Certbot Some challenges have failed

helloo.. please help me :sob:

My domain is: icestack.org

I ran this command: certbot --apache

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: icestack.org
Type: unauthorized
Detail: Invalid response from http://icestack.org/.well-known/acme-challenge/9wDBPukQrMSARCOwixGxGB3Y_43kJkVMBDgGNPK6kJg [2001:df0:2fc:99::163]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Domain: www.icestack.org
Type: unauthorized
Detail: Invalid response from http://www.icestack.org/.well-known/acme-challenge/_xoFeRvFsXIkktG2L2fLtRAfHnaHa1WzJWQSDr-G0aM [2001:df0:2fc:99::163]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache

please help, anyone? thankyouu

1 Like

Hi @yuds, welcome to the LE community forum :slight_smile:

You have an IPv6 problem.
The site responds with 403 forbidden via IPv6:

curl -Iki4 http://icestack.org/
HTTP/1.1 200 OK
Date: Wed, 15 Sep 2021 05:21:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Upgrade: h2,h2c
Connection: Upgrade
Content-Type: text/html; charset=UTF-8

curl -Iki6 http://icestack.org/
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3446

Name:      icestack.org
Addresses: 2001:df0:2fc:99::163
           103.163.39.28
3 Likes

Hi, I went to icestack.org and found an empty website. Then I went to www.icestack.org and found the proper website. I think this means that you have only configured apache to handle the www.icestack.org domain, not the icestack.org domain. Or maybe it's just that they aren't configured to be the same website. This might have something to do with your problem.

You probably want to change the apache configuration, so that it handles the bare icestack.org domain as well (i.e. so that one domain is the ServerName and the other is a ServerAlias). Once you have done that, and checked that both domains work the same in a web browser, you can try to obtain a certificate for both domains, e.g.:

certbot --apache -d icestack.org -d www.icestack.org

However, this theory doesn't explain why the challenge for www.icestack.org didn't work. That website looks functional. So I might be wrong. The problem might be something else about your apache configuration. But I think my suggestion is probably still helpful.

Ah, the IPv6 thing is the actual problem. icestack.org shows an empty site for IPv4 and IPv6. www.icestack.org only shows an empty site for IPv6 and the real site for IPv4. So only 1 of 4 combinations is working.

So, in addition to the ServerName/ServerAlias thing to make both domains refer to the same website, you also need to make sure that you aren't specifically referring to the IPv4 address of your site in the VirtualHost configuration. It should look like:

<VirtualHost *:80>

to start with. It should not look like:

<VirtualHost 103.163.39.28:80>

My configuration originally had the specific IPv4 address. It's no good.
If your server has multiple IPv4 and IPv6 addresses, and different virtual hosts
per IPv4 address, it gets more complicated. You need to specify both the relevant
IPv4 and IPv6 addresses for each virtual host. If not, just use * as the address to
match both the IPv4 address and the IPv6 address.

Also note, that if you have multiple virtual hosts, and a default (IP-based) host that is deliberately forbidden, you will need to manually add the SSL certificate details to the default host's configuration after you get certbot working or bad things will happen. Ignore this last bit if it doesn't sound relevant.

1 Like

hellooo @rg305 So, what should I do?

1 Like

hellooo @raf , my VirtualHost configuration like this

And every time I do the process certbot --apache, always come out like this

And I don't know what to do :disappointed_relieved:

1 Like

I think you first need to get your apache configuration correct, so that icestack.org and www.icestack.org both work.

Also, it's good that you have <VirtualHost *:80> but perhaps there's something wrong
with your IPv6 networking on that server. You need to investigate that.

Strangely, when I run nmap against both IPv4 and IPv6 addresses for icestack.org
and www.icestack.org, I get surprisingly different results:

> nmap -sT icestack.org
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Although the first attempt showed the ports as closed. And...

> nmap -sT -6 icestack.org
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   closed ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
143/tcp  open   imap
443/tcp  open   https
465/tcp  open   smtps
587/tcp  open   submission
993/tcp  open   imaps
995/tcp  open   pop3s
8443/tcp closed https-alt

So it looks like IPv6 is fine, but it's weird that the same ports
aren't open for IPv4 and IPv6. They are for the purposes of apache,
so maybe it's nothing to worry about, but it really does seem odd that
many ports that are accessible via the IPv6 address aren't accessible
via the IPv4 address.

If you understand why there is this discrepancy, and it's all OK, then that's
OK (I guess), but if this discrepancy between IPv4 and IPv6 access is
a surprise to you, then you should investigate that and sort it out. But really,
the same ports should be open whether a client uses the IPv4 address or
the IPv6 address.

Once the same ports are open regardless of which version of IP address is
used, make sure that apache is configured to serve the same website regardless
of which version of IP address was used. This can be tested by forcing either
the IPv4 or IPv6 address for icestack.org and www.icestack.org temporarily in
your local /etc/hosts file, and checking with a browser.

Also, you didn't mention whether or not you have both domains set up for the same
website (with ServerName/ServerAlias). Don't forget that.

Once your website works properly with either IPv4 or IPv6, and with either
icestack.org or www.icestack.org, then you can think about whether or not
certbot is working for you. Until then, you might need to ask for help on other forums
(i.e. IPv6 related forums, or service-specific forums, and apache forums).

1 Like
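The name and address-family combinations discussed above can be checked without editing /etc/hosts, by connecting to each resolved address and sending the Host header explicitly. This is an added example, not code from any poster; the function names are assumptions, and the sample results are constructed from the curl output quoted earlier in the thread plus a placeholder name.

```python
import http.client
import socket
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def resolve(name, family):
    """Addresses DNS returns for name in one address family (A or AAAA)."""
    try:
        infos = socket.getaddrinfo(name, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe(name, address, path="/", timeout=10):
    """Request http://<name><path> but connect to `address`.
    Returns (status, Server header), or (None, error name) on failure."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": name})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Server")
    except (OSError, http.client.HTTPException) as exc:
        return None, type(exc).__name__
    finally:
        conn.close()

def probe_all(names, path="/"):
    """Probe every address of every name over both families."""
    results = {}
    for name in names:
        for label, family in FAMILIES.items():
            for address in resolve(name, family):
                results[(name, label, address)] = probe(name, address, path)
    return results

def ipv6_mismatches(results):
    """Names that have both families in DNS but answer differently over IPv6.
    The CA validates over IPv6 when an AAAA record exists, so these fail."""
    by_name = {}
    for (name, label, _address), answer in results.items():
        by_name.setdefault(name, {"IPv4": set(), "IPv6": set()})[label].add(answer)
    return sorted(name for name, fam in by_name.items()
                  if fam["IPv4"] and fam["IPv6"] and fam["IPv4"] != fam["IPv6"])

# Constructed sample: first two rows mirror the curl results quoted in the
# thread; ok.example uses documentation addresses and is a placeholder.
SAMPLE = {
    ("icestack.org", "IPv4", "103.163.39.28"): (200, "Apache/2.4.41 (Ubuntu)"),
    ("icestack.org", "IPv6", "2001:df0:2fc:99::163"): (403, None),
    ("ok.example", "IPv4", "192.0.2.10"): (200, "Apache"),
    ("ok.example", "IPv6", "2001:db8::10"): (200, "Apache"),
}

if __name__ == "__main__":
    live = probe_all(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE
    for key, answer in sorted(live.items()):
        print(*key, "->", answer)
    print("IPv6 differs from IPv4 for:", ipv6_mismatches(live))
```

Run with the domain names as arguments on a host that has working IPv6, otherwise every IPv6 probe reports a connection error rather than the server's real answer.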

Either:

  • add a listen for IPv6 for all the names that use IPv6
    listen [::]:80
  • remove the IPv6 records from DNS

2 Likes

Thank you so much for replying to my message :heart: @rg305 @raf , I've updated my apache configuration, I'm trying to re-do the certbot --apache command, and there's another problem coming out.

apachectl -S

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

What are the outputs of:

sudo ls -lRa /etc/apache2
sudo cat /etc/apache2/sites-enabled/icestack.org.conf

Please put 3 backticks above and below each output, like this:

```
output
```

2 Likes

helloo @griffin :slightly_smiling_face:


total 100
drwxr-xr-x   8 root root  4096 Sep 16 02:32 .
drwxr-xr-x 100 root root  4096 Sep 15 10:11 ..
-rw-r--r--   1 root root  8069 Sep 15 16:14 apache2.conf
-rw-r--r--   1 root root  7905 Sep 15 09:07 apache2.conf.bak
-rw-r--r--   1 root root   513 Sep 15 09:16 apache2-le-ssl.conf
drwxr-xr-x   2 root root  4096 Sep 15 05:04 conf-available
drwxr-xr-x   2 root root  4096 Sep 15 05:04 conf-enabled
-rw-r--r--   1 root root  1782 Jul  5 07:11 envvars
-rw-r--r--   1 root root 31063 Jul  5 07:11 magic
drwxr-xr-x   2 root root 12288 Sep  6 07:28 mods-available
drwxr-xr-x   2 root root  4096 Sep 15 05:02 mods-enabled
-rw-r--r--   1 root root   320 Jul  5 07:11 ports.conf
drwxr-xr-x   2 root root  4096 Sep 16 02:32 sites-available
drwxr-xr-x   2 root root  4096 Sep 15 07:26 sites-enabled

/etc/apache2/conf-available:
total 32
drwxr-xr-x 2 root root 4096 Sep 15 05:04 .
drwxr-xr-x 8 root root 4096 Sep 16 02:32 ..
-rw-r--r-- 1 root root  315 Jul  5 07:11 charset.conf
-rw-r--r-- 1 root root 3224 Jul  5 07:11 localized-error-pages.conf
-rw-r--r-- 1 root root  189 Jul  5 07:11 other-vhosts-access-log.conf
-rw-r--r-- 1 root root 2174 Jul  5 07:11 security.conf
-rw-r--r-- 1 root root  455 Jul  5 07:11 serve-cgi-bin.conf
-rw-r--r-- 1 root root  248 Sep 15 05:01 well-known.conf

/etc/apache2/conf-enabled:
total 8
drwxr-xr-x 2 root root 4096 Sep 15 05:04 .
drwxr-xr-x 8 root root 4096 Sep 16 02:32 ..
lrwxrwxrwx 1 root root   30 Sep  5 02:58 charset.conf -> ../conf-available/charset.conf
lrwxrwxrwx 1 root root   44 Sep  5 02:58 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root   46 Sep  5 02:58 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root   31 Sep  5 02:58 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root   36 Sep  5 02:58 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
lrwxrwxrwx 1 root root   33 Sep 15 05:04 well-known.conf -> ../conf-available/well-known.conf

/etc/apache2/mods-available:
total 592
drwxr-xr-x 2 root root 12288 Sep  6 07:28 .
drwxr-xr-x 8 root root  4096 Sep 16 02:32 ..
-rw-r--r-- 1 root root   100 Jul  5 07:11 access_compat.load
-rw-r--r-- 1 root root   377 Jul  5 07:11 actions.conf
-rw-r--r-- 1 root root    66 Jul  5 07:11 actions.load
-rw-r--r-- 1 root root   843 Jul  5 07:11 alias.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 alias.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 allowmethods.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 asis.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 auth_basic.load
-rw-r--r-- 1 root root    96 Jul  5 07:11 auth_digest.load
-rw-r--r-- 1 root root   100 Jul  5 07:11 auth_form.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_anon.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_core.load
-rw-r--r-- 1 root root    85 Jul  5 07:11 authn_dbd.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 authn_dbm.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authn_file.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 authn_socache.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 authnz_fcgi.load
-rw-r--r-- 1 root root    90 Jul  5 07:11 authnz_ldap.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 authz_core.load
-rw-r--r-- 1 root root    96 Jul  5 07:11 authz_dbd.load
-rw-r--r-- 1 root root    92 Jul  5 07:11 authz_dbm.load
-rw-r--r-- 1 root root   104 Jul  5 07:11 authz_groupfile.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 authz_host.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 authz_owner.load
-rw-r--r-- 1 root root    94 Jul  5 07:11 authz_user.load
-rw-r--r-- 1 root root  3374 Jul  5 07:11 autoindex.conf
-rw-r--r-- 1 root root    70 Jul  5 07:11 autoindex.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 brotli.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 buffer.load
-rw-r--r-- 1 root root   889 Jul  5 07:11 cache_disk.conf
-rw-r--r-- 1 root root    89 Jul  5 07:11 cache_disk.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 cache.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 cache_socache.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 cern_meta.load
-rw-r--r-- 1 root root   115 Jul  5 07:11 cgid.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 cgid.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 cgi.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 charset_lite.load
-rw-r--r-- 1 root root    60 Jul  5 07:11 data.load
-rw-r--r-- 1 root root    83 Jul  5 07:11 dav_fs.conf
-rw-r--r-- 1 root root    79 Jul  5 07:11 dav_fs.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 dav.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 dav_lock.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 dbd.load
-rw-r--r-- 1 root root   395 Jul  5 07:11 deflate.conf
-rw-r--r-- 1 root root    84 Jul  5 07:11 deflate.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 dialup.load
-rw-r--r-- 1 root root   157 Jul  5 07:11 dir.conf
-rw-r--r-- 1 root root    58 Jul  5 07:11 dir.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 dump_io.load
-rw-r--r-- 1 root root    60 Jul  5 07:11 echo.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 env.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 expires.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 ext_filter.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 file_cache.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 filter.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 headers.load
-rw-r--r-- 1 root root   176 Jul  5 07:11 heartbeat.load
-rw-r--r-- 1 root root   182 Jul  5 07:11 heartmonitor.load
-rw-r--r-- 1 root root  1240 Jul  5 07:11 http2.conf
-rw-r--r-- 1 root root    62 Jul  5 07:11 http2.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 ident.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 imagemap.load
-rw-r--r-- 1 root root    82 Jul  5 07:11 include.load
-rw-r--r-- 1 root root   402 Jul  5 07:11 info.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 info.load
-rw-r--r-- 1 root root   116 Jul  5 07:11 lbmethod_bybusyness.load
-rw-r--r-- 1 root root   116 Jul  5 07:11 lbmethod_byrequests.load
-rw-r--r-- 1 root root   114 Jul  5 07:11 lbmethod_bytraffic.load
-rw-r--r-- 1 root root   114 Jul  5 07:11 lbmethod_heartbeat.load
-rw-r--r-- 1 root root   121 Jul  5 07:11 ldap.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 ldap.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 log_debug.load
-rw-r--r-- 1 root root    76 Jul  5 07:11 log_forensic.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 lua.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 macro.load
-rw-r--r-- 1 root root    56 Jul  5 07:11 md.load
-rw-r--r-- 1 root root  7676 Jul  5 07:11 mime.conf
-rw-r--r-- 1 root root    60 Jul  5 07:11 mime.load
-rw-r--r-- 1 root root   120 Jul  5 07:11 mime_magic.conf
-rw-r--r-- 1 root root    72 Jul  5 07:11 mime_magic.load
-rw-r--r-- 1 root root   668 Jul  5 07:11 mpm_event.conf
-rw-r--r-- 1 root root   106 Jul  5 07:11 mpm_event.load
-rw-r--r-- 1 root root   571 Jul  5 07:11 mpm_prefork.conf
-rw-r--r-- 1 root root   108 Jul  5 07:11 mpm_prefork.load
-rw-r--r-- 1 root root   836 Jul  5 07:11 mpm_worker.conf
-rw-r--r-- 1 root root   107 Jul  5 07:11 mpm_worker.load
-rw-r--r-- 1 root root   724 Jul  5 07:11 negotiation.conf
-rw-r--r-- 1 root root    74 Jul  5 07:11 negotiation.load
-rw-r--r-- 1 root root   855 Jul  5 15:13 php7.4.conf
-rw-r--r-- 1 root root   102 Jul  5 15:13 php7.4.load
-rw-r--r-- 1 root root    87 Jul  5 07:11 proxy_ajp.load
-rw-r--r-- 1 root root   347 Jul  5 07:11 proxy_balancer.conf
-rw-r--r-- 1 root root   115 Jul  5 07:11 proxy_balancer.load
-rw-r--r-- 1 root root   822 Jul  5 07:11 proxy.conf
-rw-r--r-- 1 root root    95 Jul  5 07:11 proxy_connect.load
-rw-r--r-- 1 root root    95 Jul  5 07:11 proxy_express.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_fcgi.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 proxy_fdpass.load
-rw-r--r-- 1 root root   189 Jul  5 07:11 proxy_ftp.conf
-rw-r--r-- 1 root root    87 Jul  5 07:11 proxy_ftp.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 proxy_hcheck.load
-rw-r--r-- 1 root root  2511 Jul  5 07:11 proxy_html.conf
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_html.load
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_http2.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_http.load
-rw-r--r-- 1 root root    62 Jul  5 07:11 proxy.load
-rw-r--r-- 1 root root    89 Jul  5 07:11 proxy_scgi.load
-rw-r--r-- 1 root root    91 Jul  5 07:11 proxy_uwsgi.load
-rw-r--r-- 1 root root    97 Jul  5 07:11 proxy_wstunnel.load
-rw-r--r-- 1 root root    85 Jul  5 07:11 ratelimit.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 reflector.load
-rw-r--r-- 1 root root    68 Jul  5 07:11 remoteip.load
-rw-r--r-- 1 root root  1190 Jul  5 07:11 reqtimeout.conf
-rw-r--r-- 1 root root    72 Jul  5 07:11 reqtimeout.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 request.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 rewrite.load
-rw-r--r-- 1 root root    58 Jul  5 07:11 sed.load
-rw-r--r-- 1 root root    99 Jul  5 07:11 session_cookie.load
-rw-r--r-- 1 root root    99 Jul  5 07:11 session_crypto.load
-rw-r--r-- 1 root root    93 Jul  5 07:11 session_dbd.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 session.load
-rw-r--r-- 1 root root  1280 Jul  5 07:11 setenvif.conf
-rw-r--r-- 1 root root    68 Jul  5 07:11 setenvif.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 slotmem_plain.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 slotmem_shm.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 socache_dbm.load
-rw-r--r-- 1 root root    84 Jul  5 07:11 socache_memcache.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 socache_redis.load
-rw-r--r-- 1 root root    78 Jul  5 07:11 socache_shmcb.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 speling.load
-rw-r--r-- 1 root root  3110 Jul  5 07:11 ssl.conf
-rw-r--r-- 1 root root    97 Jul  5 07:11 ssl.load
-rw-r--r-- 1 root root   749 Jul  5 07:11 status.conf
-rw-r--r-- 1 root root    64 Jul  5 07:11 status.load
-rw-r--r-- 1 root root    72 Jul  5 07:11 substitute.load
-rw-r--r-- 1 root root    64 Jul  5 07:11 suexec.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 unique_id.load
-rw-r--r-- 1 root root   324 Jul  5 07:11 userdir.conf
-rw-r--r-- 1 root root    66 Jul  5 07:11 userdir.load
-rw-r--r-- 1 root root    70 Jul  5 07:11 usertrack.load
-rw-r--r-- 1 root root    74 Jul  5 07:11 vhost_alias.load
-rw-r--r-- 1 root root    66 Jul  5 07:11 xml2enc.load

/etc/apache2/mods-enabled:
total 8
drwxr-xr-x 2 root root 4096 Sep 15 05:02 .
drwxr-xr-x 8 root root 4096 Sep 16 02:32 ..
lrwxrwxrwx 1 root root   36 Sep  5 02:58 access_compat.load -> ../mods-available/access_compat.load
lrwxrwxrwx 1 root root   28 Sep  5 02:58 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root   28 Sep  5 02:58 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 authn_core.load -> ../mods-available/authn_core.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 authz_core.load -> ../mods-available/authz_core.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 authz_user.load -> ../mods-available/authz_user.load
lrwxrwxrwx 1 root root   32 Sep  5 02:58 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root   32 Sep  5 02:58 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root   30 Sep  5 02:58 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root   30 Sep  5 02:58 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root   26 Sep  5 02:58 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root   26 Sep  5 02:58 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root   26 Sep  5 02:58 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root   29 Sep  5 02:58 filter.load -> ../mods-available/filter.load
lrwxrwxrwx 1 root root   30 Sep 15 05:02 headers.load -> ../mods-available/headers.load
lrwxrwxrwx 1 root root   28 Sep 15 05:02 http2.conf -> ../mods-available/http2.conf
lrwxrwxrwx 1 root root   28 Sep 15 05:02 http2.load -> ../mods-available/http2.load
lrwxrwxrwx 1 root root   27 Sep  5 02:58 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root   27 Sep  5 02:58 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root   34 Sep  6 07:28 mpm_prefork.conf -> ../mods-available/mpm_prefork.conf
lrwxrwxrwx 1 root root   34 Sep  6 07:28 mpm_prefork.load -> ../mods-available/mpm_prefork.load
lrwxrwxrwx 1 root root   34 Sep  5 02:58 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root   34 Sep  5 02:58 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root   29 Sep  6 07:28 php7.4.conf -> ../mods-available/php7.4.conf
lrwxrwxrwx 1 root root   29 Sep  6 07:28 php7.4.load -> ../mods-available/php7.4.load
lrwxrwxrwx 1 root root   33 Sep  5 02:58 reqtimeout.conf -> ../mods-available/reqtimeout.conf
lrwxrwxrwx 1 root root   33 Sep  5 02:58 reqtimeout.load -> ../mods-available/reqtimeout.load
lrwxrwxrwx 1 root root   30 Sep  6 10:13 rewrite.load -> ../mods-available/rewrite.load
lrwxrwxrwx 1 root root   31 Sep  5 02:58 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root   31 Sep  5 02:58 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root   36 Sep  7 16:39 socache_shmcb.load -> ../mods-available/socache_shmcb.load
lrwxrwxrwx 1 root root   26 Sep  7 16:39 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root   26 Sep  7 16:39 ssl.load -> ../mods-available/ssl.load
lrwxrwxrwx 1 root root   29 Sep  5 02:58 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root   29 Sep  5 02:58 status.load -> ../mods-available/status.load

/etc/apache2/sites-available:
total 28
drwxr-xr-x 2 root root 4096 Sep 16 02:32 .
drwxr-xr-x 8 root root 4096 Sep 16 02:32 ..
-rw-r--r-- 1 root root 1332 Jul  5 07:11 000-default.conf
-rw-r--r-- 1 root root  279 Sep  9 16:32 defast.net.id.conf
-rw-r--r-- 1 root root 6338 Jul  5 07:11 default-ssl.conf
-rw-r--r-- 1 root root  268 Sep 15 05:39 icestack.org.conf

/etc/apache2/sites-enabled:
total 8
drwxr-xr-x 2 root root 4096 Sep 15 07:26 .
drwxr-xr-x 8 root root 4096 Sep 16 02:32 ..
lrwxrwxrwx 1 root root   32 Sep  7 16:39 apache2-le-ssl.conf -> /etc/apache2/apache2-le-ssl.conf
lrwxrwxrwx 1 root root   37 Sep 13 11:41 defast.net.id.conf -> ../sites-available/defast.net.id.conf
lrwxrwxrwx 1 root root   36 Sep 14 03:53 icestack.org.conf -> ../sites-available/icestack.org.conf

1 Like

Please upload copies of these files:

/etc/apache2/apache2.conf
/etc/apache2/apache2.conf.bak
/etc/apache2/apache2-le-ssl.conf
/etc/apache2/sites-available/defast.net.id.conf
/etc/apache2/sites-available/icestack.org.conf

You will likely need to change the .conf extensions to .txt in order to upload the files. We need the actual files to check for character inconsistencies and other "odd" problems.

1 Like

Here is an obvious one:

Servername  icestack.org
ServerAlias icestack.org

and followed with:

RewriteCond %{SERVER_NAME} =icestack.org [OR]
RewriteCond %{SERVER_NAME} =icestack.org

And the most problematic one:

<VirtualHost *:80>
[2001:df0:2fc:99::163] ... 404 Not Found

Listening on IPv4 only.
While DNS resolves to IPv6 & IPv4 IPs.
Note: LE will prefer IPv6 over IPv4 when present.

Name:      icestack.org
Addresses: 2001:df0:2fc:99::163
           103.163.39.28

Deja vu!

2 Likes

This shouldn't be needed. This should be enough for both IPv4 and IPv6:

/etc/apache2/ports.conf:
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>

I thought so too at one point, but ended up realising that it's best to completely avoid any specific reference to IPv4 or IPv6. That way, both should work.

However, removing the IPv6/AAAA records from the DNS will "fix" this problem, but it's
not ideal. Ideally, both addresses should work.

I wonder what the /etc/apache2/apache-le-ssl.conf file is. I never got one of those.
The only *-le-ssl.conf files I've seen are in /etc/apache2/sites-{available,enabled}/*.

As for:

ServerName icestack.org
ServerAlias icestack.org

The ServerAlias line should be:

ServerAlias www.icestack.org

It doesn't make sense for the alias and the name to be identical.

However, when I now check icestack.org and www.icestack.org with IPv4 and IPv6, it has changed since yesterday. Both domains are working for IPv4, but neither domain is working for IPv6. So it's now 2/4 combinations working.

@yuds, do you know why different ports are open on the server, depending on whether the IPv4 address is scanned, or the IPv6 address is scanned? I thought that maybe the two addresses might refer to different actual servers, but the round-trip times are the same for me so maybe not.

I think you need to understand why the IPv4 and IPv6 addresses are behaving so differently. The IPv4 address only has webserver ports open. The IPv6 address also has many mail-related ports open. Do you understand why that is the case? Might it be relevant? Please investigate that, and let us know. Maybe it's just that all of your mail servers are deliberately excluding IPv4 clients, but that seems very unlikely/unhelpful. What is the reason for the discrepancy? I can't help thinking that it's significant.

2 Likes
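The two configuration problems raised in this thread (a VirtualHost bound to one address family while DNS publishes both, and a ServerAlias that repeats the ServerName instead of naming the www host) can be caught before running certbot. This is an added example, not code from any poster or from Certbot; the function names and finding labels are assumptions, the sample configs are constructed, and it inspects only VirtualHost blocks, not Listen directives.

```python
import fnmatch
import ipaddress
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def parse_vhosts(conf_text):
    """Address specs, ServerName and ServerAlias of each <VirtualHost> block."""
    vhosts = []
    for addr_specs, body in VHOST_RE.findall(conf_text):
        name, aliases = None, []
        for line in body.splitlines():
            words = line.split()
            if len(words) < 2 or words[0].startswith("#"):
                continue
            directive = words[0].lower()   # directive names are case-insensitive
            if directive == "servername":
                name = words[1].lower()
            elif directive == "serveralias":
                aliases += [w.lower() for w in words[1:]]
        vhosts.append({"addrs": addr_specs.split(), "name": name, "aliases": aliases})
    return vhosts

def families(addr_spec):
    """IP versions an address spec can match: '*:80' -> {4, 6}."""
    if addr_spec.startswith("["):
        host = addr_spec[1:addr_spec.index("]")]
    else:
        host = addr_spec.split(":")[0]
    if host in ("*", "_default_"):
        return {4, 6}
    try:
        return {ipaddress.ip_address(host).version}
    except ValueError:
        return {4, 6}   # a hostname: not resolved here, assumed to cover both

def lint(conf_text, dns):
    """dns maps each name to be certified to the addresses DNS publishes for it."""
    findings = []
    vhosts = parse_vhosts(conf_text)
    for vh in vhosts:
        if vh["name"] and vh["name"] in vh["aliases"]:
            findings.append(("alias-repeats-name", vh["name"]))
    for domain, addresses in dns.items():
        serving = [vh for vh in vhosts if domain == vh["name"]
                   or any(fnmatch.fnmatch(domain, a) for a in vh["aliases"])]
        if not serving:   # requests for this name fall through to the default vhost
            findings.append(("no-vhost-for-name", domain))
            continue
        bound = set().union(*(families(s) for vh in serving for s in vh["addrs"]))
        published = {ipaddress.ip_address(a).version for a in addresses}
        for version in sorted(published - bound):
            findings.append((f"ipv{version}-record-not-served", domain))
    return findings

# Constructed samples. Addresses are the ones quoted in the thread; the www
# IPv4 address is assumed to match the bare domain's.
DNS = {"icestack.org": ["2001:df0:2fc:99::163", "103.163.39.28"],
       "www.icestack.org": ["2001:df0:2fc:99::163", "103.163.39.28"]}
BAD_CONF = """<VirtualHost 103.163.39.28:80>
    Servername  icestack.org
    ServerAlias icestack.org
</VirtualHost>"""
GOOD_CONF = """<VirtualHost *:80>
    ServerName  icestack.org
    ServerAlias www.icestack.org
</VirtualHost>"""

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, lint(conf, DNS))
```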

That would have to be tested.
I prefer to be explicit than to assume anything from Apache.

2 Likes

Good point. But I only said it because it works well for me. I'm not from Apache. :slight_smile:

1 Like

@yuds, any news?