Let's Encrypt not accessing the acme-challenge, new authorizations now blocked


#1

When I try to register a new domain, the authorization fails. It reads that http://example.com/.well-known/acme-challenge/BClezoSSbYjrVETQCcJiERsoouKkweqpOx7Cx7xM27U gives a 404.
The problem is that I checked access.log and error.log, but there is no line mentioning that URL. When I manually load the URL in a browser it does get its record in access.log and error.log, but when I do tail -F on the files I get nothing.
I checked both DNS records (www and non-www) and those are correct and pointing at the same IP I can resolve locally. DNS records weren’t changed recently (months ago).


#2

Hi @lmojzis,

Without knowing the real name it is hard to know what is going on… did you check whether your new domain has AAAA records? If that is the case, LE will try to validate your domain using those IPv6 addresses but maybe your server or firewall is not configured properly for IPv6.

Cheers,
sahsanu


#3

That was it. Server had no IPv6 but the record was set. Wonder why it didn’t try IPv4 though.


#4

Let’s Encrypt considers the AAAA record to be a “real” address that it can use, so if the challenge fails there, it’s considered to fail. For general security reasons, the CA doesn’t want to retry with every known IP address for every challenge host because this will make life easier for attackers who can manipulate connections to some IP addresses but not others.


#5

Note that it will fall back if IPv6 isn’t actually working, but in your case IPv6 was working; it was just pointed to the wrong server.

A normal browser wouldn’t even be able to fall back to IPv4 in this case, so it’s important to fix.
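A preflight check, added here as an example and not code from the thread or from Let's Encrypt: it resolves both A and AAAA records for a host, fetches the challenge path from each address with the real Host header, and models the validation order the replies above describe (an IPv6 address that answers is treated as authoritative; IPv4 is tried only when IPv6 is unreachable). The hostname and token are caller-supplied, and the exact fallback rule is an assumption drawn from posts #4 and #5.

```python
import socket
import urllib.request
from urllib.error import HTTPError, URLError

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def resolve(host):
    """Return {'A': [...], 'AAAA': [...]} for host via the system resolver."""
    found = {"A": set(), "AAAA": set()}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM):
                found[rtype].add(info[4][0])
        except socket.gaierror:
            pass  # no records of this type
    return {k: sorted(v) for k, v in found.items()}

def probe(host, addr, token, timeout=5.0):
    """Fetch the challenge URL from one specific address while sending the real
    Host header. Returns 'ok', 'http:<status>' or 'unreachable'."""
    literal = f"[{addr}]" if ":" in addr else addr
    req = urllib.request.Request(f"http://{literal}{CHALLENGE_PREFIX}{token}",
                                 headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"http:{resp.status}"
    except HTTPError as e:        # a server answered, but not with the token (e.g. 404)
        return f"http:{e.code}"
    except (URLError, OSError):   # connect failure or timeout
        return "unreachable"

def expected_outcome(results):
    """Model (assumed from the thread) of the validation order: any IPv6 address
    that answers is authoritative; IPv4 is used only if every IPv6 address is
    unreachable. results = {'AAAA': [status, ...], 'A': [status, ...]}."""
    v6 = results.get("AAAA", [])
    if v6:
        if "ok" in v6:
            return "pass (IPv6)"
        if any(s != "unreachable" for s in v6):
            return "fail (IPv6 answered but challenge not found)"
    v4 = results.get("A", [])
    if "ok" in v4:
        return "pass (IPv4, after IPv6 fallback)" if v6 else "pass (IPv4)"
    return "fail (no address served the challenge)"

def preflight(host, token):
    """Resolve both record types, probe every address, and report the likely result."""
    addrs = resolve(host)
    results = {r: [probe(host, a, token) for a in lst] for r, lst in addrs.items()}
    return addrs, results, expected_outcome(results)
```

Run it as preflight("example.com", "<token>") after placing the token file, and look for an AAAA entry reported as http:404: that is the case in this thread, where the IPv6 address answered from the wrong server.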

