404 Certbot Error (Apache / Debian 9)


#1

My domain is: http://staff.csra-hs.com/.well-known/acme-challenge/index

I ran this command: sudo certbot --authenticator webroot --installer apache

It produced this output:
Domain: staff.csra-hs.com
Type: unauthorized
Detail: Invalid response from
http://staff.csra-hs.com/.well-known/acme-challenge/gDD5M-b8RyoywsR8-4IzuRq6QK2c2zbV99ZDOnsmfvE:
"

   <head>
     <title>sta"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.25 (Debian)
The operating system my web server runs on is: Debian GNU/Linux 9.4 (stretch)
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don’t know): yes

When I run that command, I get a 404 error, and I can’t seem to figure out why. When I go to the /.well-known/acme-challenge/index (a file I made to test) in Chrome, the contents show up, no problem. I’ve checked to see if it actually is making a file during the validation process before it deletes it, and I can see it.

I’ve even tried to validate through ZeroSSL, manually placing the file, and manually testing that I can see it, and yet it even fails validation on there.

More details:

I’ve been googling and searching the internet, mainly this forum for 2 days, and I am pretty sure I did something dumb at some point, but can’t for the life of me figure out what. Any help would be appreciated.


#2

Hi @HLSiira,

Your server staff.csra-hs.com doesn’t directly serve files, but instead creates an HTML frame that tries to load the files from a different server 173.230.129.193. This is not OK for Let’s Encrypt because the certificate authority requires the response to be the literal contents that are specified for the challenge, not an HTML page. You might not easily be able to tell the difference in your browser (because the content might be loaded and rendered inside the frame), but again, it’s not OK for the certificate authority.

Is it possible that what we’re seeing is the GoDaddy “forwarding” and that your real server is 173.230.129.193? If so, this forwarding method is not acceptable for the HTTP-01 challenge and you do need to directly create an A record in the DNS that points to 173.230.129.193, not to 184.168.221.20.


#3

Alright, now what tools did you use to determine all that wonderful stuff?

I’ll check back with you after messing with GoDaddy to try to fix this, and report on whether it fixed it, btw.


#4

curl -L -v :)
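The diagnosis in #2 and the one-liner in #4 boil down to one check: fetch the challenge URL the way the CA does (following redirects) and look at whether the final body is the literal key authorization or an HTML page such as a forwarding frame. The script below is an added example, not something posted in this thread; it classifies a response body and wraps curl for a live probe. The token is the one from the error output in #1, the thumbprint and the frame page are constructed placeholders, and the exact body format (token, a dot, then the 43-character base64url account-key thumbprint) is the HTTP-01 key authorization defined in RFC 8555.

```sh
#!/bin/sh
# Added example: triage an ACME HTTP-01 "Invalid response" the way a defender would.
# Not code from the thread; token below is from the thread's error output,
# THUMB and FRAME_PAGE are constructed placeholders.

# Classify a response body for a given challenge token.
# Prints one of: ok | frame | html | mismatch
check_challenge_body() {
  body=$(printf '%s' "$1")   # $(...) drops trailing newlines, which ACME servers tolerate
  token=$2
  # A valid key authorization is exactly one line: <token>.<43-char base64url thumbprint>
  if [ "$(printf '%s\n' "$body" | wc -l)" -eq 1 ] &&
     printf '%s\n' "$body" | grep -Eq "^${token}\.[A-Za-z0-9_-]{43}$"; then
    echo ok
  # A frame/iframe page is what domain "forwarding with masking" typically returns:
  # the browser shows the right content, but the CA sees only the frame wrapper.
  elif printf '%s' "$body" | grep -Eiq '<(i?frame|frameset)[[:space:]>]'; then
    echo frame
  # Any other HTML (404 page, landing page, redirect interstitial) also fails validation.
  elif printf '%s' "$body" | grep -Eiq '<(!doctype|html|head|body)[[:space:]>]'; then
    echo html
  else
    echo mismatch
  fi
}

# Live probe: follow redirects like the CA, report status, final URL and body class.
# Needs network access, so it is not exercised by the offline demo below.
probe_challenge_url() {
  url=$1
  token=$2
  tmp=$(mktemp) || return 1
  status=$(curl -sS -L -o "$tmp" -w '%{http_code} %{url_effective}' "$url") || { rm -f "$tmp"; return 1; }
  echo "final : $status"
  echo "body  : $(check_challenge_body "$(cat "$tmp")" "$token")"
  rm -f "$tmp"
}

# --- constructed sample data ---------------------------------------------------
TOKEN=gDD5M-b8RyoywsR8-4IzuRq6QK2c2zbV99ZDOnsmfvE          # token from the thread's error output
THUMB=0000000000000000000000000000000000000000000         # placeholder: 43-char thumbprint
FRAME_PAGE='<html><head><title>staff.csra-hs.com</title></head><frameset><frame src="http://173.230.129.193/"></frameset></html>'
NOTFOUND_PAGE='<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>Not Found</body></html>'

# Offline demo of the four outcomes.
echo "good key authorization : $(check_challenge_body "$TOKEN.$THUMB" "$TOKEN")"
echo "forwarding frame page  : $(check_challenge_body "$FRAME_PAGE" "$TOKEN")"
echo "apache 404 page        : $(check_challenge_body "$NOTFOUND_PAGE" "$TOKEN")"
echo "wrong token            : $(check_challenge_body "otherToken.$THUMB" "$TOKEN")"
# Live use (uncomment on a host with network access):
# probe_challenge_url "http://staff.csra-hs.com/.well-known/acme-challenge/$TOKEN" "$TOKEN"
```

If the live probe prints a final URL on a different host than the one in your A record, or a body class of `frame` or `html`, the fix is the one given in #2: point the DNS A record straight at the web server rather than at a forwarding service.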


#5

You are my hero, I can’t thank you enough. It’s been 2 solid days of staring at this problem trying to figure it out, and now it works flawlessly, and hopefully it stays that way.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.