Invalid response from .well-known/acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://alexgrow.biz/

I ran this command: sudo certbot --nginx -d www.alexgrow.biz -d alexgrow.biz

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.alexgrow.biz and alexgrow.biz

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: alexgrow.biz
  Type:   unauthorized
  Detail: Invalid response from http://alexgrow.biz/.well-known/acme-challenge/6BG9GOa9zXG0bWIZRkSvr59Vs7t_L4KI5_wRXJNGiXw [2a03:b0c0:3:d0::11a3:1001]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

  Domain: www.alexgrow.biz
  Type:   unauthorized
  Detail: Invalid response from http://www.alexgrow.biz/.well-known/acme-challenge/o6kI9sdIEJLckX84THFAd1D-Qbh-MsLr8C-9VuQ9Cxo [2a03:b0c0:3:d0::11a3:1001]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Ubuntu 20.04.3 LTS

The operating system my web server runs on is (include version): GNU/Linux 5.4.0-81-generic x86_64

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

My nginx config:

server {
        listen 80;
        server_name alexgrow.biz www.alexgrow.biz;
        root /var/www/alexgrow;
        index index.php index.html;

        access_log  /var/log/nginx/alexgrow-access.log;
        error_log   /var/log/nginx/alexgrow-error.log;

        location ~ /\.ht {
           deny all;
        }

        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
            include snippets/fastcgi-php.conf;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }


        location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf)$ {
           expires max;
           add_header Cache-Control "public, no-transform";
        }
}
1 Like

Hi @7erj and welcome to the LE community forum :slight_smile:

There is a problem with your site's IPv6 path:

curl -Ii4 alexgrow.biz
HTTP/1.1 200 OK

curl -Ii6 alexgrow.biz
HTTP/1.1 403 Forbidden
Name:      alexgrow.biz
Addresses: 2a03:b0c0:3:d0::11a3:1001
           161.35.26.205

Lacks IPv6 binding.

Try adding:
listen [::]:80;

If that fails, check your IPv6 address, with:
curl -6 ifconfig.co
[which should match the entry found in DNS]

2 Likes

Ooh, thanks very much! :slightly_smiling_face:
But why do I have a problem with my IPv6? I have added this IP in my control panel on DigitalOcean (screenshot, if you can see it: this is a different domain on the same server and it has the same IPv6 with a Let's Encrypt cert). I have several domains on the server and did the same with each domain and had no problems. But this domain is exploding my brain :grinning:

2 Likes

I wouldn't know why.
You should ask the manager of that control panel (likely your Hosting Service Provider [HSP]).

OR
Review/compare the vhost config files [look at the listen lines]

I think I provided you with the "fix".

2 Likes

Okay, thank you!
I'll do it!

2 Likes

That second site also has IPv6 problems!

curl -Ii4 obana.com.ua
HTTP/1.1 301 Moved Permanently

curl -Ii6 obana.com.ua
HTTP/1.1 404 Not Found
2 Likes

ooh :confused:
that is not good

1 Like

Please show the output of:
curl -6 ifconfig.co

2 Likes

I have added this line and it works :face_with_monocle:
But now I have this problem; maybe this problem is bound to the TTL? Or something of the sort...

Console output

And I noticed that this cert is for another domain from my server

Seems to be working from my end, maybe clear your browser's cache? Never mind that, OpenSSL was using IPv6, which is working fine, but IPv4 is not working properly indeed..

What's the current content of /etc/nginx/sites-enabled/alexgrow ?

3 Likes

Sorry, I meant the file alexgrow, the nginx configuration file didn't have .biz on the end, my bad. I've edited my post above. Please show the contents of the file :slight_smile: (the files shown now are symbolic links to the actual configuration files in /sites-available/, you should be able to open the file alexgrow and see the contents to put here.)

3 Likes
server {
        server_name alexgrow.biz www.alexgrow.biz;
        root /var/www/alexgrow;
        index index.php index.html;

        access_log  /var/log/nginx/alexgrow-access.log;
        error_log   /var/log/nginx/alexgrow-error.log;

        location ~ /\.ht {
           deny all;
        }

        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
            include snippets/fastcgi-php.conf;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf)$ {
           expires max;
           add_header Cache-Control "public, no-transform";
        }

        listen [::]:443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/www.alexgrow.biz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.alexgrow.biz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
        if ($host = alexgrow.biz) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = www.alexgrow.biz) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen [::]:80;
        server_name alexgrow.biz www.alexgrow.biz;
        return 404; # managed by Certbot
}

Hm, strange, the two listen directives for port 80 and port 443 are essentially the same. But for some reason HTTP on port 80 works fine, both IPv4 and IPv6, while HTTPS on port 443 works for IPv6 but not for IPv4? WEIRD!

You could try to add ipv6only=off to the listen [::]:443 directive, but I'm not sure why that wouldn't be necessary for the port 80 listen directive..

3 Likes

something like that? listen [::]:443 ipv6only=off ssl; # managed by Certbot

listen [::]:443 ipv6only=off ssl; // nginx error
listen [::]:443 ipv6only=off; // nginx error
listen [::]:443 ssl ipv6only=off; // nginx error

1 Like

Correct.

3 Likes

I have an error :frowning: