1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: msuacquisition.org, www.msuacquisition.org jatos.msuacquisition.org

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/msuacquisition.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for msuacquisition.org and 2 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: msuacquisition.org
  Type:   unauthorized
  Detail: 185.199.111.153: Invalid response from http://msuacquisition.org/.well-known/acme-challenge/RMPEK0PWYpbSTFVnqUoAhCBHQi-cZMpZVQIilElhKys: 404

  Domain: www.msuacquisition.org
  Type:   unauthorized
  Detail: 2606:50c0:8003::153: Invalid response from http://www.msuacquisition.org/.well-known/acme-challenge/YWKnJo5J1E06cBz4boYU9xiiAm0cfod9HoaS1p7cFu4: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate msuacquisition.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/msuacquisition.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: Amazon AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): AWS?

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1

2

Of those 3 domain names only your jatos subdomain points to an Apache server hosted at EC2. Is this the only domain you need a cert for?

Because your apex domain and www subdomain have valid certs and are using Varnish CDN and GitHub. This is very different than direct to Apache. Looks like you might have setup Github and Varnish in late August based on your cert history.

Also, your DNS for your apex domain is different than for your www subdomain. Your apex domain has 4 IPv4 addresses. Your www subdomain has a CNAME to msu-language-acquisition-lab.github.io. which has 4 IPv4 and 4 IPv6 addresses. These two domain don't technically require identical IP address lists but usually that's what is done.

4 Likes
3

Thanks! Yes, the jatos subdomain is probably the only domain I need the cert for. Indeed I did set up the lab web page in August and before that the www and apex domains were running on the EC2 apache server. So how do I get certbot to just get the cert for the jatos subdomain and remove the www and apex domain?

1 Like
4

Never mind, I found what I needed.

certbot certonly --cert-name msuacquisition.org -d jatos.msuacquisition.org

does the trick and removes the www and apex domains from the cert.

Thanks again for the help.

2 Likes