Invalid response from http://zab.ordana.net/.well-known/acme-challenge/YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo: 400

Hello letsencrypt Team!

I haven't been able to renew certificates for a few days. It works over IPv4 but not IPv6. We are not using iptables and have not made any changes to the domain or firewall. The website can be reached via IPv6 and IPv4, and on port 80 there is a redirect to 443. This has always worked flawlessly so far!

Thank you for your help!

My domain is: zab.ordana.net

I ran this command: Thu, 11 Aug 2022 05:08:33 GMT

It produced this output:

2022-08-11 07:08:33,887:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3301501384:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82NDkwNzg5IiwgIm5vbmNlIjogIjAwMDJoQmRVNlFrdVR0TnVJWEhHQVlnd2hrT0o1V0ljLUlac3dsN0FMTFlaZUhFIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzMzMDE1MDEzODQifQ",
"signature": "lIKgDffeFEyJ55IVMgtAex8N2ScJ40PVsUCjVAT5tXfq1Lx2-LcMDzLv1JUMCLWTd5L_3WK3BGVbCY0fx_HgQ6tkLcRssu9QYNPvehGAlxv-_FObcqNkPMHfnSv9uhf51_QgZmoU7J-9vRGHFikON8jUjYIrCp1G5ySw1ovTPp5Ms_Mq7dcJU9UyBRR-dFuEyp3Y6eYcy5Gvx6m0wICuNI7fHwQa-slTO1nthUooCQGwcI-I_NMJWJyvW5-_rf3_x2tVNPCc2cwluUZMJGUuxbMuNgtv7xbL3nuLAMlJNOmkTzbRtJ6HamXO48hYSsA1h6EmmIbv-ZNhBQBJeiwH3w",
"payload": ""
}
2022-08-11 07:08:34,039:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/3301501384 HTTP/1.1" 200 1085
2022-08-11 07:08:34,041:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 11 Aug 2022 05:08:33 GMT
Content-Type: application/json
Content-Length: 1085
Connection: keep-alive
Boulder-Requester: 6490789
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001LBgT5A6-OP4IJi711-6XxuQt5zkyAGHs1m6EgmcKLbg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "zab.ordana.net"
},
"status": "invalid",
"expires": "2022-08-18T05:08:32Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "2a01:4f8:1c0c:80b3::2: Invalid response from http://zab.ordana.net/.well-known/acme-challenge/YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo: 400",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3301501384/Sacmvg",
"token": "YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo",
"validationRecord": [
{
"url": "http://zab.ordana.net/.well-known/acme-challenge/YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo",
"hostname": "zab.ordana.net",
"port": "80",
"addressesResolved": [
"195.201.252.224",
"2a01:4f8:1c0c:80b3::2"
],
"addressUsed": "2a01:4f8:1c0c:80b3::2"
}
],
"validated": "2022-08-11T05:08:32Z"
}
]
}
2022-08-11 07:08:34,042:DEBUG:acme.client:Storing nonce: 0001LBgT5A6-OP4IJi711-6XxuQt5zkyAGHs1m6EgmcKLbg
2022-08-11 07:08:34,042:WARNING:certbot.auth_handler:Challenge failed for domain zab.ordana.net
2022-08-11 07:08:34,043:INFO:certbot.auth_handler:http-01 challenge for zab.ordana.net
2022-08-11 07:08:34,043:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: zab.ordana.net
Type: unauthorized
Detail: 2a01:4f8:1c0c:80b3::2: Invalid response from http://zab.ordana.net/.well-known/acme-challenge/YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo: 400

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2022-08-11 07:08:34,045:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-08-11 07:08:34,045:DEBUG:certbot.error_handler:Calling registered functions
2022-08-11 07:08:34,045:INFO:certbot.auth_handler:Cleaning up challenges
2022-08-11 07:08:34,046:DEBUG:certbot.plugins.webroot:Removing /var/www/www.zahnaerzte-am-breidenplatz.de/htdocs/.well-known/acme-challenge/YJXtpoqNspEIpHpa7kDLz-JmP_FHqaUJTaJFpNGprqo
2022-08-11 07:08:34,046:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2022-08-11 07:08:34,047:ERROR:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

My web server is (include version): Server version: Apache/2.4.41 (Ubuntu), Server built: 2022-06-14T13:30:55

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: Hetzner ( vm )

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no (cli only)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

If you look at Let's Debug you will see that your domain points to both an IPv6 address and an IPv4 address. They are returning different results.

Usually this means you have an AAAA record in your DNS that's pointing to the wrong server, and you can either delete it or point it to the correct server (if your server does indeed have an IPv6 address).

2 Likes

Thanks for answering! But our server has the following IPs on eth0:

IPv4 address for eth0: 195.201.252.224
IPv4 address for eth0: 49.12.200.100
IPv6 address for eth0: 2a01:4f8:1c0c:80b3::2

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 96:00:00:d6:7f:24 brd ff:ff:ff:ff:ff:ff
inet 195.201.252.224/32 scope global eth0
valid_lft forever preferred_lft forever
inet 49.12.200.100/32 scope global dynamic eth0
valid_lft 78200sec preferred_lft 78200sec
inet6 2a01:4f8:1c0c:80b3::2/64 scope global
valid_lft forever preferred_lft forever
inet6 2a01:4f8:1c1c:fb4e::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9400:ff:fed6:7f24/64 scope link
valid_lft forever preferred_lft forever

So the addresses in DNS are OK:

"addressesResolved": [
"195.201.252.224",
"2a01:4f8:1c0c:80b3::2"

Thanks for your help!

2 Likes

Cool, yes, that is right.

Nonetheless, they do produce very significantly different behavior when accessed from the outside world. You can see this by running curl -4 zab.ordana.net and curl -6 zab.ordana.net on a separate server that has IPv6 connectivity. (Or maybe even on that same server, potentially.) The response and error condition are quite different.

So, you must identify and remove the reason for this discrepancy in behavior. Specifically, it seems that the IPv6 connection (even though it is a correct address for your server) is producing an error which is not produced for IPv4.

4 Likes
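The check suggested above (curl -4 versus curl -6 against the challenge path), written out as a small script that probes every A and AAAA address the name resolves to and reports which ones answer differently. This is an added example, not code from the thread or from Certbot; the validationRecord in the log above shows the CA used the AAAA address, so every resolved address has to serve the challenge path the same way. The hostname, token and addresses it is run with are taken from the thread; the status codes in the docstrings are assumptions about what the ACME server accepts.

```python
"""Probe an http-01 challenge URL over every address a name resolves to.

Added diagnostic, not from the thread or from Certbot. It does what
`curl -4` / `curl -6` show, but side by side: the CA connects to one of the
resolved addresses (the thread's validationRecord used the AAAA one), so
every A/AAAA address must answer the challenge path the same way.
"""
import http.client
import socket
from typing import Dict, List, Tuple

# Status codes the CA can work with: 200 with the key authorization body, or a
# redirect it follows (the 301 to https in this thread is fine). Assumption.
ACCEPTABLE_STATUSES = {200, 301, 302, 303, 307, 308}


def ip_family(ip: str) -> str:
    """Classify a textual address as IPv4 or IPv6."""
    return "IPv6" if ":" in ip else "IPv4"


def resolve_all(hostname: str) -> List[str]:
    """Return the distinct A and AAAA addresses for hostname, in resolver order."""
    addresses: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, 80, type=socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        if ip not in addresses:
            addresses.append(ip)
    return addresses


def fetch_via(ip: str, hostname: str, path: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET http://<ip><path> with Host: <hostname>, without following redirects.

    Connecting to the literal address pins the address family; sending the
    real Host header keeps Apache's name-based vhost selection the same as
    for the CA's request.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname, "Connection": "close"})
        resp = conn.getresponse()
        return resp.status, resp.reason
    finally:
        conn.close()


def summarize(responses: Dict[str, Tuple[int, str]]) -> Dict[str, object]:
    """Flag addresses that did not answer acceptably and whether all agreed."""
    failing = [
        ip for ip, (status, _reason) in responses.items()
        if status not in ACCEPTABLE_STATUSES
    ]
    statuses = {status for status, _reason in responses.values()}
    return {"consistent": len(statuses) <= 1, "failing": failing}


def probe_challenge(hostname: str, token: str) -> Dict[str, object]:
    """Resolve hostname, fetch the challenge path over each address, summarize."""
    path = f"/.well-known/acme-challenge/{token}"
    responses: Dict[str, Tuple[int, str]] = {}
    for ip in resolve_all(hostname):
        try:
            responses[ip] = fetch_via(ip, hostname, path)
        except OSError as exc:  # refused, timed out, or family not reachable from here
            responses[ip] = (0, f"connect error: {exc}")
    report = summarize(responses)
    report["responses"] = responses
    return report


if __name__ == "__main__":
    import sys

    # Usage: python probe_challenge.py zab.ordana.net <token from the certbot log>
    result = probe_challenge(sys.argv[1], sys.argv[2])
    for ip, (status, reason) in result["responses"].items():
        print(f"{ip_family(ip)} {ip}: {status} {reason}")
    print("consistent:", result["consistent"], "failing:", result["failing"])
```

Run it from a host that has both IPv4 and IPv6 connectivity; a 0 status means the connection itself failed for that address, which is reported separately from an HTTP error such as the 400 in the thread.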

Yes, make sure Apache is configured to listen on all required interfaces, including IPv6, see Binding to Addresses and Ports - Apache HTTP Server Version 2.4

3 Likes

Yes in our config:

<VirtualHost [2a01:4f8:1c0c:80b3::2]:443>
DocumentRoot ....
...
...

<VirtualHost [2a01:4f8:1c0c:80b3::2]:80>
ServerName zab.ordana.net
Redirect 301 / https://zab.ordana.net/

/etc/apache/ports.conf:

Listen 80
Listen 443
Listen 443

Greets Maik

1 Like

We have not adjusted or changed anything in our configuration. The problem was there all of a sudden.

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

--

We have a 301 redirect on IPv6 port 80 to https://zab.ordana.net. Unfortunately, we now have the problem generally on the entire server with all domains.

The error was found in the config of another vhost. There was a directive for SSL on port 80! Many thanks for the help! P.S. We donate more because it was a Layer 8 problem :wink:

5 Likes
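The root cause in the final post (an SSL directive inside a vhost on port 80, which makes mod_ssl answer plain HTTP with the 400 "You're speaking plain HTTP to an SSL-enabled server port" page quoted above) is easy to miss when it lives in a different site's config file. Below is an added check, not code from the thread or from Apache, that parses vhost configuration text and reports every `SSLEngine on` that sits inside a `<VirtualHost>` bound to a plain-HTTP port. The sample configuration and the DocumentRoot paths in it are constructed; the address and server name are the ones quoted in the thread.

```python
"""Find `SSLEngine on` inside a VirtualHost bound to a plain-HTTP port.

Added check, not from the thread or from Apache. The regexes and the sample
configuration below are constructed; only the address and ServerName come
from the thread. mod_ssl answers plain HTTP on such a vhost with the 400
"You're speaking plain HTTP to an SSL-enabled server port" page, which is
what the CA's http-01 probe received over IPv6.
"""
import re
from typing import Dict, List, Optional

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>$", re.IGNORECASE)
SSLENGINE_ON = re.compile(r"^SSLEngine\s+on$", re.IGNORECASE)
# One address in a <VirtualHost> spec: a bare IPv4/hostname/*, or a bracketed
# IPv6 literal, optionally followed by :port or :*.
ADDR_TOKEN = re.compile(r"^(\[[^\]]+\]|[^:\s]+)(?::(\d+|\*))?$")


def vhost_ports(addr_spec: str) -> List[Optional[int]]:
    """Ports named in a VirtualHost address list.

    None stands for "every Listen port" (port omitted or '*'), which includes
    port 80 whenever ports.conf has `Listen 80`.
    """
    ports: List[Optional[int]] = []
    for token in addr_spec.split():
        m = ADDR_TOKEN.match(token)
        port = m.group(2) if m else None
        ports.append(int(port) if port and port.isdigit() else None)
    return ports


def find_ssl_on_http_ports(config_text: str, http_ports=(80,)) -> List[Dict[str, object]]:
    """One finding per `SSLEngine on` inside a vhost that listens on an HTTP port."""
    findings: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None  # the <VirtualHost> we are inside, if any
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines only
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"line": line_no, "spec": opened.group(1).strip()}
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        if current is not None and SSLENGINE_ON.match(line):
            ports = vhost_ports(str(current["spec"]))
            if any(p is None or p in http_ports for p in ports):
                findings.append({
                    "vhost_line": current["line"],
                    "vhost": current["spec"],
                    "sslengine_line": line_no,
                })
    return findings


# Constructed sample: the two vhosts quoted in the thread, plus a second site
# on the same server that carries the mistake described in the final post.
SAMPLE_CONFIG = """\
<VirtualHost [2a01:4f8:1c0c:80b3::2]:80>
    ServerName zab.ordana.net
    Redirect 301 / https://zab.ordana.net/
</VirtualHost>

<VirtualHost [2a01:4f8:1c0c:80b3::2]:443>
    ServerName zab.ordana.net
    SSLEngine on
    DocumentRoot /var/www/zab
</VirtualHost>

# A different site on the same server: SSLEngine on in the port-80 vhost.
<VirtualHost [2a01:4f8:1c0c:80b3::2]:80 *:80>
    ServerName other.example
    SSLEngine on
    DocumentRoot /var/www/other
</VirtualHost>
"""


if __name__ == "__main__":
    import sys

    # Usage: python find_ssl_on_80.py /etc/apache2/sites-enabled/*.conf
    # With no arguments the constructed sample is scanned instead.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_CONFIG)]
    for name, text in sources:
        for f in find_ssl_on_http_ports(text):
            print(f"{name}: vhost at line {f['vhost_line']} ({f['vhost']}) "
                  f"has SSLEngine on at line {f['sslengine_line']}")
```

The scanner deliberately treats a vhost with no explicit port as listening on every Listen port, since such a vhost also answers port 80. Once a finding is fixed, `apache2ctl -S` shows which vhost is the default for each address:port pair, which is the one whose SSLEngine setting decides how a plain-HTTP connection on that port is handled.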

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.