How to tell which IP Let's Encrypt is checking for validation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: monorailex.org and innovaresource.com

I ran this command: Let's Encrypt button in Virtualmin

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for monorailex.org
http-01 challenge for www.monorailex.org
Using the webroot path /home/innovanv/domains/monorailex.org/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain monorailex.org
Challenge failed for domain www.monorailex.org
http-01 challenge for monorailex.org
http-01 challenge for www.monorailex.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
```

My web server is (include version): Apache version 2.4.41

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.3

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin 6.17-3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

I moved my sites from one host to another. I got certificates for some of the other sites, but these two keep giving me this error. I have looked at the Name Servers and the DNS and it looks right to me. Is there a way to tell which IP Let's Encrypt is trying to verify the response from? I don't see it trying in the access logs. I made the switchover 4 days ago.


Welcome to the Let's Encrypt Community, Stephen :slightly_smiling_face:

Essentially, no. The IP addresses of the verification servers change.

I suspect that your IPv6 address (AAAA record) might not be serving the same content as your IPv4 address (A record).

What are the outputs of:

sudo apachectl -S
sudo ls -lRa /etc/apache2

Please put 3 backticks above and below each output, like this:

```
output
```


I took out the IPv6 addresses and it worked. Thanks. I don't really want the IPv6 addresses anyways.

I think though you didn't understand what I was asking. I wasn't asking about the IP address of the Let's Encrypt server. I was wanting to know the IP Let's Encrypt found for my site in DNS. It was obviously trying the IPv6 address and who knows what Apache was doing with it.

Anyways thanks for the help. I really appreciate it.


It gives that in the error message you got, between the square brackets:

```
[2600:3c00::f03c:92ff:fe9a:728d]: "\n\n404 NotFound\n\n
```

Let's Encrypt just looks up your IPs using your domain's authoritative DNS servers. You can use tools like Unboundtest if you want to emulate what lookups look like from a system set up similarly to Let's Encrypt's.

Well, while it's great you have it working for IPv4 users for now, you may want to figure out how to get IPv6 working on your new host at some point sooner rather than later. IPv6 is becoming more and more the way everything works natively, with backwards-compatibility workarounds set up so that users can access the legacy IPv4 Internet.

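A pre-flight check for the failure discussed in this thread, added here as an example that is not part of the original posts or of certbot: it resolves every A and AAAA record of a name, requests the challenge path from each address with the matching Host header, and lists the addresses that do not serve the expected body. The token and expected body are whatever test file you place in the webroot yourself; the script name and arguments are assumptions.

```python
"""Fetch /.well-known/acme-challenge/<token> from every published address of a
name (A and AAAA) and report the ones that disagree. Constructed example."""
import http.client
import socket
import sys
from dataclasses import dataclass


@dataclass
class Probe:
    ip: str
    status: int  # HTTP status, or -1 when the TCP connection failed
    body: str


def published_addresses(hostname):
    """A and AAAA addresses for hostname from the local resolver. Let's Encrypt
    asks the authoritative servers instead, so a stale cache here can still
    hide a difference; compare with an authoritative lookup if in doubt."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe(ip, hostname, token, timeout=10):
    """GET the challenge path from one specific IP, sending the Host header so
    a name-based Apache vhost matches the request the same way a CA would."""
    path = f"/.well-known/acme-challenge/{token}"
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        return Probe(ip, resp.status, resp.read(512).decode(errors="replace"))
    except OSError as exc:
        return Probe(ip, -1, str(exc))


def mismatched(probes, expected_body):
    """Addresses that did not answer 200 with expected_body. Let's Encrypt tries
    an AAAA address first when one exists and only falls back to IPv4 on a
    connection failure, so a 404 from the IPv6 side fails the challenge."""
    return [p.ip for p in probes if p.status != 200 or p.body.strip() != expected_body]


if __name__ == "__main__":
    # usage: python check_http01.py monorailex.org <token> <expected-body>
    # (create the file under the webroot's .well-known/acme-challenge/ first)
    name, token, expected = sys.argv[1:4]
    results = [probe(ip, name, token) for ip in published_addresses(name)]
    for p in results:
        print(f"{p.ip:>40}  HTTP {p.status}  {p.body[:60]!r}")
    bad = mismatched(results, expected)
    print("all addresses consistent" if not bad else f"fix these: {bad}")
```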
