Installing certificate failed - urn:acme:error:unauthorized - 404 error

VeeK727 · March 19, 2018, 6:07am

I’m installing a certificate for my domain on Ubuntu 16.04 with Apache 2. I executed the command certbot --apache and selected my domains gurgaonvivah.com and www.gurgaonvivah.com and got this response:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gurgaonvivah.com
http-01 challenge for www.gurgaonvivah.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.gurgaonvivah.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.gurgaonvivah.com/.well-known/acme-challenge/tsKwRl5qXfk-6VYVeIax31RWyxbaS11ntglSKywt_RE: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", gurgaonvivah.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gurgaonvivah.com/.well-known/acme-challenge/38Zwae_-o66t54bSNqudtPbiZTeMLRilK_iNXIjXLIQ: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.gurgaonvivah.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.gurgaonvivah.com/.well-known/acme-challenge/tsKwRl5qXfk-6VYVeIax31RWyxbaS11ntglSKywt_RE:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"
 Domain: gurgaonvivah.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gurgaonvivah.com/.well-known/acme-challenge/38Zwae_-o66t54bSNqudtPbiZTeMLRilK_iNXIjXLIQ:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I have seen similar questions here and tried a few things. Firstly there’s actually no file 38Zwae_-o66t54bSNqudtPbiZTeMLRilK_iNXIjXLIQ in acme-challenge folder. The permissions of the folders are 755.

I added a test file aa.txt in acme-challenge folder and can access it via a browser http://www.gurgaonvivah.com/.well-known/acme-challenge/aa.txt but if I use a curl command from shell
curl -i http://www.gurgaonvivah.com/.well-known/acme-challenge/aa.txt | cat -A
I get a 404 response again. What should I do?

sahsanu · March 19, 2018, 6:56am

Hi @VeeK727,

The problem here is that your domains have AAAA records so it is presenting an IPv6 address to Let's Encrypt and LE will prefer IPv6 over IPv4 so it will try to validate the domain using IPv6 but it is not configured properly on your web server to serve the same information as it does with IPv4.

You can check it adding -4 or -6 switch to curl command:

$ curl -4ikL http://www.gurgaonvivah.com/.well-known/acme-challenge/aa.txt
HTTP/1.1 200 OK
Date: Mon, 19 Mar 2018 06:52:37 GMT
Server: Apache/2.4.18
Last-Modified: Mon, 19 Mar 2018 05:09:49 GMT
ETag: "4-567bcf7997eb7"
Accept-Ranges: bytes
Content-Length: 4
Content-Type: text/plain

test⏎


$ curl -6ikL http://www.gurgaonvivah.com/.well-known/acme-challenge/aa.txt
HTTP/1.1 404 Not Found
Date: Mon, 19 Mar 2018 06:52:33 GMT
Server: Apache/2.4.18
Content-Length: 231
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /.well-known/acme-challenge/aa.txt was not found on this server.</p>
</body></html>

You should fix your IPv6 conf or if you don't want/need to be reached using IPv6, remove the AAAA records for your domain(s).

Cheers,
sahsanu

VeeK727 · March 19, 2018, 8:07am

I didn’t understand how to configure apache for ipv6 so I’ve removed the AAAA records. I’ll read up on it later.

Its been 30 minutes but I’m still getting the error. I’ll wait a bit more to let DNS propogate and get back to you.

Thanks mate.

_az · March 19, 2018, 8:09am

Linode nameservers have a ~20 minute delay on them.

However, it should be working right now, they're no longer advertising the AAAA record.

If you're still getting errors, the problem is elsewhere.

VeeK727 · March 19, 2018, 8:34am

Its working now. Thanks a lot man.

system · April 18, 2018, 8:34am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.