My domain is: mztest.mizoram.gov.in
I ran this command: sudo certbot certonly --webroot -w /site/mztest/public_html -d mztest.mizoram.gov.in --dry-run
It produced this output:
```
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mztest.mizoram.gov.in
  Type: unauthorized
  Detail: 182.18.146.106: Invalid response from http://mztest.mizoram.gov.in/.well-known/acme-challenge/8PRZOxEg0EExOffN5yx_yS80YS31-uC0q8nxmbf9q3E: 404
```
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): CentOS 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM Cpanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0
The 404 error is Not Found. This is often caused by the -w folder not matching the DocumentRoot in the VirtualHost for this domain.
You could also try this instead. The --apache plug-in will setup the responses for you.
```
sudo certbot certonly --apache -d mztest.mizoram.gov.in --dry-run
```
rg305
July 11, 2023, 10:35pm
And since we are talking about Apache, I would also like to review the output of:
```
sudo apachectl -t -D DUMP_VHOSTS
```
```
[root@server ~]# sudo certbot certonly --apache -d mztest.mizoram.gov.in --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.
Simulating a certificate request for mztest.mizoram.gov.in
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: mztest.mizoram.gov.in
  Type: unauthorized
  Detail: 182.18.146.106: Invalid response from http://mztest.mizoram.gov.in/.well-known/acme-challenge/kvCBF3vPDAG7EQfRxELhvmT_fqwnGc_CIbjssb0wH4o: 404
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@server ~]# httpd -M | grep ssl
ssl_module (shared)
```
Output for sudo apachectl -t -D DUMP_VHOSTS (I just give the respective domain output)
```
VirtualHost configuration:
192.168.100.106:80 is a NameVirtualHost
         port 80 namevhost mztest.mizoram.gov.in (/etc/apache2/conf/httpd.conf:81879)
                 alias mail.mztest.mizoram.gov.in
                 alias www.mztest.mizoram.gov.in
192.168.100.106:443 is a NameVirtualHost
         port 443 namevhost mztest.mizoram.gov.in (/etc/apache2/conf/httpd.conf:81957)
                 alias mail.mztest.mizoram.gov.in
                 alias www.mztest.mizoram.gov.in
                 alias cpcontacts.mztest.mizoram.gov.in
                 alias cpanel.mztest.mizoram.gov.in
                 alias webmail.mztest.mizoram.gov.in
                 alias webdisk.mztest.mizoram.gov.in
                 alias cpcalendars.mztest.mizoram.gov.in
```
Do you control this entire server? Because line #81,879 is a lot of lines
Can you post the VirtualHosts for those two? Please put 3 backticks before and after so all the tags are retained. Like this:
```
VirtualHost config
```
We are using dedicated cloud hosting with WHM Cpanel. We manage more than 300+ sub-domains of the Government of Mizoram.
Here is the virtual host config detail:
```
<VirtualHost 192.168.100.106:80>
  ServerName mztest.mizoram.gov.in
  ServerAlias mail.mztest.mizoram.gov.in www.mztest.mizoram.gov.in
  DocumentRoot /site/mztest/public_html
  ServerAdmin webmaster@mztest.mizoram.gov.in
  UseCanonicalName Off
  ## User mztest # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        <IfModule !mod_passenger.c>
          UserDir disabled
          UserDir enabled mztest
        </IfModule>
      </IfModule>
    </IfModule>
  </IfModule>
  # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
  # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
  # the user's .htaccess file. For more information, please read:
  # http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
  <IfModule include_module>
    <Directory "/site/mztest/public_html">
      SSILegacyExprParser On
    </Directory>
  </IfModule>
  <IfModule suphp_module>
    suPHP_UserGroup mztest mztest
  </IfModule>
  <IfModule suexec_module>
    <IfModule !mod_ruid2.c>
      SuexecUserGroup mztest mztest
    </IfModule>
  </IfModule>
  <IfModule ruid2_module>
    RMode config
    RUidGid mztest mztest
  </IfModule>
  <IfModule mpm_itk.c>
    # For more information on MPM ITK, please read:
    # http://mpm-itk.sesse.net/
    AssignUserID mztest mztest
  </IfModule>
  <IfModule mod_passenger.c>
    PassengerUser mztest
    PassengerGroup mztest
  </IfModule>
  <IfModule alias_module>
    ScriptAlias /cgi-bin/ /site/mztest/public_html/cgi-bin/
  </IfModule>
  # Global DCV Rewrite Exclude
  <IfModule rewrite_module>
    RewriteOptions Inherit
  </IfModule>
  <IfModule proxy_fcgi_module>
    <FilesMatch \.(phtml|php[0-9]*)$>
      SetHandler proxy:unix:/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/9d7a3d47898ca8b21f22a0c9275cea82e9b00da9.sock|fcgi://mztest.mizo$
    </FilesMatch>
  </IfModule>
  # To customize this VirtualHost use an include file at the following location
  # Include "/etc/apache2/conf.d/userdata/std/2_4/mztest/mztest.mizoram.gov.in/*.conf"
</VirtualHost>
```
```
<VirtualHost 192.168.100.106:443>
  ServerName mztest.mizoram.gov.in
  ServerAlias mail.mztest.mizoram.gov.in www.mztest.mizoram.gov.in cpanel.mztest.mizoram.gov.in cpcalendars.mztest.mizoram.gov.in webdisk.mztest$
  DocumentRoot /site/mztest/public_html
  ServerAdmin webmaster@mztest.mizoram.gov.in
  UseCanonicalName Off
  ## User mztest # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        <IfModule !mod_passenger.c>
          UserDir disabled
          UserDir enabled mztest
        </IfModule>
      </IfModule>
    </IfModule>
  </IfModule>
  # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
  # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
  # the user's .htaccess file. For more information, please read:
  # http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
  <IfModule mod_include.c>
    <Directory "/site/mztest/public_html">
      SSILegacyExprParser On
    </Directory>
  </IfModule>
  <Proxymatch ^https?://127\.0\.0\.1:(2082|2083|2077|2078|2079|2080|2086|2087|2095|2096)/>
    <IfModule security2_module>
      SecRuleEngine Off
    </IfModule>
    <IfModule security3_module>
      modsecurity_rules 'SecRuleEngine Off'
    </IfModule>
  </Proxymatch>
  <IfModule mod_suphp.c>
    suPHP_UserGroup mztest mztest
  </IfModule>
  <IfModule suexec_module>
    <IfModule !mod_ruid2.c>
      SuexecUserGroup mztest mztest
    </IfModule>
  </IfModule>
  <IfModule ruid2_module>
    RMode config
    RUidGid mztest mztest
  </IfModule>
  <IfModule mpm_itk.c>
    # For more information on MPM ITK, please read:
    # http://mpm-itk.sesse.net/
    AssignUserID mztest mztest
  </IfModule>
  <IfModule mod_passenger.c>
    PassengerUser mztest
    PassengerGroup mztest
  </IfModule>
  <IfModule alias_module>
    ScriptAlias /cgi-bin/ /site/mztest/public_html/cgi-bin/
  </IfModule>
  <IfModule ssl_module>
    SSLEngine on
    SSLCertificateFile /var/cpanel/ssl/apache_tls/mztest.mizoram.gov.in/combined
    SSLUseStapling off
    <Directory "/site/mztest/public_html/cgi-bin">
      SSLOptions +StdEnvVars
    </Directory>
  </IfModule>
  <IfModule proxy_fcgi_module>
    <FilesMatch \.(phtml|php[0-9]*)$>
      SetHandler proxy:unix:/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/9d7a3d47898ca8b21f22a0c9275cea82e9b00da9.sock|fcgi://mztest.mizo$
    </FilesMatch>
  </IfModule>
  # To customize this VirtualHost use an include file at the following location
  # Include "/etc/apache2/conf.d/userdata/ssl/2_4/mztest/mztest.mizoram.gov.in/*.conf"
  <IfModule headers_module>
    RequestHeader set X-HTTPS 1
  </IfModule>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
  ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0
  RewriteCond %{HTTP_HOST} =cpcalendars.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpcalendars.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_cpcalendars/$1 [PT]
  ProxyPass "/___proxy_subdomain_cpcalendars" "http://127.0.0.1:2079" max=1 retry=0
  RewriteCond %{HTTP_HOST} =cpcontacts.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpcontacts.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_cpcontacts/$1 [PT]
  ProxyPass "/___proxy_subdomain_cpcontacts" "http://127.0.0.1:2079" max=1 retry=0
  RewriteCond %{HTTP_HOST} =webdisk.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =webdisk.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
  ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
  ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0
  RewriteCond %{HTTP:Upgrade} websocket [nocase]
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in:443
  RewriteRule ^/(.*) /___proxy_subdomain_ws_cpanel/$1 [PT]
  RewriteCond %{HTTP:Upgrade} websocket [nocase]
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in:443
  RewriteRule ^/(.*) /___proxy_subdomain_ws_webmail/$1 [PT]
  RewriteRule ^/Microsoft-Server-ActiveSync /___proxy_activesync/$1 [PT]
  ProxyPass "/___proxy_activesync" "http://127.0.0.1:2090/Microsoft-Server-ActiveSync" max=1 retry=0
</VirtualHost>
```
We always generate each Certificate for the individual sub-domain manually. Certbot was working until two or three days ago and we could not figure out why.
rg305
July 12, 2023, 4:57am
Apache and an 80K+ config file ...
I'm betting on some name:port overlap that has slipped in and is creating this problem.
OR more specifically overlapping /.well-known/acme-challenge/ requests.
You should:
- put a test file in the expected challenge location
- try accessing it from the Internet
- review the Apache log files to see which vhost is handling that request
I am able to access the directory and file from the browser if I create it manually.
http://mztest.mizoram.gov.in/.well-known/acme-challenge/
However, when I run the certbot command, it is still not working and the Apache error log does not have anything about this.
Can you create a file named letsdebug-test in the ACME challenge folder? It looks like this would do that:
```
echo Test123 >/site/mztest/public_html/.well-known/acme-challenge/letsdebug-test
```
Also, can you show the error message when you try this again (you just said it didn't work but want to be sure it's same reason).
```
sudo certbot certonly --webroot -w /site/mztest/public_html -d mztest.mizoram.gov.in --dry-run
```
rg305
July 12, 2023, 5:14pm
Have you tried using --webroot?
Hi Guys,
After trying out all suggestions, nothing works.
However, we noticed one thing: on our Cpanel, IPv6 is enabled by default. When we disable IPv6, the command runs successfully and everything still works.
So, it looks like in my case, the culprit was IPv6 being enabled. So we have disabled IPv6 for now. However, I do not think this is the ideal situation.
Can anyone help me understand why an IPv6-enabled server cannot complete the certbot command?
I doubt the IPv6 is working in general and Certbot is just the first time you've noticed.
You could try the following commands from outside your local network to check each:
```
curl -I4 http://(domain)
curl -I6 http://(domain)
```
But, if I had to guess what is wrong with your IPv6, I'd start with changing
to
Lalrinfela:
<VirtualHost *:80>
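The binding check behind the `<VirtualHost *:80>` suggestion, as an added example that is not part of the original thread: it reads `apachectl -t -D DUMP_VHOSTS` output and reports whether a name is served only from an IPv4-literal binding, which can never match a request arriving over IPv6 (Let's Encrypt validates over IPv6 when the name has an AAAA record). The function names and the `other.example.test` entry are constructed for illustration, and it assumes a wildcard binding is backed by a `Listen` that accepts IPv6.

```shell
#!/bin/sh
# Constructed sample: the thread's DUMP_VHOSTS excerpt plus a hypothetical
# wildcard vhost for another name, so both outcomes are visible.
sample_dump() {
cat <<'EOF'
VirtualHost configuration:
192.168.100.106:80 is a NameVirtualHost
         port 80 namevhost mztest.mizoram.gov.in (/etc/apache2/conf/httpd.conf:81879)
                 alias mail.mztest.mizoram.gov.in
                 alias www.mztest.mizoram.gov.in
*:80 is a NameVirtualHost
         port 80 namevhost other.example.test (/etc/apache2/conf/httpd.conf:10)
EOF
}

# vhost_bindings NAME PORT: read DUMP_VHOSTS text on stdin and print every
# address:port binding whose block lists NAME as namevhost or alias.
vhost_bindings() {
    awk -v name="$1" -v port="$2" '
        $2 == "is" && $4 == "NameVirtualHost" { bind = $1; next }
        bind ~ (":" port "$") && ($1 == "alias" || $3 == "namevhost") {
            host = ($1 == "alias") ? $2 : $4
            if (host == name && !seen[bind]++) print bind
        }'
}

# classify NAME PORT: print no-vhost, ipv4-only or covers-ipv6.
# A binding can match an IPv6 connection only if it is a wildcard
# (*:port or _default_) or a bracketed IPv6 literal such as [::]:80.
classify() {
    bindings=$(vhost_bindings "$1" "$2")
    [ -n "$bindings" ] || { echo no-vhost; return 0; }
    case "$bindings" in
        *'*:'*|*'['*|*_default_*) echo covers-ipv6 ;;
        *) echo ipv4-only ;;
    esac
}

# On the server itself, replace sample_dump with:
#   apachectl -t -D DUMP_VHOSTS 2>/dev/null
sample_dump | classify mztest.mizoram.gov.in 80
```

An `ipv4-only` result for a name that also publishes an AAAA record means IPv6 requests for the challenge file are answered by some other vhost, which is consistent with a 404 that leaves no trace in this site's own logs.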
We have settled for disabling IPv6 for now. But will consider your solutions for future reference.
Thank you guys for your help.