I’m having issues obtaining a certificate. A few months ago someone already had a working certificate, but last month it expired, so I’m trying to set up a new license. To my understanding, I have to issue a command from the server like: certbot --staging --preferred-challenges=http --agree-tos --email name@example.com --break-my-certs -d natan-security.net -d www.natan-security.net --apache --debug-challenges
However, this results in an error: Failed authorization procedure. www.natan-security.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.natan-security.net/.well-known/acme-challenge/NlmqO7IYCfx56u2WFD8Mmap8z0W_mceb4pGlvBtJfRg: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\nTh"
I have also attempted using --manual, and then I can see the given challenge in my browser, and even at w3c-validator (my first attempt to validate that my server isn’t blocking different countries), while certbot always shows the 404 result. What can cause this issue?
The strangest part is that my server gives a different HTML document for a 404 message, with an added character: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /.well-known/acme-challenge/lrKZpQbfQQdLU1XsGUVva14dQEWg66NpLBvPg9gJWcI3 was not found on this server.</p> <hr> <address>Apache/2.4.18 (Ubuntu) Server at www.natan-security.net Port 80</address> </body></html>
LE doesn’t cache DNS entries.
All queries are “fresh” and “new”; they go directly to your authoritative name servers.
So you should be able to check right away.
rg305 is right - there is no caching (on the test either). Your nameserver is still currently serving the same IPv6 record that it was from my original test:
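To make the "which address did the validator actually hit" question quick to answer, here is an added example (not from this thread, not part of certbot or Let's Encrypt): a Python script that resolves both the A and AAAA records of the hostname, fetches the challenge path from every literal address with the proper Host header, and reports whether the IPv6 side answers differently from the IPv4 side. The hostname and token on the command line are whatever you are testing with (certbot's --debug-challenges pause is a convenient moment to run it); the verdict names and the comparison logic are this example's own. It assumes what the replies above rely on: when a AAAA record exists the ACME validator will use it, so every address the name resolves to must serve the same token, and a 404 page whose markup does not match your own Apache's 404 page is a strong hint the request landed on a different box.

```python
"""acme_check.py: fetch an http-01 challenge over every A/AAAA address.

Added example, not certbot code. Assumptions: port 80, plain HTTP (the
http-01 challenge is served there), and that the ACME validator prefers
IPv6 when a AAAA record is present, so all addresses must agree.
Usage: python3 acme_check.py www.example.net <challenge-token>
"""
import http.client
import socket
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve(hostname):
    """Return {"A": [...], "AAAA": [...]} for hostname via the local resolver.

    The local resolver may cache; the ACME server asks your authoritative
    name servers directly, so if the lists differ from `dig @ns1.your-dns AAAA`
    it is the authoritative answer that counts.
    """
    out = {"A": [], "AAAA": []}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(hostname, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for info in infos:
            addr = info[4][0]
            if addr not in out[key]:
                out[key].append(addr)
    return out


def fetch(ip, hostname, token, timeout=10):
    """GET the challenge path from one literal IP (v4 or v6).

    The Host header is set explicitly so name-based virtual hosts see the
    same request the validator sends. Returns (status, first 200 body bytes).
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token,
                     headers={"Host": hostname, "User-Agent": "acme-check/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.read(200).decode("utf-8", "replace")
    finally:
        conn.close()


def diagnose(results):
    """Turn {ip: (status, body)} into a (verdict, detail) pair.

    Verdicts: unresolved, ok, inconsistent, ipv6-mismatch, ipv4-mismatch,
    failed. Pure function, so it can be tested with constructed data.
    """
    if not results:
        return "unresolved", "hostname has neither A nor AAAA records"
    bad = [ip for ip, (status, _) in results.items() if status != 200]
    if not bad:
        bodies = {body for _, body in results.values()}
        if len(bodies) == 1:
            return "ok", "all addresses return 200 with the same body"
        return "inconsistent", "all return 200 but bodies differ: hosts out of sync"
    bad_v6 = [ip for ip in bad if ":" in ip]
    bad_v4 = [ip for ip in bad if ":" not in ip]
    if bad_v6 and not bad_v4:
        return "ipv6-mismatch", "IPv4 serves the token but AAAA points elsewhere: " + ", ".join(bad_v6)
    if bad_v4 and not bad_v6:
        return "ipv4-mismatch", "IPv6 serves the token but A points elsewhere: " + ", ".join(bad_v4)
    return "failed", "no address serves the token: " + ", ".join(bad)


def main(argv):
    if len(argv) != 3:
        print(__doc__)
        return 2
    hostname, token = argv[1], argv[2]
    records = resolve(hostname)
    results = {}
    for rtype, addrs in records.items():
        for ip in addrs:
            try:
                results[ip] = fetch(ip, hostname, token)
            except OSError as exc:  # refused, timeout, no route
                results[ip] = (0, "connect error: %s" % exc)
            print("%-4s %-40s -> %s %r" % (rtype, ip, results[ip][0], results[ip][1][:60]))
    verdict, detail = diagnose(results)
    print("verdict: %s (%s)" % (verdict, detail))
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the output shows your IPv4 address returning 200 and the IPv6 address returning a 404 whose markup looks nothing like your own server's error page, the AAAA record is the thing to fix (or remove) before retrying certbot; an "ok" verdict from the local resolver that still fails at Let's Encrypt usually means your authoritative name servers have not picked up the change yet.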
This is strange. I surely changed the AAAA record at transip, our hosting provider, and just changed it again (currently to the translated IPv4 address). I’ll look into it Monday.