Challenge failed for domain

My domain is: www.hemotrans.com.ar

I ran this command: certbot -v

It produced this output:
http-01 challenge for www.hemotrans.com.ar
Waiting for verification...
Challenge failed for domain www.hemotrans.com.ar
http-01 challenge for www.hemotrans.com.ar

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.hemotrans.com.ar
Type: unauthorized
Detail: 2a02:4780:b:1058:0:e1c:bcb8:2: Invalid response from http://www.hemotrans.com.ar/.well-known/acme-challenge/mGyHEzG5jkuw6ESGAZWVI58OlTdDHp2JSSiSzDXwcXc: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.56 (Debian)
Server built: 2023-04-02T03:06:01

The operating system my web server runs on is (include version):
Debian v11.9

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, I have a VPS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

My problem is that certbot does not generate the ".well-known" folder.
I am executing the certbot command as the root user;
ServerRoot permissions on "/var/www/html/api-rest" are www-data.

Welcome to the community @ggomez

No, I don't think that is the problem. Your IPv6 address (the DNS AAAA record) points to a LiteSpeed server. Your IPv4 address (A record) points to Apache.

Let's Encrypt prefers IPv6 when the AAAA is present. You should update the AAAA record to be the public IP of your Apache server.

There are many ways to find it. One is to run this command on the Apache machine:

curl -6 https://ifconfig.io

Also see


Also, if your Apache server simply does not have an IPv6 address, you can remove the AAAA record from your DNS records to avoid confusing IPv6-enabled apps. Currently, if a user browsed to your website from an IPv6-enabled machine, they would get the wrong website.


Aside from the incorrect IPv6 address, the IPv4 address has an HTTPS issue:

HTTP port

curl -Ii4 http://www.hemotrans.com.ar/
HTTP/1.1 200 OK
Date: Wed, 21 Feb 2024 04:37:21 GMT
Server: Apache/2.4.56 (Debian)
Last-Modified: Tue, 20 Feb 2024 22:20:49 GMT
ETag: "3377-611d79f6163e8"
Accept-Ranges: bytes
Content-Length: 13175
Vary: Accept-Encoding
Cache-Control: max-age=7200, no-cache
Content-Type: text/html

HTTPS port

curl -Ii4 https://www.hemotrans.com.ar/
curl: (35) error:0A00010B:SSL routines::wrong version number

curl -Ii4 http://www.hemotrans.com.ar:443/
HTTP/1.1 200 OK
Date: Wed, 21 Feb 2024 04:37:23 GMT
Server: Apache/2.4.56 (Debian)
Content-Type: text/html;charset=UTF-8

Let's start to fix this problem by having a look at:

sudo apachectl -t -D DUMP_VHOSTS

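The two replies above describe the failure mode (the CA validates over IPv6 when an AAAA record exists, so the challenge file written on the IPv4 Apache host is fetched from the IPv6 LiteSpeed host) and the per-family curl probes used to confirm it. The following script is an added example, not code from the thread or from Certbot: it extracts the validating address from certbot's "Detail:" line, resolves A and AAAA through the system resolver, sends a HEAD for an assumed probe path to each family directly, and compares the Server headers. The probe path and the script's function names are assumptions.

```python
import http.client
import ipaddress
import re
import socket
import sys

# Certbot's "Detail:" line starts with the address the CA actually validated against.
DETAIL_RE = re.compile(r"^Detail:\s*(\S+?):\s*Invalid response from (\S+):\s*(\d{3})")

def parse_detail(line):
    """Return (ip_version, url, http_status) from a certbot 'Detail:' line, or None."""
    m = DETAIL_RE.match(line.strip())
    if not m:
        return None
    addr, url, status = m.groups()
    return ipaddress.ip_address(addr).version, url, int(status)

def resolve(host):
    """A and AAAA addresses via the system resolver (a cache may lag the zone the CA sees)."""
    out = {4: set(), 6: set()}
    for fam, *_, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        out[4 if fam == socket.AF_INET else 6].add(sockaddr[0])
    return {v: sorted(a) for v, a in out.items() if a}

def head_via(ip, host, path, port=80, timeout=10):
    """HEAD http://host/path sent straight to one address; returns (status, Server header)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.putrequest("HEAD", path, skip_host=True)
    conn.putheader("Host", host)
    conn.endheaders()
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Server", "")

def diagnose(per_family):
    """per_family maps 4/6 -> (status, server). The CA prefers IPv6 when an AAAA exists."""
    if 6 not in per_family:
        return "ipv4-only"
    v4, v6 = per_family.get(4), per_family[6]
    if v4 is None:
        return "ipv6-only"
    # Different software per family, or a 404 on just one of them, means the
    # challenge file was written on a host the CA never contacted.
    if v4[1].split("/")[0] != v6[1].split("/")[0] or (v4[0] != v6[0] and 404 in (v4[0], v6[0])):
        return "mismatch"
    return "consistent"

if __name__ == "__main__":  # usage: python check_dualstack.py www.example.com
    host, path = sys.argv[1], "/.well-known/acme-challenge/probe"  # probe path is an assumption
    results = {v: head_via(a[0], host, path) for v, a in resolve(host).items()}
    print(results, diagnose(results))
```

On the original poster's setup this would report Apache on the A record and LiteSpeed on the AAAA record, i.e. "mismatch"; after the AAAA fix both families should answer with the same Server header.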

Thanks for the help, I corrected the AAAA record by adjusting the IPv6 address for my domain.

