Certbot on CentOS 6 + Apache failing

My domain is: pbx.hdgcorp.net

I ran this command:

root@localhost:~ $ /usr/local/bin/certbot-auto --apache

It produced this output:

/opt/eff.org/certbot/venv/lib/python3.4/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. A future version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: pbx.hdgcorp.net


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pbx.hdgcorp.net
Waiting for verification…
Challenge failed for domain pbx.hdgcorp.net
http-01 challenge for pbx.hdgcorp.net
Cleaning up challenges
Some challenges have failed.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): CentOS 6

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Was there more output that included the error message?

Hi @mautas

Your configuration can’t work.

There are IPv4 and IPv6 addresses - https://check-your-website.server-daten.de/?q=pbx.hdgcorp.net

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| pbx.hdgcorp.net | A | 173.44.34.142 Miami/Florida/United States (US) - QuadraNet Enterprises LLC No Hostname found | yes | 1 | 0 |
| | AAAA | 2607:f1c0:100f:f000::2f6 Kansas City/Missouri/United States (US) - 1&1 Internet SE | yes | | |

But checking IPv4 + /.well-known/acme-challenge/random-filename, there is the expected result: HTTP status 404 - Not Found.

IPv6 has an HTTP status 204 - No Content. So the validation file is invisible.

That’s critical because Let’s Encrypt prefers IPv6.

So

  • change your server so that IPv6 works (good)
  • or remove the ipv6 dns entry
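
An added example, not part of the original posts and not Certbot code: a pre-flight check in Python that requests a random challenge filename on every A and AAAA address published for a name and reports any address that does not return the 404 described above as the expected result. The function names are this example's own, and it does not follow redirects.

```python
import http.client
import secrets
import socket
import sys

def resolve(host):
    """Return {"A": [...], "AAAA": [...]} as the local resolver sees host."""
    out = {"A": [], "AAAA": []}
    for fam, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(host, 80, fam, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        out[rtype] = sorted({info[4][0] for info in infos})
    return out

def probe(host, ip, timeout=10):
    """GET a random, nonexistent challenge file on one address; return the status."""
    path = "/.well-known/acme-challenge/" + secrets.token_urlsafe(16)
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return None  # unreachable, refused or timed out
    finally:
        conn.close()

def diagnose(statuses):
    """statuses maps (record type, ip) to an HTTP status or None; list the problems."""
    problems = []
    for (rtype, ip), status in sorted(statuses.items()):
        if status is None:
            problems.append(f"{rtype} {ip}: no HTTP answer on port 80")
        elif status != 404:  # assumption: 404 is the healthy answer, as in the thread
            problems.append(f"{rtype} {ip}: expected 404 for a random file, got {status}")
    if len(set(statuses.values())) > 1:
        problems.append("addresses answer differently; they may not be the same server")
    return problems

def check(host):
    """Resolve host, probe every published address, and return the problem list."""
    records = resolve(host)
    statuses = {(t, ip): probe(host, ip) for t, ips in records.items() for ip in ips}
    return diagnose(statuses)

if __name__ == "__main__":
    for line in check(sys.argv[1]) or ["all published addresses return 404"]:
        print(line)
```

Run it with the hostname as the only argument before requesting a certificate; an empty problem list means every published address gave the same 404.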

Thanks a lot Juergen! I didn’t notice this about IPv6. IPv6 seems not to be well set up on this machine, so I’d better get that DNS record removed so I can proceed. That record is pointing somewhere else, not even the intended machine.

Best,

Mauricio.


Looks like 1&1 creates a standard IPv6 entry. That works if you use the hosting of 1&1, but that doesn’t work with your own hosting.

Do you have a home server or your own IPv6 address? If yes, then use that address.
