Certbot 404 reading response on renew

My domain is:

I ran this command:
certbot-auto certonly --dry-run --debug-challenges -v --nginx -d lingnu.com

It produced this output:

http-01 challenge for lingnu.com
Reporting to user: The following errors were reported by the server:

Domain: lingnu.com
Type:   unauthorized
Detail: Invalid response from http://lingnu.com/.well-known/acme-challenge/jSVVTObWuHMwqm2RtiGvcAQXos6liDfnOf_QvQx7p5s [2a02:c207:2021:373::1]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

My web server is (include version):
nginx 1.10.3-1+deb9u2

The operating system my web server runs on is (include version):

Description:    Debian GNU/Linux 9.9 (stretch)
Release:        9.9
Codename:       stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.38.0

When I run the above command, I get the 404 listed above. I asked certbot to stop prior to sending the challenge, and when I manually run wget http://lingnu.com/.well-known/acme-challenge/jSVVTObWuHMwqm2RtiGvcAQXos6liDfnOf_QvQx7p5s, I get the expected result and the site’s access log shows my access as 200.

I then press Enter, and get the response listed above (that the CA got a 404), but my access log does not show anyone accessing the site.

Since my laptop is IPv4 only, and the CA uses IPv6, I tried using a web tool that checks IPv6 access. It says the site is reachable, and my access log shows its connection.

This is not a transient problem. It affects all of my domains, and has been going on long enough for my certificates to begin nearing expiration.

Hi @shachar

checking your domain there are different answers ipv4 / ipv6.

Check the output of https://check-your-website.server-daten.de/?q=lingnu.com

Domainname Http-Status redirect Sec. G
http://lingnu.com/ 301 https://www.lingnu.com/ 0.060 E
http://www.lingnu.com/ 301 https://www.lingnu.com/ 0.056 A
2a02:c207:2021:373::1 200 0.057 H
2a02:c207:2021:373::1 200 0.053 H
https://lingnu.com/ 301 https://www.lingnu.com/ 3.490 B
2a02:c207:2021:373::1 200 3.156 B
https://www.lingnu.com/ 200 3.393 I
2a02:c207:2021:373::1 200 3.160 B

One sample:

K http://lingnu.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de, Status 301
http://lingnu.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:c207:2021:373::1, Status 404
configuration problem - different ip addresses with different status

Ipv4 has a redirect http -> https, then follows a http status 404. ipv6 answers with a 404 without a redirect.

So these are different configurations.

Perhaps remove your ipv6, create a certificate, then fix your ipv6.

It is incredibly hard for me to test this myself, as I don’t have an IPv6 enabled desktop.

It seems that all failed domains are tied to this one IP address. mail.lingnu.com, which has a different IPv6 address, renewed correctly.

Thank you for your help. For the time being, I disabled all of my IPv6 domains. :frowning_face: I suspect I may have assigned them to an IP that belongs to the registrar. I’ll investigate when I have time.

Thank you.

1 Like

An Ipv6 desktop isn't enough. It's important to check the same url with different ip addresses, normally, that's not possible to check that with a browser. And that with 6 urls -> use online tools to automate that.

Rechecked your raw ipv6 - https://check-your-website.server-daten.de/?q=2a02%3Ac207%3A2021%3A373%3A%3A1

There is an answer:

Domainname Http-Status redirect Sec. G
• http://[2a02:c207:2021:0373:0000:0000:0000:0001]/
2a02:c207:2021:373::1 200 0.060 H
• https://[2a02:c207:2021:0373:0000:0000:0000:0001]/
2a02:c207:2021:373::1 200 3.490 N
Certificate error: RemoteCertificateNameMismatch
• http://[2a02:c207:2021:0373:0000:0000:0000:0001]/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2a02:c207:2021:373::1 404 0.057 A
Not Found
Visible Content: 404 Not Found nginx/1.10.3

And a certificate:

expires in 75 days	yoda.lingnu.com - 1 entry

May be the standard vHost.

Perhaps your other vHosts have wrong definitions.


<VirtualHost *:80>


<VirtualHost ip-address:80>

Yep - checking the ipv6 with the hostname - there is again the - now wrong - certificate - https://check-your-website.server-daten.de/?q=[2a02%3Ac207%3A2021%3A373%3A%3A1]&h=lingnu.com

So there is no vHost ipv6 + lingnu.com + https, then the http version may wrong too.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.