Getting error The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: qs-groups.com
2: arbati.qs-groups.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for qs-groups.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: qs-groups.com
Type: unauthorized
Detail: 2a02:4780:9:1111:0:36f3:d8f:2: Invalid response from http://qs-groups.com/.well-known/acme-challenge/ZEk5Z94kD8X_uqx8G9Np29cY7sFVJUrZDBc3nWGENJI: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I always run into the same problem. I have done everything, but I need help.

My website is
qs-groups.com

@Tishko , welcome to the community!
Your domain has both IPv4 and IPv6 addresses, and they are pointing to different systems. You may want to fix this.

pi@raspberrypi:~ $ curl -4 -s -v 'http://qs-groups.com/' > /dev/null
*   Trying 13.48.71.126...
* TCP_NODELAY set
* Connected to qs-groups.com (13.48.71.126) port 80 (#0)
> GET / HTTP/1.1
> Host: qs-groups.com
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 01 Aug 2024 06:10:20 GMT
< Server: Apache/2.4.58 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 555
< Content-Type: text/html;charset=UTF-8
< 
{ [555 bytes data]
* Connection #0 to host qs-groups.com left intact
pi@raspberrypi:~ $ curl -6 -s -v 'http://qs-groups.com/' > /dev/null
*   Trying 2a02:4780:9:1111:0:36f3:d8f:2...
* TCP_NODELAY set
* Connected to qs-groups.com (2a02:4780:9:1111:0:36f3:d8f:2) port 80 (#0)
> GET / HTTP/1.1
> Host: qs-groups.com
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Connection: Keep-Alive
< Keep-Alive: timeout=5, max=100
< content-type: text/html
< content-length: 795
< date: Thu, 01 Aug 2024 06:10:32 GMT
< server: LiteSpeed
< location: https://qs-groups.com/
< platform: hostinger
< content-security-policy: upgrade-insecure-requests
< 
{ [795 bytes data]
* Connection #0 to host qs-groups.com left intact
pi@raspberrypi:~ $ 

As @bruncsak says, your domain points to a different system depending on whether you look at it using IPv6 or IPv4. Let's Encrypt uses IPv6 if your DNS declares an IPv6 address.

Usually the fix is to point it to the correct IPv6 address of your system, or if it doesn't have one, then remove the (IPv6) AAAA record in DNS. In your case though, I think your real website is on the IPv6 address (running LiteSpeed web server) and the IPv4 address is something else (running Apache web server).

You can also test for this using https://letsdebug.net/

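A scripted version of the `curl -4` / `curl -6` comparison used in this thread, as an added example that is not part of any poster's reply. The function names, the `probe` file name and the sample variables are assumptions; the two samples are constructed from the curl output quoted above.

```shell
#!/usr/bin/env bash
# Added example: do a domain's A and AAAA records lead to the same web server?
# Matching fingerprints are a heuristic, not proof of the same machine.

# Reduce a raw HTTP response-header dump on stdin to "status|server".
# Header names are matched case-insensitively; carriage returns are stripped.
fingerprint() {
  tr -d '\r' | awk '
    NR == 1 && /^HTTP\// { status = $2 }
    tolower($1) == "server:" { $1 = ""; sub(/^ +/, ""); server = $0 }
    END { printf "%s|%s\n", status, server }'
}

# Compare header dumps fetched over IPv4 ($1) and IPv6 ($2) and print a verdict.
verdict() {
  local v4 v6
  v4=$(printf '%s\n' "$1" | fingerprint)
  v6=$(printf '%s\n' "$2" | fingerprint)
  if [ "$v6" = "|" ]; then
    # Empty IPv6 dump: no AAAA record, or the address did not answer.
    echo "ipv4-only: $v4"
  elif [ "$v4" = "$v6" ]; then
    echo "match: $v4"
  else
    # The CA validates over IPv6 when an AAAA record exists, so this case
    # means the challenge request lands on a different server.
    echo "mismatch: IPv4=$v4 IPv6=$v6"
  fi
}

# Live check against the HTTP-01 challenge directory.
# "probe" is a made-up file name; a 404 from both families is still a match.
probe() {
  local url="http://$1/.well-known/acme-challenge/probe"
  verdict "$(curl -4 -sI --max-time 10 "$url")" \
          "$(curl -6 -sI --max-time 10 "$url")"
}

# Constructed samples, reduced from the two curl transcripts in this thread.
V4_SAMPLE='HTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)'
V6_SAMPLE='HTTP/1.1 301 Moved Permanently
server: LiteSpeed
location: https://qs-groups.com/'

# Usage: verdict "$V4_SAMPLE" "$V6_SAMPLE"   (offline)
#        probe example.com                   (needs network access)
```
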

This is a common problem with people setting up new sites at Hostinger.

The IPv6 address is set to their parking or other system and not your Apache server.

As noted, just remove the AAAA record or change its IP to be your system.

UPDATE:
I see your domain is now proxied at Cloudflare. So, the IPv4 / IPv6 issue is different, as Cloudflare prefers the IPv4 address to your Origin Server when both are present, which is probably why it works even if you have not fixed that IPv6 address.

You didn't mention Hostinger in your post, but I determined that from the IP address in the error. This IPv6 address is assigned to them:

Detail: 2a02:4780:9:1111:0:36f3:d8f:2
Invalid response from http://qs-groups.com/.well-known/acme-challenge/ZEk5Z94kD8X_uqx8G9Np29cY7sFVJUrZDBc3nWGENJI: 404

