Challenge failed but apache logs indicate success for the validation 200

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot certonly
It produced this output:
Waiting for verification…
Challenge failed for domain
Challenge failed for domain
http-01 challenge for
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

My web server is (include version):
apache2 fedora httpd-2.4.41-6.1.fc30

The operating system my web server runs on is (include version):
Fedora 30

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.0.0

Web server logs (showing the 200 status) - - [04/Mar/2020:15:49:19 -0500] “GET /.well-known/acme-challenge/GdRnB3AWUJbV2l8cmqMDjg-AVHFsR3W5HvMMcbEhjN4 HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +” - - [04/Mar/2020:15:49:19 -0500] “GET /.well-known/acme-challenge/AOaPdnNJ6utcnpKSwP71kdETAMSHMIcjUwNToKfnZDU HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +”

$ dig -x

$ dig

1 Like

You should be getting 4 requests per challenge URL (subject to change), all from different IP addresses. The others come from AWS at the moment, but that’s also subject to change.

You’re not whitelisting IPs, are you?

Reviewing this might help: ACME v1/v2: Validating challenges from multiple network vantage points

Could you also show the validation error from Certbot? Is it a timeout, wrong content, etc?

1 Like

Thanks very much for the quick reply.

I don’t whitelist, but I do blacklist and AWS is definitely blacklisted, since AWS is a huge source of all sorts of ungood traffic.

I opened up port 80, to everything and it worked. So I’ll have to remember to unrestrict while I’m renewing. Already had one for the TLD and the renewal was fine in Jan.
Guess I’ll have to open things from for tcp:80 up for the renewals. Its the only legit traffic I would ever get from AWS. At least know I know I need to do that.

Thanks again.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.