Help, can't get SSL certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: viproductions.us

I ran this command: sudo certbot certonly --webroot

It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: viproductions.us
Type: unauthorized
Detail: 139.144.190.161: Invalid response from http://viproductions.us/.well-known/acme-challenge/AXddAvG3XKjK_gftKjjG-Mu3UYw7LOFOfoHpOwTi-AU: 404

Domain: www.viproductions.us
Type: unauthorized
Detail: 139.144.190.161: Invalid response from http://www.viproductions.us/.well-known/acme-challenge/z7x7x2SI0n2vtMIbR1nWXuLfKIIICGsGwHl21ibsLI8: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): docker/vaultwarden

The operating system my web server runs on is (include version): Ubuntu 22.04.1

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.3.0

Hello @Brad, welcome to the Let's Encrypt community. 🙂

Using Let's Debug, the result is AAAANotWorking ERROR
https://letsdebug.net/viproductions.us/1374426

The HTTP-01 Challenge needs Port 80 open on all IP Addresses that domain name maps to.
Best Practice - Keep Port 80 Open

I only have IPv4 to test from, but AAAA is IPv6.

But from my IPv4 location I see

$ nmap -Pn viproductions.us
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-15 01:52 UTC
Nmap scan report for viproductions.us (139.144.190.161)
Host is up (0.079s latency).
Other addresses for viproductions.us (not scanned): 2600:3c02::f03c:93ff:fe88:7f9b
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds
$ curl -Ii http://viproductions.us/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
content-type: text/html; charset=utf-8
server: Rocket
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: same-origin
x-xss-protection: 0
content-security-policy: default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com ; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/ ;
cache-control: no-cache, no-store, max-age=0
content-length: 2382
date: Wed, 15 Feb 2023 01:53:11 GMT

1 Like

You should definitely either fix your IPv6 config or remove the AAAA record from the DNS.

The Let's Encrypt servers will fall back to IPv4 for certain comms errors, but it is best not to rely on that. And other clients trying to reach your server with IPv6 may fail.

In your case the LE servers do fallback to IPv4 because the failure is a 404 (Not Found) and not some comms error.

The 404 means the LE servers could not find the HTTP Challenge file placed in the --webroot-path folder.

I don't know anything about your "Server: Rocket" but just make sure the --webroot-path (or just -w) matches the web server's root folder.

See more about webroot paths in the Certbot docs (link here)

5 Likes
