Certificate issued for one subdomain, not for another

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
handel.gemmill.name
I ran this command:
sudo /usr/local/bin/certbot-auto certonly --standalone -d handel.gemmill.name
It produced this output:
Domain: handel.gemmill.name
Type: unauthorized
Detail: Invalid response from
http://handel.gemmill.name/.well-known/acme-challenge/Q821_uuBius64QST0PDLHOd-agtxfghp3Q9dJrFLVI0
[2001:8d8:1000:30d7:5bfb:a07d:d028:8023]: 204

My web server is (include version):
Server version: Apache/2.4.43 (Unix)
The operating system my web server runs on is (include version):
Mageia 7 5.5.15-desktop-3.mga7
My hosting provider, if applicable, is:
1and1
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.3.0
I recently renewed certificates for bach.gemmill.name and share.gemmill.name, resident on machine bach.gemmill.name. The A and AAAA records for the successful domains and the unsuccessful one appear identical.

1 Like

Hi @ggemmill

see your output. Your ipv6 sends a http status 204 - No Content. Looks like ipv6 is defined, but your webserver doesn't answer with the correct result.

Yep - checked your domain - https://check-your-website.server-daten.de/?q=handel.gemmill.name - you have ipv4 and ipv6:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| handel.gemmill.name | A | 78.141.12.8 Walsall/England/United Kingdom (GB) - Daisy Communications Hostname: 78-141-12-8.xdsl.murphx.net | yes | 1 | 0 |
| | AAAA | 2001:8d8:1000:30d7:5bfb:a07d:d028:8023 Rheinmuenster/Baden-Württemberg/Germany (DE) - SCHLUND | yes | | |
| www.handel.gemmill.name | A | 78.141.12.8 Walsall/England/United Kingdom (GB) - Daisy Communications Hostname: 78-141-12-8.xdsl.murphx.net | yes | 1 | 0 |
| | AAAA | | yes | | |

Looks like ipv4 and ipv6 have different machines, one in GB, one in DE. So that can't work.

Remove your ipv6 or (if exist) change to your correct ipv6.

1 Like

Thanks for a very prompt reply.

  1. Deleted the AAAA record and re-ran certbot-auto: same result
  2. Re-created the AAAA record. same result
  3. The "check-your-website" data for share.gemmill.name and bach.gemmill.name show the same difference between A and AAAA records; they were renewed successfully a couple of days ago

1 Like

DNS changes can take time to propagate. Did you get an error with an IPv4 address this time? Or still the IPv6 address? If it's the latter: please wait longer until the TTL for the AAAA record has expired. If it's the former: the error would be different that time, please include that different error message in your post.

Yes, your IPv6 is still doing remarkably weird things:

  • curl -Lv4 http://handel.gemmill.name/ gives a "It works!" result.
  • curl -Lv6 http://handel.gemmill.name/ gives a HTML redirect (which is weird enough without a HTTP redirect) to the URL "defaultsite";
  • curl -Lv4 http://handel.gemmill.name/.well-known/ gives a proper 404 File not found reply from the server with token "Apache/2.4.43 (Mageia) OpenSSL/1.1.0l PHP/7.3.16";
  • curl -Lv6 http://handel.gemmill.name/.well-known/ gives a 404 File not found reply from a webserver with token "Apache" and gives me links to the links /./ and /../ as documents found similar to my request..??
  • curl -Lv4 http://handel.gemmill.name/.well-known/acme-challenge/ gives a proper 404 again like the /.well-known/ path above for IPv4.
  • curl -Lv6 http://handel.gemmill.name/.well-known/acme-challenge/ gives the HTTP 204 error. But now it comes from a nginx/1.10.3 webserver according to the HTTP server header?!? What gives?

So in my opinion: your IPv6 is behaving very differently from your IPv4 address. It looks like it's a different server altogether.

I would recommend either fix your IPv6, fix the AAAA record or delete it again and wait for the deletion to propagate.

1 Like
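The manual `curl -4` / `curl -6` comparison from the post above, as an added example that is not part of the original thread: it fetches the challenge directory over each address family and reports where status code or `Server` header disagree. The function names are illustrative, and the two sample tuples are constructed from the values reported in the thread so the comparison runs offline.

```python
import http.client
import socket

CHALLENGE_DIR = "/.well-known/acme-challenge/"

# Constructed samples using the values reported in the thread for this path:
# (address, HTTP status, Server header)
SAMPLE_V4 = ("78.141.12.8", 404, "Apache/2.4.43 (Mageia) OpenSSL/1.1.0l PHP/7.3.16")
SAMPLE_V6 = ("2001:8d8:1000:30d7:5bfb:a07d:d028:8023", 204, "nginx/1.10.3")


def probe(host, family, path=CHALLENGE_DIR, timeout=10):
    """GET path over one address family; return (address, status, Server header)."""
    addr = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)[0][4][0]
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        # Connect to the literal address but send the real name in Host.
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return addr, resp.status, resp.getheader("Server", "")
    finally:
        conn.close()


def server_product(header):
    """'Apache/2.4.43 (Mageia) ...' -> 'apache'; empty header -> ''."""
    return header.split("/")[0].split(" ")[0].strip().lower()


def compare(v4, v6):
    """List the differences that suggest A and AAAA reach different servers."""
    findings = []
    if v4[1] != v6[1]:
        findings.append(f"status differs: {v4[0]} -> {v4[1]}, {v6[0]} -> {v6[1]}")
    if server_product(v4[2]) != server_product(v6[2]):
        findings.append(f"server differs: {v4[2]!r} vs {v6[2]!r}")
    return findings


def check(host):
    """Live check: probe both families and compare (needs network access)."""
    results = {}
    for name, family in (("v4", socket.AF_INET), ("v6", socket.AF_INET6)):
        try:
            results[name] = probe(host, family)
        except OSError as exc:  # no record, no route, refused, timeout
            return [f"IP{name} probe failed: {exc}"]
    return compare(results["v4"], results["v6"])


if __name__ == "__main__":
    for line in compare(SAMPLE_V4, SAMPLE_V6):
        print(line)
```

An empty list from `check("your.host.name")` means both address families gave the same status and server product for the challenge path; any finding is worth resolving before requesting a certificate.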

That's not possible.

Your error shows an ipv6 address and the http status 204 - No Content.

So if you remove your ipv6 correctly, you must have another error message.

PS: ns1104.ui-dns.com is one of your name servers.

Remove your AAAA record, then recheck your domain to see, if the AAAA is gone.

1 Like

Yes, I was a bit quick. I deleted the AAAA record, waited about 1 hour and tried again. You’re correct - the error message was different:
Domain: handel.gemmill.name
Type: unauthorized
Detail: Invalid response from
http://handel.gemmill.name/.well-known/acme-challenge/-AFHeDUl2Uhij8237IOJB5E75ymYV7ZLHxpbYyYqBDo
[78.141.12.8]: "<?xml version=“1.0”
encoding=“UTF-8”?>\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0
Strict//EN”\n “http://www.w3.org/TR/xhtml1/D”

What’s next? Do I have to get IONOS involved? I didn’t think there were IPv6 processes running on this machine, but I see from "Advanced (Network) Settings" that IPv6 is not disabled.
Thanks for your continuing help.
Graeme

1 Like

You’re using the standalone authenticator. Do you run certbot from the same server as where your Apache runs? I.e., 78.141.12.8?

1 Like

Yes. I remember from early experience with LetsEncrypt that if I selected the --apache option, I got a message saying that this option wasn’t tested with Mageia installations, so I used standalone.

1 Like

Perhaps anticipating the next suggestion, I restarted Apache and issued:
sudo /usr/local/bin/certbot-auto --apache -d handel.gemmill.name

Caused errors:
File: /etc/httpd/conf.d/le_http_01_challenge_pre.conf - Could not be found to be deleted
 - Certbot probably shut down unexpectedly
File: /etc/httpd/conf.d/le_http_01_challenge_post.conf - Could not be found to be deleted
 - Certbot probably shut down unexpectedly
An unexpected error occurred:
IOError: [Errno 2] No such file or directory: ‘/etc/httpd/conf.d/le_http_01_challenge_pre.conf’

On my system there is no /etc/httpd/conf.d/
There is however /etc/httpd/conf/conf.d/
However it doesn’t contain any *_pre.conf or *_post.conf files
Why is it an error if a file to be deleted isn’t there?

1 Like
