Certbot Error - Some challenges have failed

My domain is: sunpixel.ir

I ran this command: sudo certbot --apache -d sunpixel.ir

It produced this output:

root@root:~# sudo certbot --apache -d sunpixel.ir
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sunpixel.ir

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: sunpixel.ir
  Type:   unauthorized
  Detail: 45.81.18.104: Invalid response from http://sunpixel.ir/.well-known/acme-challenge/lpy48Tzbo94s-kvlc02lKHALp2SD1W16u1VYNQjfyNk: 504

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache2 - 2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Hello @Kriss, welcome to the Let's Encrypt community. :slightly_smiling_face:

I see Server: ddos-guard, not Apache. Are you using https://ddos-guard.net/en?

$ curl -i http://sunpixel.ir/.well-known/acme-challenge/sometestfile
HTTP/1.1 504 Gateway Timeout
Server: ddos-guard
Date: Fri, 01 Mar 2024 18:03:28 GMT
Connection: keep-alive
Keep-Alive: timeout=60
Content-Type: text/html; charset=utf8
Content-Length: 583

<!DOCTYPE html><html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 504</title><style>*{margin:0;padding:0}html{font:15px/22px arial,sans-serif;background: #fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}p{margin:11px 0 22px;overflow :hidden}ins{color:#777;text-decoration :none;}</style><p><b>504 - Gateway Timeout .</b> <ins>That’s an error.</ins><p>We did not receive a timely response from the upstream server.  <ins>That’s all we know.</ins>
4 Likes
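The diagnosis above rests on reading the response head: a 504 with `Server: ddos-guard` means the validation request was answered by an intermediary, not by the Apache origin. The following is an added example (not Certbot or Let's Encrypt code) that classifies a raw `curl -i` response the way one would by hand. The 504 sample is the response quoted in this thread with its HTML body shortened; the 200 and 404 samples, the `Server: Apache/2.4.52 (Ubuntu)` value and the token are constructed for illustration.

```python
"""Classify what an ACME HTTP-01 validator would see at /.well-known/acme-challenge/.

Added example for this thread, not part of Certbot. Paste the output of
`curl -i http://<domain>/.well-known/acme-challenge/<token>` into diagnose().
"""
from dataclasses import dataclass

# Server-header prefixes that indicate the origin web server answered directly.
ORIGIN_SERVER_PREFIXES = ("apache", "nginx", "caddy", "lighttpd")


@dataclass
class Diagnosis:
    status: int
    server: str
    verdict: str


def split_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups do not depend on capitalisation.
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def diagnose(raw: str, expected_body: str = "") -> Diagnosis:
    """Decide whether the challenge request reached the origin and was served."""
    status, headers, body = split_response(raw)
    server = headers.get("server", "")
    origin_answered = server.lower().startswith(ORIGIN_SERVER_PREFIXES)

    if status in (502, 504):
        verdict = (f"intermediary '{server or 'unknown'}' answered but the origin did not; "
                   "a proxy or DDoS filter in front of Apache is blocking or timing out")
    elif status == 200 and expected_body and body.strip() == expected_body:
        verdict = "challenge file served correctly by the origin"
    elif status == 200:
        verdict = "200 returned but the body is not the expected key authorization"
    elif status == 404 and origin_answered:
        verdict = "origin reached; challenge file not found under /.well-known/acme-challenge/"
    elif not origin_answered:
        verdict = f"answered by non-origin server '{server}'; traffic is being proxied"
    else:
        verdict = f"unexpected status {status} from {server}"
    return Diagnosis(status, server, verdict)


# Response head captured in this thread (HTML body shortened).
SAMPLE_504 = (
    "HTTP/1.1 504 Gateway Timeout\r\n"
    "Server: ddos-guard\r\n"
    "Date: Fri, 01 Mar 2024 18:03:28 GMT\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/html; charset=utf8\r\n"
    "\r\n"
    "<!DOCTYPE html><html lang=en><title>Error 504</title>..."
)

# Constructed samples: what a reachable Apache origin would return.
SAMPLE_TOKEN = "lpy48Tzbo94s-kvlc02lKHALp2SD1W16u1VYNQjfyNk.EXAMPLE_THUMBPRINT"
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\n"
    "Content-Type: text/plain\r\n\r\n" + SAMPLE_TOKEN + "\n"
)
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.52 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n\r\n<html>Not Found</html>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_504, SAMPLE_200, SAMPLE_404):
        d = diagnose(sample, SAMPLE_TOKEN)
        print(f"{d.status} [{d.server}] -> {d.verdict}")
```

The 502/504 branch is checked first on purpose: whoever sent that status is by definition not the server that holds the challenge file, so the Server header names the component to look at (here the hosting provider's DDoS filter).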

Using the online tool Let's Debug yields these results https://letsdebug.net/sunpixel.ir/1821514

ANotWorking
ERROR
sunpixel.ir has an A (IPv4) record (45.81.18.104) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with sunpixel.ir/45.81.18.104: Get "http://sunpixel.ir/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://sunpixel.ir/.well-known/acme-challenge/letsdebug-test (using initial IP 45.81.18.104)
@0ms: Dialing 45.81.18.104
@10000ms: Experienced error: context deadline exceeded
3 Likes

Here is a list of issued certificates crt.sh | sunpixel.ir
and it seems like this certificate is being served crt.sh | 12219451014 and has a
Validity
Not Before: Feb 28 12:57:06 2024 GMT
Not After : May 28 12:57:05 2024 GMT
as shown here Hardenize Report: sunpixel.ir
and here https://decoder.link/sslchecker/sunpixel.ir/443

3 Likes

Hey @Bruce5051 thank you!
My friend set up some stuff in Cloudflare to prevent simple DDoS attacks. I asked him about ddos-guard.net and he has no idea what that is.
Also, I tried a million times to create an SSL certificate using Certbot; maybe that's why we have an SSL certificate. If we have one, why isn't the website loading with https:// ?
I'll check Cloudflare for more information about ddos-guard and anything which blocks requests and connections. Thank you for your help.

2 Likes

Hi @Kriss,

Additionally from here SSL Server Test: sunpixel.ir (Powered by Qualys SSL Labs)
there is a second certificate that contains "Issuer ddos-guard Self-signed".

3 Likes

Hey there, the problem was that my hosting provider was blocking incoming connections with DDoS-Guard. They disabled it temporarily for me and I created the SSL certificate. Thanks for the support, everyone!

2 Likes

@Kriss that will likely need to happen at every renewal;
certificates expire 90 days after being issued (presently; shorter lifetimes may be coming in the future). The recommendation is to renew the certificate at 2/3 of its lifetime, which means a renewal every 60 days.

2 Likes
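Applied to the validity period quoted earlier in the thread (Not Before Feb 28 12:57:06 2024 GMT, Not After May 28 12:57:05 2024 GMT), the 2/3-of-lifetime rule gives a concrete date on which the DDoS filter has to be lowered again. The following is an added example, not Certbot's own scheduling code; it also shows Certbot's default behaviour of renewing once fewer than 30 days remain, which for a 90-day certificate lands on the same day. The `openssl`-style date format is real; the helper names are this example's own.

```python
"""Work out when a Let's Encrypt certificate is due for renewal.

Added example for this thread (not Certbot code). Dates are in the format
printed by `openssl x509 -noout -dates`, e.g. "Feb 28 12:57:06 2024 GMT".
"""
from datetime import datetime, timedelta, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Certbot's default: renew when the certificate has less than 30 days left.
CERTBOT_RENEW_BEFORE = timedelta(days=30)


def parse_openssl_time(value: str) -> datetime:
    """Parse 'Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    return datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def renewal_plan(not_before: str, not_after: str,
                 renew_before: timedelta = CERTBOT_RENEW_BEFORE) -> dict:
    """Return the lifetime and the two renewal targets for a certificate.

    two_thirds: the point recommended in the thread (2/3 of the lifetime).
    certbot_default: when Certbot's own renew timer would act.
    """
    nb = parse_openssl_time(not_before)
    na = parse_openssl_time(not_after)
    if na <= nb:
        raise ValueError("Not After must be later than Not Before")
    lifetime = na - nb
    return {
        "not_before": nb,
        "not_after": na,
        "lifetime_days": round(lifetime.total_seconds() / 86400),
        "two_thirds": nb + lifetime * 2 / 3,
        "certbot_default": na - renew_before,
    }


def renewal_due(not_after: str, now: datetime,
                renew_before: timedelta = CERTBOT_RENEW_BEFORE) -> bool:
    """True once the certificate is inside the renewal window (or expired)."""
    return now >= parse_openssl_time(not_after) - renew_before


# Validity of the certificate quoted in this thread.
THREAD_NOT_BEFORE = "Feb 28 12:57:06 2024 GMT"
THREAD_NOT_AFTER = "May 28 12:57:05 2024 GMT"

if __name__ == "__main__":
    plan = renewal_plan(THREAD_NOT_BEFORE, THREAD_NOT_AFTER)
    print(f"lifetime: {plan['lifetime_days']} days")
    print(f"renew at 2/3 lifetime: {plan['two_thirds']:%Y-%m-%d %H:%M UTC}")
    print(f"certbot default window opens: {plan['certbot_default']:%Y-%m-%d %H:%M UTC}")
```

Because the systemd timer that ships with Certbot only attempts a renewal inside that window, the provider-side exception for the HTTP-01 path has to be in place from the printed date onward, or the run fails with the same 504 seen at the top of the thread.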

You might consider using DNS-01 authentication instead.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.