Unable to setup ssl cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
apijunction.live

I ran this command:
sudo letsencrypt --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: apijunction.live
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for apijunction.live
Performing the following challenges:
http-01 challenge for apijunction.live
Waiting for verification...
Challenge failed for domain apijunction.live
http-01 challenge for apijunction.live
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: apijunction.live
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "DAzupJ9CepTGoz3EUuRz7UrI6xpgFqFSJNyqTZcdTCM.oJcDdf92HZGlmS7FUduTKJ2G9zfi0gSSwZXuzeI0Gug" (got "DAzupJ9CepTGoz3EUuRz7UrI6xpgFqFSJNyqTZcdTCM")
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.

My web server is (include version):

Server version: Apache/2.4.52 (Ubuntu)
Server built:   2024-04-10T17:45:18

The operating system my web server runs on is (include version):
Ubuntu 24.04 LTS

My hosting provider, if applicable, is:
I have hosted it on my local machine

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

conf file:

<Virtualhost *:80>
    ServerName apijunction.live

    ProxyRequests       Off
    ProxyPreserveHost       On
    AllowEncodedSlashes     NoDecode

    <Proxy http://192.168.1.11:8081/*>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass               /  http://192.168.1.11:8081/ nocanon
    ProxyPassReverse        /  http://192.168.1.11:8081/
    ProxyPassReverse        /  http://apijunction.live/

        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =apijunction.live
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</Virtualhost>

Hello @maxter125, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are using the HTTP-01 challenge (the most typical). Challenge Types - Let's Encrypt states:
"The HTTP-01 challenge can only be done on port 80."

Best Practice - Keep Port 80 Open

Using the online tool Let's Debug shows https://letsdebug.net/apijunction.live/1916340

ANotWorking
ERROR
apijunction.live has an A (IPv4) record (116.74.252.185) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://apijunction.live/.well-known/acme-challenge/letsdebug-test": dial tcp 116.74.252.185:80: connect: no route to host

Trace:
@0ms: Making a request to http://apijunction.live/.well-known/acme-challenge/letsdebug-test (using initial IP 116.74.252.185)
@0ms: Dialing 116.74.252.185
@3158ms: Experienced error: dial tcp 116.74.252.185:80: connect: no route to host
IssueFromLetsEncrypt
ERROR
A test authorization for apijunction.live to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
116.74.252.185: Fetching http://apijunction.live/.well-known/acme-challenge/KNZwws_kjUJaOwllkSHVjGwc-h_Tsa9aQdr8Vup0AoY: Error getting validation data

Also, nmap shows port 80 is filtered; it is likely a firewall causing the issue.

$ nmap -Pn -p80,443 apijunction.live
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-30 14:00 PDT
Nmap scan report for apijunction.live (116.74.252.185)
Host is up (0.26s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 4.58 seconds
2 Likes

@Bruce5051
I checked with the nmap CLI.
Output:
Host is up (0.0020s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Again I tried:
sudo letsencrypt --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
1: apijunction.live
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for apijunction.live

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: apijunction.live
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "oUVWyhOccflBVZln7RQyLH-OArzyxjWoefbr_sOpEWg.oJcDdf92HZGlmS7FUduTKJ2G9zfi0gSSwZXuzeI0Gug" (got "oUVWyhOccflBVZln7RQyLH-OArzyxjWoefbr_sOpEWg")
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.

@Bruce5051 can you help me with this

As with all things Apache [on this forum], I would suggest we begin at the beginning, with the output of:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

@rg305

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost apijunction.live (/etc/apache2/sites-enabled/test.conf:1)

Let's see this file:

2 Likes

<Virtualhost *:80>
    ServerName apijunction.live

    ProxyRequests       Off
    ProxyPreserveHost       On
    AllowEncodedSlashes     NoDecode

    <Proxy http://192.168.1.11:8081/*>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass               /  http://192.168.1.11:8081/ nocanon
    ProxyPassReverse        /  http://192.168.1.11:8081/
    ProxyPassReverse        /  http://apijunction.live/

        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"

        RewriteEngine off
        RewriteCond %{SERVER_NAME} =apijunction.live
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</Virtualhost>

And what shows?:

2 Likes

letsencrypt --version

certbot 1.21.0

That could use an update.
The latest version is: 2.10.0

2 Likes

okay let me try

Since the rewrite is off:

all requests are being proxied:

I'd suggest that you add a location section to handle the ACME challenge requests.

2 Likes
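The Detail line above shows the CA expected the full key authorization (token.thumbprint) but got only the token, so the challenge response did not come from Certbot's temporary config; one way to apply rg305's suggestion, as an added example rather than config from the thread, is to exclude the challenge path from the proxy before the catch-all ProxyPass and serve it from a local directory. /var/www/acme below is an assumed placeholder path, not one from the thread.

```apache
<VirtualHost *:80>
    ServerName apijunction.live

    # Serve ACME challenge files from this Apache instance.
    # /var/www/acme is a placeholder: create it and make it readable by Apache.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    # ProxyPass rules match in configuration order, so the "!" exclusion
    # must come before the catch-all "/" rule or the backend answers instead.
    ProxyPass /.well-known/acme-challenge/ !

    ProxyRequests           Off
    ProxyPreserveHost       On
    AllowEncodedSlashes     NoDecode

    ProxyPass               /  http://192.168.1.11:8081/ nocanon
    ProxyPassReverse        /  http://192.168.1.11:8081/

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Redirect everything else to HTTPS, but leave challenge requests on port 80.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =apijunction.live
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

After `sudo apachectl -t` and a reload, fetching http://apijunction.live/.well-known/acme-challenge/ plus the name of a test file you placed in that directory, from outside the LAN, should return the file's contents. With the exclusion in place, `certbot --webroot -w /var/www/acme -d apijunction.live` is an alternative to the `--apache` authenticator.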

OR:

2 Likes

I have updated the version to certbot 2.11.0.dev0.

As per the above thread, I have updated to RewriteEngine on.

But still I'm getting the same issue. Do you have any other idea what could be wrong here?

2 Likes

I bet you checked from the local network the server is on;
I still see

$ nmap -Pn -p80,443 apijunction.live
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-01 08:23 PDT
Nmap scan report for apijunction.live (116.74.252.185)
Host is up (0.34s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 4.17 seconds
2 Likes

@Bruce5051
Yeah, you were right. Well, I think now it's open for port 80.

mirai@mirai:~$ nmap -Pn -p80,443 apijunction.live
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-02 19:44 IST
Nmap scan report for apijunction.live (116.74.252.185)
Host is up (0.0016s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
I also checked with the ufw CLI.
mirai@mirai:~$ sudo ufw status
[sudo] password for mirai:
Status: active

To                         Action      From

22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

But when I again tried executing sudo letsencrypt --apache
I got this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): jmaheshkumar13@gmail.com

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
(Y)es/(N)o: y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: y

Account registered.
Which names would you like to activate HTTPS for?
1: apijunction.live
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for apijunction.live

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: apijunction.live
Type: connection
Detail: 116.74.252.185: Fetching http://apijunction.live/.well-known/acme-challenge/46RrTvlY9WE2UlXtGLBS6xWGQLgn5dJ75Vue8u2bM1o: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

For some reason I can't hit my API now; it seems requests are still getting blocked.

@maxter125 presently I still see filtered now for both Ports 80 & 443.

$ nmap -Pn -p80,443 apijunction.live
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-02 09:15 PDT
Nmap scan report for apijunction.live (116.74.252.185)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.95 seconds

If that is from anywhere [I don't see the heading, but it should be], then there must be some other firewall [or such type of system] blocking the incoming HTTP requests from particular sources/countries.

1 Like
