Invalid response on acme-challenge but can access files in the directory


#1

Hi,
I’m having problem with the acme-challenge for letsencrypt. I can see the output when I create a textfile in /var/www/domain/public /.well-known/acme-challenge/text.txt and access it through http://domain.com/.well-known/acme-challenge/text.txt or create a file for the token in the acme-challenge and the browser downloads it.

I have tried with both --webroot and --manual methods but they produce the same problem. I’ve also tried to install the certificate with sudo certbot --nginx etc.

I ran this command:
sudo certbot certonly --webroot -w /var/www/domain/public -d domain.com

It produced this output:

Failed authorization procedure. domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/{token}: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
Th"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.com/.well-known/acme-challenge/{token}:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <HTML><HEAD>
   <TITLE>404 Not Found</TITLE>
   </HEAD><BODY>
   <H1>Not Found</H1>
   Th"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know):
yes


#2

Hi @certbotsi

what’s your domain name and your hoster?


#3

@JuergenAuer The domain dropshipping.se/ and hoster is inleed.


#4

There are two older Letsencrypt-certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:dropshipping.se;issuer_uid:4428624498008853827&lu=cert_search

How did you create these certificates?

Sometimes, hoster have own solutions implemented. So they manage /.well-known/acme-challenge/ direct.

Yep - inleed has it:

https://www.inleed.se/inleed/nyheter/gratis-ssl-certifikat-med-lets-encrypt

Check, if you can use that.


#5

Thanks for helping @JuergenAuer !

I previosly had two certificates for two different domains. I forgot to renew (the domain above) and the renewal process gave multiple errors and I couldn’t resolve it so I deleted the certificates. Now i’m trying to reinstall it.

I don’t remember exactly how I installed them… but i’t was probobly with sudo certbox --nginx.

I don’t think I can use Inleeds certificate since I don’t have a control panel.


#6

Then create a file

/var/www/dropshipping.se/public/.well-known/acme-challenge/123456789

and check, if you can load it per

http://dropshipping.se/.well-known/acme-challenge/123456789

The test.txt doesn’t work.


#7

The textfile in acme-challenge is text.txt. I have also uploaded a 123456789 file that you should be able to see in browser.


#8

Your file is ok. But there is a problem with your dns-settings:

https://letsdebug.net/dropshipping.se/3576

IPv4IPv6Discrepancy

Warning

dropshipping.se has both AAAA (IPv6) and A (IPv4) records. While they both appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that the IPv4 and IPv6 addresses may unintentionally point to different servers, which would cause validation to fail.

[Address Type=IPv4,Server=nginx/1.10.3 (Ubuntu),HTTP Status=404] vs [Address Type=IPv6,Server=nginx,HTTP Status=404]

You have an ipv4 and an ipv6 - address. But the content is different. Perhaps remove the ipv6 - entry, create the certificate and fix the ipv6 - problem.


#9

Ah, so it could be the above error. How do I remove the ipv6 entry?


#10

Check your dns - menu. There, where you manage domainname -> ip-address. That may be inleed. It’s possible that you have another dns-provider.


#11

Great, the certbot installation was succesful! Thanks for the help @JuergenAuer.


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.