Certbot uses wrong IP address


#1

Hi. I’ve got a problem with certbot certonly --webroot ... on a certain domain, where I changed the A record to a new server. All browsers are trying to access the domain using the new IP address but certbot seems to use the old one. This way I am not able to create a new certificate.

Because of that I got blocked for new tries. I wasn’t expecting that.
An unexpected error occurred: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Why does certbot seem to be the only one who got old DNS information here?

My domain is:
weingut-dr-lawall.de

I ran this command:
certbot certonly --dry-run --webroot --webroot-path /var/www/vhosts/weingut-dr-lawall.de -d weingut-dr-lawall.de -d www.weingut-dr-lawall.de

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for weingut-dr-lawall.de
http-01 challenge for www.weingut-dr-lawall.de
Using the webroot path /var/www/vhosts/weingut-dr-lawall.de for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.weingut-dr-lawall.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.weingut-dr-lawall.de/.well-known/acme-challenge/lNwL3p3yQjCf6T21X02Oy0qrPMaERKc-BVBeNdnz2Kk: "\n\n404 Not Found\n\nNot Found\n\n<p", weingut-dr-lawall.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://weingut-dr-lawall.de/.well-known/acme-challenge/UEshx1o5zpsma8prvdl0YpsqJ2zsf8WOWUbe4WBOWdI: "\n\n404 Not Found\n\nNot Found\n\n<p"

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
Me

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi @NicolasGoeddel

you have an IPv4 and an IPv6 address:

D:\temp>nslookup weingut-dr-lawall.de.
Name: weingut-dr-lawall.de
Addresses: 2a01:238:42b2:df00:9f9e:7719:2e7d:3f57
85.214.198.107

And your IPv6 server has a different version:

https://letsdebug.net/weingut-dr-lawall.de/7938?debug=y

[Address Type=IPv4,Server=Apache/2.4.18 (Ubuntu),HTTP Status=404] vs [Address Type=IPv6,Server=Apache/2.4.7 (Ubuntu),HTTP Status=404]

So configure a vHost with your IPv6 address. Or remove your IPv6 address in your DNS settings.

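The diagnosis above, as an added example that is not part of the original thread: the script resolves every A and AAAA record for the hostname and requests the challenge path from each address separately, pinning the Host header, so an address that is answered by a different Apache (here 2.4.7 on IPv6 against 2.4.18 on IPv4) stands out. The probe path name and the "acme-probe" user agent are assumptions for the example; the two addresses and Server strings used in the comments are the ones letsdebug reported in this thread. Caveat worth knowing: when a name has an AAAA record, Let's Encrypt connects to the IPv6 address first, so a stale AAAA pointing at an old box breaks http-01 even though every browser on an IPv4-only network sees the new server. If all addresses agree and still return 404, the problem is the webroot path or the vHost's DocumentRoot, not DNS.

```python
"""Probe each resolved address of a hostname for the ACME challenge path.

Added example, not code from the thread or from certbot. Assumed: the
probe path below (any non-existent token gives a 404 from a correctly
routed vhost, which is enough to compare Server headers), plain HTTP on
port 80, and the 'acme-probe/1' User-Agent.
"""
import http.client
import socket

# Assumed probe token: we only care which server answers, not the content.
CHALLENGE_PATH = "/.well-known/acme-challenge/acme-probe-token"


def host_literal(ip):
    """http.client needs IPv6 literals in brackets; IPv4 passes through."""
    return f"[{ip}]" if ":" in ip else ip


def resolve_all(hostname):
    """Return every (family, ip) pair the local resolver has for hostname.

    Note: this asks the local resolver, not the authoritative servers the CA
    uses, so a cached answer can still differ from what Let's Encrypt sees.
    """
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
        hostname, 80, type=socket.SOCK_STREAM
    ):
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        pair = (name, sockaddr[0])
        if pair not in seen:
            seen.append(pair)
    return seen


def probe(hostname, ip, path=CHALLENGE_PATH, timeout=5):
    """GET `path` from one specific address, sending the real name in Host."""
    conn = http.client.HTTPConnection(host_literal(ip), 80, timeout=timeout)
    try:
        conn.request(
            "GET", path, headers={"Host": hostname, "User-Agent": "acme-probe/1"}
        )
        resp = conn.getresponse()
        resp.read()
        return {"status": resp.status, "server": resp.getheader("Server", "")}
    except OSError as exc:
        # Connection refused / timeout: the CA would fail on this address too.
        return {"status": None, "server": "", "error": str(exc)}
    finally:
        conn.close()


def find_inconsistencies(results):
    """Report addresses that are unreachable or answered by a different server.

    `results` maps (family, ip) -> probe() result. The CA may validate on any
    of these addresses (IPv6 first when present), so every one must be the
    same vhost. Returns a list of human-readable problems; [] means all
    addresses agree.
    """
    problems = []
    by_server = {}
    for (family, ip), r in results.items():
        if r["status"] is None:
            problems.append(
                f"{family} {ip}: unreachable ({r.get('error', 'no response')})"
            )
            continue
        by_server.setdefault(r["server"], []).append(f"{family} {ip}")
    if len(by_server) > 1:
        for server, addrs in by_server.items():
            label = server or "<no Server header>"
            problems.append(f"'{label}' answers on: {', '.join(addrs)}")
    return problems


def check_host(hostname):
    """Resolve, probe every address, and return (results, problems)."""
    results = {addr: probe(hostname, addr[1]) for addr in resolve_all(hostname)}
    return results, find_inconsistencies(results)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "weingut-dr-lawall.de"
    res, problems = check_host(target)
    for (family, ip), r in res.items():
        print(f"{family:4} {ip:40} status={r['status']} server={r['server']!r}")
    for p in problems:
        print("PROBLEM:", p)
```

Run it as `python3 probe.py weingut-dr-lawall.de` from a host with both IPv4 and IPv6 connectivity; on the thread's original setup it would print two rows with different Server strings and one PROBLEM line per server group. After adding the IPv6 address to the vHost (or dropping the AAAA record) the problem list is empty.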

#3

Uh, shit. I was completely overlooking that setting in the settings dialog of my domain registrar.
Thank you!
Now the dry-run runs fine. How long do I have to wait to be able to retrieve a new certificate now?

It would be a nice touch to check these kinds of misconfigurations and give a hint. :slight_smile:


#4

You can try it now. Letsencrypt queries the authoritative name servers of the domain.


#5

Unfortunately it does not work. The first time I got the error was 42 minutes ago. Maybe I have to wait another 18 minutes until I can do it again.

certbot certonly --webroot --webroot-path /var/www/vhosts/weingut-dr-lawall.de -d weingut-dr-lawall.de -d www.weingut-dr-lawall.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

#6

This is another error.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

So you have to wait one hour.


#7

Yeah, I found that same link in the debug log. So if I understand correctly, that hour begins with the first failure. Then it should work again in a few minutes.

I registered many domains this way and every time there was no problem at all. I think that's why I didn't do a dry-run. I should consider doing this more often before acquiring the real certificate. :wink:


#8

It’s working now. thx

