Error at "request Certificate"

Hello, I need some help. I have just freshly installed the server, because we want to use LAMP instead of Nginx. Under Nginx and Virtualmin we had received a certificate.

My domain is: meatec-intranet.de

I ran this command: Virtualmin GUI (LAMP) to request a certificate

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for meatec-intranet.de
Using the webroot path /home/meatec-intranet/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain meatec-intranet.de
http-01 challenge for meatec-intranet.de
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for meatec-intranet.de
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain meatec-intranet.de
dns-01 challenge for meatec-intranet.de
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: meatec-intranet.de
    Type: unauthorized
    Detail: No TXT record found at _acme-challenge.meatec-intranet.de

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04 lts

My hosting provider, if applicable, is: netcup with a netcup root server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Control Panel, Version: I don't know, but the newest.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I have 2 Log Files from Apache

52.28.236.88 - - [11/Oct/2020:21:41:54 +0200] "GET /.well-known/acme-challenge/2_UY-T5k8YMVNs1pTurTjJJzPrUHOZLc0GTch4YEk4M HTTP/1.1" 200 294 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.22.70.135 - - [11/Oct/2020:21:41:55 +0200] "GET /.well-known/acme-challenge/2_UY-T5k8YMVNs1pTurTjJJzPrUHOZLc0GTch4YEk4M HTTP/1.1" 200 294 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [11/Oct/2020:21:41:55 +0200] "GET /.well-known/acme-challenge/2_UY-T5k8YMVNs1pTurTjJJzPrUHOZLc0GTch4YEk4M HTTP/1.1" 200 292 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [11/Oct/2020:21:41:56 +0200] "GET /.well-known/acme-challenge/2_UY-T5k8YMVNs1pTurTjJJzPrUHOZLc0GTch4YEk4M HTTP/1.1" 200 292 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
177.240.216.193 - - [11/Oct/2020:21:53:59 +0200] "GET / HTTP/1.1" 200 985984 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
1.34.18.123 - - [11/Oct/2020:22:02:01 +0200] "GET / HTTP/1.1" 400 0 "-" "-"
213.202.223.223 - - [11/Oct/2020:22:02:08 +0200] "POST /goform/webLogin HTTP/1.1" 404 397 "http://45.157.176.40:80/login_inter.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
118.189.139.212 - - [11/Oct/2020:22:02:46 +0200] "GET /login/ HTTP/1.1" 404 1847 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
118.189.139.212 - - [11/Oct/2020:22:02:48 +0200] "POST /login/ HTTP/1.1" 404 1847 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
118.189.139.212 - - [11/Oct/2020:22:02:49 +0200] "POST /login//xmlrpc.php HTTP/1.1" 404 1847 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
1.34.18.123 - - [11/Oct/2020:22:05:34 +0200] "GET / HTTP/1.1" 400 0 "-" "-"


[Sun Oct 11 21:41:41.726293 2020] [ssl:warn] [pid 48130] AH01906: meatec-intranet.de:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Oct 11 21:43:46.141190 2020] [ssl:warn] [pid 48130] AH01906: meatec-intranet.de:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Hi @acer2k

Checking your domain, you have ipv4 and ipv6 - see https://check-your-website.server-daten.de/?q=meatec-intranet.de

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| meatec-intranet.de | A | 45.157.176.40 Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH Hostname: v220201075330129175.powersrv.de | yes | 1 | 0 |
| | AAAA | 2a03:4000:4b:eb4:5415:e4ff:fe48:ded4 Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH | yes | | |
| www.meatec-intranet.de | A | 45.157.176.40 Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH Hostname: v220201075330129175.powersrv.de | yes | 1 | 0 |
| | AAAA | 2a03:4000:4b:eb4:5415:e4ff:fe48:ded4 Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH | yes | | |

But your ipv6 sends different content.

K https://meatec-intranet.de/ 45.157.176.40, Status 200
https://meatec-intranet.de/ 2a03:4000:4b:eb4:5415:e4ff:fe48:ded4, Status -4
configuration problem - different ip addresses with different status
K https://www.meatec-intranet.de/ 45.157.176.40, Status 200
https://www.meatec-intranet.de/ 2a03:4000:4b:eb4:5415:e4ff:fe48:ded4, Status -4
configuration problem - different ip addresses with different status
K http://meatec-intranet.de:443/ 45.157.176.40, Status 400
http://meatec-intranet.de:443/ 2a03:4000:4b:eb4:5415:e4ff:fe48:ded4, Status 200
configuration problem - different ip addresses with different status
K http://www.meatec-intranet.de:443/ 45.157.176.40, Status 400
http://www.meatec-intranet.de:443/ 2a03:4000:4b:eb4:5415:e4ff:fe48:ded4, Status 200
configuration problem - different ip addresses with different status

Looks like your Virtualmin doesn't answer with ipv6.

So

  • remove the ipv6 (or, better)
  • change your Virtualmin, so ipv6 works

Checking your domain, Letsencrypt prefers ipv6, so that's critical.
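
The per-address comparison described in the answer above (same URL requested on the A and on the AAAA address, then compared), as an added example that is not part of the original thread. The helper names `resolve`, `fetch` and `check_dual_stack` are hypothetical, and the addresses, token path and stub responses are constructed sample values from the documentation ranges, not data from this server.

```python
import http.client
import socket

def resolve(host):
    """Return the host's published addresses grouped by family (needs DNS)."""
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    found = {"IPv4": [], "IPv6": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        if family in names and sockaddr[0] not in found[names[family]]:
            found[names[family]].append(sockaddr[0])
    return found

def fetch(ip, host, path, timeout=5):
    """GET http://<host><path> from one specific address; (None, b'') if unreachable."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    except (OSError, http.client.HTTPException):
        return None, b""
    finally:
        conn.close()

def check_dual_stack(host, path, addresses, fetcher=fetch):
    """Request the same URL on every address and report whether the answers agree."""
    rows = []
    for family, ips in addresses.items():
        for ip in ips:
            status, body = fetcher(ip, host, path)
            rows.append({"family": family, "ip": ip, "status": status, "body": body})
    answers = {(r["status"], r["body"]) for r in rows}
    unreachable = [r["ip"] for r in rows if r["status"] is None]
    return {"rows": rows, "consistent": len(answers) <= 1 and not unreachable,
            "unreachable": unreachable}

# Constructed sample: documentation-range addresses standing in for an A and an
# AAAA record, and a stub fetcher where only the IPv4 address serves the file.
SAMPLE_ADDRESSES = {"IPv4": ["192.0.2.10"], "IPv6": ["2001:db8::10"]}
SAMPLE_PATH = "/.well-known/acme-challenge/sample-token"

def sample_fetcher(ip, host, path):
    return (200, b"sample-token.sample-thumbprint") if ip == "192.0.2.10" else (None, b"")

if __name__ == "__main__":
    report = check_dual_stack("example.test", SAMPLE_PATH, SAMPLE_ADDRESSES, sample_fetcher)
    for row in report["rows"]:
        print(row["family"], row["ip"], row["status"])
    print("consistent:", report["consistent"])
    # Live use: check_dual_stack(host, path, resolve(host))
```

Run against a real host with a test file placed under the webroot's `.well-known/acme-challenge/` directory; any address listed as unreachable or returning a different body needs fixing before requesting the certificate again.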

Thx Juergen,
I have now removed the ipv6 from the DNS and I will test this after the reset of my rate limit :slight_smile:


You didn't create certificates, so it's only the failed validation limit - one hour.