Certbot fails to get/renew certificate, DNS cache problem?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pag-crowd.nangasystems.com

I ran this command:
certbot certonly --dry-run --non-interactive --agree-tos --no-self-upgrade --email some@email --webroot --webroot-path /var/www/html -d pag-crowd.nangasystems.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pag-crowd.nangasystems.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. pag-crowd.nangasystems.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pag-crowd.nangasystems.com/.well-known/acme-challenge/YUp_NeghLzcJfyYS0-Bd6901rWr58GA8Fwbqm0qQDFs: "
404 Not Found

404 Not Found
"

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version):
PRETTY_NAME="Ubuntu 16.04.3 LTS"

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yep

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Guys, it's very strange! The response that has "404 Not Found" in it is the error from an Nginx server, and we run Apache. The Apache log files, and tcpdump/tcpflow, do not show any attempts to actually get the challenge file; the LE live and staging endpoints both go to some very wrong IP address. I checked DNS from several places, all looks OK. If I try accessing the well-known URL using a regular browser, all is OK. It's the first time I encounter this problem, though we have/had dozens of domains.

#2

The correct response (HTML-encoded):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pag-crowd.nangasystems.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. pag-crowd.nangasystems.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pag-crowd.nangasystems.com/.well-known/acme-challenge/jqwgaqjwNrswokXCvVLvRmV9MUcDAIQbWjRtloLiTKQ: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: pag-crowd.nangasystems.com
    Type: unauthorized
    Detail: Invalid response from
    http://pag-crowd.nangasystems.com/.well-known/acme-challenge/jqwgaqjwNrswokXCvVLvRmV9MUcDAIQbWjRtloLiTKQ:
    "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.


#3

Hi @oles.hnatkevych,

Your domain has IPv4 and IPv6 records: the A record points to an Apache web server and the AAAA record points to an nginx web server. As Let's Encrypt prefers IPv6 over IPv4, it is trying to reach the challenge through your nginx web server, and it seems you are not using that server to issue your cert.

Fix your IPv6 conf or if you are not using it, remove the AAAA record for your domain.

Cheers,
sahsanu
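One way to catch this before running certbot, as an added example (not code from the thread, from certbot or from Let's Encrypt): resolve both the A and the AAAA records, drop a throwaway token under the webroot, fetch it from every address separately with the Host header set (so the client cannot quietly re-resolve and pick a different family), and report per address. The hostname and webroot path are command-line arguments; the file name `check_http01.py` is hypothetical. That Let's Encrypt retries over IPv4 only when the IPv6 connection fails outright, and not when it receives an HTTP error such as the 404 above, is my understanding rather than something the thread states.

```python
#!/usr/bin/env python3
"""Fetch an http-01 challenge the way a validator sees it: from every A and AAAA
address of the name, one at a time. Added example; assumes port 80 is reachable
from this machine and that WEBROOT is the directory certbot --webroot writes to."""
import http.client
import os
import secrets
import socket
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve(hostname):
    """Return {'A': [ipv4...], 'AAAA': [ipv6...]} from the system resolver."""
    out = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(hostname, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for info in infos:
            ip = info[4][0]
            if ip not in out[rtype]:
                out[rtype].append(ip)
    return out


def fetch(ip, hostname, path, timeout=10):
    """GET http://<ip><path> with Host: <hostname>; connect to the literal address
    the validator would pick. Returns (status, body, server_header)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return resp.status, body, resp.getheader("Server", "")
    finally:
        conn.close()


def check_challenge(hostname, token, expected_body, resolver=resolve, fetcher=fetch):
    """Fetch the challenge from every resolved address; one result dict per address.
    resolver/fetcher are injectable so the logic can be exercised offline."""
    path = CHALLENGE_PREFIX + token
    results = []
    for rtype, ips in resolver(hostname).items():
        for ip in ips:
            try:
                status, body, server = fetcher(ip, hostname, path)
                results.append({"type": rtype, "ip": ip, "status": status, "server": server,
                                "ok": status == 200 and body.strip() == expected_body})
            except OSError as exc:  # refused, timeout, unreachable
                results.append({"type": rtype, "ip": ip, "status": None, "server": "",
                                "ok": False, "error": str(exc)})
    return results


def diagnose(results):
    """Return (would_pass, problems). Assumption (not from the thread): the validator
    tries AAAA first and only falls back to IPv4 on a connection failure, so an
    HTTP 404 over IPv6 is final."""
    problems = []
    if not results:
        return False, ["no A or AAAA record resolved"]
    for r in results:
        if not r["ok"]:
            detail = r.get("error") or "HTTP %s from '%s'" % (r["status"], r["server"] or "unknown server")
            problems.append("%s %s: %s" % (r["type"], r["ip"], detail))
    servers = {r["server"] for r in results if r["server"]}
    if len(servers) > 1:  # heuristic: A and AAAA probably land on different hosts
        problems.append("A and AAAA answer with different Server headers (%s): "
                        "probably two different hosts" % ", ".join(sorted(servers)))
    if any(r["type"] == "AAAA" and not r["ok"] for r in results):
        problems.append("AAAA is tried first, so the IPv6 failure breaks validation even "
                        "if IPv4 serves the token; fix IPv6 or drop the AAAA record")
    return not problems, problems


if __name__ == "__main__":
    host, webroot = sys.argv[1], sys.argv[2]
    token = secrets.token_urlsafe(32)  # throwaway file name, like a real challenge
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    chal_file = os.path.join(chal_dir, token)
    with open(chal_file, "w") as f:
        f.write(token)
    try:
        res = check_challenge(host, token, token)
    finally:
        os.remove(chal_file)
    for r in res:
        print("%-5s %-40s status=%s server=%s ok=%s"
              % (r["type"], r["ip"], r["status"], r["server"] or "-", r["ok"]))
    would_pass, problems = diagnose(res)
    print("PASS" if would_pass else "FAIL")
    for p in problems:
        print(" -", p)
```

Run it as `sudo python3 check_http01.py pag-crowd.nangasystems.com /var/www/html` from the web server (root is only needed to write into the webroot). Because it uses the system resolver, run it once from outside the host's own network as well if you want the public DNS view; for the situation in this thread the output would show the A address answering 200 with the token and the AAAA address answering 404 from a different Server header, which is exactly the mismatch post #3 describes.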


#4

Many thanks, that was the problem.

Cheers,
Oles
