Certbot renewal was working, but broke at some point


#1

My domain is: fighting.ru

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/fighting.ru.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fighting.ru
http-01 challenge for fightingarena.org
http-01 challenge for fightingarena.ru
http-01 challenge for www.fighting.ru
http-01 challenge for www.fightingarena.org
http-01 challenge for www.fightingarena.ru
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (fighting.ru) from /etc/letsencrypt/renewal/fighting.ru.conf produced an unexpected error: Failed authorization procedure. www.fighting.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.fighting.ru/.well-known/acme-challenge/7R0FuJXWBIkdiNUkFVFeCHhW-sjb2DE-sKBZ4ghAsGc: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", fighting.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://fighting.ru/.well-known/acme-challenge/l_2SO7byHg0MH6gvF3pIgSc1p2ALzJ9IzfvZZEvfg0A: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fighting.ru/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/fighting.ru/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.fighting.ru
   Type:   unauthorized
   Detail: Invalid response from
   http://www.fighting.ru/.well-known/acme-challenge/7R0FuJXWBIkdiNUkFVFeCHhW-sjb2DE-sKBZ4ghAsGc:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: fighting.ru
   Type:   unauthorized
   Detail: Invalid response from
   http://fighting.ru/.well-known/acme-challenge/l_2SO7byHg0MH6gvF3pIgSc1p2ALzJ9IzfvZZEvfg0A:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @BioLogIn,

Your domain fighting.ru and subdomain www.fighting.ru are advertising AAAA records, and Let’s Encrypt prefers IPv6 over IPv4, so it will try to validate them using the IPv6 record, but your system/web server is not configured properly, so it gets a 404 error message.

You should fix your system/web server config to serve the same content using IPv4 and IPv6 or remove the AAAA records for fighting.ru and www.fighting.ru.

Cheers,
sahsanu
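The failure mode sahsanu describes is easy to miss because a quick `curl http://fighting.ru/` from a client that happens to use IPv4 looks fine while the validator, which goes to the AAAA address, gets the 404. The following is an added example (not code from the thread, from certbot, or from Let's Encrypt) that checks every published A and AAAA address of a hostname against the same http-01 URL. It assumes you have first placed a small file under `<webroot>/.well-known/acme-challenge/` and pass its name as the token; the hostnames, token and addresses used below are placeholders. Each probe connects to one address literal and sends the real `Host` header, so the server's virtual-host selection on that address is exercised the way the CA's validator would hit it. Note that the CA follows redirects while this probe does not, so a `301` reported on both families means "check the target", not "broken".

```python
#!/usr/bin/env python3
"""Check that every A and AAAA address of a hostname answers an ACME
http-01 challenge URL the same way.

Added example for this thread; not code from certbot or from the posters.
Assumes a probe file already exists under the webroot's
.well-known/acme-challenge/ directory.  Hostnames, token and IPs are
placeholders.
"""
import http.client
import socket
import sys
from typing import Dict, List, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"
FAMILY_NAME = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}


def resolve(name: str) -> List[Tuple[str, str]]:
    """Return [(record_type, ip)] for all A and AAAA records of `name`.
    The CA may try either family; a host that is only correct on IPv4 fails."""
    found: List[Tuple[str, str]] = []
    for fam in (socket.AF_INET, socket.AF_INET6):
        try:
            infos = socket.getaddrinfo(name, 80, fam, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no records of this family
        for info in infos:
            entry = (FAMILY_NAME[fam], info[4][0])
            if entry not in found:
                found.append(entry)
    return found


def probe(name: str, ip: str, token: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET http://<name>/.well-known/acme-challenge/<token> via one specific
    address literal, sending the real Host header.  Returns (status, body prefix);
    status 0 means the TCP connection itself failed (refused, timeout, no route)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token, headers={"Host": name})
        resp = conn.getresponse()
        body = resp.read(200).decode("utf-8", "replace")
        return resp.status, body
    except OSError as exc:
        return 0, str(exc)
    finally:
        conn.close()


def diagnose(name: str, observed: Dict[Tuple[str, str], Tuple[int, str]]) -> List[str]:
    """Pure comparison over observations {(record_type, ip): (status, body)}.
    Every address must return 200 with the same body; anything else is listed.
    The last check names the pattern from this thread: A works, AAAA does not."""
    findings: List[str] = []
    ok_bodies: Dict[str, str] = {}
    for (rtype, ip), (status, body) in observed.items():
        if status != 200:
            findings.append(f"{name} {rtype} {ip}: HTTP {status} (validator would reject this)")
        else:
            ok_bodies[ip] = body
    if len(set(ok_bodies.values())) > 1:
        findings.append(f"{name}: addresses returning 200 disagree on the body: {sorted(ok_bodies)}")
    v4_ok = any(s == 200 for (r, _), (s, _) in observed.items() if r == "A")
    v6_status = [s for (r, _), (s, _) in observed.items() if r == "AAAA"]
    if v4_ok and v6_status and all(s != 200 for s in v6_status):
        findings.append(f"{name}: IPv4 serves the challenge but IPv6 does not; "
                        "fix the server block listening on [::]:80 or drop the AAAA record")
    return findings


def check(name: str, token: str) -> List[str]:
    """Resolve, probe every address, and diagnose.  Needs network access."""
    observed = {key: probe(name, key[1], token) for key in resolve(name)}
    if not observed:
        return [f"{name}: no A or AAAA records found"]
    return diagnose(name, observed)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} TOKEN HOSTNAME [HOSTNAME ...]")
    token, names = sys.argv[1], sys.argv[2:]
    problems = [f for n in names for f in check(n, token)]
    print("\n".join(problems) if problems else "every address serves the challenge consistently")
    sys.exit(1 if problems else 0)
```

Run it with the same names certbot lists in the `http-01 challenge for ...` lines, for example `./acme_probe.py probe-file www.fighting.ru fighting.ru` after creating `probe-file` in the webroot. If the IPv6 line reports `HTTP 404` while the IPv4 line is clean, the AAAA address is being answered by a different nginx server block (typically the default one, which has no `location /.well-known/acme-challenge/` pointing at the webroot), which is exactly what the thread's `404 Not Found` page from nginx indicates.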


#3

Hi @sahsanu,

Many thanks, this was indeed the case. To my shame, I saw the same answer in a similar thread, but I was under the impression that my server served IPv6 correctly; apparently, it did not. I removed the IPv6 DNS entries, which allowed certbot to renew properly:

Thank you for your patience with us all! =)

