404 error when creating certificate / DNS issue?

I am trying to get a new certificate for the domain perfectpace.com

with this command:
letsencrypt certonly -d perfectpace.com --standalone

The error I get is:

   Type:   unauthorized
   Detail: Invalid response from
   http://perfectpace.com/.well-known/acme-challenge/jiFQgIH2xD8sFtZf073WbMx8E7fdDFCo3HyOYOMDnew:
   <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p>

I tried both with the webserver that comes with letsencrypt as well as with an apache installation.

Running Ubuntu 16.04

The weird part is when I start the verification and curl perfectpace.com I get the ACME client standalone challenge solver line.

If I run letsencrypt with the domain name leanfive.ddns.net it is working fine. Which makes me think it is probably an issue with the DNS settings but I can’t figure out what it could be.
They both point to the same IPv4 address.
Does letsencrypt use IPv6?
Any dig expert out there who can spot the difference between perfectpace.com and leanfive.ddns.net?

Hi @_flolive,

Yes, Let’s Encrypt uses IPv6, indeed it prefers IPv6 over IPv4 so as your domain perfectpace.com has an AAAA record Let’s Encrypt will try to validate the challenge connecting to your IPv6 address.

Right now, the port 80 in your IPv4 address is closed, maybe because you have nothing listening there or because you have some firewall rule blocking it:

$ curl -IkL4 http://perfectpace.com/.well-known/acme-challenge/jiFQgIH2xD8sFtZf073WbMx8E7fdDFCo3HyOYOMDnew
curl: (7) Failed to connect to perfectpace.com port 80: Connection refused

But port 80 is working on your IPv6 address:

$ curl -IkL6 http://perfectpace.com/.well-known/acme-challenge/jiFQgIH2xD8sFtZf073WbMx8E7fdDFCo3HyOYOMDnew
HTTP/1.1 404 Not Found
Date: Thu, 25 Jan 2018 08:35:45 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

As a quick fix you could remove AAAA record for your domain and give a try to standalone method again.

Cheers,
sahsanu

1 Like

I was suspecting something like this.

I am using DynDNS (ddclient) which does not update my AAAA record. And my provider doesn’t allow my to remove the AAAA record.

I’ll have to find a way to dynamically update the AAAA record. Maybe some other client can handle that.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.