Challenge on IPv6 failed (404)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
os-plus.org

Hostname is:
b4x.os-plus.org

I ran this command:
certbot --apache --test-cert --staging

It produced this output:
root@bodi:~# certbot --apache --test-cert --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: b4x.os-plus.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for b4x.os-plus.org
Performing the following challenges:
http-01 challenge for b4x.os-plus.org
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain b4x.os-plus.org
http-01 challenge for b4x.os-plus.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: b4x.os-plus.org
  Type: unauthorized
  Detail: During secondary validation: Invalid response from
  http://b4x.os-plus.org/.well-known/acme-challenge/fz8DOiUOQfxtkerW2WGYRYGp-vdOI0dQ88L20AXGzAA
  [2003:a:70c:7001:20c:29ff:fe90:c58d]: 404

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version):
Apache/2.4.53 (Debian)

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:
Self hosted in a VM.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

Firewall setup
I am using Opnsene and configured port forwarding 80 and 443 to this system.
Tested from outside several times. OK

DNS / IPv6
I am using IPv4 and IPv6 on the LAN card.
Only the IPv6 address is used as this is my public IP address for this system to use.
It has a proper reverse mapping entry which is working also.
root@bodi:~# host b4x.os-plus.org
b4x.os-plus.org has IPv6 address 2003:a:70c:7001:20c:29ff:fe90:c58d
root@bodi:~# host 2003:a:70c:7001:20c:29ff:fe90:c58d
d.8.5.c.0.9.e.f.f.f.9.2.c.0.2.0.1.0.0.7.c.0.7.0.a.0.0.0.3.0.0.2.ip6.arpa domain name pointer b4x.os-plus.org.

As the IP reverse DNS is setup and working I do not understand why I get 404.

I checked the certbot documentation and the let's encrypt documentation but found nothing.
I checked the forum and found some entries with similar situations but there the problem was the DNS reverse entry which I have.

I use staging as I learned about the rate limit.

Did I miss something?

Best regards

--Christian

This smells like a race condition.

You should probably try again.

also, check from the server if the ip address is right: curl -6 ifconfig.co

I tried it many times on some days before I opened this thread.

"During secondary validation" means that the validation works the first time but the second, third, and fourth connections fail (at least two). Is your firewall interfering with that?

Is your firewall interfering with that?
I am not sure if I understand it correctly.

The firewall nat and rules allow all http and https traffic from the internet to this system via the IPv6 address. There are no restrictions. At least I am not known to some.

When I used some external sites to test the ports and DNS there were no problems.

I don't know why, but two different servers are responding on your IP:

root@Quake:~# curl -IL http://b4x.os-plus.org/
HTTP/1.1 200 OK
Date: Sun, 17 Apr 2022 14:49:44 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 24 Nov 2020 19:40:30 GMT
ETag: "29cd-5b4df7bc0f680"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

root@Quake:~# curl -IL http://b4x.os-plus.org/
HTTP/1.1 200 OK
Date: Sun, 17 Apr 2022 14:49:46 GMT
Server: Apache/2.4.53 (Debian)
Last-Modified: Wed, 06 Apr 2022 14:30:45 GMT
ETag: "75a-5dbfd34fd566d"
Accept-Ranges: bytes
Content-Length: 1882
Vary: Accept-Encoding
Content-Type: text/html

Hm ...

I have an default entry for the domain os-plus.org which point to the system with the apache 2.4.38.

But why this happens?

From my understanding the default entry should only become active when there is no configured dns entry. In this case the dns entry b4x.os-plus.org is configured.

one is

<title>Apache2 Debian Default Page: It works</title>

and the other

<title>Christian Jeannot - Open Source Apps</title> 

It's not even the same server, they are two different Apache versions.

Yes this is true as these are 2 different VMs with different IPs.

I will check this with the DNS provider.
I also will check the firewall setup with the OPNsense community. Just to be sure that my setup is ok.

Many thanks. It is a bit more clear now.

I will keep this post updated so it may help other people with a similar setup.
It may take some days as I am a few days offline (vacation )

with ipv6 you can use a different address for each vm, you probably don't need to use a host-based proxy.

Is there any GeoLocation type blocking?

No. There is no GeoLocation type blocking.

As I am using several systems with a web service I have changed my setup.
I have updated my firewall configuration and using now haproxy as a reverse proxy.
Now it is working.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.