Invalid response from /.well-known/acme-challenge/ when running certbot --apache (Apache, Ubuntu 20.04)

My domain is:

I ran this command: certbot --apache

It produced this output:

Domain: website.com Type: unauthorized Detail: Invalid response from https://website.com/.well-known/acme-challenge/KfHqC9jlLM4kDrCkXEVCbWptpRw5sM8IEW1KrkHHdec [2606:4700:3031::ac43:9a53]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Domain: www.website.com Type: unauthorized Detail: Invalid response from https://www.website.com/.well-known/acme-challenge/Tu_rA1qZqphdzQ46_Jb6UTHERvuUsme4-G-WQmdVP4c [2606:4700:3035::6815:309f]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0


I have just migrated my sites to this fresh server; previously everything was working fine (using LE on Ubuntu 16.04). For all the other sites I was able to use certbot --apache just fine to set up SSL on my new server. This leads me to believe my virtual host file is possibly set up incorrectly, so this is the .conf file for this domain:

<VirtualHost *:80>
    ServerAdmin admin@website.com
    DocumentRoot /var/www/website.com/public_html
    ServerName website.com
    ServerAlias www.website.com

    <Directory /var/www/website.com/public_html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <IfModule mod_dir.c>
        DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
    </IfModule>
</VirtualHost>

When I rename the well-known folder, the error changes slightly:

   Domain: website.com
   Type:   unauthorized
   Detail: Invalid response from
   https://website.com/.well-known/acme-challenge/S9CHpUEq3o64XTgRfE1Q83--5CjARVUpzPUF8oEyWZg
   [2606:4700:3035::6815:309f]: "<!DOCTYPE html>\n<html
   lang=\"en-US\">\n<head>\n\t<meta http-equiv=\"Content-Type\"
   content=\"text/html; charset=UTF-8\" />\n\t<meta name=\"v"

   Domain: www.website.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.website.com/.well-known/acme-challenge/vkCQocNUC0Fg36Aqr_4LtJ8cfP9tgcyFZQ0u84zk8T0
   [2606:4700:3031::ac43:9a53]: "<!DOCTYPE html>\n<html
   lang=\"en-US\">\n<head>\n\t<meta http-equiv=\"Content-Type\"
   content=\"text/html; charset=UTF-8\" />\n\t<meta name=\"v"

I have an A record set up for the server's IP address, and another A record targeting www pointed at the IP as well. I also use Cloudflare, in case this matters.

I have seen other people have similar errors but they mostly seem to be on nginx, so I wasn't able to determine a good strategy to fix this.

Thanks

The error is on IPv6, so you should check your AAAA records. (Quite important, if you migrated servers)

2 Likes

Thanks for this.

I don't have any AAAA records set up, just the two A records pointing at my server's IPv4. This is the same setup as I use with my other websites. I don't have IPv6 enabled on this server, nor on my old one. Oddly though, I did have AAAA records before, according to SecurityTrails, pointing at what I assume is my old server's IPv6, proxied through Cloudflare.

I'm a bit confused as to why IPv6 is being used for this particular website. How do I know what to put as my AAAA record(s)?

Thanks

1 Like

You put your server's IPv6. If it doesn't have one, you remove the AAAA records.

(You can discover what it is through your provider)

1 Like

My server doesn't have IPv6. I have the option to enable it in DigitalOcean. I do not have any AAAA records.

This shows otherwise:

Whoever manages the DNS for your domain, you need to login to their control panel, and delete that DNS AAAA record.

3 Likes

I would check myself but I need your actual domain name to do so.

1 Like

There are no AAAA records in my DNS settings (Cloudflare). However when I check with mxtoolbox two AAAA records show up. So I tried flushing my DNS cache with systemd-resolve --flush-caches, and I still get the same error. It's been about 10 hours since I deleted the old AAAA records.

Ah, I see.

You have Cloudflare's proxy enabled on your domain, which implicitly gives you AAAA records. But it also means that the AAAA records are not the problem.

I would check that your website actually loads when you visit it in a browser. If you see the Cloudflare "origin error" page or similar, you're going to need to go into Cloudflare and change your SSL setting to "Flexible" (see https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/). You should be able then to get a certificate, and change the setting back to "Full" or "Strict".

4 Likes
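The two checks the replies above turn on (does the name answer with AAAA records even though the origin has none, and does the challenge path actually return the token rather than an HTML error page) can be scripted. The following is an added example written for this page, not code from the thread or from Certbot; `website.example`, the `probe-` token and the `selftest` suffix are constructed placeholders, and the live probe assumes `dig` and `curl` are installed and that the script runs on the Apache host with the `DocumentRoot` shown in the posted vhost.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread).
# Placeholders: DOMAIN is a constructed name; DOCROOT is the DocumentRoot
# from the vhost posted above.
DOMAIN="${DOMAIN:-website.example}"
DOCROOT="${DOCROOT:-/var/www/website.com/public_html}"

# classify_answer A_LIST AAAA_LIST
# Prints a one-word verdict from the address lists the resolver returned.
# An AAAA answer while the origin has no IPv6 usually means a stale record
# or, as in this thread, a CDN proxy answering on the domain's behalf.
classify_answer() {
    a_list="$1"; aaaa_list="$2"
    if [ -z "$a_list" ] && [ -z "$aaaa_list" ]; then
        echo "no-records"
    elif [ -n "$aaaa_list" ]; then
        echo "ipv6-present"    # the CA validator will use these addresses
    else
        echo "ipv4-only"
    fi
}

# challenge_ok BODY TOKEN
# Returns 0 when BODY is an HTTP-01 key authorization for TOKEN, i.e. the
# token followed by a dot and the account key thumbprint. Any HTML page
# (the 404 and the CDN error page quoted in the thread) fails this check.
challenge_ok() {
    body="$1"; token="$2"
    case "$body" in
        "$token".*) return 0 ;;
        *)          return 1 ;;
    esac
}

# live_probe: run both checks against real DNS and HTTP (needs network).
# It drops a self-test file into the challenge directory, fetches it over
# IPv4 and IPv6 separately, and removes it again.
live_probe() {
    a=$(dig +short A "$DOMAIN")
    aaaa=$(dig +short AAAA "$DOMAIN")
    echo "A:    $a"
    echo "AAAA: $aaaa"
    echo "verdict: $(classify_answer "$a" "$aaaa")"

    token="probe-$$"   # constructed token, not a real ACME challenge
    mkdir -p "$DOCROOT/.well-known/acme-challenge"
    echo "$token.selftest" > "$DOCROOT/.well-known/acme-challenge/$token"
    for ipver in -4 -6; do
        body=$(curl -s "$ipver" -L "http://$DOMAIN/.well-known/acme-challenge/$token" || true)
        if challenge_ok "$body" "$token"; then
            echo "IPv${ipver#-}: challenge served"
        else
            echo "IPv${ipver#-}: NOT served, got: $(printf '%s' "$body" | head -c 80)"
        fi
    done
    rm -f "$DOCROOT/.well-known/acme-challenge/$token"
}

if [ "${1:-}" = "--live" ]; then
    live_probe
fi
```

Run it with `--live` on the server as root; the IPv6 line failing while the IPv4 line succeeds reproduces the situation in this thread, and the body excerpt shows which layer (origin 404 versus CDN page) answered.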

This fixed it, thanks!

1 Like
