Challenge failed "404 unauthorised" but challenge file publicly accessible

PARAMETERS

My domain is: flowmastr.io

I ran this command: certbot --debug-challenges -v

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator None and installer None
Apache version is 2.4.6
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f23c1c5d710>
Prep: True
Selected authenticator <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f23c1c5d710> and installer <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f23c1c5d710>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/69605428', new_authzr_uri=None, terms_of_service=None), 943c3bccbb1437fbfeac33cbd1bf32d0, Meta(creation_host=u'dev.centipod.nl', register_to_eff=None, creation_dt=datetime.datetime(2019, 10, 17, 6, 57, 5, tzinfo=<UTC>)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
"GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Wed, 12 Aug 2020 19:19:49 GMT
x-frame-options: DENY
content-type: application/json
{
"7uklym-2q5w": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
*snip*
10: flowmastr.io
11: www.flowmastr.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): **10**
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0193_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0193_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
"HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Wed, 12 Aug 2020 19:19:55 GMT
x-frame-options: DENY
replay-nonce: *snip*
Storing nonce: *snip*
JWS payload:
{
"identifiers": [
{
"type": "dns",
"value": "flowmastr.io"
}
]
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "*snip*",
"payload": "*snip*",
"signature": "*snip*"
}
"POST /acme/new-order HTTP/1.1" 201 342
Received response:
HTTP 201
content-length: 342
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/69605428/4655291397
boulder-requester: 69605428
date: Wed, 12 Aug 2020 19:19:55 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: *snip*
{
  "status": "pending",
  "expires": "2020-08-19T19:19:55.339695005Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "flowmastr.io"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6491024497"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/69605428/4655291397"
}
Storing nonce: *snip*
JWS payload: 
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6491024497:
{
  "protected": "*snip*", 
  "payload": "", 
  "signature": "*snip*"
}
"POST /acme/authz-v3/6491024497 HTTP/1.1" 200 790
Received response:
HTTP 200
content-length: 790
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 69605428
date: Wed, 12 Aug 2020 19:19:55 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: *snip* 
{
  "identifier": {
    "type": "dns",
    "value": "flowmastr.io"
  },
  "status": "pending",
  "expires": "2020-08-19T19:19:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/xMUVeg",
      "token": "P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/HoRvew",
      "token": "P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/9uky0g",
      "token": "P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw"
    }
  ]
}
Storing nonce: 01022GGPi02lnV7NXKBpt0mSADRiuHOgCTq7X4kw4a3Y3HU
Performing the following challenges:
http-01 challenge for flowmastr.io
Adding a temporary challenge validation Include for name: flowmastr.io in: /etc/httpd/conf.d/vhosts.conf
writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
Creating backup of /etc/httpd/conf.d/vhosts.conf
Waiting for verification... 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
JWS payload:
{}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/xMUVeg:
{
  "protected": "*snip*", 
  "payload": "e30", 
  "signature": "*snip*"
}
"POST /acme/chall-v3/6491024497/xMUVeg HTTP/1.1" 200 185
Received response:
HTTP 200
content-length: 185
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/6491024497>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/xMUVeg
boulder-requester: 69605428
date: Wed, 12 Aug 2020 19:20:01 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: *snip* 
{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/xMUVeg",
  "token": "P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw"
}
Storing nonce: *snip*
JWS payload: 
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6491024497:
{
  "protected": "*snip*", 
  "payload": "", 
  "signature": "*snip*"
}
"POST /acme/authz-v3/6491024497 HTTP/1.1" 200 1267
Received response:
HTTP 200
content-length: 1267
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 69605428
date: Wed, 12 Aug 2020 19:20:03 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: *snip* 
{
  "identifier": {
    "type": "dns",
    "value": "flowmastr.io"
  },
  "status": "invalid",
  "expires": "2020-08-19T19:19:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://flowmastr.io/.well-known/acme-challenge/P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw [2a02:2268:ffff:ffff::4]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6491024497/xMUVeg",
      "token": "P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw",
      "validationRecord": [
        {
          "url": "http://flowmastr.io/.well-known/acme-challenge/P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw",
          "hostname": "flowmastr.io",
          "port": "80",
          "addressesResolved": [
            "185.57.8.212",
            "2a02:2268:ffff:ffff::4"
          ],
          "addressUsed": "2a02:2268:ffff:ffff::4"
        }
      ]
    }
  ]
}
Storing nonce: *snip*
Challenge failed for domain flowmastr.io
http-01 challenge for flowmastr.io
Reporting to user: The following errors were reported by the server: 
Domain: flowmastr.io
Type:   unauthorized
Detail: Invalid response from http://flowmastr.io/.well-known/acme-challenge/P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw [2a02:2268:ffff:ffff::4]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p" 
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed. 
Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.6.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1353, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1102, in run
    certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 418, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 351, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 398, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Some challenges have failed. 
IMPORTANT NOTES:
 - The following errors were reported by the server: 
   Domain: flowmastr.io
   Type:   unauthorized
   Detail: Invalid response from
   http://flowmastr.io/.well-known/acme-challenge/P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw
   [2a02:2268:ffff:ffff::4]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD
   HTML 2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p" 
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7.8.2003

My hosting provider, if applicable, is: host net.nl

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.6.0

PROBLEM

Facts:

• The given IP address is valid for the domain name and the HTTP content can be accessed
• When the certbot script pauses halfway the file http://flowmastr.io/.well-known/acme-challenge/P0ms_bl0-YWc8mdUQUPFeLPHvuzeUevJ2Ne7I70pyTw CAN be accessed through a browser
• The script continues to EXIT abnormally

Request:

• I have been ploughing the internet for days now to figure out what is going wrong before creating a new request but I have not found anything similar. Am I missing something?

Thanks!

Do you mean the IPv6 address or the IPv4 address? Because I'm getting different results when I switch between IPv4 and IPv6.. The IPv6 has some kind of domain placeholder from Hostnet saying somebody beat me to it and with curl I'm getting a whole different HTML page through IPv4..

So please configure your DNS and/or server properly.

Hi @cschuit

please read your check, ~~2,5 hours old - https://check-your-website.server-daten.de/?q=flowmastr.io

Answer non-www + ipv4:

Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.20

Answer non-www + ipv6:

Visible Content: Not Found The requested URL was not found on this server.

Server: Apache

Different server headers -> that's fatal. So if you see the correct result via ipv4, ipv6 is wrong. That's critical because Letsencrypt prefers ipv6.

Thanks for the quick response. I am going to work with your suggestions and will report the outcome here.

Christian

And we have lift-off.

Apparently, of the 14 domains I have with this provider and all of which worked fine with Lets Encrypt, this one domain did not have the AAAA DNS records set properly. I had rules that out because all the other domains were working fine and were configured using the same process.

Thank you very much for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.