Certbot failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
rogerco.uk

I ran this command:
sudo certbot --apache
selected number for rogerco.uk (or any other domain)

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: rogerco.uk
Type: unauthorized
Detail: 2a00:da00:f429:8700::1: Invalid response from http://rogerco.uk/.well-known/acme-challenge/66SFI_C8kLnF_vKKtG8iPxulPu0A-5rb-F6EGt0VsUs: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version):
Apache2 Apache/2.4.66 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 24.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 5.2.2

vhost files created and enabled for all domains and subdomains with
<VirtualHost *:80>

Directories for all domains in /var/www/domain.name/public_html all with www-data:www-data as user:group and 775 permissions recursive.

No .htaccess files are present on the system in any directories

All domains are accessible and working on port 80

If I manually create a .well-known directory under public_html and place an index.php file there it works OK. (index.php just runs phpinfo();)

In one case, radioroger.uk, after manually creating the .well-known folder certbot was able to complete the authentication and https://radioroger.uk is working. In all other domains it still fails with the error above.

The domains were all running previously on a different VPS with certbot certificates, but the nameservers and DNS were changed last week. dnschecker.org shows the correct IP for the new VPS for all domains.

Any ideas or suggestions? Could certbot itself be using the old IP address when trying to authenticate and not the new one? It is 4 days since the changes were made, so they should have propagated.

Any ideas?

Let's Encrypt is getting an invalid response from your system when using the IPv6 address you have in your DNS. The error is a 404 Not Found.

An openresty server is replying to requests using IPv6. Apache is replying for IPv4.

Let's Encrypt prefers IPv6 when an AAAA record is present in the DNS.

You should either remove that AAAA record if you don't support IPv6, or change it to the correct value. You can test the changes using Let's Debug.

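An added diagnostic, written here as an illustration and not taken from the thread, that reproduces the check described above: resolve both the A and AAAA records, fetch the challenge path over each address separately with the Host header set to the domain, and flag when the IPv6 side answers differently from the IPv4 side. The challenge token is a placeholder; `resolve` and `probe` need network access, while `diagnose` is pure logic over the collected responses.

```python
import socket
import http.client
import sys

# Placeholder token; certbot generates the real one per order.
CHALLENGE_PATH = "/.well-known/acme-challenge/PLACEHOLDER-TOKEN"

def resolve(domain):
    """Return sorted (ipv4, ipv6) lists: the records the CA will use."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)

def probe(domain, ip, path=CHALLENGE_PATH, timeout=5):
    """GET the challenge path over one specific address; Host stays the domain."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", domain)
        conn.endheaders()
        resp = conn.getresponse()
        return {"ip": ip, "status": resp.status, "server": resp.getheader("Server", "")}
    except OSError as exc:
        return {"ip": ip, "status": None, "server": f"error: {exc}"}
    finally:
        conn.close()

def diagnose(results):
    """Pure logic over probe results. The CA tries IPv6 first when an AAAA
    record exists, so a v6 host differing from the v4 one fails validation."""
    v4 = [r for r in results if ":" not in r["ip"]]
    v6 = [r for r in results if ":" in r["ip"]]
    findings = [f"{r['ip']} did not serve the challenge path (status {r['status']})"
                for r in v4 + v6 if r["status"] != 200]
    v4_srv, v6_srv = {r["server"] for r in v4}, {r["server"] for r in v6}
    if v4 and v6 and v4_srv != v6_srv:
        findings.append(f"A answers as {sorted(v4_srv)} but AAAA as {sorted(v6_srv)}: "
                        "the IPv6 address points at a different server")
    if not v6:
        findings.append("no AAAA record: validation will use IPv4 only")
    return findings

if __name__ == "__main__":
    v4, v6 = resolve(sys.argv[1])
    print("\n".join(diagnose([probe(sys.argv[1], ip) for ip in v4 + v6]))
          or "A and AAAA both serve the challenge path")
```

Run it with the domain as the only argument before asking certbot to retry; an empty result means both address families serve the same path from the same server.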

To expand on this, if you expect IPv6 to work, check that your server is hosting on IPv6 as well as IPv4. Depending on your setup, it may only bind to IPv4 by default. Additional configuration may be required for IPv6. As @MikeMcQ mentioned, LE will prefer IPv6 where it seems to be provided.

Thank you. That was the problem. Deleting the AAAA and then recreating it worked.
Slight quirks remain on 2 domains but not a LE problem. Thank you very much for speedy and helpful reply.


This also helped. The server was set up correctly but somehow had got the wrong IPv6 address in the DNS, most likely a typo by me not noticing that the browser had autofilled a previous IPv6 address from a different server.
IPv6 addresses are less human-readable than IPv4 ones, I find. (poor memory for big numbers)
Thanks again


As a final comment, the LE docs could make it clearer that IPv6 addresses will be used in preference if present (I expect it is there somewhere, but not that I noticed).


Yeah, it can be difficult to sort out the various places things get documented. Some are with the ACME Client (like Certbot) and some are in Let's Encrypt's site.

For IPv6 it is on LE site: IPv6 Support - Let's Encrypt
