Certbot/letsencrypt querying wrong

My domain is: echannel.se

I ran this command:

sudo certbot certonly --test-cert --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): echannel.se
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for echannel.se

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

... Stuff hidden ....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. echannel.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://linux-wk.wk.se/.well-known/acme-challenge/6s9U4Wqf_IQogrDBY5H-FfSZN2aqE0X7L2v-zgLbmOk [2001:67c:2b58:1::53]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: echannel.se
   Type:   unauthorized
   Detail: Invalid response from
   https://linux-wk.wk.se/.well-known/acme-challenge/6s9U4Wqf_IQogrDBY5H-FfSZN2aqE0X7L2v-zgLbmOk
   [2001:67c:2b58:1::53]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Manual

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

As it can be seen, I am trying to generate certificate for domain echannel.se, but LE sends the request to linux-wk.wk.se.

I tried dns resolver got my IP address. Also unboundtest also returns my IP address.

Hi @tejainece

checking your configuration there is such a redirect ( https://check-your-website.server-daten.de/?q=echannel.se ):

Your ip addresses (ipv4 and ipv6):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
echannel.se A 195.67.148.135 Saltsjö-Duvnäs/Stockholm/Sweden (SE) - TELIANET Hostname: 195-67-148-135.customer.telia.com yes 1 0
AAAA 2001:67c:2b58:1::27 Stockholm/Sweden (SE) - Webbkonsulterna AB yes
www.echannel.se A 195.67.148.135 Saltsjö-Duvnäs/Stockholm/Sweden (SE) - TELIANET Hostname: 195-67-148-135.customer.telia.com yes 1 0
AAAA 2001:67c:2b58:1::27 Stockholm/Sweden (SE) - Webbkonsulterna AB yes

Ipv6 works. But there are curious redirects:

Domainname Http-Status redirect Sec. G
http://echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 0.110 D
http://www.echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 0.096 D
http://echannel.se/
195.67.148.135 -2 1.110 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80
http://www.echannel.se/
195.67.148.135 -2 1.090 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80
http://parking.wk.se 200 0.187 H
https://echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 3.936 N
Certificate error: RemoteCertificateNameMismatch
https://www.echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 3.360 N
Certificate error: RemoteCertificateNameMismatch
https://echannel.se/
195.67.148.135 -2 1.094 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:443
https://www.echannel.se/
195.67.148.135 -2 1.110 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:443
http://echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:67c:2b58:1::27 301 https://linux-wk.wk.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.106 E
Visible Content: Moved Permanently The document has moved here .
http://www.echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:67c:2b58:1::27 301 https://linux-wk.wk.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.093 E
Visible Content: Moved Permanently The document has moved here .
http://echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.67.148.135 -2 1.096 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80
Visible Content:
http://www.echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.67.148.135 -2 1.110 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80
Visible Content:
https://linux-wk.wk.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 3.453 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

http + ipv6 is redirected to a parking site. And http + ipv6 + /.well-known/acme-challenge is redirected to linux-wk.wk.se.

Is this your hoster? Or is this another domain you own?

Letsencrypt follows these redirects, so that may not work. It may work, if the linux-domain is your own domain.

1 Like

Thanks for the quick response!

I don’t have an IPv6 address. The IPv4 address is 195.67.148.135 as seen above. wk.se (like godaddy) is the service from where I got the domain.

LE seems to hit 195.67.148.135 before it contacts https://linux-wk.wk.se. However it says No connection could be made because the target machine actively refused it. Any idea why this occurs?

 http://echannel.se/				
195.67.148.135	-2		1.110	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80				
• http://www.echannel.se/				
195.67.148.135	-2		1.090	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:80			

For example, you can reach this webpage: http://echannel.se/hello.txt

You have an ipv6 address - https://check-your-website.server-daten.de/?q=echannel.se

Same picture again:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
echannel.se A 195.67.148.135 Saltsjö-Duvnäs/Stockholm/Sweden (SE) - TELIANET Hostname: 195-67-148-135.customer.telia.com yes 1 0
AAAA 2001:67c:2b58:1::27 Stockholm/Sweden (SE) - Webbkonsulterna AB yes
www.echannel.se A 195.67.148.135 Saltsjö-Duvnäs/Stockholm/Sweden (SE) - TELIANET Hostname: 195-67-148-135.customer.telia.com yes 1 0
AAAA 2001:67c:2b58:1::27 Stockholm/Sweden (SE) - Webbkonsulterna AB yes

And Letsencrypt prefers ipv6, so that’s critical.

Ipv4 + http answers now, but ipv6 has the same redirect.

Domainname Http-Status redirect Sec. G
http://echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 0.110 D
http://www.echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 0.097 D
http://echannel.se/
195.67.148.135 200 0.063 H
http://www.echannel.se/
195.67.148.135 200 0.064 H
http://parking.wk.se 200 0.283 H
https://echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 3.500 N
Certificate error: RemoteCertificateNameMismatch
https://www.echannel.se/
2001:67c:2b58:1::27 302 http://parking.wk.se 3.326 N
Certificate error: RemoteCertificateNameMismatch
https://echannel.se/
195.67.148.135 -2 1.110 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:443
https://www.echannel.se/
195.67.148.135 -2 1.090 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 195.67.148.135:443
http://echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:67c:2b58:1::27 301 https://linux-wk.wk.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.094 E
Visible Content: Moved Permanently The document has moved here .
http://www.echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:67c:2b58:1::27 301 https://linux-wk.wk.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.093 E
Visible Content: Moved Permanently The document has moved here .
http://echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.67.148.135 404 0.060 A
File not found
Visible Content: Error response Error code 404. Message: File not found. Error code explanation: 404 = Nothing matches the given URI.
http://www.echannel.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.67.148.135 404 0.063 A
File not found
Visible Content: Error response Error code 404. Message: File not found. Error code explanation: 404 = Nothing matches the given URI.
https://linux-wk.wk.se/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 3.453 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

So that can’t work.

Check your DNS entries and remove the not working ipv6 address.

Then recheck your domain with the online tool to see, if the ipv6 is gone.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.