Unauthorized when trying to generate certificate from certbot

My domain is: mztest.mizoram.gov.in

I ran this command: sudo certbot certonly --webroot -w /site/mztest/public_html -d mztest.mizoram.gov.in --dry-run

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mztest.mizoram.gov.in
Type: unauthorized
Detail: 182.18.146.106: Invalid response from http://mztest.mizoram.gov.in/.well-known/acme-challenge/8PRZOxEg0EExOffN5yx_yS80YS31-uC0q8nxmbf9q3E: 404

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM/cPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

The 404 error is Not Found. This is often caused by the -w folder not matching the DocumentRoot in the VirtualHost for this domain.

You could also try this instead. The --apache plug-in will set up the responses for you.

sudo certbot certonly --apache -d mztest.mizoram.gov.in --dry-run
5 Likes

And since we are talking about Apache, I would also like to review the output of:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

[root@server ~]# sudo certbot certonly --apache -d mztest.mizoram.gov.in --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Unable to read ssl_module file; not disabling session tickets.

Simulating a certificate request for mztest.mizoram.gov.in

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: mztest.mizoram.gov.in

Type: unauthorized

Detail: 182.18.146.106: Invalid response from http://mztest.mizoram.gov.in/.well-known/acme-challenge/kvCBF3vPDAG7EQfRxELhvmT_fqwnGc_CIbjssb0wH4o: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[root@server ~]# httpd -M | grep ssl

ssl_module (shared)

Output for sudo apachectl -t -D DUMP_VHOSTS

(I just give the respective domain output)

VirtualHost configuration:
192.168.100.106:80 is a NameVirtualHost
port 80 namevhost mztest.mizoram.gov.in (/etc/apache2/conf/httpd.conf:81879)
alias mail.mztest.mizoram.gov.in
alias www.mztest.mizoram.gov.in

192.168.100.106:443 is a NameVirtualHost
port 443 namevhost mztest.mizoram.gov.in (/etc/apache2/conf/httpd.conf:81957)
alias mail.mztest.mizoram.gov.in
alias www.mztest.mizoram.gov.in
alias cpcontacts.mztest.mizoram.gov.in
alias cpanel.mztest.mizoram.gov.in
alias webmail.mztest.mizoram.gov.in
alias webdisk.mztest.mizoram.gov.in
alias cpcalendars.mztest.mizoram.gov.in

Do you control this entire server? Because line 81,879 is a lot of lines :)

Can you post the VirtualHosts for those two? Please put 3 backticks before and after so all the tags are retained. Like this:
```
VirtualHost config
```

4 Likes

We are using dedicated cloud hosting with WHM/cPanel. We manage more than 300 sub-domains of the Government of Mizoram.

Here are the virtual host config details:

<VirtualHost 192.168.100.106:80>
  ServerName mztest.mizoram.gov.in
  ServerAlias mail.mztest.mizoram.gov.in www.mztest.mizoram.gov.in
  DocumentRoot /site/mztest/public_html
  ServerAdmin webmaster@mztest.mizoram.gov.in
  UseCanonicalName Off

  ## User mztest # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        <IfModule !mod_passenger.c>
          UserDir disabled
          UserDir enabled mztest
        </IfModule>
      </IfModule>
    </IfModule>
  </IfModule>

  # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
  # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
  # the user's .htaccess file.  For more information, please read:
  #    http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
  <IfModule include_module>
    <Directory "/site/mztest/public_html">
      SSILegacyExprParser On
    </Directory>
  </IfModule>

  <IfModule suphp_module>
    suPHP_UserGroup mztest mztest
  </IfModule>
  <IfModule suexec_module>
    <IfModule !mod_ruid2.c>
      SuexecUserGroup mztest mztest
    </IfModule>
  </IfModule>
  <IfModule ruid2_module>
    RMode config
    RUidGid mztest mztest
  </IfModule>
  <IfModule mpm_itk.c>
    # For more information on MPM ITK, please read:
    #   http://mpm-itk.sesse.net/
    AssignUserID mztest mztest
  </IfModule>
  <IfModule mod_passenger.c>
    PassengerUser mztest
    PassengerGroup mztest
  </IfModule>

  <IfModule alias_module>
    ScriptAlias /cgi-bin/ /site/mztest/public_html/cgi-bin/
  </IfModule>

  # Global DCV Rewrite Exclude
  <IfModule rewrite_module>
    RewriteOptions Inherit
  </IfModule>

  <IfModule proxy_fcgi_module>
    <FilesMatch \.(phtml|php[0-9]*)$>
      SetHandler proxy:unix:/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/9d7a3d47898ca8b21f22a0c9275cea82e9b00da9.sock|fcgi://mztest.mizo$
    </FilesMatch>
  </IfModule>

  # To customize this VirtualHost use an include file at the following location
  # Include "/etc/apache2/conf.d/userdata/std/2_4/mztest/mztest.mizoram.gov.in/*.conf"
</VirtualHost>

<VirtualHost 192.168.100.106:443>
  ServerName mztest.mizoram.gov.in
  ServerAlias mail.mztest.mizoram.gov.in www.mztest.mizoram.gov.in cpanel.mztest.mizoram.gov.in cpcalendars.mztest.mizoram.gov.in webdisk.mztest$
  DocumentRoot /site/mztest/public_html
  ServerAdmin webmaster@mztest.mizoram.gov.in
  UseCanonicalName Off

  ## User mztest # Needed for Cpanel::ApacheConf
  <IfModule userdir_module>
    <IfModule !mpm_itk.c>
      <IfModule !ruid2_module>
        <IfModule !mod_passenger.c>
          UserDir disabled
          UserDir enabled mztest
        </IfModule>
      </IfModule>
    </IfModule>
  </IfModule>

  # Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
  # To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
  # the user's .htaccess file.  For more information, please read:
  #    http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
  <IfModule mod_include.c>
    <Directory "/site/mztest/public_html">
      SSILegacyExprParser On
    </Directory>
  </IfModule>

   <Proxymatch ^https?://127\.0\.0\.1:(2082|2083|2077|2078|2079|2080|2086|2087|2095|2096)/>
       <IfModule security2_module>
          SecRuleEngine Off
       </IfModule>
       <IfModule security3_module>
          modsecurity_rules 'SecRuleEngine Off'
       </IfModule>
  </Proxymatch>

  <IfModule mod_suphp.c>
    suPHP_UserGroup mztest mztest
  </IfModule>
  <IfModule suexec_module>
    <IfModule !mod_ruid2.c>
      SuexecUserGroup mztest mztest
    </IfModule>
  </IfModule>
  <IfModule ruid2_module>
    RMode config
    RUidGid mztest mztest
  </IfModule>
  <IfModule mpm_itk.c>
    # For more information on MPM ITK, please read:
     #   http://mpm-itk.sesse.net/
    AssignUserID mztest mztest
  </IfModule>
  <IfModule mod_passenger.c>
    PassengerUser mztest
    PassengerGroup mztest
  </IfModule>

  <IfModule alias_module>
    ScriptAlias /cgi-bin/ /site/mztest/public_html/cgi-bin/
  </IfModule>
  <IfModule ssl_module>
    SSLEngine on
    SSLCertificateFile /var/cpanel/ssl/apache_tls/mztest.mizoram.gov.in/combined

    SSLUseStapling off
    <Directory "/site/mztest/public_html/cgi-bin">
      SSLOptions +StdEnvVars
    </Directory>
  </IfModule>

  <IfModule proxy_fcgi_module>
    <FilesMatch \.(phtml|php[0-9]*)$>
      SetHandler proxy:unix:/opt/cpanel/ea-php56/root/usr/var/run/php-fpm/9d7a3d47898ca8b21f22a0c9275cea82e9b00da9.sock|fcgi://mztest.mizo$
    </FilesMatch>
  </IfModule>

  # To customize this VirtualHost use an include file at the following location
  # Include "/etc/apache2/conf.d/userdata/ssl/2_4/mztest/mztest.mizoram.gov.in/*.conf"

  <IfModule headers_module>
    RequestHeader set X-HTTPS 1
  </IfModule>

  RewriteEngine On

  # cpanel.<domain> (non-websocket) -> cPanel on 127.0.0.1:2082
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
  ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0

  # cpcalendars.<domain> -> 127.0.0.1:2079
  RewriteCond %{HTTP_HOST} =cpcalendars.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpcalendars.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_cpcalendars/$1 [PT]
  ProxyPass "/___proxy_subdomain_cpcalendars" "http://127.0.0.1:2079" max=1 retry=0

  # cpcontacts.<domain> -> 127.0.0.1:2079
  RewriteCond %{HTTP_HOST} =cpcontacts.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpcontacts.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_cpcontacts/$1 [PT]
  ProxyPass "/___proxy_subdomain_cpcontacts" "http://127.0.0.1:2079" max=1 retry=0

  # webdisk.<domain> -> 127.0.0.1:2077
  RewriteCond %{HTTP_HOST} =webdisk.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =webdisk.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
  ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0

  # webmail.<domain> -> 127.0.0.1:2095
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in:443
  RewriteCond %{HTTP:Upgrade} !websocket [nocase]
  RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
  ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0

  # websocket upgrades for cpanel.<domain> and webmail.<domain>
  RewriteCond %{HTTP:Upgrade} websocket [nocase]
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =cpanel.mztest.mizoram.gov.in:443
  RewriteRule ^/(.*) /___proxy_subdomain_ws_cpanel/$1 [PT]

  RewriteCond %{HTTP:Upgrade} websocket [nocase]
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in [OR]
  RewriteCond %{HTTP_HOST} =webmail.mztest.mizoram.gov.in:443
  RewriteRule ^/(.*) /___proxy_subdomain_ws_webmail/$1 [PT]

  # Exchange ActiveSync -> 127.0.0.1:2090
  RewriteRule ^/Microsoft-Server-ActiveSync /___proxy_activesync/$1 [PT]
  ProxyPass "/___proxy_activesync" "http://127.0.0.1:2090/Microsoft-Server-ActiveSync" max=1 retry=0
</VirtualHost>


We always generate each certificate for the individual sub-domain manually. Certbot was working until two or three days ago, and we could not figure out why.

Apache and an 80K+ config file ...
I'm betting on some name:port overlap that has slipped in and is creating this problem.
Or, more specifically, overlapping /.well-known/acme-challenge/ requests.

You should:

  • put a test file in the expected challenge location
  • try accessing it from the Internet
  • review the Apache log files to see which vhost is handling that request
5 Likes

I am able to access the directory and file from a browser if I create them manually.

http://mztest.mizoram.gov.in/.well-known/acme-challenge/

However, when I run the certbot command it still does not work, and the Apache error log has nothing about this.

Can you create a file named letsdebug-test in the ACME challenge folder? It looks like this would do that:

echo Test123 >/site/mztest/public_html/.well-known/acme-challenge/letsdebug-test

Also, can you show the error message when you try this again? (You just said it didn't work, but I want to be sure it's the same reason.)

sudo certbot certonly --webroot -w /site/mztest/public_html -d mztest.mizoram.gov.in --dry-run
3 Likes
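The two replies above describe one procedure: stage a test token where Certbot would put its own, confirm it is reachable, then use the access log to see which vhost actually answered. The script below is an added example that scripts those steps; it is not from the thread or from Certbot. It assumes the webroot from the thread (/site/mztest/public_html), that the log uses Apache's vhost_combined style format (a leading %v:%p field; with the plain combined format the vhost column is reported as "-"), and the access-log lines it parses are constructed for the example, not real traffic. The token name letsdebug-test and content Test123 follow the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): stage an ACME test token, check its
# permissions, and report which vhost served acme-challenge requests.
# Usage: sh acme_check.sh WEBROOT [ACCESS_LOG]

stage_token() {  # stage_token WEBROOT NAME -> prints path of the created file
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  chmod 755 "$1/.well-known" "$dir"   # directories must be traversable by the httpd user
  printf 'Test123\n' > "$dir/$2"
  chmod 644 "$dir/$2"                  # token must be world-readable
  echo "$dir/$2"
}

token_readable() {  # token_readable WEBROOT FILE: file is o+r and every dir down from WEBROOT is o+x
  [ -n "$(find "$2" -prune -perm -004 -print 2>/dev/null)" ] || { echo "not world-readable: $2" >&2; return 1; }
  d=$(dirname "$2")
  while :; do
    [ -n "$(find "$d" -prune -perm -001 -print 2>/dev/null)" ] || { echo "not traversable: $d" >&2; return 1; }
    [ "$d" = "$1" ] && break
    d=$(dirname "$d")
    [ "$d" = "/" ] && break
  done
  return 0
}

acme_hits() {  # acme_hits [LOGFILE]: print "vhost status path" for each ACME challenge request
  awk '
    index($0, "/.well-known/acme-challenge/") == 0 { next }
    {
      # vhost_combined lines start with "%v:%p"; plain combined lines start with the client IP
      vhost = ($1 ~ /^[A-Za-z0-9.-]+:[0-9]+$/) ? $1 : "-"
      split($0, q, "\"")        # q[2] = request line, q[3] = " STATUS BYTES "
      split(q[2], r, " ")       # r[2] = request target
      split(q[3], s, " ")       # s[1] = status code
      print vhost, s[1], r[2]
    }' "$@"
}

sample_log() {  # constructed log lines for demonstration; 192.0.2.x is a documentation range
  cat <<'EOF'
mztest.mizoram.gov.in:80 192.0.2.10 - - [10/Jun/2023:10:01:02 +0530] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 200 8 "-" "curl/8.0.1"
server.example.net:80 192.0.2.11 - - [10/Jun/2023:10:01:05 +0530] "GET /.well-known/acme-challenge/kvCBF3vPDAG7EQfRxELhvmT_fqwnGc_CIbjssb0wH4o HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.10 - - [10/Jun/2023:10:02:00 +0530] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 200 8 "-" "curl/8.0.1"
mztest.mizoram.gov.in:80 192.0.2.12 - - [10/Jun/2023:10:02:30 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

if [ $# -ge 1 ]; then
  f=$(stage_token "$1" letsdebug-test)
  token_readable "$1" "$f" && echo "staged $f; now fetch /.well-known/acme-challenge/letsdebug-test from outside"
  [ $# -ge 2 ] && acme_hits "$2"
fi
```

The interesting output is a line whose first column is not the expected vhost (in the constructed sample, the CA's request was answered by server.example.net:80 with a 404 while the manual curl hit mztest.mizoram.gov.in:80 with a 200). That is exactly the name:port overlap the reply above suspects, and it cannot be seen from the error log, which is why the access log is the one to read.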

Have you tried using --webroot?

3 Likes

Hi guys,

After trying out all the suggestions, nothing works.

However, we noticed one thing: in our cPanel, IPv6 is enabled by default. When we disable IPv6, the command runs successfully and everything still works.

So it looks like, in my case, the culprit was IPv6 being enabled. We have disabled IPv6 for now. However, I do not think this is the ideal situation.

Can anyone help me understand why a server with IPv6 enabled cannot complete the certbot command?

I doubt the IPv6 is working in general and Certbot is just the first time you've noticed.

You could try the following commands from outside your local network to check each:

curl -I4 http://(domain)
curl -I6 http://(domain)

But, if I had to guess what is wrong with your IPv6, I'd start with changing

to

5 Likes
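The curl -I4 / curl -I6 check above is the right test, and the two status codes together tell you which of several IPv6 faults you have. The script below is an added example, not part of the reply or of any Let's Encrypt tool: it probes the ACME challenge path over each address family from a machine outside the server's network and turns the pair of results into a diagnosis. It assumes the letsdebug-test token from the earlier reply is still in place; the host name is passed as an argument. The fallback behaviour it encodes is Let's Encrypt's: the validator connects to the AAAA address first and retries over IPv4 only when the IPv6 attempt fails to connect, not when IPv6 answers with an HTTP error such as 404.

```shell
#!/bin/sh
# Added example (not from the thread): per-address-family probe of the ACME path.
# Usage (from OUTSIDE the server's network): sh acme_probe.sh mztest.mizoram.gov.in

probe() {  # probe 4|6 HOST -> HTTP status over that family, 000 when no connection
  url="http://$2/.well-known/acme-challenge/letsdebug-test"
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "-$1" "$url" 2>/dev/null)
  echo "${code:-000}"
}

classify() {  # classify V4_STATUS V6_STATUS -> one-line diagnosis
  case "$1/$2" in
    200/200) echo "ok: both address families serve the token" ;;
    200/000) echo "ipv6 unreachable: AAAA record points where nothing listens; the CA falls back to IPv4, but fix or remove the AAAA record" ;;
    200/*)   echo "ipv6 mismatch: IPv6 answered $2, so a different vhost or server sits behind the AAAA address; the CA tries IPv6 first and does not fall back on an HTTP error" ;;
    000/000) echo "unreachable on both families: firewall, DNS or Listen problem" ;;
    *)       echo "ipv4 broken ($1): fix the webroot/vhost on IPv4 before looking at IPv6" ;;
  esac
}

if [ $# -eq 1 ]; then
  v4=$(probe 4 "$1")
  v6=$(probe 6 "$1")
  echo "IPv4: $v4  IPv6: $v6"
  classify "$v4" "$v6"
fi
```

The 200/404 case is the one that matches this thread: the token is served over IPv4 but the AAAA address lands on a vhost or host with a different DocumentRoot, and disabling IPv6 in cPanel hides the problem by removing the AAAA record rather than fixing where it points.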

We have settled for disabling IPv6 for now, but will consider your solutions for future reference.

Thank you guys for your help.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.