Certbot Failed Authorization Procedure with nginx

My domain is: tobiaskaufmann.at

I ran this command: sudo certbot --nginx -d tobiaskaufmann.at -d www.tobiaskaufmann.at

It produced this output:

Failed authorization procedure. www.tobiaskaufmann.at (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.tobiaskaufmann.at/.well-known/acme-challenge/a367FObbz0SqSu3S2im0uVkEtl6-URpUm2LZvGo-Sg0 [2a01:aee0:0:10::11]: "<!DOCTYPE html>\r\n<html lang=\"de\">\r\n    <head>\r\n        <meta charset=\"utf-8\">\r\n        <title>easyname | Seite nicht gefunden</t"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.tobiaskaufmann.at
   Type:   unauthorized
   Detail: Invalid response from
   http://www.tobiaskaufmann.at/.well-known/acme-challenge/a367FObbz0SqSu3S2im0uVkEtl6-URpUm2LZvGo-Sg0
   [2a01:aee0:0:10::11]: "<!DOCTYPE html>\r\n<html lang=\"de\">\r\n
   <head>\r\n        <meta charset=\"utf-8\">\r\n
   <title>easyname | Seite nicht gefunden</t"

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: (self hosting on a vserver)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

The Let's Encrypt server is getting a not found error from your server when trying to access a challenge verification file it needs to verify your domain:

The actual error code from your server is a 401 unauthorized, indicating that the Let's Encrypt server lacks permission to access the file.

So what should I do to solve this issue? I thought certbot handles the creation of the verification file by itself.

Due to the 401 unauthorized http status code it looks like there’s a permission issue. I’ll look into it more.

I notice your domain is parked. Do you actually have hosting for your website? Without a hosting server, you have nowhere to install a certificate.

What do you mean with parked? When accessing tobiaskaufmann.at the hosted page will be displayed. The hosting is done by myself with nginx on debian.

This is strange, can you try this again in an Incognito tab? For me it works, even after clearing cache etc.

Same story. Couldn’t screenshot due to incognito.

Maybe an invalid DNS record

This is my DNS configuration. For some reasons I can reach it from all my devices/networks, even after clearing cache.

Tried clearing my own cache. Same story. Is 37.252.188.60 actually the ip address of your hosting server?

Yes, the address should actually serve the same page.

I will contact easyname as well if they know what this “parking” issue could be about.

Ah, it's an ipv6 issue.

@JuergenAuer

Just saw it as you were responding. I bow to your superior skills for spotting it immediately.


Hi @tkaufmann

your configuration can't work.

Checking your domain via https://check-your-website.server-daten.de/?q=tobiaskaufmann.at - you have ipv4 and ipv6.

Host                   Type   IP-Address                                                           is auth.  ∑ Queries  ∑ Timeout
tobiaskaufmann.at      A      37.252.188.60       Vienna/Austria (AT) - IPAX OG No Hostname found  yes       2          0
                       AAAA   2a01:aee0:0:10::11  Vienna/Austria (AT) - easyname.com               yes
www.tobiaskaufmann.at  CNAME  tobiaskaufmann.at                                                    yes       1          0
                       A      37.252.188.60       Vienna/Austria (AT) - IPAX OG No Hostname found  yes
                       AAAA   2a01:aee0:0:10::11  Vienna/Austria (AT) - easyname.com               yes

But there is different content:

Domainname                     IP address           Http-Status  Sec.   G
http://tobiaskaufmann.at/      37.252.188.60        200          0.076  H   GZip used - 1016 / 2927 - 65,29 %; Html is minified: 112,02 %
    small visible content (num chars: 11)
http://tobiaskaufmann.at/      2a01:aee0:0:10::11   200          0.077  H   GZip used - 1750 / 5880 - 70,24 %; Html is minified: 444,78 %
    small visible content (num chars: 245)
    Domain geparkt Diese Domain wird von easyname.com verwaltet. Solltest du der Inhaber dieser Domain sein, kannst du diese im easyname Controlpanel verwalten. Dies ist ein Service von easyname GmbH und wird im Auftrag des Domaininhabers betrieben.
http://www.tobiaskaufmann.at/  37.252.188.60        200          0.064  H   GZip used - 1016 / 2927 - 65,29 %; Html is minified: 112,02 %
    small visible content (num chars: 11)
http://www.tobiaskaufmann.at/  2a01:aee0:0:10::11   200          0.080  H   GZip used - 1750 / 5880 - 70,24 %; Html is minified: 444,78 %
    small visible content (num chars: 245)
    Domain geparkt Diese Domain wird von easyname.com verwaltet. Solltest du der Inhaber dieser Domain sein, kannst du diese im easyname Controlpanel verwalten. Dies ist ein Service von easyname GmbH und wird im Auftrag des Domaininhabers betrieben.

Looks like you have configured ipv4 correct. But ipv6 doesn't work.

Checking your domain Letsencrypt prefers ipv6, that's visible in your error (the ipv6 address).

So

  • fix your config, so ipv6 works (or)
  • remove the ipv6 AAAA record
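A pre-flight check for exactly this failure mode, added here as an example (my own code, not from the thread, Certbot or Let's Encrypt): it resolves every A and AAAA record of the name, fetches the challenge URL from each address on its own while keeping the Host header, and reports which addresses answer with the expected content. The token and expected body are placeholders you supply; Certbot normally writes that file itself.

```python
"""ACME http-01 pre-flight for a dual-stack host: probe every A/AAAA address
separately, keeping the Host header, and report which ones serve the token.
Added example, not code from the thread, Certbot or Let's Encrypt."""
import http.client
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"

@dataclass
class Probe:
    address: str
    status: Optional[int]  # HTTP status, or None if the connection failed
    body: str              # start of the response body, or the socket error

def resolve_all(host: str) -> List[str]:
    """Return every distinct A and AAAA address of host, in resolver order."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return list(dict.fromkeys(info[4][0] for info in infos))

def fetch_challenge(host: str, token: str, address: str) -> Probe:
    """GET the challenge URL from one specific address, as the CA's validator does."""
    try:
        conn = http.client.HTTPConnection(address, 80, timeout=5)  # bare IPv6 literal works
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return Probe(address, resp.status, resp.read(300).decode("utf-8", "replace"))
    except OSError as exc:
        return Probe(address, None, str(exc))

def diagnose(probes: List[Probe], expected_body: str) -> Dict[str, str]:
    """Per address: 'ok', 'wrong-content', 'http-<status>' or 'unreachable'."""
    verdict = {}
    for p in probes:
        if p.status is None:
            verdict[p.address] = "unreachable"
        elif p.status != 200:
            verdict[p.address] = f"http-{p.status}"       # e.g. a parking host's 404
        elif p.body.strip() != expected_body.strip():
            verdict[p.address] = "wrong-content"          # e.g. a parking page served with 200
        else:
            verdict[p.address] = "ok"
    return verdict

def check_host(host: str, token: str, expected_body: str) -> Dict[str, str]:
    """Resolve the name, probe every address and return the combined verdict."""
    probes = [fetch_challenge(host, token, addr) for addr in resolve_all(host)]
    return diagnose(probes, expected_body)
```

Any address that is not "ok" is one the CA may pick for validation, so fix it or remove its DNS record before retrying certbot.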

Thanks for your help, I removed the ipv6 entry and it’s working now.

Just a quick question, in which case would I need the ipv6 entry - or is it ok to proceed without it?

Ipv6 is the future, so it's excellent to have a working ipv6.

But:

  • The routing must be correct - 37.252.188.60 and 2a01:aee0:0:10::11 normally should be the same machine
  • your webserver must answer ipv6 - [::]:80 and [::]:443 etc.

PS: If a webserver has ipv4 and ipv6 and if the client connection / ISP supports ipv6, then the browser prefers ipv6 to connect the website. No private ip addresses are required, enough ipv6. More speed.
