Certbot failed to authenticate some domains

My domain is: mail.seomiotico.it

I ran this command:

It produced this output:

My web server is (include version): Apache version 2.4.52

The operating system my web server runs on is (include version): Ubuntu Linux 22.04.2

My hosting provider, if applicable, is: N/D

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin 7.7.3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.21.0

///

Hello

The following virtual servers' SSL certificates have expired: mail.seomiotico.it, and I can't manage to renew them through the control panel.

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.mail.seomiotico.it
  Type:   unauthorized
  Detail: 2a01:4f8:c17:1fe5::1: Invalid response from https://admin.mail.seomiotico.it/index.php: "<!DOCTYPE html>\n<html lang=\"it-IT\">\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: autoconfig.mail.seomiotico.it
  Type:   unauthorized
  Detail: 2a01:4f8:c17:1fe5::1: Invalid response from https://autoconfig.mail.seomiotico.it/index.php: "<!DOCTYPE html>\n<html lang=\"it-IT\">\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: autodiscover.mail.seomiotico.it
  Type:   unauthorized
  Detail: 2a01:4f8:c17:1fe5::1: Invalid response from https://autodiscover.mail.seomiotico.it/index.php: "<!DOCTYPE html>\n<html lang=\"it-IT\">\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: mail.mail.seomiotico.it
  Type:   unauthorized
  Detail: 2a01:4f8:c17:1fe5::1: Invalid response from https://mail.mail.seomiotico.it/index.php: "<!DOCTYPE html>\n<html lang=\"it-IT\">\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: webmail.mail.seomiotico.it
  Type:   unauthorized
  Detail: 2a01:4f8:c17:1fe5::1: Invalid response from https://webmail.mail.seomiotico.it/index.php: "<!DOCTYPE html>\n<html lang=\"it-IT\">\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: www.mail.seomiotico.it
  Type:   unauthorized
  Detail: 2a01:4f8:c17:1fe5::1: Invalid response from https://www.mail.seomiotico.it/index.php: "<!DOCTYPE html>\n<html lang=\"it-IT\">\n<head>\n\t<meta charset=\"UTF-8\" />\n\t<meta name=\"viewport\" content=\"width=device-width, initial"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.



Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: admin.mail.seomiotico.it
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.admin.mail.seomiotico.it - check that a DNS record exists for this domain

  Domain: autoconfig.mail.seomiotico.it
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autoconfig.mail.seomiotico.it - check that a DNS record exists for this domain

  Domain: autodiscover.mail.seomiotico.it
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autodiscover.mail.seomiotico.it - check that a DNS record exists for this domain

  Domain: mail.mail.seomiotico.it
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.mail.seomiotico.it - check that a DNS record exists for this domain

  Domain: webmail.mail.seomiotico.it
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.webmail.mail.seomiotico.it - check that a DNS record exists for this domain

  Domain: www.mail.seomiotico.it
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.mail.seomiotico.it - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Could you please help shed some light on this? Do you need me to provide more evidence from error.log or the DNS entries?

Thank you in advance.

Check your DNS entries. Your IPv6 (AAAA) address responds different than IPv4. Normally they should be the same.

nslookup mail.seomiotico.it
A    Address: 162.55.37.58
AAAA Address: 2a01:4f8:c17:1fe5::1

curl -I6 https://mail.seomiotico.it
HTTP/2 301
x-redirect-by: WordPress
location: https://www.seomiotico.it/
server: Apache

curl -I4k https://mail.seomiotico.it
HTTP/2 200
server: Apache
4 Likes

Hello

I am checking.

Why in your opinion I receive a different output with nslookup?

nslookup mail.seomiotico.it
Server:         127.0.0.53
Address:        127.0.0.53#53

Name:   mail.seomiotico.it
Address: 162.55.37.58

Thank you in advance.

1 Like

I don't know. Your authoritative name servers show both A and AAAA records. Also, the Let's Encrypt servers see the AAAA (IPv6) address, because you can see that value in the error message in your first post.

nslookup mail.seomiotico.it hydrogen.ns.hetzner.com
Server:         hydrogen.ns.hetzner.com
Address:        2a01:4f8:0:1::add:1098#53

A    Address: 162.55.37.58
AAAA Address: 2a01:4f8:c17:1fe5::1
4 Likes

@Kharon, this is more supplemental to the topic; it is trying to answer your subtopic nslookup question.

It could be a different nslookup, or /etc/resolv.conf, etc.
Try using nslookup -q=aaaa mail.seomiotico.it for looking up the IPv6 address(es).

Also, using the online tool https://unboundtest.com/ and looking up the DNS AAAA record
yields https://unboundtest.com/m/AAAA/mail.seomiotico.it/3CIIDH26,
giving the same answer that @MikeMcQ got:

Query results for AAAA mail.seomiotico.it

Response:
;; opcode: QUERY, status: NOERROR, id: 41145
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.seomiotico.it.	IN	 AAAA

;; ANSWER SECTION:
mail.seomiotico.it.	0	IN	AAAA	2a01:4f8:c17:1fe5::1

----- Unbound logs -----
Apr 24 17:03:35 unbound[60695:0] notice: init module 0: validator
Apr 24 17:03:35 unbound[60695:0] notice: init module 1: iterator
Apr 24 17:03:35 unbound[60695:0] info: start of service (unbound 1.16.3).
Apr 24 17:03:36 unbound[60695:0] info: 127.0.0.1 mail.seomiotico.it. AAAA IN
Apr 24 17:03:36 unbound[60695:0] info: resolving mail.seomiotico.it. AAAA IN
3 Likes

Using the online tool Let's Debug yielded these results https://letsdebug.net/mail.seomiotico.it/1456160?debug=y

And following @MikeMcQ's curl probing (and hopefully going a little further):
note that the IPv6 response eventually ends up at the URL https://mail.seomiotico.it/index.php.
The IPv6 redirect does not seem to handle the case for /.well-known/acme-challenge/<TOKEN> properly.

Also Let's Encrypt Challenges prefer IPv6 over IPv4.

IPv4 Response

>curl -4 -Ii http://mail.seomiotico.it/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2023 17:38:50 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Mon, 24 Apr 2023 15:18:39 GMT
ETag: "23ae0-5fa1685814edd"
Accept-Ranges: bytes
Content-Length: 146144
Vary: Accept-Encoding
Content-Type: text/html

IPv6 Responses

>curl -6 -Ii http://mail.seomiotico.it/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Mon, 24 Apr 2023 17:39:03 GMT
Server: Apache
Location: https://mail.seomiotico.it/index.php
Content-Type: text/html; charset=iso-8859-1
>curl -6 -Ii https://mail.seomiotico.it/index.php
HTTP/2 200
link: <https://www.seomiotico.it/wp-json/>; rel="https://api.w.org/", <https://www.seomiotico.it/wp-json/wp/v2/pages/8>; rel="alternate"; type="application/json", <https://www.seomiotico.it/>; rel=shortlink
content-type: text/html; charset=UTF-8
date: Mon, 24 Apr 2023 17:39:25 GMT
server: Apache

3 Likes
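The probe pair above is the whole diagnosis: the same challenge URL answers 200 over IPv4 and 302-to-/index.php over IPv6, and since the CA tries IPv6 first when an AAAA record exists, the IPv6 answer is the one that counts. The script below is an added example, not code from this thread or from Certbot. It parses `curl -I`-style HEAD responses, embedded here as constructed samples shaped like the two captured in the post, and reports when the two address families disagree or when either one redirects the challenge path somewhere the token cannot be served. The "redirect must keep the token path" rule is a heuristic assumed here for the check, not a rule taken from the ACME specification.

```python
"""Compare IPv4 and IPv6 HTTP-01 challenge probes for split-brain answers.

Added example (not from the thread or from Certbot). Feed it the raw text of
`curl -4 -I` and `curl -6 -I` against the same challenge URL.
"""

CHALLENGE_PATH = "/.well-known/acme-challenge/sometestfile"

# Constructed samples, modelled on the two HEAD responses quoted in the thread.
IPV4_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 24 Apr 2023 17:38:50 GMT
Server: Apache
Content-Length: 146144
Content-Type: text/html
"""

IPV6_RESPONSE = """HTTP/1.1 302 Found
Date: Mon, 24 Apr 2023 17:39:03 GMT
Server: Apache
Location: https://mail.seomiotico.it/index.php
Content-Type: text/html; charset=iso-8859-1
"""


def parse_head_response(raw):
    """Split a HEAD response into (status_code, {lower-case header: value})."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status_line = lines[0].split(None, 2)
    if len(status_line) < 2 or not status_line[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(status_line[1]), headers


def challenge_served(status, headers, path):
    """Return None if the headers are compatible with HTTP-01, else a reason.

    A 200 may still carry the wrong body; this only rules out answers that
    can never deliver the token, such as a redirect that drops the path.
    """
    if status == 200:
        return None
    if 300 <= status < 400:
        target = headers.get("location", "")
        # Heuristic: an http->https hop that keeps the token path is fine;
        # a hop to /index.php (as in the thread) loses the token entirely.
        if target.endswith(path):
            return None
        return "redirects challenge path to %s" % (target or "<no Location>")
    return "unexpected status %d" % status


def compare_probes(v4_raw, v6_raw, path=CHALLENGE_PATH):
    """Return a list of findings; an empty list means both families look fine."""
    findings = []
    v4_status, v4_headers = parse_head_response(v4_raw)
    v6_status, v6_headers = parse_head_response(v6_raw)
    for family, status, headers in (("IPv4", v4_status, v4_headers),
                                    ("IPv6", v6_status, v6_headers)):
        reason = challenge_served(status, headers, path)
        if reason:
            findings.append("%s: %s" % (family, reason))
    # With an AAAA record published, the validator prefers IPv6, so a
    # disagreement between the families means the IPv6 answer decides.
    if v4_status != v6_status:
        findings.append("status differs: IPv4 %d vs IPv6 %d" % (v4_status, v6_status))
    return findings


if __name__ == "__main__":
    for finding in compare_probes(IPV4_RESPONSE, IPV6_RESPONSE) or ["no divergence"]:
        print(finding)
```

Run it against the live host by piping `curl -4 -sI URL` and `curl -6 -sI URL` into the two arguments; an empty result means the two families at least agree on status and redirect target, after which the body served over IPv6 still has to be checked for the token itself.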

Also on Windows 10 using Firefox 112.0.1 (64-bit), IPv4 only access, this is what I see for the URL http://mail.seomiotico.it/.well-known/acme-challenge/sometestfile

2 Likes

I suspect that your Apache config is not properly set up to use IPv6 for that vhost.
When that happens, those IPv6 requests will be served from the default IPv6 vhost, which appears to be forwarding everything to /index.php.

4 Likes
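Apache only considers name-based matching among the vhosts whose address spec matches the connection's local address, so a vhost bound to an IPv4 literal never sees IPv6 connections, and those fall through to the first vhost defined for that address. The lint below is an added example, not code from the thread or from Apache. It parses `<VirtualHost>` blocks from a constructed httpd configuration (file paths and the default vhost's name are placeholders) and reports any published address of a ServerName that no vhost of that name binds, using the A/AAAA values quoted earlier in the thread.

```python
"""Flag Apache vhosts that do not bind every published address of their ServerName.

Added example (not from the thread or from Apache). The two configurations
below are constructed: the first reproduces the suspected misconfiguration,
the second is the corrected form.
"""
import ipaddress
import re

# Addresses the thread shows for the host (A and AAAA from the authoritative servers).
PUBLISHED = {"mail.seomiotico.it": ["162.55.37.58", "2a01:4f8:c17:1fe5::1"]}

# Constructed: the named vhost listens on the IPv4 literal only, so IPv6
# connections land on the wildcard default vhost above it.
BROKEN_CONF = """
<VirtualHost *:80>
    ServerName default.example.invalid
    DocumentRoot /var/www/default
</VirtualHost>
<VirtualHost 162.55.37.58:80>
    ServerName mail.seomiotico.it
    DocumentRoot /var/www/mail
</VirtualHost>
"""

# Constructed: binding on *:80 covers both address families.
FIXED_CONF = BROKEN_CONF.replace("<VirtualHost 162.55.37.58:80>", "<VirtualHost *:80>")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def _spec_address(spec):
    """'[2a01::1]:80' -> '2a01::1', '162.55.37.58:80' -> '162.55.37.58', '*:80' -> '*'."""
    if spec.startswith("["):
        return spec[1:spec.index("]")]
    return spec.rsplit(":", 1)[0] if ":" in spec else spec


def _covers(spec_addr, ip):
    """Does one address spec accept connections arriving on ip?"""
    if spec_addr in ("*", "_default_"):
        return True
    try:
        return ipaddress.ip_address(spec_addr) == ip
    except ValueError:
        return False  # a hostname in the spec; not resolved here


def parse_vhosts(conf):
    """Return [(server_name_or_None, [bind addresses])] in file order."""
    result = []
    for match in VHOST_RE.finditer(conf):
        specs = [_spec_address(s) for s in match.group(1).split()]
        name = SERVERNAME_RE.search(match.group(2))
        result.append((name.group(1) if name else None, specs))
    return result


def find_uncovered(conf, published):
    """One finding per published address that no vhost of that ServerName binds."""
    findings = []
    for name, specs in parse_vhosts(conf):
        for addr in published.get(name, []):
            ip = ipaddress.ip_address(addr)
            if not any(_covers(s, ip) for s in specs):
                findings.append(
                    "%s: no vhost bound for %s (IPv%d); those requests are served "
                    "by the default vhost for that address" % (name, addr, ip.version))
    return findings


if __name__ == "__main__":
    for conf in (BROKEN_CONF, FIXED_CONF):
        print(find_uncovered(conf, PUBLISHED) or "all published addresses covered")
```

To use it on a real server, read the output of `apachectl -S` or the files under the configuration directory into `conf`, and fill `PUBLISHED` from the A and AAAA records your authoritative name servers return; the fix for a flagged vhost is to bind it on `*:80`/`*:443` (or list the IPv6 literal in brackets alongside the IPv4 one) and reload Apache.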

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.