Validation error - works for a bunch of domains - but not this one

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: risksheet.com

I ran this command: certbot certonly --dry-run -d risksheet.com -w /home/ms/public_html

It produced this output:

root@risksheet:/etc/apache2/sites-available# certbot certonly --dry-run -d risksheet.com -w /home/ms/public_html
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for risksheet.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. risksheet.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://risksheet.com/.well-known/acme-challenge/Iz-qCQBbmjPJreTwBhhGorcK585s1k_ZgOveWxekaTI [64.251.26.132]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: risksheet.com
   Type:   unauthorized
   Detail: Invalid response from
   http://risksheet.com/.well-known/acme-challenge/Iz-qCQBbmjPJreTwBhhGorcK585s1k_ZgOveWxekaTI
   [64.251.26.132]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
root@risksheet:/etc/apache2/sites-available# 

My web server is (include version):

root@risksheet:/etc/apache2/sites-available# apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-04-03T13:22:37
root@risksheet:/etc/apache2/sites-available#

The operating system my web server runs on is (include version):

root@risksheet:/etc/apache2/sites-available# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic
root@risksheet:/etc/apache2/sites-available#

My hosting provider, if applicable, is: serverpronto.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I use godaddy for dns and this domain is set up exactly the same way as another domain I have, thebrookhavengroup.com, that works with letsencrypt. I checked the ip address. Also, risksheet.com is currently serving up the right pages. Mysterious. Please help.

Hi @brookhaven

your command is curious. You use the -w parameter, but not -a webroot, so -w is ignored and Certbot asks.

Your main configuration looks ok ( https://check-your-website.server-daten.de/?q=risksheet.com ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://www.risksheet.com/ | 64.251.26.132 | 302 | https://risksheet.com/ | 0.270 | E | |
| http://risksheet.com/ | 64.251.26.132 | 200 | | 0.273 | H | |
| https://risksheet.com/ | 64.251.26.132 | 200 | | 1.373 | N | Certificate error: RemoteCertificateChainErrors |
| https://www.risksheet.com/ | 64.251.26.132 | 200 | | 1.586 | N | Certificate error: RemoteCertificateNameMismatch |
| http://www.risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 64.251.26.132 | 302 | https://risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.274 | E | Visible Content: Found The document has moved here . Apache/2.4.29 (Ubuntu) Server at www.risksheet.com Port 80 |
| http://risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 64.251.26.132 | 404 | | 0.274 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at risksheet.com Port 80 |
| https://risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 1.120 | N | Not Found. Certificate error: RemoteCertificateChainErrors |

Port 80 is open; checking a non-existing file in /.well-known/acme-challenge gives the expected answer, http status 404 - Not Found.

So check if /home/ms/public_html is really your webroot, then use it.

certbot certonly -a webroot --dry-run -d risksheet.com -w /home/ms/public_html

If that doesn’t work, your webroot may be wrong or you use additional location definitions.
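The advice above amounts to a pre-flight test: before asking the CA, confirm that a file dropped into `<webroot>/.well-known/acme-challenge/` is what `http://<domain>/.well-known/acme-challenge/<token>` actually serves. The script below is an added example written for this thread, not Certbot code and not something the helper posted; the function names (`write_probe`, `check_webroot`, `http_fetch`) are hypothetical. It writes a random probe file, fetches it over plain HTTP the way an HTTP-01 validator does (port 80 first, redirects followed), compares the bodies, and removes the probe again. A mismatch or a 404 means the DocumentRoot that answers for that name is not the directory you passed with `-w` (the situation in this thread), or a redirect sends the request somewhere that cannot serve it.

```python
"""Pre-flight check for Certbot's webroot authenticator (added example, not Certbot code).

Writes a throw-away token under <webroot>/.well-known/acme-challenge/, fetches
it over plain HTTP as an ACME HTTP-01 validator would, and compares the bodies.
Only the local webroot-to-URL mapping is tested; the real CA validates from
several vantage points, so a pass here is necessary but not sufficient.
"""
import secrets
import urllib.request
from pathlib import Path
from typing import Callable, Dict, Tuple

CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a URL over HTTP. HTTP-01 always starts on port 80; redirects are followed."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def write_probe(webroot: str) -> Tuple[str, bytes]:
    """Create a random probe file in the challenge directory; return (token, expected body)."""
    token = secrets.token_urlsafe(32)          # unguessable filename, like an ACME token
    body = secrets.token_urlsafe(32).encode()  # random body so a cached/static page can't match
    directory = Path(webroot) / CHALLENGE_DIR
    directory.mkdir(parents=True, exist_ok=True)
    (directory / token).write_bytes(body)
    return token, body


def check_webroot(domain: str, webroot: str,
                  fetch: Callable[[str], bytes] = http_fetch) -> Dict[str, object]:
    """Report whether http://<domain>/ is really backed by <webroot>.

    `fetch` is injectable so the mapping logic can be exercised without a network.
    """
    token, expected = write_probe(webroot)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    probe_path = Path(webroot) / CHALLENGE_DIR / token
    try:
        got = fetch(url)
        ok = got.strip() == expected
        reason = ("ok" if ok else
                  "served different content (another vHost or DocumentRoot answers for this name)")
    except Exception as exc:  # HTTPError 404, connection refused, broken redirect target, ...
        ok = False
        reason = f"fetch failed: {exc}"
    finally:
        probe_path.unlink(missing_ok=True)  # never leave probe files behind in the webroot
    return {"url": url, "ok": ok, "reason": reason}


if __name__ == "__main__":
    import sys
    dom, root = sys.argv[1], sys.argv[2]  # e.g. risksheet.com /home/ms/public_html
    print(check_webroot(dom, root))
```

Run it as root on the web server (`python3 webroot_check.py risksheet.com /home/ms/public_html`); if it reports "served different content", `apachectl -S` will usually show which other vHost owns the name on port 80.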

Thank you, that sort of worked. I got this from the command you suggested:

root@risksheet:/etc/apache2/sites-available# certbot certonly -a webroot -d risksheet.com -w /home/ms/public_html
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for risksheet.com
Using the webroot path /home/ms/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/risksheet.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/risksheet.com/privkey.pem
    Your cert will expire on 2019-08-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@risksheet:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Restarting apache2 (via systemctl): apache2.service.
root@risksheet:/etc/apache2/sites-available#

which looks good. However, when I visit https://risksheet.com I get this message:

Your connection is not private

Attackers might be trying to steal your information from risksheet.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

Non secure http://risksheet.com works and I restarted apache. Also, the risksheet.com-le-ssl.conf looks right. Here it is:

# Enclosing <IfModule>/<VirtualHost *:443> lines restored here; the forum rendering
# swallowed them (apachectl -S below locates this vHost at line 2 of the file).
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.risksheet.com
    ServerAlias risksheet.com
    ServerAdmin ms@TheBrookhavenGroup.com
    DocumentRoot /home/ms/public_html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /home/ms/public_html>
         AllowOverride All
         Require all granted
         # Apache 2.2-style access directives; redundant with "Require all granted" on 2.4
         Order allow,deny
         Allow from all
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/risksheet.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/risksheet.com/privkey.pem
</VirtualHost>
</IfModule>

Rechecked your domain - your configuration is curious - https://check-your-website.server-daten.de/?q=risksheet.com

Both connections are insecure:

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://www.risksheet.com/ | 64.251.26.132 | 302 | https://risksheet.com/ | 0.276 | E | |
| http://risksheet.com/ | 64.251.26.132 | 200 | | 0.273 | H | |
| https://risksheet.com/ | 64.251.26.132 | 200 | | 1.340 | N | Certificate error: RemoteCertificateChainErrors |
| https://www.risksheet.com/ | 64.251.26.132 | 200 | | 1.587 | N | Certificate error: RemoteCertificateNameMismatch |
| http://www.risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 64.251.26.132 | 302 | https://risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.277 | E | Visible Content: Found The document has moved here . Apache/2.4.29 (Ubuntu) Server at www.risksheet.com Port 80 |
| http://risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 64.251.26.132 | 404 | | 0.274 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.29 (Ubuntu) Server at risksheet.com Port 80 |
| https://risksheet.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 1.124 | N | |

But your certificates:

One self signed (non-www)

CN=risksheet.com, valid from 21.06.2017 to 19.06.2027, expires in 2964 days

the new Letsencrypt certificate

CN=risksheet.com, valid from 08.05.2019 to 06.08.2019, expires in 90 days; names: risksheet.com - 1 entry

but that doesn’t work with your www version.

So both connections have the wrong certificate.

Looks like your non-www uses the standard vHost, not the individual vHost.

And you should create one certificate with both domain names.

But your redirects are inconsistent. http + www redirects to https + non-www, http + non-www doesn’t have a redirect.

So fix your vHost configuration.

What does apachectl -S say?

Thank you again for your help. I don’t understand most of what you reported. I think you are saying I have two certificates when I should have only one. Not sure how to remedy that.

Here is the output you requested:

root@risksheet:~# apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
port 443 namevhost risksheet.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost www.risksheet.com (/etc/apache2/sites-enabled/risksheet.com-le-ssl.conf:2)
alias risksheet.com
port 443 namevhost www.thebrookhavengroup.com (/etc/apache2/sites-enabled/thebrookhavengroup.com-le-ssl.conf:2)
alias thebrookhavengroup.com
*:80 is a NameVirtualHost
default server risksheet.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost risksheet.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost www.risksheet.com (/etc/apache2/sites-enabled/risksheet.com.conf:1)
alias risksheet.com
port 80 namevhost www.thebrookhavengroup.com (/etc/apache2/sites-enabled/thebrookhavengroup.com.conf:1)
alias thebrookhavengroup.com
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name=“www-data” id=33
Group: name=“www-data” id=33
root@risksheet:~#

I only see one certificate, I think. How do I eliminate the redundant certificate?

Thank you.

There is your wrong double definition.

But your port 80 has the same wrong double definition.

Every combination of port and domain name must be unique.

So remove the definition without the www-version.

First, make a backup of these files.

It’s not a problem of duplicated certificates. It’s a problem of duplicated vHosts.
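The rule stated above ("every combination of port and domain name must be unique") can be checked mechanically rather than by reading `apachectl -S` by eye. The script below is an added example written for this thread, not part of Apache, Certbot or the helper's post; the function names (`parse_vhosts`, `find_duplicates`, `explain`) are hypothetical. It parses the `namevhost` and `alias` lines of `apachectl -S`, records every vHost that claims each (port, hostname) pair, and reports the pairs claimed more than once. The sample input is the output posted earlier in this thread.

```python
"""Find duplicate (port, hostname) claims in `apachectl -S` output.

Added example for this thread, not Apache or Certbot code. Name-based virtual
hosting picks the first vHost (in configuration order) whose ServerName or
ServerAlias matches the requested name on that port; a second vHost claiming
the same name on the same port is silently never selected, which is how a
default self-signed vHost ends up answering for a name that has a real cert.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample input: the `apachectl -S` output posted above in this thread (trailing
# ServerRoot/Mutex lines omitted, since they carry no vHost information).
SAMPLE = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
port 443 namevhost risksheet.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost www.risksheet.com (/etc/apache2/sites-enabled/risksheet.com-le-ssl.conf:2)
alias risksheet.com
port 443 namevhost www.thebrookhavengroup.com (/etc/apache2/sites-enabled/thebrookhavengroup.com-le-ssl.conf:2)
alias thebrookhavengroup.com
*:80 is a NameVirtualHost
default server risksheet.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost risksheet.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost www.risksheet.com (/etc/apache2/sites-enabled/risksheet.com.conf:1)
alias risksheet.com
port 80 namevhost www.thebrookhavengroup.com (/etc/apache2/sites-enabled/thebrookhavengroup.com.conf:1)
alias thebrookhavengroup.com
"""

# "port 443 namevhost www.example (/etc/apache2/sites-enabled/x.conf:2)"
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
# "        alias example" -- real output indents alias lines; forum copies may not.
ALIAS_RE = re.compile(r"^\s*alias (\S+)")

Claims = Dict[Tuple[str, str], List[str]]


def parse_vhosts(text: str) -> Claims:
    """Map (port, hostname) -> list of 'file:line' vHost definitions that claim it.

    A hostname is claimed by a vHost's ServerName (the namevhost line) and by
    each ServerAlias (the alias lines that follow it, in the same port group).
    """
    claims: Claims = defaultdict(list)
    current = None  # (port, "file:line") of the vHost whose alias lines we are reading
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            current = (port, f"{path}:{lineno}")
            claims[(port, name.lower())].append(current[1])
            continue
        m = ALIAS_RE.match(line)
        if m and current is not None:
            claims[(current[0], m.group(1).lower())].append(current[1])
    return dict(claims)


def find_duplicates(text: str) -> Claims:
    """Return only the (port, hostname) pairs claimed by more than one vHost."""
    return {key: where for key, where in parse_vhosts(text).items() if len(where) > 1}


def explain(dups: Claims) -> List[str]:
    """Human-readable findings; the first definition listed is the one Apache uses."""
    return [
        f"port {port} {name}: defined in {', '.join(where)}; "
        f"Apache serves this name from {where[0]}, the others never match"
        for (port, name), where in sorted(dups.items())
    ]


if __name__ == "__main__":
    # Usage: apachectl -S 2>&1 | python3 vhost_dups.py   (falls back to SAMPLE)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    findings = explain(find_duplicates(data))
    print("\n".join(findings) if findings else "no duplicate port/hostname claims")
```

On the sample it reports that `risksheet.com` is claimed twice on port 443 (default-ssl.conf wins, hence the self-signed certificate) and twice on port 80 (000-default.conf wins, hence the inconsistent redirects), which is exactly the pair of files the original poster ended up disabling.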

Thank you, thank you. It is all working. I had to issue these three commands.

root@risksheet:~# a2dissite 000-default.conf
root@risksheet:~# a2dissite default-ssl.conf
root@risksheet:~# systemctl reload apache2

Really helpful, thank you again.

M.


Not complete. Your certificate has only one domain name, the non-www version.

So the www version

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://risksheet.com/ | 64.251.26.132 | 302 | https://risksheet.com/ | 0.274 | A | |
| http://www.risksheet.com/ | 64.251.26.132 | 302 | https://risksheet.com/ | 0.274 | E | |
| https://risksheet.com/ | 64.251.26.132 | 200 | | 1.427 | B | |
| https://www.risksheet.com/ | 64.251.26.132 | 200 | | 1.364 | N | Certificate error: RemoteCertificateNameMismatch |

is insecure.

Use the same command with

-d risksheet.com -d www.risksheet.com

then you have one certificate with both domain names.
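The `RemoteCertificateNameMismatch` the checker reports is a client-side hostname check: the browser compares the name it connected to against the certificate's DNS subjectAltNames, and a certificate issued for `risksheet.com` alone cannot satisfy a connection to `www.risksheet.com`. The script below is an added example written for this thread (not Certbot, Apache or the checker's code); the function names (`san_dns_names`, `name_matches`, `uncovered_names`, `fetch_peer_cert`) are hypothetical and the two certificate dicts are constructed to mirror the two certificates described in this thread. It lists every name a vHost serves that the certificate does not cover, so the fix (`-d risksheet.com -d www.risksheet.com`) can be verified before and after issuance.

```python
"""Check that a certificate's DNS SANs cover every hostname the vHost serves.

Added example for this thread, not Certbot or Apache code. Uses the dict layout
returned by ssl.SSLSocket.getpeercert(), so the same check runs on a live
connection or on constructed data.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Set

# Constructed to mirror the two certificates described in the thread.
SINGLE_NAME_CERT: Dict[str, object] = {
    "subject": ((("commonName", "risksheet.com"),),),
    "subjectAltName": (("DNS", "risksheet.com"),),
}
TWO_NAME_CERT: Dict[str, object] = {
    "subject": ((("commonName", "www.risksheet.com"),),),
    "subjectAltName": (("DNS", "risksheet.com"), ("DNS", "www.risksheet.com")),
}


def san_dns_names(cert: Dict[str, object]) -> List[str]:
    """DNS entries of subjectAltName. Browsers ignore the CN for hostname checks."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard in the leftmost label only.

    '*.example.com' matches 'www.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == hostname


def uncovered_names(cert: Dict[str, object], served_names: Iterable[str]) -> Set[str]:
    """Return the served hostnames that no SAN entry matches (empty set = all covered)."""
    sans = san_dns_names(cert)
    return {name for name in served_names if not any(name_matches(san, name) for san in sans)}


def fetch_peer_cert(hostname: str, port: int = 443) -> Dict[str, object]:
    """Live variant: fetch the certificate presented for `hostname` via SNI.

    Hostname checking is turned off so a mismatched certificate can still be
    inspected; chain verification stays on, so a self-signed or badly chained
    certificate (the RemoteCertificateChainErrors case) raises here instead.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    served = ["risksheet.com", "www.risksheet.com"]  # ServerName + ServerAlias of the vHost
    for label, cert in (("single-name cert", SINGLE_NAME_CERT), ("two-name cert", TWO_NAME_CERT)):
        missing = uncovered_names(cert, served)
        print(f"{label}: {'covers all names' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```

Against a live server, `uncovered_names(fetch_peer_cert("www.risksheet.com"), ["risksheet.com", "www.risksheet.com"])` returns the empty set once the two-name certificate is installed on the vHost that actually answers on port 443.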

OK, I did what you said but I don’t know what you did to check and get that Certificate error: RemoteCertificateNameMismatch. But it seems like it is all working.

Thank you.

Ah, with this https://check-your-website.server-daten.de/?q=risksheet.com.

Still have that error there. Not sure what to do.

M.

If you want, then recheck the domain. The last check

Checked:
08.05.2019 23:47:49

~~ 35 minutes old.

If you have changed something, then recheck the domain.

I did this and it all looks good now. Does it look right to you?

Thank you again.

There is no newer check - checked 08.05.2019 23:47:49.

But now rechecked your domain - https://check-your-website.server-daten.de/?q=risksheet.com - now it’s good.

Your certificate has two domain names

CN=www.risksheet.com, valid from 08.05.2019 to 06.08.2019, expires in 89 days; names: risksheet.com, www.risksheet.com - 2 entries

both connections

| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://risksheet.com/ | 64.251.26.132 | 302 | https://risksheet.com/ | 0.273 | A |
| http://www.risksheet.com/ | 64.251.26.132 | 302 | https://risksheet.com/ | 0.274 | E |
| https://risksheet.com/ | 64.251.26.132 | 200 | | 1.627 | B |
| https://www.risksheet.com/ | 64.251.26.132 | 200 | | 1.380 | B |

use the certificate and both connections are secure.

So the main things are fixed, the domain has a Grade E. Perhaps you may fix some smaller things to get a Grade B or A.

Fantastic. Thank you for your help. I hope this whole post is helpful to others as well.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.