Let's Encrypt 401 when challenge ACME

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: phucsinh.hopto.org

I ran this command: certbot certonly --webroot -w /var/www/phucsinh.hopto.org/html -d phucsinh.hopto.org

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: phucsinh.hopto.org
  Type:   unauthorized
  Detail: 2001:ee0:4f3a:2834:95ec:c328:3c48:cc60: Invalid response from http://phucsinh.hopto.org/.well-known/acme-challenge/0Y-NDqiHJwMcZyeDo0xA_mFved7f4xt-oIv_zFef7L4: 401

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): just nginx and a single html file

The operating system my web server runs on is (include version): Ubuntu 22.10

My hosting provider, if applicable, is: Personal on Raspberry Pi 4

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.29.0

Hello @minhtranes, welcome to the Let's Encrypt community. 🙂

You are using the HTTP-01 challenge (see Challenge Types - Let's Encrypt).
The HTTP-01 challenge requires access to port 80 (see Best Practice - Keep Port 80 Open).

$ nmap -Pn phucsinh.hopto.org
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-22 15:15 UTC
Nmap scan report for phucsinh.hopto.org (123.21.76.137)
Host is up (0.26s latency).
Other addresses for phucsinh.hopto.org (not scanned): 2001:ee0:4f3a:2834:95ec:c328:3c48:cc60
Not shown: 947 filtered ports, 47 closed ports
PORT     STATE SERVICE
443/tcp  open  https
888/tcp  open  accessbuilder
9000/tcp open  cslistener
9001/tcp open  tor-orport
9002/tcp open  dynamid
9050/tcp open  tor-socks

Nmap done: 1 IP address (1 host up) scanned in 28.14 seconds

Me thinks the problem may be IPv6 related.


Agree!


I used to use LE, and it works well with another modem. They’re different models. So I think I would try with the previous one.

Quite a lot of home ISPs have a hard time keeping IPv6 prefixes assigned to you; it may have changed while you didn't notice.


Yes, however I think IPv6 is only used for the LE challenge phase, right? As usual, the communication to our web server is through IPv4.

Maybe I'm not fully grasping the context of your question...
So, bear 🍺 with me while I try to address most of the possible meanings I've imagined for it.

LE prefers IPv6 [over IPv4] when present and operational.
That said, LE will NOT follow links to IPs, nor to random ports [other than 80 and 443].

Including this statement into the thought:

Anyone who uses a browser [and has IPv6] might also try connecting to your site that way and encounter problems if that path is broken.
IPv4 is not only for "usual communications" and IPv6 is not for "unusual communications".
IPv4 and IPv6 are basically equal for their common uses.
It's like listening to the radio via AM, FM (or XM) [paying no attention to the stereo effects].
If you advertise your station on AM and FM, then it should be heard on both of those channels.
Likewise, if your FQDN resolves to both IPv4 and IPv6 addresses, your site should be found via both.

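A self-check an operator can run before asking the CA again, as an added example that is not from the thread or from Certbot: it resolves the FQDN to every published A and AAAA record, tries IPv6 first as the CA prefers, and fetches a challenge file over plain HTTP on port 80 from each address with the FQDN as Host header, so a closed port shows up as "unreachable" and a misrouted request shows up as its HTTP status (the 401 above). The token and file content are constructed placeholders, and start_test_webroot is a local helper for testing only, not part of any real deployment.

```python
import functools
import http.client
import os
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

ACME_PATH = "/.well-known/acme-challenge/"

def resolve_all(hostname):
    """Every A/AAAA address published for the FQDN, IPv6 first as the CA prefers it."""
    addrs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in [ip for _, ip in addrs]:
            addrs.append((family, sockaddr[0]))
    addrs.sort(key=lambda a: a[0] != socket.AF_INET6)
    return addrs

def fetch_challenge(hostname, ip, token, port=80, timeout=5.0):
    """GET the challenge file from one specific address, sending the FQDN as Host; returns
    ("ok", body), ("http", status) such as the 401 above, or ("unreachable", error)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        return ("ok", body) if resp.status == 200 else ("http", resp.status)
    except OSError as exc:
        return ("unreachable", str(exc))
    finally:
        conn.close()

def check_domain(hostname, token):
    """Probe every published address; a closed port 80 shows up as 'unreachable'."""
    results = {}
    for _, ip in resolve_all(hostname):
        results[ip] = fetch_challenge(hostname, ip, token)
        print(f"{ip:>40}  {results[ip][0]}  {results[ip][1]}")
    return results

def start_test_webroot(token, content, bind="127.0.0.1"):
    """Local testing helper only: serve a throwaway webroot holding one challenge file."""
    root = tempfile.mkdtemp()
    os.makedirs(root + ACME_PATH)
    with open(root + ACME_PATH + token, "w") as fh:
        fh.write(content)  # constructed placeholder content, not a real key authorization
    server = ThreadingHTTPServer((bind, 0), functools.partial(SimpleHTTPRequestHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Run `check_domain("phucsinh.hopto.org", "<token written by certbot>")` while a challenge file is in the webroot; any address that reports "unreachable" is one the CA cannot use either.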

Thank you @rg305 ,

I brought my Raspberry Pi to the previous home ISP modem, and it works like a charm.
Basically, the main difference is the port 80 open status. I made no change on the Raspberry Pi, just changed the modem: on one, port 80 is always closed; on the other it is open.

Anyway, thanks so much


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.