Certbot failed to authenticate some domains (authenticator: apache)

I am trying to register my domain with an SSL certificate. When I run the command sudo certbot --apache -v, it times out.

This is the output when I ran sudo netstat -anp | grep apache:
--- START ---
tcp6 0 0 :::443 :::* LISTEN 1104/apache2
tcp6 0 0 :::80 :::* LISTEN 1104/apache2
--- END ---

My domain is: kaischmidt.ca

I ran this command: sudo certbot --apache -v

It produced this output:
--- START ---
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: kaischmidt.ca
2: www.kaischmidt.ca


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for kaischmidt.ca and www.kaischmidt.ca
Performing the following challenges:
http-01 challenge for kaischmidt.ca
http-01 challenge for www.kaischmidt.ca
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain kaischmidt.ca
Challenge failed for domain www.kaischmidt.ca
http-01 challenge for kaischmidt.ca
http-01 challenge for www.kaischmidt.ca

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: kaischmidt.ca
Type: connection
Detail: 2607:fea8:999f:5100:d63d:7eff:fe55:594f: Fetching http://kaischmidt.ca/.well-known/acme-challenge/fkvDPENa-UbzkZeNQ392HMc5Tgr-LgoHo4eVjC9OiBU: Timeout during connect (likely firewall problem)

Domain: www.kaischmidt.ca
Type: connection
Detail: 2607:fea8:999f:5100:d63d:7eff:fe55:594f: Fetching http://www.kaischmidt.ca/.well-known/acme-challenge/y20Amrt9jRsa4njeYokGy9c9TPISnHPxaLNR5owMFAI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
--- END ---

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Server version: Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Hello @pinkduckies, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using https://letsdebug.net/, the results for the HTTP-01 and DNS-01 challenge types (see Challenge Types - Let's Encrypt):

As indicated here you are using the HTTP-01 Challenge.

~$ curl http://kaischmidt.ca/.well-known/acme-challenge/fkvDPENa-UbzkZeNQ392HMc5Tgr-LgoHo4eVjC9OiBU
curl: (7) Failed to connect to kaischmidt.ca port 80 after 10445 ms: No route to host

And your DNS IPv4 address resolves to 10.0.0.244, which is a private network address (Private network - Wikipedia) and NOT routable from the public-facing internet.

$ nslookup
> kaischmidt.ca
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   kaischmidt.ca
Address: 10.0.0.244
Name:   kaischmidt.ca
Address: 2607:fea8:999f:5100:d63d:7eff:fe55:594f
>
3 Likes

It seems the 10 dot IP address has been corrected.
Now we see:

Addresses: 2607:fea8:999f:5100::88f
           99.253.145.20

But IPv4 connectivity is blocked (at least from my IP).
That isn't a problem for LE, because it prefers IPv6 over IPv4 (when present).
So...
There was an IPv6 access problem, as shown by the logs:

Is that still the case?
[I can reach your site via IPv6]
Note: The IPv6 address is changed from the one in the log entry.

3 Likes
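A pre-flight check that reproduces the diagnosis in the two replies above: flag A/AAAA records a public CA cannot reach (such as the 10.0.0.244 record) and try the addresses in the order Let's Encrypt prefers (IPv6 before IPv4). This is an added example, not code from the thread or from Certbot; the sample addresses are the ones quoted in the thread and the challenge token passed to probe() is a placeholder.

```python
"""Pre-flight check for an HTTP-01 challenge: classify the addresses a name
resolves to, order them the way the CA would try them, and optionally GET the
challenge path on each one. Added example; sample values are constructed from
addresses quoted in the thread."""
import ipaddress
import socket
import urllib.error
import urllib.request


def classify(addr: str) -> str:
    """Return 'ok' if the address is globally routable, else the reason it is not."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return "loopback or link-local, unreachable from the CA"
    if ip.is_private:
        return "private (RFC 1918 / ULA), unreachable from the CA"
    if not ip.is_global:
        return "not globally routable"
    return "ok"


def order_like_ca(addrs):
    """Let's Encrypt tries AAAA before A when both exist, as the reply above notes."""
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    return v6 + v4


def report(name: str, addrs) -> dict:
    """Offline verdict per address, keyed in the order the CA would try them."""
    return {a: classify(a) for a in order_like_ca(addrs)}


def resolve(name: str):
    """A and AAAA answers from the system resolver (needs network)."""
    infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    return sorted({i[4][0] for i in infos})


def probe(name: str, addr: str, token: str, timeout: float = 10.0) -> str:
    """GET the challenge URL on one specific address, keeping the real Host header."""
    host = f"[{addr}]" if ":" in addr else addr
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"Host": name})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return f"HTTP {r.status}"
    except urllib.error.HTTPError as e:
        return f"HTTP {e.code}"          # 404 still proves the port is reachable
    except (urllib.error.URLError, OSError) as e:
        return f"connect failed: {e}"   # the 'Timeout during connect' case


if __name__ == "__main__":
    # Constructed sample mirroring the thread's first nslookup output.
    sample = ["10.0.0.244", "2607:fea8:999f:5100:d63d:7eff:fe55:594f"]
    for a, verdict in report("kaischmidt.ca", sample).items():
        print(a, "->", verdict)
```

Run with a real name by replacing the sample with resolve(name) and calling probe() per address with a placeholder token; a 404 on the challenge path still shows the port is reachable, while a timeout matches the CA's report.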

Presently I am seeing this:

$ nslookup
> kaischmidt.ca
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   kaischmidt.ca
Address: 10.0.0.244
Name:   kaischmidt.ca
Address: 2607:fea8:999f:5100:d63d:7eff:fe55:594f
> set q=soa
> kaischmidt.ca
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
kaischmidt.ca
        origin = ns-cloud-e1.googledomains.com
        mail addr = cloud-dns-hostmaster.google.com
        serial = 37
        refresh = 21600
        retry = 3600
        expire = 259200
        minimum = 300

Authoritative answers can be found from:
> server ns-cloud-e1.googledomains.com
Default server: ns-cloud-e1.googledomains.com
Address: 216.239.32.110#53
Default server: ns-cloud-e1.googledomains.com
Address: 2001:4860:4802:32::6e#53
> kaischmidt.ca
Server:         ns-cloud-e1.googledomains.com
Address:        216.239.32.110#53

kaischmidt.ca
        origin = ns-cloud-e1.googledomains.com
        mail addr = cloud-dns-hostmaster.google.com
        serial = 37
        refresh = 21600
        retry = 3600
        expire = 259200
        minimum = 300
> set q=a
> kaischmidt.ca
Server:         ns-cloud-e1.googledomains.com
Address:        216.239.32.110#53

Name:   kaischmidt.ca
Address: 99.253.145.20
> set q=aaaa
> kaischmidt.ca
Server:         ns-cloud-e1.googledomains.com
Address:        216.239.32.110#53

Name:   kaischmidt.ca
Address: 2607:fea8:999f:5100::88f
> exit
1 Like

How about:
nslookup kaischmidt.ca ns-cloud-e1.googledomains.com

I get:

Name:    kaischmidt.ca
Address: 99.253.145.20
4 Likes

Yeah, DNS looks better now but their LE cert only covers the www.kaischmidt.ca name and not the apex too.

They should re-run the command in their first post and request both names again.

https://tools.letsdebug.net/cert-search?m=domain&q=kaischmidt.ca&d=168

4 Likes
