Challenge fails despite good conf [solved]

I am running OpenBSD 5.8 and am now trying to renew certificates, and it fails whatever client or ACME server (staging or prod) I try.

Here it is with acme-tiny:

stephane@blackblock:/var/www/www.22decembre.eu doas -u le /var/le/generate www.22decembre.eu 
doas (stephane@blackblock.22decembre.eu) password: 
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................++
............................................................................................................................................................................................++
e is 65537 (0x10001)
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.22decembre.eu...
Traceback (most recent call last):
  File "/var/le/acme-tiny/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/var/le/acme-tiny/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/var/le/acme-tiny/acme_tiny.py", line 149, in get_crt
    domain, challenge_status))
ValueError: www.22decembre.eu challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.22decembre.eu/.well-known/acme-challenge/ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ', u'hostname': u'www.22decembre.eu', u'addressUsed': u'90.185.111.213', u'port': u'80', u'addressesResolved': [u'90.185.111.213']}], u'keyAuthorization': u'ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ.L4TPRmCy6xGjPSjU2Xzk1Yq6IDS9Z3hiv2ASxM1z42s', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/65TH7qDYiXRxcGpTFixP8LSMOX-ogpthaQF9OSFLiJw/1336745', u'token': u'ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ', u'error': {u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.22decembre.eu/.well-known/acme-challenge/ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ [90.185.111.213]: 404'}, u'type': u'http-01'}

This one with letsacme:

stephane@blackblock:/home/stephane/letsacme doas python letsacme.py --no-chain --account-key /var/le/master.key  --csr /var/le/domains/www.22decembre.eu/cu>
doas (stephane@blackblock.22decembre.eu) password: 
Parsing account key...
Parsing CSR...
CN: www.22decembre.eu
Registering account...
Already registered!
Verifying www.22decembre.eu...
www.22decembre.eu challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.22decembre.eu/.well-known/acme-challenge/yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ', u'hostname': u'www.22decembre.eu', u'addressUsed': u'90.185.111.213', u'port': u'80', u'addressesResolved': [u'90.185.111.213']}], u'keyAuthorization': u'yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ.L4TPRmCy6xGjPSjU2Xzk1Yq6IDS9Z3hiv2ASxM1z42s', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/y8xr56unkvO00RAwpJCqOAfkCA5y1rgVSD7XsRXP6hs/17564408', u'token': u'yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ', u'error': {u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.22decembre.eu/.well-known/acme-challenge/yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ [90.185.111.213]: 404'}, u'type': u'http-01'}

Yet, when I check, I can write a random text file as the user, then download it from another computer:

stephane@luciole:~$ wget http://www.22decembre.eu/.well-known/acme-challenge/t
--2016-02-17 12:21:32--  http://www.22decembre.eu/.well-known/acme-challenge/t
Résolution de www.22decembre.eu (www.22decembre.eu)… 2001:16d8:dd00:8207::, 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0, 2001:16d8:dd00:207::2, ...
Connexion à www.22decembre.eu (www.22decembre.eu)|2001:16d8:dd00:8207::|:80… connecté.
requête HTTP transmise, en attente de la réponse… 200 OK
Taille : 34 [application/octet-stream]
Sauvegarde en : « t.1 »

100%[=============================================================>] 34          --.-K/s   ds 0s      

Any idea?

I’m able to fetch http://www.22decembre.eu/.well-known/acme-challenge/t when using IPv6, but it’s not working for IPv4.

wget -4 http://www.22decembre.eu/.well-known/acme-challenge/t
--2016-02-17 15:08:59--  http://www.22decembre.eu/.well-known/acme-challenge/t
Resolving www.22decembre.eu... 90.185.111.213
Connecting to www.22decembre.eu|90.185.111.213|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-02-17 15:09:00 ERROR 404: Not Found.

I’m pretty sure IPv4 is used by Let’s Encrypt to perform the validation. Something wrong with your web server configuration perhaps?

That explains the whole thing. Even though it’s weird, 'cause my website is reachable by IPv4-only without trouble.

Thanks.

It made it. Thank you so much.
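
The per-family check from the reply above, extended to every address the name resolves to, as an added example that is not part of the original thread or of acme-tiny/letsacme. The function names are hypothetical, and SAMPLE is constructed from the two wget results quoted in the thread.

```python
import http.client
import socket
import sys

# Constructed from the two wget runs quoted in the thread: (family, address, HTTP status).
SAMPLE = [("IPv6", "2001:16d8:dd00:8207::", 200), ("IPv4", "90.185.111.213", 404)]

def resolve(host, port=80):
    """Return the addresses the name resolves to, grouped by address family."""
    found = {"IPv4": [], "IPv6": []}
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this family
        found[label] = sorted({info[4][0] for info in infos})
    return found

def probe(addr, host, path, port=80, timeout=10):
    """GET path from one specific address, sending the site name as Host."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return "error: %s" % exc
    finally:
        conn.close()

def mismatches(results):
    """Every address that did not answer 200, whichever family it belongs to."""
    return [r for r in results if r[2] != 200]

def check(host, path, port=80):
    """Probe the path on each resolved address; return (all results, failures)."""
    results = [(family, addr, probe(addr, host, path, port))
               for family, addrs in resolve(host, port).items() for addr in addrs]
    return results, mismatches(results)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py HOST /.well-known/acme-challenge/FILE
        results, bad = check(sys.argv[1], sys.argv[2])
    else:
        results, bad = SAMPLE, mismatches(SAMPLE)
    for family, addr, status in results:
        print("%-4s %-40s %s" % (family, addr, status))
    sys.exit(1 if bad else 0)
```

Run it with a test file placed in the challenge directory before requesting a certificate; a non-zero exit means at least one address serves something other than what the other addresses serve.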