Error getting validation data (status 400)

Hi @arsylum,

Your domain advertises both IPv4 and IPv6 addresses. Let’s Encrypt prefers IPv6 over IPv4, so it tries to validate your domain using the IPv6 address, but you have a redirection that Let’s Encrypt won’t follow.

Trying to reach the challenge using IPv4 works, no problem:

$ curl -ikL4 http://sittenkammer.de/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
HTTP/1.1 200 OK
Date: Fri, 12 Jan 2018 19:01:57 GMT
Server: Apache/2.4.10 (Raspbian)
Last-Modified: Fri, 12 Jan 2018 17:26:23 GMT
ETag: "58-562979043fb67"
Accept-Ranges: bytes
Content-Length: 88

RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c.2yZ2fR3iDBQesHdvMZFl3ngmJQmXvVDz3_vzf4bz9g8

But trying to reach it using IPv6, you have 2 problems:

$ curl -ikL6 http://sittenkammer.de/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 12 Jan 2018 19:02:05 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://185.142.180.85/sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c

HTTP/1.1 404 Not Found
Date: Fri, 12 Jan 2018 19:02:05 GMT
Server: Apache/2.4.10 (Raspbian)
Content-Length: 363
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Raspbian) Server at 185.142.180.85 Port 80</address>
</body></html>

1.- You are not serving the same content as over IPv4: using IPv6, I can’t reach the same challenge I can reach using IPv4.

2.- Let’s Encrypt follows redirections, but it doesn’t follow them if the redirection points to an IP instead of a domain, so this redirection won’t work:

Location: http://185.142.180.85/sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c

Solution: fix your IPv6 configuration or remove the AAAA record for your domain.

Good luck.
sahsanu

4 Likes
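The two checks made by hand in the post above, as an added example that is not part of the original post: it parses saved `curl -i -L -4` and `curl -i -L -6` output and reports a redirect to an IP address and a mismatch between what the two address families serve. The function names, the host, the token and the `192.0.2.10` address are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_hops(curl_output):
    """Split `curl -i -L` output into one dict per HTTP response in the chain."""
    hops, in_headers = [], False
    for line in curl_output.splitlines():
        if line.startswith("HTTP/"):
            hops.append({"status": int(line.split()[1]), "location": None, "body": ""})
            in_headers = True
        elif hops and in_headers:
            if not line.strip():
                in_headers = False  # a blank line ends the header block
            elif line.lower().startswith("location:"):
                hops[-1]["location"] = line.split(":", 1)[1].strip()
        elif hops:
            hops[-1]["body"] += line.strip()
    return hops

def is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def diagnose(token, v4_output, v6_output):
    """Report IP-address redirects and whether both families end in 200 + '<token>.'."""
    findings, outcome = [], {}
    for family, output in (("IPv4", v4_output), ("IPv6", v6_output)):
        hops = parse_hops(output)
        for hop in hops:
            if hop["location"] and is_ip_literal(hop["location"]):
                host = urlsplit(hop["location"]).hostname
                findings.append(f"{family}: redirect to IP address {host}, not a domain")
        last = hops[-1] if hops else {"status": 0, "body": ""}
        outcome[family] = last["status"] == 200 and last["body"].startswith(token + ".")
    if outcome["IPv4"] != outcome["IPv6"]:
        findings.append("IPv4 and IPv6 do not serve the same challenge content")
    return findings

# Constructed transcripts modelled on the two curl runs in the post (placeholder values).
V4 = "HTTP/1.1 200 OK\nServer: Apache\nContent-Length: 15\n\ntok123.thumb456\n"
V6 = ("HTTP/1.1 301 Moved Permanently\nServer: nginx\n"
      "Location: http://192.0.2.10/site/.well-known/acme-challenge/tok123\n\n"
      "HTTP/1.1 404 Not Found\nServer: Apache\n\n<h1>Not Found</h1>\n")

if __name__ == "__main__":
    print("\n".join(diagnose("tok123", V4, V6)))
```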