Challenge / token not copied to .well-known

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: m-it.care

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d m-it.care

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for m-it.care

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: m-it.care
Type: unauthorized
Detail: 2a01:238:20a:202:1093::: Invalid response from http://m-it.care/.well-known/acme-challenge/x51Lo8dGDJu7l5ssp3_ZLUHLW2TeJsS89uzEytj_XtM: "\n\n\nhttp://m-it.care/.well-known/acme-challenge/x51Lo8dGDJu7l5ssp3_ZLUHLW2TeJsS89uzEytj_XtM\n<meta http"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
The problem seems to be that the token is not generated under .well-known/acme-challenge/...
But when I manually create the token file in the folder .well-known/acme-challenge, I can access the file from the browser...

http://m-it.care/.well-known/acme-challenge/D-CSsqs6cKr3PJ3_U4Qrg7nss-oYR28q3uSBjgnAbrQ

mh@server:/var/www/html/.well-known/acme-challenge$ more /etc/apache2/sites-enabled/m-it.conf

<VirtualHost *:80>
    ServerName m-it.care
    ServerAlias www.m-it.care
    DocumentRoot /var/www/html
# added manually for debugging
    <Directory /var/www/html>
        AllowOverride All
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>

<Directory /var/www/html/.well-known>
    AllowOverride None
    Options None
    Require all granted
</Directory>


    ErrorLog ${APACHE_LOG_DIR}/m-it_error.log
    CustomLog ${APACHE_LOG_DIR}/m-it_access.log combined
</VirtualHost>

I even removed apache completely and reinstalled everything. I still get the same error.

My web server is (include version):
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-07-17T18:57:26

The operating system my web server runs on is (include version):
Linux Mint 21.2 Victoria \n \l

My hosting provider, if applicable, is: strato

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

letsencrypt.log:
https://ctxt.io/2/AAB4lkowEw

Hi @midt,

I have chosen 2 highly unlikely TOKENs (file names),
yet both times the HTTP response is HTTP/1.1 200 OK (200 OK - HTTP | MDN).
I highly expect that 404 Not Found (404 Not Found - HTTP | MDN) is what should be being returned.

$ curl -Ii http://m-it.care/.well-known/acme-challenge/xFMGDMzJdFgbw9gSmW7qjX9_-MVZf79Qw1_5P7QRnOi
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 18:47:32 GMT
Server: Apache/2.4.62 (Unix)
Vary: User-Agent
Accept-Ranges: bytes
Content-Type: text/html
$ curl -Ii http://m-it.care/.well-known/acme-challenge/IfkHpItue0yTYTiUSb6G_s0Gbmec7ul-mtRlFOBL3xq
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 18:47:43 GMT
Server: Apache/2.4.62 (Unix)
Vary: User-Agent
Accept-Ranges: bytes
Content-Type: text/html
1 Like

That's not the webserver that is responding to requests for m-it.care. As you can see from Bruce's return headers, there's an Apache version 2.4.62 responding.

It responds with some ancient <frameset> redirect thingy to http://server.bc9xamf4lhwkdxiy.myfritz.net/, does that ring a bell?

By the way, who uses <frameset>s nowadays?! I thought those things died out decades ago! Maybe it's some Strato URL redirect """feature"""?

If you need that server.bc9xamf4lhwkdxiy.myfritz.net hostname for some reason, it's probably better to add it as a CNAME to your domain. Although CNAMEs are not permitted as the 'apex' domain unfortunately. Maybe use a DNAME or ANAME?

2 Likes

Here details on Apache can be found in documentation and forums:

1 Like

NB, your router and your server behind it in your lan have two different public IPv6 addresses.

2 Likes

Yes :blush: Thank you so much!
This is actually my server responding. As far as I know Strato uses frames to forward to my server. I will try to change that right now. I am not a web developer. That's why I need to check first what the provider Strato allows. If you have a good hint which provider I should use (private server with private IP address) I could also move the domain there.

I changed the configuration for my url m-it.care within the provider Strato to "301" forwarding to my router http://server.bc9xamf4lhwkdxiy.myfritz.net. This router then forwards to the server. Probably this all does not work with a certificate for this domain, right?

That's to be expected for IPv6.

The "301" forwarding actually does work with Let's Encrypt. Please try again to get a certificate.

With regard to IPv6, maybe adding to what @9peppe also mentioned: Let's Encrypt does prefer IPv6 above IPv4, but your website is not working when accessed over IPv6. Please fix the IPv6 connectivity to your server.

now I get this error message: Detail: 81.169.145.93: Fetching http://server.bc9xamf4lhwkdxiy.myfritz.net/.well-known/acme-challenge/XTUUeuJg7ROhUnyAUpRT10atSkOJZghCc6pdS7IOroc: Redirect loop detected

Weird, because I'm seeing 188.174.175.79 as the IP address for that hostname, not 81.169.145.93.

Maybe LE has some old IP address cached.. (I believe LE caches DNS results for a very short time.)

Nevermind, it's probably a bug in Let's Encrypt's server software where it takes the IP address from m-it.care and outputs the hostname from the redirect.. Weird.. Anyway, I can't reproduce the redirect loop currently, as I'm getting a 404 file not found. Can you keep the challenge "active" with --debug-challenges please?

1 Like

done: Detail: 81.169.145.93: Fetching http://m-it.care/web/.well-known/acme-challenge/HLCSB1xf_TWizbeX5Lt2WJLzRU-D4MXXprUonvx31WU: Redirect loop detected

No, not "done".

With "keep the challenge active" I meant to NOT press any key to attempt to validate the challenge.

By the way, where does that /web/ come from?!

2 Likes
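The two checks the thread runs by hand, Bruce's "a token nobody created must answer 404, not 200" curl probe and the redirect-loop report above, can be scripted so they run once over IPv4 and once over IPv6 (the thread notes Let's Encrypt prefers IPv6 and that router and server had different IPv6 addresses). The script below is an added example for this thread, not certbot or Let's Encrypt code. The host names catchall.example, loop.example and good.example and the responses behind them are constructed stand-ins modelled on what the thread saw; the real transport is only used when a host is given on the command line.

```python
#!/usr/bin/env python3
"""Probe how a host answers HTTP-01 challenge URLs: per address family,
with a never-created token (expect 404) and with redirect-loop detection.
Added example for this thread, not part of certbot or Let's Encrypt."""
import http.client
import secrets
import socket
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def random_token() -> str:
    # 43 base64url chars, like an ACME token; nobody created this file, so 404 is the right answer.
    return secrets.token_urlsafe(32)


def probe(fetch, url, max_hops=10):
    """Follow redirects from url using fetch(url) -> Response. Returns (verdict, chain).
    ok: final hop answers 404 for a non-existent token (the directory is really being served)
    catch_all: final hop answers 200, so something else (frameset page, index, ...) is answering
    redirect_loop: a URL came back a second time; too_many_hops / unexpected: everything else"""
    chain = [url]
    for _ in range(max_hops):
        resp = fetch(url)
        if resp.status in REDIRECTS:
            location = resp.headers.get("Location")
            if not location:
                return "unexpected", chain
            url = urljoin(url, location)          # Location may be relative
            chain.append(url)
            if chain.count(url) > 1:
                return "redirect_loop", chain
            continue
        if resp.status == 404:
            return "ok", chain
        if resp.status == 200:
            return "catch_all", chain
        return "unexpected", chain
    return "too_many_hops", chain


def make_transport(family, timeout=10):
    """fetch() pinned to an IPv4 (socket.AF_INET) or IPv6 (socket.AF_INET6) address of the
    URL's host, never following redirects itself. https hops are fetched by hostname instead."""
    def fetch(url):
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        if parts.scheme == "https":
            conn = http.client.HTTPSConnection(host, parts.port or 443, timeout=timeout)
        else:
            addr = socket.getaddrinfo(host, parts.port or 80, family, socket.SOCK_STREAM)[0][4][0]
            literal = f"[{addr}]" if family == socket.AF_INET6 else addr  # bracket IPv6 literals
            conn = http.client.HTTPConnection(literal, parts.port or 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-path-probe"})
        r = conn.getresponse()
        headers = {k.title(): v for k, v in r.getheaders()}
        r.read()
        conn.close()
        return Response(r.status, headers)
    return fetch


def constructed_transport():
    """Offline stand-in for fetch(), constructed to mirror the thread's symptoms."""
    def fetch(url):
        parts = urlsplit(url)
        if parts.netloc == "catchall.example":   # forwarding frame page: 200 for every path
            return Response(200, {"Content-Type": "text/html"})
        if parts.netloc == "loop.example":       # /web/ prefix bounced back and forth
            if parts.path.startswith("/web/"):
                return Response(301, {"Location": "http://loop.example" + parts.path[len("/web"):]})
            return Response(301, {"Location": "http://loop.example/web" + parts.path})
        if parts.netloc == "good.example":       # webroot served, unknown token -> 404
            return Response(404)
        return Response(503)
    return fetch


def diagnose(host, transports):
    """Run the probe once per named transport, e.g. {'IPv4': ..., 'IPv6': ...}."""
    url = f"http://{host}{ACME_PREFIX}{random_token()}"
    results = {}
    for name, fetch in transports.items():
        try:
            results[name] = probe(fetch, url)
        except OSError as exc:                   # no address of that family, refused, timeout
            results[name] = ("unreachable", [f"{url} ({exc})"])
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        transports = {"IPv4": make_transport(socket.AF_INET), "IPv6": make_transport(socket.AF_INET6)}
    else:
        host, transports = "loop.example", {"offline": constructed_transport()}
    for name, (verdict, chain) in diagnose(host, transports).items():
        print(f"{name}: {verdict}  " + " -> ".join(chain))
```

Run with a hostname to probe a live site over both families; a catch_all verdict is the thread's first symptom (a frame-forwarding page answering 200 instead of the webroot), a redirect_loop with a /web/ hop in the chain is the second, and an unreachable IPv6 result next to a working IPv4 one is the connectivity gap that makes Let's Encrypt, which tries IPv6 first, fail.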

I started the command again without pressing enter

Can you please provide the actual challenge URL? You might need to use -v to see it.

(Which is kinda a stupid requirement.. Why would anyone run --debug-challenges without the need to see the actual URL.. The -v is IMO kinda an unnecessary requirement..)

2 Likes

mh@server:/var/www/html$ sudo certbot --apache -d m-it.care -d www.m-it.care --debug-challenges -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for m-it.care and www.m-it.care
Performing the following challenges:
http-01 challenge for m-it.care
http-01 challenge for www.m-it.care


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

No mentioning of the actual challenge URLs? That's weird.. You've used -v as it requests.. You should have been given some extra information.

Like this, right: sudo certbot --apache -d m-it.care -d www.m-it.care --debug-challenges -v

Yes, that should have worked..

Also, why did you change to --apache? That might complicate things and be the reason of the redirect loop.

Okay, changed that:
mh@server:/var/www/html$ sudo certbot certonly --webroot -w /var/www/html -d m-it.care -v --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for m-it.care
Performing the following challenges:
http-01 challenge for m-it.care
Using the webroot path /var/www/html for all unmatched domains.


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue