How to create http challenge file?

My domain is: benoitlaval.com

I ran this command: certbot certonly --standalone -d benoitlaval.com -d www.benoitlaval.com

It produced this output: Failed authorization procedure. www.benoitlaval.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.benoitlaval.com/.well-known/acme-challenge/HcDeuX3TgSUOMibkU3m5eqnUaYiAmsYklDPKywEf6ns [2001:8d8:100f:f000::27f]: 204, benoitlaval.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://benoitlaval.com/.well-known/acme-challenge/1CWZWNtp67M0wwGn2KSn6rYVUEvhKvVtn39JXSEeGrQ [2001:8d8:100f:f000::27f]: 204

My web server is (include version): Apache 2.4.10

The operating system my web server runs on is (include version): debian 8

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.10.2

Hi there
I used to run this command to generate my certifcates :

certbot certonly --standalone -d domain.com -d www.domain.com.

But today this command produce the error mentionned above. I read the doc about challenges and it says :

The http challenge will ask you to place a file with a specific name and specific content in the /.well-known/acme-challenge/

But the http challenge does not ask me to place such a file. It directly fails. What i'm doing wrong ?

Hi @nicolas2

looks like you have used tls-sni-01 - validation. That's deprecated and does not longer work.

So your (very old) certbot switches to another validation.

But your configuration isn't good: You have ipv4- and ipv6 addresses ( https://check-your-website.server-daten.de/?q=benoitlaval.com)

Host T IP-Address is auth. āˆ‘ Queries āˆ‘ Timeout
benoitlaval.com A 149.202.95.87 yes 1 0
AAAA 2001:8d8:100f:f000::27f yes
www.benoitlaval.com A 149.202.95.87 yes 1 0
AAAA 2001:8d8:100f:f000::27f yes

But port 80 / ipv4 is blocked, port 80 / ipv6 answers with the wrong answer.

Domainname Http-Status redirect Sec. G
ā€¢ http://benoitlaval.com/
149.202.95.87 -2 1.074 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 149.202.95.87:80
ā€¢ http://benoitlaval.com/
2001:8d8:100f:f000::27f 200 0.053 H
ā€¢ http://www.benoitlaval.com/
149.202.95.87 -2 1.070 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 149.202.95.87:80
ā€¢ http://www.benoitlaval.com/
2001:8d8:100f:f000::27f 200 0.050 H
ā€¢ https://benoitlaval.com/
149.202.95.87 -2 1.083 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 149.202.95.87:443
ā€¢ https://benoitlaval.com/
2001:8d8:100f:f000::27f -10 0.047 P
SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.
ā€¢ https://www.benoitlaval.com/
149.202.95.87 -2 1.070 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 149.202.95.87:443
ā€¢ https://www.benoitlaval.com/
2001:8d8:100f:f000::27f -10 0.047 P
SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.
ā€¢ http://benoitlaval.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
149.202.95.87 -2 1.073 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 149.202.95.87:80
Visible Content:
ā€¢ http://benoitlaval.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:8d8:100f:f000::27f 204 0.057 A
Visible Content:
ā€¢ http://www.benoitlaval.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
149.202.95.87 -2 1.074 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 149.202.95.87:80
Visible Content:
ā€¢ http://www.benoitlaval.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:8d8:100f:f000::27f 204 0.050 A
Visible Content:

So open your firewall - port 80 is required, later you can redirect to port 443.

And check, if ipv6 is configured. If not, remove your ipv6 dns entry (the AAAA-record) or configure it (add vHost with ipv6 ( *:80 [::]:80).

That was the problem. Thanks !

1 Like

Maybe we should edit that documentation somehow because "ask you" sometimes means "ask you" and sometimes means "ask the client software that you're using". In some client software (for example with certbot --manual), the human user is asked to perform this task, but in other situations that software itself performs the task automatically (for example with certbot --standalone).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.