Years of Certbot / Let's Encrypt anguish. Could somebody help?

First of all, I appreciate everything Let's Encrypt does for the world!!! My frustrations are born out of my own incompetence!!!!

My domain is: mdttexas.com

I ran this command: I updated my current cert to add this domain to my 10 others and requested a new cert through the Let's Encrypt tool in Virtualmin

It produced this output:

Renewing an existing certificate for soberscove.com and 10 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mdttexas.com
Type: connection
Detail: 2600:3c02::f03c:93ff:fe96:4d77: Fetching https://mdttexas.com/.well-known/acme-challenge/aonq59pxImhPjl4TPAq_k-XStBIW_KwptpagZR1h8UE: Error getting validation data

Domain: www.mdttexas.com
Type: connection
Detail: 2600:3c02::f03c:93ff:fe96:4d77: Fetching https://www.mdttexas.com/.well-known/acme-challenge/XcW-nJx_jgBh_GksVladaGdR3phCZY4WNwAxPLE0I-c: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.6

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): VirtualMin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.1.0

I have to wrestle and fight and wait and hope and pray every three months that my certs will renew. I seem to get them to work, but there are always tons of errors, nothing works the first time, and even when it does work, it says that it doesn't - then I have to go look at the actual sites to confirm that it does.

  1. I have a WordPress Multi-Site set-up that runs on a VirtualHost that I admin with VirtualMin
  2. I have about 10 domains, I request the SSL cert each time for all of them, which seems to work eventually. Renewing does not really seem to work.
  3. Adding a NEW domain is a coin flip, sometimes they work right away, sometimes not. I CAN see the .well-known ACME folders, but Certbot doesn't seem to be putting the challenges there, I made the folders 777 for the time being

Basically I think that my Apache config file, Certbot settings, SSL settings, etc. have just slowly gotten out of whack over the last 8 years or so.

I have total access and control over the server, both with Virtualmin and root SSH if needed. It's a pretty basic web hosting setup, there is just something not quite right.

I would like to work with somebody to help me update and correctly align everything, and then show me how to proceed in a way that allows for easy additions and renewals. I think it should take maybe an hour or so tops, and I am happy to pay.

Please contact me (don't worry, I will get the message) via

trash
at
cloudcitydigital.com

...if you have a working knowledge of Apache / Virtualmin / Certbot / Let's Encrypt.

Again, happy to pay for an hour of your time.

Thanks!

Stephen

Do you only want to do this for pay? Because I can point out some things for free.

This domain has an AAAA record for IPv6. And, the https:// in the URL means your server redirected the original HTTP request to HTTPS. The HTTPS request then fails with invalid TLS.

The reason I point this out is that none of the other domains in that 10-domain cert have AAAA records. Well, I didn't check them all but the first two only had an A record for IPv4. See: Let's Debug

The IP addresses in your DNS look associated with Akamai Cloud. Can you explain how that ties into your hosting at Linode? It might help to know.

Let us know if you only want a paid consult. Don't want to waste time if it is not wanted :slight_smile:

2 Likes
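The two clues in that reply (the address in the Detail line is IPv6, and the URL being fetched is https:// even though HTTP-01 starts over plain HTTP) can be pulled out of Certbot's failure output mechanically. The following is an added example, not code from the thread, Certbot or Virtualmin: it parses the "Domain / Type / Detail" blocks as Certbot prints them, and for each failure reports the address family the CA connected over, the scheme it ended up on, and the challenge token, so you know which file to look for under the webroot. The sample text is constructed from the output quoted in the original post; the two tokens and the IPv6 address are the ones shown there.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the failure block quoted in the original post.
SAMPLE_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mdttexas.com
  Type:   connection
  Detail: 2600:3c02::f03c:93ff:fe96:4d77: Fetching https://mdttexas.com/.well-known/acme-challenge/aonq59pxImhPjl4TPAq_k-XStBIW_KwptpagZR1h8UE: Error getting validation data

  Domain: www.mdttexas.com
  Type:   connection
  Detail: 2600:3c02::f03c:93ff:fe96:4d77: Fetching https://www.mdttexas.com/.well-known/acme-challenge/XcW-nJx_jgBh_GksVladaGdR3phCZY4WNwAxPLE0I-c: Error getting validation data
"""

# "<ip>: Fetching <url>: <message>" as written by the validation server
DETAIL_RE = re.compile(r"^(?P<ip>[0-9a-fA-F:.]+): Fetching (?P<url>\S+): (?P<msg>.*)$")

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_failures(text):
    """Return one dict per 'Domain:' block: domain, type, ip, url, message."""
    failures = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            current = {"domain": line.split(":", 1)[1].strip()}
            failures.append(current)
        elif current is not None and line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Detail:"):
            detail = line.split(":", 1)[1].strip()
            m = DETAIL_RE.match(detail)
            if m:
                current["ip"] = m.group("ip")
                current["url"] = m.group("url")
                current["message"] = m.group("msg")
            else:
                current["message"] = detail
    return failures


def diagnose(failure):
    """Turn one parsed failure into the checks a reader would make by hand."""
    notes = []
    ip = ipaddress.ip_address(failure["ip"])
    if ip.version == 6:
        # The CA prefers AAAA when one exists; the host must actually answer on it.
        notes.append("validated over IPv6: an AAAA record exists, so Apache must "
                     "listen on [::]:80 there, or the AAAA record has to go")
    url = urlparse(failure["url"])
    if url.scheme == "https":
        # HTTP-01 begins on port 80; an https:// URL means the server redirected.
        notes.append("HTTP request was redirected to HTTPS: port 443 must complete a "
                     "TLS handshake and return the token, or exempt the challenge path "
                     "from the redirect")
    if not url.path.startswith(CHALLENGE_PREFIX):
        notes.append("redirect left the acme-challenge path; the token file cannot be found")
    token = url.path[len(CHALLENGE_PREFIX):] if url.path.startswith(CHALLENGE_PREFIX) else ""
    return {
        "domain": failure["domain"],
        "ip_version": ip.version,
        "scheme": url.scheme,
        "token": token,
        # Where Certbot --webroot would have written the file (webroot assumed).
        "expected_file": "<webroot>" + CHALLENGE_PREFIX + token,
        "notes": notes,
    }


def diagnose_all(text):
    return [diagnose(f) for f in parse_failures(text)]


if __name__ == "__main__":
    for d in diagnose_all(SAMPLE_OUTPUT):
        print(d["domain"], "IPv%d" % d["ip_version"], d["scheme"], d["token"])
        for n in d["notes"]:
            print("  -", n)
```

Paste your own Certbot output in place of the constructed sample; the `expected_file` value tells you which filename to look for under the webroot while a run is in progress, which is a quicker check than making the directories world-writable.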

Mike, thank you so much for responding. No, I am open to free help as well! I just imagined there could be SO many variables and things wrong that I didn't want to annoy people.

The HTTPS forwarding is interesting, I wonder why it hasn't been a problem before (or maybe it has lol).

I do know that Akamai owns Linode now, I admin my DNS through the Linode control panel.

Why did you setup an AAAA record for just this new domain and none of the others?

Have you configured Apache to listen for IPv6? If you are not sure maybe best to remove the AAAA record for now. Something is seeing the HTTP request on IPv6 and redirecting it.

2 Likes

Hmmm. I just used the default Linode DNS records. Maybe those have changed since the last time I set up DNS - so AAAA is included. I'll remove now.

Ok I've done that. I will wait 30 minutes and try to regenerate the cert!

You don't have to wait 30 minutes for Let's Encrypt. It looks directly at the authoritative DNS servers and I can see the AAAA record is already gone. See: https://unboundtest.com/

2 Likes

Oh ok, awesome. Will try right now then!

Change the setup to one Certificate per "registered domain" – i.e. one cert for example.com, and another for example.org,subdomain.example.org.

What happens in the "mix many domains into one cert" setup is that any issues with a given domain will impact the entire certificate. If you drop this down to one (registered) domain per cert, they don't mess each other up, and it ends up being much easier to troubleshoot whatever is going on.

2 Likes

How do they do that with VirtualMin?

1 Like

That did it! Thank you so much. I am still getting this error, which is puzzling, but it did seem to create the cert:

Yeah, I see the new cert and mdttexas.com is using it correctly. See: SSL Server Test: mdttexas.com (Powered by Qualys SSL Labs)

A Google search found this. Sounds like your issue:

2 Likes

One can configure multiple virtual hosts or virtual servers, like in Apache/nginx. I'm not sure on the specifics, but it's come up here in the past and, doing a quick web search, is very common.

2 Likes