Certbot 404 reading response on renew

My domain is:
lingnu.com

I ran this command:
certbot-auto certonly --dry-run --debug-challenges -v --nginx -d lingnu.com

It produced this output:

http-01 challenge for lingnu.com
Reporting to user: The following errors were reported by the server:

Domain: lingnu.com
Type:   unauthorized
Detail: Invalid response from http://lingnu.com/.well-known/acme-challenge/jSVVTObWuHMwqm2RtiGvcAQXos6liDfnOf_QvQx7p5s [2a02:c207:2021:373::1]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

My web server is (include version):
nginx 1.10.3-1+deb9u2

The operating system my web server runs on is (include version):

Description:    Debian GNU/Linux 9.9 (stretch)
Release:        9.9
Codename:       stretch

My hosting provider, if applicable, is:
https://contabo.com/

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.38.0

Details:
When I run the above command, I get the 404 listed above. I asked certbot to stop prior to sending the challenge, and when I manually run wget http://lingnu.com/.well-known/acme-challenge/jSVVTObWuHMwqm2RtiGvcAQXos6liDfnOf_QvQx7p5s, I get the expected result and the site’s access log shows my access as 200.

I then press Enter, and get the response listed above (that the CA got a 404), but my access log does not show anyone accessing the site.

Since my laptop is IPv4 only, and the CA uses IPv6, I tried using a web tool that checks IPv6 access. It says the site is reachable, and my access log shows its connection.

This is not a transient problem. It affects all of my domains, and has been going on long enough for my certificates to begin nearing expiration.

Hi @shachar

Checking your domain, there are different answers for IPv4 / IPv6.

Check the output of https://check-your-website.server-daten.de/?q=lingnu.com

Domainname               IP address              Http-Status  redirect                 Sec.   G
http://lingnu.com/       207.180.215.171         301          https://www.lingnu.com/  0.060  E
http://www.lingnu.com/   207.180.215.171         301          https://www.lingnu.com/  0.056  A
http://lingnu.com/       2a02:c207:2021:373::1   200                                   0.057  H
http://www.lingnu.com/   2a02:c207:2021:373::1   200                                   0.053  H
https://lingnu.com/      207.180.215.171         301          https://www.lingnu.com/  3.490  B
https://lingnu.com/      2a02:c207:2021:373::1   200                                   3.156  B
https://www.lingnu.com/  207.180.215.171         200                                   3.393  I
https://www.lingnu.com/  2a02:c207:2021:373::1   200                                   3.160  B

One sample:

K http://lingnu.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 207.180.215.171, Status 301
http://lingnu.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:c207:2021:373::1, Status 404
configuration problem - different ip addresses with different status

IPv4 has a redirect http -> https, followed by an HTTP status 404. IPv6 answers with a 404 without a redirect.

So these are different configurations.

Perhaps remove your ipv6, create a certificate, then fix your ipv6.
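One way to reproduce the per-address comparison the online tool does, as an added example that is not part of this thread and is neither the tool's nor certbot's code: the script below resolves every A and AAAA record of the host, requests the same challenge path from each address with curl --resolve (so the Host header stays lingnu.com while the TCP connection goes to one chosen address), and reports whether the first-hop statuses differ. The token is made up, the host name is taken from the thread, and curl plus glibc's getent are assumed to be installed. The network part only runs when invoked with --run; diagnose works on any "ADDR STATUS" lines and is what you would point at a certbot --debug-challenges pause.

```shell
#!/bin/sh
# Added example (not from the thread): probe one challenge URL over all
# A and AAAA addresses of a host and flag inconsistent answers.
# Assumptions: curl and getent are installed; TOKEN is a hypothetical token.

HOST="lingnu.com"
TOKEN="example-token"                         # hypothetical, not a real challenge
URLPATH="/.well-known/acme-challenge/$TOKEN"

# probe ADDR: fetch http://HOST/URLPATH from exactly this address, Host header
# set to HOST, redirects NOT followed (we want the first-hop status, as the
# online tool shows it). Prints "ADDR STATUS REDIRECT_URL".
probe() {
    addr=$1
    code=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' \
        --max-time 10 --resolve "$HOST:80:$addr" "http://$HOST$URLPATH")
    echo "$addr $code"
}

# diagnose: reads "ADDR STATUS [REDIRECT]" lines on stdin. Prints
# "consistent <status>" when every address answered with the same status,
# otherwise "mismatch" followed by the per-address lines. A mismatch is the
# condition the tool above reports as "different ip addresses with
# different status", i.e. the vhost is not the same on both families.
diagnose() {
    awk '{ seen[$2]++; lines = lines $0 "\n" }
         END {
           n = 0
           for (s in seen) { n++; last = s }
           if (n == 1) print "consistent " last
           else printf "mismatch\n%s", lines
         }'
}

# addresses: every unique A/AAAA address of HOST (getent ahosts prints the
# address in the first column, once per socket type, hence sort -u).
addresses() {
    getent ahosts "$HOST" | awk '{ print $1 }' | sort -u
}

# Run the live check only when explicitly asked, so the functions above can
# be sourced or tested offline.
if [ "${1:-}" = "--run" ]; then
    for a in $(addresses); do probe "$a"; done | diagnose
fi
```

Run it while certbot is paused at --debug-challenges; a 200 from every address means the CA will see the file wherever it connects, while "mismatch" tells you which address is served by a different vhost (a 404 over IPv6 next to a 301 over IPv4, as in the tool output above).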

It is incredibly hard for me to test this myself, as I don’t have an IPv6 enabled desktop.

It seems that all failed domains are tied to this one IP address. mail.lingnu.com, which has a different IPv6 address, renewed correctly.

Thank you for your help. For the time being, I disabled all of my IPv6 domains. :frowning_face: I suspect I may have assigned them to an IP that belongs to the registrar. I’ll investigate when I have time.

Thank you.
Shachar


An IPv6 desktop isn't enough. It's important to check the same URL with different IP addresses; normally that's not possible to check with a browser. And with 6 URLs -> use online tools to automate that.

Rechecked your raw ipv6 - https://check-your-website.server-daten.de/?q=2a02%3Ac207%3A2021%3A373%3A%3A1

There is an answer:

Domainname                                                                               IP address              Http-Status  Sec.   G
http://[2a02:c207:2021:0373:0000:0000:0000:0001]/                                        2a02:c207:2021:373::1   200          0.060  H
https://[2a02:c207:2021:0373:0000:0000:0000:0001]/                                       2a02:c207:2021:373::1   200          3.490  N  (Certificate error: RemoteCertificateNameMismatch)
http://[2a02:c207:2021:0373:0000:0000:0000:0001]/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de   2a02:c207:2021:373::1   404   0.057  A  (Not Found; visible content: 404 Not Found nginx/1.10.3)

And a certificate:

CN=yoda.lingnu.com, valid 24.08.2019 to 22.11.2019, expires in 75 days, yoda.lingnu.com - 1 entry

Maybe the standard vHost.

Perhaps your other vHosts have wrong definitions.

Use

<VirtualHost *:80>

not

<VirtualHost ip-address:80>

Yep - checking the ipv6 with the hostname - there is again the - now wrong - certificate - https://check-your-website.server-daten.de/?q=[2a02%3Ac207%3A2021%3A373%3A%3A1]&h=lingnu.com

So there is no vHost for IPv6 + lingnu.com + https; then the http version may be wrong too.
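The server in this thread is nginx, where the equivalent of the Apache advice above is the listen directive: "listen 80;" binds 0.0.0.0 only, and a server block needs a separate "listen [::]:80;" to answer the same name over IPv6; otherwise IPv6 requests for lingnu.com fall through to whichever block is default_server on [::]:80. The script below is an added example, not the thread's configuration and not something the replies posted: it audits an nginx config for server blocks that listen on IPv4 but never on [::]. The sample config is constructed to resemble the symptom described (a default site presenting the yoda.lingnu.com certificate, a lingnu.com vhost bound to IPv4 only) and is an assumption about what the real file might look like.

```shell
#!/bin/sh
# Added example (not the thread's config): list nginx server blocks that bind
# IPv4 only. Assumes one directive per line, which is how nginx configs are
# normally written; nested location {} blocks inside server {} are handled.

# Constructed sample resembling the symptom in the thread, NOT the real file.
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name yoda.lingnu.com;
    root /var/www/html;
}
server {
    listen 80;
    server_name lingnu.com www.lingnu.com;
    root /var/www/lingnu;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
}
server {
    listen 80;
    listen [::]:80;
    server_name mail.lingnu.com;
    root /var/www/mail;
}
EOF
)

# ipv4_only_vhosts: reads nginx config on stdin and prints the server_name of
# every top-level server block that has at least one listen without "[::]"
# and no listen with "[::]" at all. Those names are served over IPv4 only;
# over IPv6 they are answered by the default_server block instead.
ipv4_only_vhosts() {
    awk '
      { opens = gsub(/\{/, "{"); closes = gsub(/\}/, "}") }   # brace counts on this line
      depth == 0 && /^[[:space:]]*server[[:space:]]*\{/ {
          inblk = 1; v4 = 0; v6 = 0; name = "(no server_name)"
      }
      inblk && /^[[:space:]]*listen[[:space:]]/ {
          if ($0 ~ /\[::\]/) v6 = 1; else v4 = 1
      }
      inblk && /^[[:space:]]*server_name[[:space:]]/ {
          n = $0
          sub(/^[[:space:]]*server_name[[:space:]]+/, "", n); sub(/;.*/, "", n)
          name = n
      }
      {
          depth += opens - closes
          if (inblk && depth == 0) { if (v4 && !v6) print name; inblk = 0 }
      }'
}

printf '%s\n' "$SAMPLE_CONF" | ipv4_only_vhosts
```

On the sample this prints only "lingnu.com www.lingnu.com": the default site and mail.lingnu.com already listen on both families, which matches the observation that mail.lingnu.com renewed while the lingnu.com vhost was missing over IPv6. The fix is to add "listen [::]:80;" (and "listen [::]:443 ssl;" for the https block) to the flagged server block, then "nginx -t" and reload. A single "listen [::]:80 ipv6only=off;" also binds both families on Linux; the script treats such a block as covered, which is correct.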
