Certbot invalid response from

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: techiedamien.xyz (relevant subdomain = searx.techiedamien.xyz)

I ran this command: certbot --nginx (and then picked my searx site)

It produced this output:

root@damien-server:~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: techiedamien.xyz
2: searx.techiedamien.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for searx.techiedamien.xyz
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. searx.techiedamien.xyz (http-01):     urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://searx.techiedamien.xyz/.well-known/acme-challenge/gJ5GkF3gahGSuRJ8UzsqcUtCkEDmhj0BNIUaJAirSoM [2001:19f0:5:8c5:5400:2ff:fed9:6b33]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: searx.techiedamien.xyz
       Type:   unauthorized
       Detail: Invalid response from
       http://searx.techiedamien.xyz/.well-known/acme-challenge/gJ5GkF3gahGSuRJ8UzsqcUtCkEDmhj0BNIUaJAirSoM
       [2001:19f0:5:8c5:5400:2ff:fed9:6b33]: "<html>\r\n<head><title>404
       Not Found</title></head>\r\n<body
       bgcolor=\"white\">\r\n<center><h1>404 Not
       Found</h1></center>\r\n<hr><center>"

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10 (Linux damien-server 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux)

My hosting provider, if applicable, is: vultr

My DNS provider: epik

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Also note that my placeholder main website at techiedamien.xyz verified just fine.

Hi @DAMO238

that looks curious - see https://check-your-website.server-daten.de/?q=searx.techiedamien.xyz

You have ipv4 and ipv6, checking /.well-known/acme-challenge/random-filename, there is the same result.

But

Domainname Http-Status redirect Sec. G
http://searx.techiedamien.xyz/ 207.246.127.246 GZip used - 3569 / 10421 - 65,75 % 200 Html is minified: 116,02 % 0.250 H
http://searx.techiedamien.xyz/ 2001:19f0:5:8c5:5400:2ff:fed9:6b33 GZip used - 132 / 169 - 21,89 % 404 Html is minified: 109,03 % 0.226 M
Not Found

checking http + / there are different answers - ipv4 200, ipv6 404, the size is different.

Looks like your different ip addresses have different answers, so Certbot may pick the ipv4 vHost, but Let's Encrypt prefers ipv6 when checking your domain (see your output).


So this is an issue with my DNS then? This is my configuration (I can’t see anything wrong with it):


And my subdomain config: in the next post due to image limit
I’m really new to this, so sorry if this seems obvious to you.

Ah I found the problem, and it wasn’t my dns. I needed the following extra line in my nginx config in the server scope: listen [::]:80;. I am unsure why the searx installation instructions missed this line, but it works now, so thanks for the pointers!

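A static check for the misconfiguration found in this thread, as an added example that is not part of the original posts and is not Certbot or nginx code: it scans nginx configuration text for server blocks that listen on an IPv4 port with no matching `listen [::]:PORT;`. The sample configuration and hostnames are constructed, and the parser is a simplified brace matcher that does not handle comments or include directives.

```python
import re

# Constructed sample (not the poster's real file): first vhost is IPv4-only.
SAMPLE_CONF = """
server {
    listen 80;
    server_name searx.example.test;
    location / { proxy_pass http://127.0.0.1:8888; }
}
server {
    listen 80;
    listen [::]:80;
    server_name www.example.test;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def listen_ports(body):
    """Return (ipv4_ports, ipv6_ports) named by the block's listen directives."""
    v4, v6 = set(), set()
    for addr in re.findall(r"^\s*listen\s+([^\s;]+)", body, re.M):
        if addr.startswith("unix:"):
            continue
        if addr.startswith("["):  # "[::]:80", "[::1]:8080", or bare "[::]"
            v6.add(addr.rsplit("]:", 1)[1] if "]:" in addr else "80")
        else:  # "80", "*:80", "127.0.0.1:8080", or a bare address (port 80)
            v4.add(addr if addr.isdigit() else addr.rsplit(":", 1)[1] if ":" in addr else "80")
    return v4, v6

def ipv4_only_vhosts(conf):
    """List (server_name, port) pairs reachable over IPv4 but not over IPv6."""
    findings = []
    for body in server_blocks(conf):
        name = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
        v4, v6 = listen_ports(body)
        host = name.group(1).split()[0] if name else "_"
        findings += [(host, port) for port in sorted(v4 - v6)]
    return findings

if __name__ == "__main__":
    for host, port in ipv4_only_vhosts(SAMPLE_CONF):
        print(f"{host}: no IPv6 listener on port {port}, add 'listen [::]:{port};'")
```

A finding matters only when the hostname also publishes an AAAA record, as in this thread, because the validation request then arrives over IPv6 and is answered by whichever server block does listen on `[::]`.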

IPv6 is the future. But a lot of web servers don’t have a working ipv6 address. So it may be missing.
