My domain is: http://kdetosakra.cz
I ran this command:
certbot certonly --manual --dry-run
It produced this output:
Create a file containing just this data:
PL1mRK6_6Nu3jUvuvKQVXpDvDlCfkNxqnZ4CgIihYpI.jR9_O8TaKiRYhtC-Kl8j3_NRXsXyHlbIf0ZHWyJGo5k
And make it available on your web server at this URL:
http://kdetosakra.cz/.well-known/acme-challenge/PL1mRK6_6Nu3jUvuvKQVXpDvDlCfkNxqnZ4CgIihYpI
Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. kdetosakra.cz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kdetosakra.cz/.well-known/acme-challenge/PL1mRK6_6Nu3jUvuvKQVXpDvDlCfkNxqnZ4CgIihYpI [2a02:2b88:1:4::16]: “\n\n404 Not Found\n\n
Not Found
\n<p”
IMPORTANT NOTES:
My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 18.04
My hosting provider, if applicable, is: AWS EC2
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
Please, can you give me some advice? As you can see, I can obtain that file from http://kdetosakra.cz/.well-known/acme-challenge/PL1mRK6_6Nu3jUvuvKQVXpDvDlCfkNxqnZ4CgIihYpI but certbot still throws 404 Not Found after verification.
apachectl -S
*:80 kdetosakra.cz (/etc/apache2/sites-enabled/kdetosakra.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex proxy: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
Hi @bouchja1
there are some checks of your domain - some minutes old - https://check-your-website.server-daten.de/?q=kdetosakra.cz
There you see the problem.
You have ipv4 and ipv6 addresses.
But there are different answers:
K http://kdetosakra.cz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 18.194.106.223, Status 200
http://kdetosakra.cz/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:2b88:1:4::16, Status 404
configuration problem - different ip addresses with different status
Ipv4 has a http status 200 checking a not existing file, ipv6 has a http status 404 - Not Found.
Ipv4: Server: Apache/2.4.29 (Ubuntu)
Ipv6: Server: Apache
That can't work.
Looks like your ipv6 isn't configured.
Add a
Listen [::]:80
Thank you for your reply @JuergenAuer! I am not an admin so I am sorry for my basic questions but… where should I add a
Listen [::]:80
I added IPV6 to my Inbound in AWS so the current state is:
and this is my current apache2 VirtualHost configuration:
<VirtualHost *:80>
    ServerAdmin admin@janbouchner.cz
    ServerName kdetosakra.cz
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    <Proxy *>
        Order deny,allow
        Require all granted
    </Proxy>
    <Location />
        ProxyPass http://127.0.0.1:8085/
        ProxyPassReverse http://127.0.0.1:8085/
    </Location>
    <Directory "/home/ubuntu/node/kdetosakra.cz/build">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The IPv6 address isn’t from AWS.
kdetosakra.cz. 1799 A 18.194.106.223
kdetosakra.cz. 1799 AAAA 2a02:2b88:1:4::16
Read your output:
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| kdetosakra.cz | A | 18.194.106.223 Frankfurt am Main/Hesse/Germany (DE) - Amazon Technologies Inc. Hostname: ec2-18-194-106-223.eu-central-1.compute.amazonaws.com | yes | 1 | 0 |
| | AAAA | 2a02:2b88:1:4::16 Hluboka nad Vltavou/Jihocesky kraj/Czechia (CZ) - WEDOS Internet | yes | | |
| www.kdetosakra.cz | A | 18.194.106.223 Frankfurt am Main/Hesse/Germany (DE) - Amazon Technologies Inc. Hostname: ec2-18-194-106-223.eu-central-1.compute.amazonaws.com | yes | 1 | 0 |
| | AAAA | 2a02:2b88:1:4::16 Hluboka nad Vltavou/Jihocesky kraj/Czechia (CZ) - WEDOS Internet | yes | | |
Your ipv4 is from Amazon. Your ipv6 is from your hoster.
So you don’t use the ipv4 of your hoster -> different servers -> remove the DNS AAAA record.
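Added example (not part of the original thread): a Python check that requests the same challenge path from each address a name resolves to and reports whether the answers agree, which is the mismatch the checker output above shows. The function names are this example's own, and `REPLAY` holds the status codes and Server headers quoted in the thread so the block runs offline.

```python
import http.client
import socket

HOST = "kdetosakra.cz"
PATH = "/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de"
# Replayed from the checker output quoted in the thread, not a live measurement.
REPLAY = {
    "18.194.106.223": (200, "Apache/2.4.29 (Ubuntu)"),
    "2a02:2b88:1:4::16": (404, "Apache"),
}

def resolve_all(host, port=80):
    """Every distinct A and AAAA address; a validation request can use any of them."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_status(ip, host, path, timeout=10):
    """GET path from one specific address while sending the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()

def replay_fetch(ip, host, path):
    """Offline stand-in for fetch_status that returns the replayed answers."""
    return REPLAY[ip]

def compare_addresses(host, path, addresses, fetch=fetch_status):
    """Return ({ip: (status, server)}, consistent) for the given addresses."""
    results = {}
    for ip in addresses:
        try:
            results[ip] = fetch(ip, host, path)
        except (OSError, http.client.HTTPException) as exc:
            results[ip] = (None, f"unreachable: {exc}")
    statuses = {status for status, _ in results.values()}
    # Consistent only if every address answered, and with the same status.
    return results, len(statuses) == 1 and None not in statuses

if __name__ == "__main__":
    # Live use: compare_addresses(HOST, PATH, resolve_all(HOST))
    results, consistent = compare_addresses(HOST, PATH, list(REPLAY), fetch=replay_fetch)
    for ip, (status, server) in results.items():
        print(f"{ip:<20} status={status} server={server}")
    print("consistent" if consistent else "MISMATCH: addresses give different answers")
```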
@mnordhoff @JuergenAuer After I cleared AAAA records, I’ve moved on and obtained the certificate! Thank you for your help guys.