HTTP-01 challenge failing inexplicably

Not quite sure why this is happening, I verified the following:

  • The directory in [renewalparams] for the domain is correctly set to /var/www/twifag.com
  • I created a .well-known subdirectory in the above along with a test HTML file and was able to access it by using the address http://twifag.com/.well-known/test.html
  • I created a .well-known/acme-challenge subdirectory in the above along with a test HTML file and was able to access it by using the address http://twifag.com/.well-known/acme-challenge/test.html
  • I created a file without an extension and verified it was accessible in the .well-known/acme-challenge directory
  • I ran certbot with -vvv and verified it was using the proper directory
Attempting to save validation to /var/www/twifag.com/.well-known/acme-challenge/GkZ1R31xlzk6IeltF6HEmNzbXB8_pLq5NfSn_kydulw
Attempting to save validation to /var/www/twifag.com/.well-known/acme-challenge/Bi2EbzFrvgdHpkwVBqBMjjxW3wiBRg0KfgzGMek-7Iw
Waiting for verification...

Given the above, I verified that the certbot conf is pointing to the proper directory, that certbot reports it's creating the challenge files in the proper directory, and that there is no possibility of a 404 error. But I am getting 404 errors.

My domain is: twifag.com

I ran this command: certbot --noninteractive --agree-tos --rsa-key-size 4096 --hsts --redirect --uir --staple-ocsp renew

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/twifag.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for twifag.com
http-01 challenge for www.twifag.com
Waiting for verification...
Challenge failed for domain twifag.com
Challenge failed for domain www.twifag.com
http-01 challenge for twifag.com
http-01 challenge for www.twifag.com
Cleaning up challenges
Attempting to renew cert (twifag.com) from /etc/letsencrypt/renewal/twifag.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/twifag.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/twifag.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: twifag.com
   Type:   unauthorized
   Detail: 2604:2dc0:100:318c::def: Invalid response from
   http://twifag.com/.well-known/acme-challenge/Fk3FhQX5VhTEFrvUN2PiRuWuRDCyUVzhjXo2MaEVlSU:
   404

   Domain: www.twifag.com
   Type:   unauthorized
   Detail: 2604:2dc0:100:318c::eeee: Invalid response from
   http://www.twifag.com/.well-known/acme-challenge/dP9k1sis3LJGvAkpW4Mb_NlLgGCyK_JnvM9n64lD11s:
   404

My web server is (include version): nginx 1.19.9

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Thanks for any assistance.

Sure:

# curl -4 http://twifag.com/.well-known/acme-challenge/test.html
hello world

But the hint is here:

If we try your IPv6 address:

# curl -6 http://twifag.com/.well-known/acme-challenge/test.html
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Doesn't work.


Hello @otaku, welcome to the Let's Encrypt community. :slightly_smiling_face:

Just noting that is an old version of Certbot; see here: Certbot 2.1.0 Release

Yep, so can I. So it comes down to why the HTTP-01 challenge files are not being created.

What user is running certbot?
Often I see it as sudo certbot, but it doesn't have to be, as there are other ways to become the needed user.

$ curl -I http://twifag.com/.well-known/acme-challenge/sNkz50miq9hSMFC3ZXp2wpI4hfYgdH_t_t2jFyGupXY
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 23 Dec 2022 21:54:31 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Best-Pony: Twilight Sparkle
Content-Security-Policy: default-src 'self' *.twifag.com twifag.com *.twifag twifag; style-src 'self' *.twifag.com twifag.com *.twifag twifag 'unsafe-inline'; upgrade-insecure-requests

$ curl -I http://twifag.com/.well-known/acme-challenge/test.html
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 23 Dec 2022 22:01:04 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Fri, 23 Dec 2022 20:33:08 GMT
Vary: Accept-Encoding
ETag: W/"63a61084-b"
X-Best-Pony: Twilight Sparkle
Content-Security-Policy: default-src 'self' *.twifag.com twifag.com *.twifag twifag; style-src 'self' *.twifag.com twifag.com *.twifag twifag 'unsafe-inline'; upgrade-insecure-requests

Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

$ nslookup twifag.com ns-cloud-a1.googledomains.com
Server:         ns-cloud-a1.googledomains.com
Address:        216.239.32.106#53

Name:   twifag.com
Address: 135.148.34.140
Name:   twifag.com
Address: 2604:2dc0:100:318c::eeee
Name:   twifag.com
Address: 2604:2dc0:100:318c::def

And I do not have an

to test with myself. :frowning:

At this point kindly wait for more knowledgeable, than me, Let's Encrypt community volunteers to assist.


The solution is in post #2.
The problem is the name has both IPv4 and IPv6, but they don't return the same content.
LE prefers IPv6 over IPv4 when present and that is where the problem lies.
[as already shown].
But here it is again (condensed):

curl -Ii4 http://twifag.com/.well-known/acme-challenge/test.html
HTTP/1.1 200 OK

curl -Ii6 http://twifag.com/.well-known/acme-challenge/test.html
HTTP/1.1 404 Not Found
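The diagnosis above (the A record answers 200 while the AAAA records answer 404, and the validator may pick any published address) can be checked in one pass rather than with separate curl -4 / curl -6 calls. The following script is an added example written for this thread; it is not part of certbot, Let's Debug, or anything posted by the participants. It resolves every A and AAAA record for a name, requests the same /.well-known/acme-challenge/ path from each address directly (sending the Host: header by hand, so each record is tested individually rather than just "some IPv4" or "some IPv6"), and classifies the result. The helper names (resolve_all, fetch_status, diagnose, check_name) are hypothetical, and the sample statuses in the usage notes are constructed from the nslookup output quoted earlier in the thread.

```python
"""Dual-stack HTTP-01 reachability check (added example, not certbot code).

Resolves every A and AAAA record for a name, fetches the same
/.well-known/acme-challenge/ path from each address, and reports whether
the answers agree.  All helper names here are hypothetical.
"""
import http.client
import ipaddress
import socket
from typing import Dict, List, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def resolve_all(name: str) -> List[str]:
    """Every distinct IPv4/IPv6 address published for `name` (A and AAAA)."""
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        name, 80, type=socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def fetch_status(ip: str, host: str, path: str, timeout: float = 10.0) -> int:
    """HTTP status for `path` when connecting to `ip` and asking for vhost `host`.

    Connecting to the literal address (not the name) is what makes the probe
    per-record: curl -4/-6 only selects an address family, not a specific record.
    Returns 0 when the address cannot be reached at all (refused, timeout).
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return 0
    finally:
        conn.close()


def diagnose(results: Dict[str, int]) -> Tuple[str, List[str]]:
    """Classify per-address statuses the way a validator experiences them.

    `results` maps each published address to the status it returned for one
    challenge URL.  The validator may connect to any of these addresses (the
    thread shows Let's Encrypt picking the AAAA records), so every one of them
    must answer 200.  Returns (verdict, sorted list of failing addresses).
    """
    if not results:
        return ("no-addresses", [])
    failing = sorted(ip for ip, code in results.items() if code != 200)
    if not failing:
        return ("ok", [])
    if len(failing) == len(results):
        return ("all-failing", failing)
    versions = {ipaddress.ip_address(ip).version for ip in failing}
    if versions == {6}:
        # Only the IPv6 records fail: the symptom of a web server with no [::] listener.
        return ("ipv6-only-failing", failing)
    if versions == {4}:
        return ("ipv4-only-failing", failing)
    return ("mixed-failing", failing)


def check_name(host: str, token: str = "test.html") -> Tuple[str, List[str], Dict[str, int]]:
    """Resolve `host`, probe every address for ACME_PREFIX + token, and diagnose."""
    path = ACME_PREFIX + token
    results = {ip: fetch_status(ip, host, path) for ip in resolve_all(host)}
    verdict, failing = diagnose(results)
    return verdict, failing, results


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        sys.exit("usage: dualstack_check.py <hostname> [token-filename]")
    name = sys.argv[1]
    token = sys.argv[2] if len(sys.argv) > 2 else "test.html"
    verdict, failing, results = check_name(name, token)
    for ip, code in results.items():
        print(f"{ip:40} {code or 'unreachable'}")
    print("verdict:", verdict, failing)
```

Run it with a hostname and the name of a test file you placed in the acme-challenge directory, just as the thread does with test.html. Fed the statuses observed in this thread (135.148.34.140 answering 200, 2604:2dc0:100:318c::eeee and 2604:2dc0:100:318c::def answering 404), diagnose() returns "ipv6-only-failing" with both AAAA addresses listed, which points straight at the web server's IPv6 listener (for nginx, the standard `listen [::]:80;` directive) rather than at the webroot path or file permissions that the original post spent its time verifying. An "all-failing" verdict is the case Let's Debug cannot distinguish from a healthy server when the probed file does not exist, which is why a real test file is used.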

Does Let's Debug also prefer IPv6?


Let's Debug is just a testing tool; it has no preference.
It does check both [IPv6 and IPv4].
However, in such test cases, they will both return 404; so there is nothing for it to detect a difference with.

curl -Ii6 http://twifag.com/.well-known/acme-challenge/12345abcde
HTTP/1.1 404 Not Found

curl -Ii4 http://twifag.com/.well-known/acme-challenge/12345abcde
HTTP/1.1 404 Not Found

Adding on to Rudy's comment ...

Let's Debug has two different tests. One is a test HTTP request for each IP in the DNS. It is expecting a 404 response, since the test file it looks for won't exist. I have seen it warn when the responses are different between the IPs, as a warning that something is not right.

The other test uses the Let's Encrypt staging system, so, yes, that is the same as LE production in how it connects.


Thanks @rg305 :beers:


Thanks @MikeMcQ :beers:


Thank you (and everyone else) for replying!!!

There was indeed an error in my nginx config that I didn't even look for: I wasn't listening on the [::] address.

Thanks again for your help.
