2
votes

My domain is:

monxas.ninja

I ran this command:

sudo certbot --apache --debug-challenges

It produced this output:

   Obtaining a new certificate
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for monxas.ninja
Waiting for verification...

-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------
Press Enter to Continue
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Cleaning up challenges
Failed authorization procedure. monxas.ninja (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://monxas.ninja/.well-known/acme-challenge/Wt_CvapZhIJt3EDdoIjop4Lun7V4B_JpWmnpyMxz7es: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: monxas.ninja
   Type:   unauthorized
   Detail: Invalid response from
   http://monxas.ninja/.well-known/acme-challenge/Wt_CvapZhIJt3EDdoIjop4Lun7V4B_JpWmnpyMxz7es:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is (include version):

Apache version 2.4.25   

The operating system my web server runs on is (include version):

Raspbian GNU/Linux 9

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

the dns records are

A *.monxas.ninja 83.56.8.166 300

A monxas.ninja 83.56.8.166 300

and i don’t use AAAA

Also, manually created the well known path, it’s accesible as you can see here:

http://monxas.ninja/.well-known/acme-challenge/

1
Did you ever find a solution? I have two servers behaving exactly this way. - Michael

1 Answers

2
votes

I think I may have found the solution. It was my solution anyway...

I had the inclination to look at the renewal file and found the solution within. I don't know how or why this was created incorrectly, but the webroot was wrong in renewal file on both servers. When I corrected it, both renewals completed as expected.

/etc/letsencrypt/renewal/www.server.com.conf

Look for the entry under [[webroot_map]]

I hope this helps someone. I spent two days scratching my head before thinking to look at the renewal file.