Letsencrypt tries to validate a wrong domain name when dash is in domain name

My domain is:

maharishi-ajurveda.com

I ran this command:

/usr/bin/certbot-auto certonly -d maharishi-ajurveda.com -d www.maharishi-ajurveda.com

It produced this output:

IMPORTANT NOTES:

My web server is (include version):

Nginx 16

The operating system my web server runs on is (include version):

Centos7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.6.0

Hi @vrgfa

Letsencrypt tries to validate a wrong domain name

You have a redirect to that domain name, so Letsencrypt follows that redirect. Remove that.

2 Likes

Hi @JuergenAuer, thanks for your answer.
Can you help me figure out what kind of redirect it can be?
The web server is not running on the IP of the domain http://maharishi-ajurveda.com/ and I can’t see CNAME redirects either.
Thanks,
Ferenc

1 Like

The redirect is reproducible with a simple request:

$ curl -X GET -I maharishi-ajurveda.com
HTTP/1.1 302 Found
Date: Thu, 16 Jul 2020 11:51:32 GMT
Server: Apache
Location: http://maharishiajurveda.com/

Note that the redirect Location is missing the dash.

1 Like

Hi @JuergenAuer,
Thanks for your answer again.
I am still confused about what is happening; I tried to provide as elaborate logging as possible.
I would appreciate it if you would look at the issue again.
Thanks in advance.

When I run
curl -X GET -I maharishi-ajurveda.com -v

I get this response

* Rebuilt URL to: maharishi-ajurveda.com/
*   Trying 193.91.67.242...
* TCP_NODELAY set
*   Trying 2a00:c760:83:def:aced:fff0:0:7cd...
* TCP_NODELAY set
* Immediate connect fail for 2a00:c760:83:def:aced:fff0:0:7cd: Network is unreachable
* connect to 193.91.67.242 port 80 failed: Connection refused
*   Trying 2a00:c760:83:def:aced:fff0:0:7cd...
* TCP_NODELAY set
* Immediate connect fail for 2a00:c760:83:def:aced:fff0:0:7cd: Network is unreachable
*   Trying 2a00:c760:83:def:aced:fff0:0:7cd...
* TCP_NODELAY set
* Immediate connect fail for 2a00:c760:83:def:aced:fff0:0:7cd: Network is unreachable
* Failed to connect to maharishi-ajurveda.com port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to maharishi-ajurveda.com port 80: Connection refused

Which means maharishi-ajurveda.com resolves to 193.91.67.242 and no web server is running there.

dig maharishi-ajurveda.com

; <<>> DiG 9.11.4-3ubuntu5.4-Ubuntu <<>> maharishi-ajurveda.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34091
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;maharishi-ajurveda.com. IN A

;; ANSWER SECTION:
maharishi-ajurveda.com. 5 IN A 193.91.67.242

;; Query time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Jul 23 01:46:29 EDT 2020
;; MSG SIZE rcvd: 67

At the same time on the server:

/usr/bin/certbot-auto certonly -d maharishi-ajurveda.com -vvv

Root logging level set at -10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator None and installer None
Failed to find executable apachectl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/root/bin
No installation (PluginEntryPoint#apache): Cannot find Apache executable apachectl
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 136, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py", line 318, in prepare
    self._verify_exe_availability(self.option("ctl"))
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py", line 436, in _verify_exe_availability
    'Cannot find Apache executable {0}'.format(exe))
NoInstallationError: Cannot find Apache executable apachectl
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 136, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 186, in prepare
    self.config_test()
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_nginx/_internal/configurator.py", line 926, in config_test
    raise errors.MisconfigurationError(str(err))
MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Multiple candidate plugins: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f4bce54f0d0>
Prep: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/maharishiajurveda.com-0001/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

  • standalone
    Description: Spin up a temporary webserver
    Interfaces: IAuthenticator, IPlugin
    Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
    Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f4bce5497d0>
    Prep: True

  • webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
    Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f4bce549d10>
    Prep: True

