Failed to verify on a site which already has HTTPS enabled

Hi,

I am trying to install Letsencrypt. On my site I already have a working SSL solution (RapidSSL), but I want to replace it with Letsencrypt.

./letsencrypt-auto certonly --agree-tos --webroot --webroot-path /home/html/xy.eu/public_html/ -d xy.eu -d www.xy.eu

(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xy.eu
http-01 challenge for www.xy.eu
Using the webroot path /home/html/xy.eu/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xy.eu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xy.eu/.well-known/acme-challenge/: Timeout, www.xy.eu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.xy.eu/.well-known/acme-challenge/-8K16HrIGfIHzm1MgeZrR-I: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xy.eu
   Type:   connection
   Detail: Fetching
   http://xy.eu/.well-known/acme-challenge/:
   Timeout

   Domain: www.xy.eu
   Type:   connection
   Detail: Fetching
   http://www.xy.eu/.well-known/acme-challenge/-8K16HrIGfIHzm1MgeZrR-I:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

The /home/html/mihalko.eu/public_html/.well-known/ directory (checked with $ ls) is created and accessible:

@-MBP:~$ curl "http://xy.eu/.well-known/"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://xy.eu/.well-known/">here</a>.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at xy.eu Port 80</address>
</body></html>
@-MBP:~$ curl "http://xy.eu/.well-known/" -L
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /.well-known/
on this server.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at xy.eu Port 443</address>
</body></html>
@-MBP:~$

access.log:

- - [16/Nov/2017:12:35:47 +0100] "GET /.well-known/acme-challenge/- HTTP/1.1" 301 296 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" 2541 262 698

http://xy.eu/ and http://www.xy.eu/ are accessible.
But
http://xy.eu/.well-known/
http://xy.eu/.well-known/acme-challenge/
and
http://www.xy.eu/.well-known/
http://www.xy.eu/.well-known/acme-challenge/
all fail with error 404.

The webroot "/home/html/xy.eu/public_html/"
places the /.well-known/acme-challenge/ folder at:
/home/html/xy.eu/public_html/.well-known/acme-challenge/
Does that directory also exist?
Place a test.txt file there and it should be accessible via:
http://xy.eu/.well-known/acme-challenge/test.txt
http://www.xy.eu/.well-known/acme-challenge/test.txt
then retry the renewal.

Thanks for the reply:

/home/html/xy.eu/public_html/.well-known - it exists
/home/html/xy.eu/public_html/.well-known/acme-challenge/ - the acme-challenge directory and the keys in it only exist while the letsencrypt-auto script is running.

I created test.txt:

http://xy.eu/.well-known/acme-challenge/test.txt

and it is accessible from web.

My htaccess:

RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^(www\.)?xy.eu [NC]
RewriteRule (.*) https://xy.eu/$1 [L,R=301,QSA]

Prior to this change IPv4 would be preferred for all dual-homed hosts. You may notice new validation failures for domains that publish an AAAA record but are only configured to respond to challenges for IPv4.

I think this is the problem. My server/domain has AAAA records set, but it is not available over IPv6. Is there any way to set/prefer IPv4 in letsencrypt-auto?

I’m not able to access the TEST.TXT file (404 error).

And I don’t see an AAAA record:

Name: xy.eu
Address: 195.56.45.187

Name: www.xy.eu
Address: 195.56.45.187

Is your domain not actually xy.eu? It kind of wastes a lot of time when people don't share their real domains for this reason, because IPv6 is one of the first things that many of us would look for and test in this situation!

The server checks IPv6 before IPv4 and this behavior is mandatory. If you can't support IPv6, you shouldn't advertise AAAA records. If you somehow can't remove your invalid AAAA records, you should use the DNS-01 challenge method instead of one of the challenge methods that requires connecting to your server.
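An added diagnostic, written here as an example and not taken from the thread or from Certbot: it emulates what the replies above describe the validation server doing. It resolves the name, orders addresses IPv6 first, connects to each address directly (so a stale AAAA record cannot be masked by a local resolver), requests the challenge path and follows the HTTP-to-HTTPS redirect. The resolver and fetcher are injectable so the logic can be exercised with constructed records; the hypothetical host names and addresses are placeholders, and redirects are assumed to stay on the same host, as the rewrite rule above does.

```python
import socket
import ssl
import http.client
from urllib.parse import urlsplit, urljoin

def resolve(host):
    """All A/AAAA addresses of host, IPv6 first (the order the replies say the CA uses)."""
    recs = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    addrs = {(fam, sa[0]) for fam, _, _, _, sa in recs}
    return sorted(addrs, key=lambda a: a[0] != socket.AF_INET6)

def fetch(address, url, timeout=10):
    """GET url from one specific address, not via DNS. Returns (status, Location header)."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False   # reachability probe only; the existing cert is not the point
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(address, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Host": u.hostname})
        r = conn.getresponse()
        return r.status, r.getheader("Location")
    finally:
        conn.close()

def follow(address, url, fetcher=fetch, max_hops=10):
    """Follow redirects on the same address; returns (final status or error text, URLs visited)."""
    chain = [url]
    for _ in range(max_hops):
        try:
            status, loc = fetcher(address, url)
        except OSError as e:                  # timeout / refused: the "connection" error above
            return f"error: {e}", chain
        if status in (301, 302, 303, 307, 308) and loc:
            url = urljoin(url, loc)
            chain.append(url)
            continue
        return status, chain
    return "error: too many redirects", chain

def diagnose(host, token="test.txt", resolver=resolve, fetcher=fetch):
    """Probe every published address; a failure on any of them is one the CA can hit."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    return [(addr, *follow(addr, url, fetcher)) for _fam, addr in resolver(host)]
```

Run `diagnose("example.test")` against a real host after placing a test.txt in the challenge directory; an entry whose status starts with "error:" on an IPv6 address is exactly the AAAA-without-IPv6 case discussed above.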
