Certbot/letsencrypt querying wrong

My domain is: echannel.se

I ran this command:

sudo certbot certonly --test-cert --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): echannel.se
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for echannel.se

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

... Stuff hidden ....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. echannel.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://linux-wk.wk.se/.well-known/acme-challenge/6s9U4Wqf_IQogrDBY5H-FfSZN2aqE0X7L2v-zgLbmOk [2001:67c:2b58:1::53]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: echannel.se
   Type:   unauthorized
   Detail: Invalid response from
   https://linux-wk.wk.se/.well-known/acme-challenge/6s9U4Wqf_IQogrDBY5H-FfSZN2aqE0X7L2v-zgLbmOk
   [2001:67c:2b58:1::53]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Manual

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

As it can be seen, I am trying to generate certificate for domain echannel.se, but LE sends the request to linux-wk.wk.se.

I tried dns resolver got my IP address. Also unboundtest also returns my IP address.

Hi @tejainece

checking your configuration there is such a redirect ( https://check-your-website.server-daten.de/?q=echannel.se ):

Your ip addresses (ipv4 and ipv6):

Ipv6 works. But there are curious redirects:

http + ipv6 is redirected to a parking site. And http + ipv6 + /.well-known/acme-challenge is redirected to linux-wk.wk.se.

Is this your hoster? Or is this another domain you own?

Letsencrypt follows these redirects, so that may not work. It may work, if the linux-domain is your own domain.

Thanks for the quick response!

I don’t have an IPv6 address. The IPv4 address is 195.67.148.135 as seen above. wk.se (like godaddy) is the service from where I got the domain.

LE seems to hit 195.67.148.135 before it contacts https://linux-wk.wk.se. However it says No connection could be made because the target machine actively refused it. Any idea why this occurs?

 http://echannel.se/				
195.67.148.135	-2		1.110	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80				
• http://www.echannel.se/				
195.67.148.135	-2		1.090	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80			

For example, you can reach this webpage: http://echannel.se/hello.txt

You have an ipv6 address - https://check-your-website.server-daten.de/?q=echannel.se

Same picture again:

And Letsencrypt prefers ipv6, so that's critical.

Ipv4 + http answers now, but ipv6 has the same redirect.

So that can't work.

Check your DNS entries and remove the not working ipv6 address.

Then recheck your domain with the online tool to see, if the ipv6 is gone.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.