man · March 22, 2023, 10:58pm

No configuration on stackCDN - i dont use a CDN at all so unsure as to where this is coming from! I have changed DNS recently - pointing to the same server, but different nameservers (previous was 'stack' - current is 'google')

_az · March 22, 2023, 11:08pm

Something is up for sure, but I'm not sure what.

When I access your site from my local computer in Australia, I see StackPath CDN:

$ curl -v -4 charteredsearch.com
*   Trying 88.80.185.158:80...
* Connected to charteredsearch.com (88.80.185.158) port 80 (#0)
> GET / HTTP/1.1
> Host: charteredsearch.com
> User-Agent: curl/7.86.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Wed, 22 Mar 2023 23:05:49 GMT
< content-type: text/html
< content-length: 0
< server: Apache
< x-provided-by: StackCDN 1.0
< last-modified: Sun, 05 Mar 2023 09:11:32 GMT
< x-origin-cache-status: MISS
< x-cdn-cache-status: MISS
< accept-ranges: bytes
< x-via: SYD1
<
* Connection #0 to host charteredsearch.com left intact

When I make the same request from a server in USA, I see your normal Apache server:

# curl -v -4 charteredsearch.com
*   Trying 88.80.185.158...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55aaa53e1110)
* Connected to charteredsearch.com (88.80.185.158) port 80 (#0)
> GET / HTTP/1.1
> Host: charteredsearch.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 22 Mar 2023 23:06:53 GMT
< Server: Apache/2.4.38 (Debian)
< X-Redirect-By: WordPress
< Location: https://www.charteredsearch.com/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8

Same server IP address, but totally different responses. Are you sure you're not using StackPath anywhere, or having any kind of geographical-based rules in place?

a6man · March 22, 2023, 11:10pm

_az:

58:80...
* Connected to charteredsearch.com (88.80.185.158) port 80 (#0)
> GET / HTTP/1.1
> Host: charteredsearch.com
> User-Agent: curl/7.86.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Wed, 22 Mar 2023 23:05:49 GMT
< content-type: text/html

no CDN or geo rules in place - its a really basic setup

_az · March 22, 2023, 11:14pm

Posting your Apache virtual host configuration file might help illuminate what's going on.

a6man · March 22, 2023, 11:15pm

<Directory /var/www/wordpress/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<VirtualHost *:80>
    ServerName www.charteredsearch.com
    ServerAlias www.charteredsearch.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/wordpress/
    ErrorLog /var/log/apache2/wordpress/error.log
    CustomLog /var/log/apache2/wordpress/access.log combined
    <files xmlrpc.php>
    order allow,deny
    deny from all
    </files>
RewriteEngine on
RewriteCond %{SERVER_NAME} =staging.charteredsearch.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

_az · March 22, 2023, 11:30pm

Sorry, I'm not going to do a screenshare.

The one idea I have is that you might need to get rid of the old DNS AAAA (IPv6) record you have on your domain:

# dig +noall +answer charteredsearch.com aaaa
charteredsearch.com.    3502    IN      AAAA    2a07:7800::130

It seems to point to your old host (20i, which also seems to be using StackPath CDN).

Your new host (Linode) is unrelated to that IPv6 address. You should login to Google DNS and remove that record.

It could be having the effect we're observing.

rg305 · March 23, 2023, 12:38am

The alias has the same FQDN.
One of those should not have www.

Osiris · March 23, 2023, 7:10am

I'm pretty sure it is. Using the -4 option of curl, I'm getting a nice and good 404 file not found, but when using -6, I'll get the StackCDN weird HTTP 200 reply.

system · April 22, 2023, 7:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot Renew Fails The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet Help	8	2100	May 18, 2024
Problem with auto-renew on apache Help	6	30	December 2, 2024
* Certificate renewal failed * Help	5	95	September 7, 2024
[Failed to renew certificate] - Some challenges have failed Help	3	76	December 8, 2024
Problem on certbot dry run Help	4	707	February 16, 2023

Unable to renew certificate (The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot.)

Related topics