Invalid response from .well-known/acme-challenge on Rocky 9

I have read all the other posts on this issue and the problem is usually webroot or DNS. I don't think that is my issue here, please help.....

My domain is:

electservices.biz

I ran this command:

##################
certbot run -a webroot -i apache -w /var/www/html/electservices.biz/html/ -d electservices.biz -d www.electservices.biz

It produced this output:

Requesting a certificate for electservices.biz and www.electservices.biz

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: electservices.biz
Type: unauthorized
Detail: 2607:f1c0:100f:f000::200: Invalid response from http://electservices.biz/.well-known/acme-challenge/-mdXWvjjArLLV2zB7DnuLpNz2t8ZJBNcGWXK-fZaOmA: 204

Domain: www.electservices.biz
Type: unauthorized
Detail: 2607:f1c0:100f:f000::200: Invalid response from http://www.electservices.biz/.well-known/acme-challenge/eN9Px5Nbf1wUlmHl1VnDJsypqH54bMln0goXkQ0rI3w: 204

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

###################
My web server is (include version):
/usr/sbin/httpd -v
Server version: Apache/2.4.53 (Rocky Linux)
Server built: Jul 20 2022 00:00:00

The operating system my web server runs on is (include version):

cat /etc/system-release

Rocky Linux release 9.1 (Blue Onyx)

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.1.0

I have done this on numerous Cent 7, Cent 8 and Rocky 8 servers previously without issue.

Things I have checked:

  • My A record is pointed to the correct Ip
    sgingell@Shanes-MacBook-Pro-2 ~ % nslookup electservices.biz

Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: electservices.biz
Address: 50.21.182.158

  • I CAN download a test file @ /webroot/.well-known/acme-challenge/ this tells me layer 4 to my server (port 80) is good as well as http config, webroot, ownership/permissions etc etc

http://electservices.biz/.well-known/acme-challenge/DedSKH9zCxHWEFi27_CMNrm53hKLiddAM462bX2pA9Q without issue.

  • my webroot is : /var/www/html/electservices.biz/html/

cat /etc/httpd/conf.d/default-site.conf
<VirtualHost *:80>
ServerName electservices.biz
ServerALias www.electservices.biz
ServerAdmin

DirectoryIndex index.html index.php
DocumentRoot /var/www/html/electservices.biz/html/

Proxy declaration

<Proxy "unix:/run/php-fpm/www.sock|fcgi://php-fpm">
   # we must declare a parameter in here (doesn't matter which) or 
   # it'll not register the proxy ahead of time

   ProxySet disablereuse=off

   # Note: If you configure php-fpm to use the "pm = ondemand" 
   #then use "ProxySet disablereuse=on"
 </Proxy>

    <Directory /var/www/html/electservices.biz/html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/electservices.biz_error.log
    CustomLog /var/log/httpd/electservices.biz_access.log combined

As the error suggests, Let's Encrypt is trying to connect to the IPv6 address of your domain.

That address points to some nginx server, not to your Apache server.

Correct or remove the IPv6 address (the DNS AAAA record) and the problem should go away.

5 Likes

It would appear that you problem is solved.
There was a certificate issued on 2023-01-25 https://crt.sh/?q=electservices.biz
Let's Debug has OK results for the HTTP-01 Challenge https://letsdebug.net/electservices.biz/1352317
And the A results here SSL Server Test: electservices.biz (Powered by Qualys SSL Labs) with the certificate issued on 2023-01-25.