How to force certbot to use HTTP for authentication instead of HTTPS?

My domain is:

animopticum.com

I ran this command:

sudo certbot --authenticator webroot --preferred-challenges http --installer nginx -w /sites/animopticum.com -d animopticum.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for animopticum.com
Using the webroot path /sites/animopticum.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. animopticum.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://animopticum.com/.well-known/acme-challenge/6OpJlulaoZ0oXC3dtW6KUadViY212j37e0KsiXjdqAs: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: animopticum.com
   Type:   connection
   Detail: Fetching
   https://animopticum.com/.well-known/acme-challenge/6OpJlulaoZ0oXC3dtW6KUadViY212j37e0KsiXjdqAs:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

nginx/1.10.3

The operating system my web server runs on is (include version):

Ubuntu 16.04.2 LTS

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

Please note it’s trying to use HTTPS for some reason which does not make any sense since I’m exactly trying to obtain the certificate.
I have checked the access to files on my domain in .well-known path and everything is working great via HTTP (80 port).

Let’s Encrypt will only do this if instructed by the web server with an HTTP redirect.

The reason, in your case, this is happening, is because the IPv6 variant of your website, hosted at 2a01:7e00::f03c:91ff:fee5:6bd3, is serving up this redirect:

$ curl -X GET -I -6 animopticum.com/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3
Date: Wed, 24 Jan 2018 20:58:56 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://animopticum.com/.well-known/acme-challenge/test

whereas the IPv4 variant doesn’t:

$ curl -X GET -I -4 animopticum.com/.well-known/acme-challenge/test
HTTP/1.1 404 Not Found
Server: nginx/1.10.3
Date: Wed, 24 Jan 2018 20:59:45 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

Let’s Encrypt will always prefer to use the AAAA record if it is present on your zone.

1 Like

Oh wow, that’s weird, I did not setted up those domains for using ipv6.

Anyway, it seems it helped me to solve the issue!
Thank you a lot!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.