My domain is: repo.spirhr.org (which is self hosted, an apache named virtual host reverse proxy for a tomcat server)
I ran this command: sudo certbot certonly --apache
It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for repo.spirhr.org
Waiting for verification...
Challenge failed for domain repo.spirhr.org
http-01 challenge for repo.spirhr.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: repo.spirhr.org
Type: connection
Detail: Fetching
http://repo.spirhr.org/.well-known/acme-challenge/xaexeDBv3PdUdSzt4skLft74Xv-KkytDyWj6isaDczw:
Connection reset by peer
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS (Focal Fossa). It is a Virtualbox VM running on Ubuntu 18.04.3 LTS host.
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
I have port 80 and 443 open on the server. I have already issued 3 certificates for other configured Apache named virtual hosts on this server (trying to renew these also fails with the same error). The strange thing is I can see the 'apache' plugin is creating the challenge file at /var/lib/letencrypts/http_challenges and also properly modifying the Apache server configuration file for this virtual host. There is no firewall rule that is blocking requests to port 80. I can even access the challenge URL (http://repo.spirhr.org/.well-known/acme-challenge/***) from my browser if I stop certbot in time, before it cleans it up and reverts the Apache configuration changes. What could be wrong?
That is strange. I have no firewall setup blocking port 80. I don't see the request in Apache error or access logs. Something must be wrong with my ISP because I can run the same command you are running fine from another host (it gives me 404 not found).
I am not sure if I understand that, but it is my understanding that it requires the 'Host' header since I have configured named virtual hosts in Apache. It responds to HTTP 1.1 requests with the 'Host' header, as I can view it from my Chrome network tab. Can you clarify this please? Can you access repo.spirhr.org from your browser?
I have also tried it without the Host header, but in that case it just returns the response of the first virtual host that is configured on this server (I am not sure if it is supposed to do that, but that is another topic).
Well, I am honestly lost at this point (major problem being it is working from my side). Is there a specific configuration in Apache 2.4.41 to enable HTTP 1.1? (I thought that was there out of the box)
I have already issued 3 certificates for this server just a few weeks back and it worked fine then. I haven't made any changes to its configuration since, except adding this new virtual host.
Apparently some changes were made by my ISP (the details of which I don't know), but it seems it is, for some reason, blocking HTTP requests and only allowing HTTPS requests to sites (that I tried so far) that are using one of its IP addresses. This is strange, as this blocking seems to be applied only to requests that are coming from outside of its service area (i.e. from another ISP). This seems to be why I was able to access the domain on port 80 while others were not able to do so (where I live there is only one ISP, so I am using the same ISP as the server hosting the site). I am not sure how HTTP 1.0 with no Host header was passing through, though. Bottom line is Let's Encrypt can't access the challenge response from the server using port 80.
I ended up using DNS validation through certbot manual mode for the top-level domain and all of the sub-domains (named virtual hosts I have). Since my DNS provider (GoDaddy) was not supported for me to use a pre-existing DNS plugin, I modified the pre-validation hook example given in the certbot documentation to utilize the API provided by my DNS provider to automate the creation/update of TXT records. Now certbot renew will be able to renew the certificates automatically (I hope).
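The approach described in the last post, a certbot --manual-auth-hook that publishes the DNS-01 TXT record through the provider's API, as an added example (this is not the poster's script and not Certbot's or GoDaddy's own code). CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot really exports to an auth hook; the GoDaddy endpoint shape (PUT /v1/domains/{zone}/records/TXT/{name}) and the "sso-key" header follow GoDaddy's public API documentation, while the credentials file path, its key names and the two-label zone split are assumptions for this example.

```python
#!/usr/bin/env python3
"""Added example: certbot --manual-auth-hook for DNS-01 via the GoDaddy DNS API.

Assumed usage (not the poster's exact command):
  certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook /usr/local/bin/godaddy_auth_hook.py \
      -d spirhr.org -d repo.spirhr.org
"""
import json
import os
import sys
import time
import urllib.request

GODADDY_API = "https://api.godaddy.com/v1"
# Assumed location; keep it root-owned, mode 0600, so the API secret never
# lands in the script, the shell history or certbot's renewal config.
CREDENTIALS_FILE = "/etc/letsencrypt/godaddy.ini"


def split_zone(fqdn, zone_labels=2):
    """Split 'repo.spirhr.org' into ('spirhr.org', 'repo').

    Assumption: the registrable zone is the last two labels, which holds for
    .org but not for e.g. .co.uk; the bare zone maps to the sub-name '@'.
    """
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < zone_labels:
        raise ValueError(f"{fqdn!r} is shorter than a zone name")
    zone = ".".join(labels[-zone_labels:])
    sub = ".".join(labels[:-zone_labels])
    return zone, sub or "@"


def challenge_record_name(sub):
    """DNS-01 looks up _acme-challenge.<fqdn>; at the zone apex that is just _acme-challenge."""
    return "_acme-challenge" if sub == "@" else f"_acme-challenge.{sub}"


def build_txt_update(fqdn, validation, api_key, api_secret, ttl=600):
    """Return (url, headers, body) for the PUT that replaces the TXT record set."""
    zone, sub = split_zone(fqdn)
    url = f"{GODADDY_API}/domains/{zone}/records/TXT/{challenge_record_name(sub)}"
    headers = {
        "Authorization": f"sso-key {api_key}:{api_secret}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps([{"data": validation, "ttl": ttl}]).encode()
    return url, headers, body


def load_credentials(path=CREDENTIALS_FILE):
    """Read key=value pairs; refuse a file readable by group or others."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must not be group/world readable")
    creds = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    return creds["godaddy_key"], creds["godaddy_secret"]  # assumed key names


def publish(url, headers, body):
    """Perform the PUT and return the HTTP status (GoDaddy answers 200 on success)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def main():
    domain = os.environ["CERTBOT_DOMAIN"]          # set by certbot
    validation = os.environ["CERTBOT_VALIDATION"]  # set by certbot: the TXT value
    api_key, api_secret = load_credentials()
    url, headers, body = build_txt_update(domain, validation, api_key, api_secret)
    status = publish(url, headers, body)
    if status != 200:
        sys.exit(f"GoDaddy API returned HTTP {status} for {url}")
    # Give the authoritative servers time to serve the new record before
    # certbot tells the CA to look it up.
    time.sleep(60)


if __name__ == "__main__":
    main()
```

Because the PUT replaces every TXT record with that name, issuing a wildcard and the apex name in one run (two validations for the same _acme-challenge name) needs the hook to read the existing set first and append; a matching --manual-cleanup-hook that deletes the record afterwards keeps stale validation tokens out of the zone.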