Let's Encrypt fails for one domain on vestacp

I have three domains on vestacp. I have followed the instructions on this git page.

It works flawlessly for two domains. For the third domain, the verification fails with a 404 message as below.

Failed authorization procedure.domain3.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from domain3.com/.well-known/acme-challenge/QT37i-SBWOM5EL9mQgVvFFepBeeNAI5GBoqz_qBfVCE: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: domain3.com
Type: unauthorized
Detail: Invalid response from
http://domain3.com/.well-known/acme-cha ... OIat_IQYjY:
"

404 Not Found

Not Found

<p"

Domain: domain3.com
Type: unauthorized
Detail: Invalid response from
http://www.domain3.com/.well-known/acme ... oqz_qBfVCE:
"

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Let's Encrypt returned an error status. Aborting.

Just to clarify, domain3.com is accessible via the web and has records set up for domain.com and www.domain.com as well.

Place a test text file at: http://domain3.com/.well-known/acme-challenge/test.text
And see if it is accessible from the Internet.

Yes, I just placed a text file and I was able to publicly access it from the web.
But when I try the command
letsencrypt-vesta admin domain3.com
I get the 404 error.

Did you check about IPv6 AAAA records? (We would have checked ourselves, but you didn’t tell us your real domain name.)

Domain is connecticut-houses.com

Thanks! Yes, you have an IPv6 address advertised in DNS.

connecticut-houses.com has address 172.104.12.7
connecticut-houses.com has IPv6 address 2600:3c03::f03c:91ff:fe92:4e04

The web content returned by the web server on the two addresses is totally different, and this is the source of your problem. VestaCP and other Let’s Encrypt clients are presumably able to change the content on your IPv4 web site but not on your IPv6 web site. The Let’s Encrypt CA defaults to connecting to the IPv6 version of the site whenever one is advertised.
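The check the reply above describes, as an added example that is not part of the original thread and not code from VestaCP or letsencrypt-vesta: resolve every A and AAAA address for a hostname, fetch the same challenge path over each one while presenting the hostname in the Host header, and flag any address that answers differently. It uses only the Python standard library; the port 80 default, the placeholder file name `test.txt` and the `acme-addr-check` User-Agent are assumptions, and `check_per_address` takes the fetch function as a parameter so the comparison logic can be exercised offline.

```python
"""Diagnose the IPv4/IPv6 split: fetch the same http-01 challenge path over
every A and AAAA address of a hostname and report addresses that disagree.

Added example; standard library only. Assumes port 80 and that the web server
picks the virtual host from the Host header.
"""
import http.client
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder path; a real probe uses a file you created under the vhost.
CHALLENGE_PATH = "/.well-known/acme-challenge/test.txt"

FetchFn = Callable[[str, str, str], Tuple[int, bytes]]
Result = Tuple[Optional[int], bytes]


def resolve_all(hostname: str) -> List[str]:
    """Every distinct A/AAAA address published for hostname, IPv6 first
    (the CA prefers the AAAA address whenever one is advertised)."""
    addrs: List[str] = []
    for _family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
        hostname, 80, proto=socket.IPPROTO_TCP
    ):
        addr = sockaddr[0]
        if addr not in addrs:
            addrs.append(addr)
    # IPv6 literals contain ':'; key False sorts before True, so they go first.
    return sorted(addrs, key=lambda a: ":" not in a)


def fetch_over_address(hostname: str, address: str, path: str) -> Tuple[int, bytes]:
    """GET path from the server at one specific address, sending hostname as
    Host so name-based virtual hosting selects the right site."""
    conn = http.client.HTTPConnection(address, 80, timeout=10)
    try:
        conn.request("GET", path,
                     headers={"Host": hostname, "User-Agent": "acme-addr-check/1"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def check_per_address(hostname: str, addresses: List[str], path: str,
                      fetch: FetchFn = fetch_over_address
                      ) -> Tuple[Dict[str, Result], List[str]]:
    """Fetch path over each address; return ({address: (status, body)}, problems).

    problems is empty only when every address returns 200 with an identical
    body, which is what the validator needs whichever address it connects to."""
    results: Dict[str, Result] = {}
    problems: List[str] = []
    for addr in addresses:
        try:
            results[addr] = fetch(hostname, addr, path)
        except OSError as exc:
            results[addr] = (None, b"")
            problems.append(f"{addr}: connection failed ({exc})")
    for addr, (status, _body) in results.items():
        if status is not None and status != 200:
            problems.append(f"{addr}: HTTP {status} for {path}")
    # Two addresses both answering 200 but with different bodies means two
    # different vhosts (or document roots) are behind the same name.
    distinct = {body for status, body in results.values() if status == 200}
    if len(distinct) > 1:
        problems.append("addresses serve different content for the same path")
    return results, problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    _, found = check_per_address(host, resolve_all(host), CHALLENGE_PATH)
    print("\n".join(found) or f"{host}: all addresses agree")
```

Run it as `python3 check_addrs.py yourdomain.example` after placing the test file; a 404 or a different body on the IPv6 address is the symptom described above, and the fix is either to make the IPv6 listener serve the same vhost or to drop the AAAA record until it does.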

Ok, thank you for the explanation. After deleting the IPv6 addresses, SSL certificates were fetched. But I could not understand how the other two domains succeed in getting the certificates, when they also had the same configuration?

The Let's Encrypt CA will fall back from IPv6 to IPv4 under some circumstances but not others, so if you had three sites that are all not working in IPv6 but they're not working in very slightly different ways, you might have triggered the IPv4 fallback on the other sites but not this one. That's my best guess.