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx) [Misconfigured]
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 2
Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f4bce5497d0> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-v02.api.letsencrypt.org/acme/acct/92072270’, new_authzr_uri=None, terms_of_service=None), ae120835076389f0ca4abea169f7787e, Meta(creation_host=u’maharishiajurveda.com’, register_to_eff=u’varga.ferenc.andras@gmail.com’, creation_dt=datetime.datetime(2020, 7, 23, 5, 9, 44, tzinfo=)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Jul 2020 06:02:03 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "k1XFL3xjKdw": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Jul 2020 06:02:03 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001Y-8P5js27sTF6i7sMHP3tIaehvTE5zxdJ_6k97SgEUY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0001Y-8P5js27sTF6i7sMHP3tIaehvTE5zxdJ_6k97SgEUY
JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "maharishi-ajurveda.com"
    }
  ]
}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICIwMDAxWS04UDVqczI3c1RGNmk3c01IUDN0SWFlaHZURTV6eGRKXzZrOTdTZ0VVWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzkyMDcyMjcwIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJtYWhhcmlzaGktYWp1cnZlZGEuY29tIgogICAgfQogIF0KfQ",
  "signature": "eOTBEL9UEYAS78GUX2abx83guTzcGnbrFS1r4dFp6lEYM3lUwGxm3beo9pcYgH8J5-Bbmzj2w9feJe1nlklA5bG-lq7e9NJSkMxOk9OD76B-VsGQUqjs0s-Z3yotW0qQBhv9Gp5495pWTB9pjRNHrOxVGyf7d80BIlGoUr_cITi4nIWQwEKw0cx0QIRMWQhw03BoR0I0xCSOSL_lBZcNvIQAIqG8SRmx9pqbH4aBS68v_of2fFcU8g0L9cMrlTtWDqJysbT13-nLwFtFv-PbpOHI4hp6YD8lGlbIkQ_72D7x3Shcka0JR2FBL6ZUtw4GQ44K_eKKMXCbTkMl61f70w"
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 351
Received response:
HTTP 201
Server: nginx
Date: Thu, 23 Jul 2020 06:02:04 GMT
Content-Type: application/json
Content-Length: 351
Connection: keep-alive
Boulder-Requester: 92072270
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-v02.api.letsencrypt.org/acme/order/92072270/4334394818
Replay-Nonce: 0001fpItTun5pAzA0O7X5XM50RP4kPTnPqZE5AWLFTTI4yc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-07-30T06:02:04.17248525Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "maharishi-ajurveda.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6055574344"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/92072270/4334394818"
}
Storing nonce: 0001fpItTun5pAzA0O7X5XM50RP4kPTnPqZE5AWLFTTI4yc
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6055574344:
{
  "protected": "eyJub25jZSI6ICIwMDAxZnBJdFR1bjVwQXpBME83WDVYTTUwUlA0a1BUblBxWkU1QVdMRlRUSTR5YyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjA1NTU3NDM0NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MjA3MjI3MCIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "rfWXHROKMtpR4WPVHp09PbwQh_r7qYkBeqequuWMdTfQRtJJvtDpyjkOwfEpPKXvy0n4ho1zKvg7fFeq4cMcV8rhXhKo3BrPDRPPiT4BnbGIJlCn0ec7uXqI1oz_9RU1cuYXtUTvi0Ukr9mxB1LEKASN3_sgT7ka7Af1gCyQFUEE3_fBqzG1p-_gJN6pSmTUoSk479mZJ9-SJqVTzBdnp0_8pS62orNvZAMOrLY58pw20gqMY9e4ZkhKbAngA2Kp2NQVbcW-hqC_FcrYu2KC4E9P0uObA5kO-vZKQiF2tUYvD0Pwkfx0HrE-sr1kKSS2KxnoO7rqTw0iDmQg7rUzww"
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/6055574344 HTTP/1.1” 200 800
Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Jul 2020 06:02:04 GMT
Content-Type: application/json
Content-Length: 800
Connection: keep-alive
Boulder-Requester: 92072270
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002GDh2ziNmRL23HobydxAq3pAkwEfGNFAyxpgi9ADaPb8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "maharishi-ajurveda.com"
  },
  "status": "pending",
  "expires": "2020-07-30T06:02:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/L5L0Nw",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/xor4tw",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/tTGQLA",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
    }
  ]
}
Storing nonce: 0002GDh2ziNmRL23HobydxAq3pAkwEfGNFAyxpgi9ADaPb8
Performing the following challenges:
http-01 challenge for maharishi-ajurveda.com
Successfully bound to :80 using IPv6
Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification...
JWS payload:
{}
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/L5L0Nw:
{
  "protected": "eyJub25jZSI6ICIwMDAyR0RoMnppTm1STDIzSG9ieWR4QXEzcEFrd0VmR05GQXl4cGdpOUFEYVBiOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvNjA1NTU3NDM0NC9MNUwwTnciLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTIwNzIyNzAiLCAiYWxnIjogIlJTMjU2In0",
  "payload": "e30",
  "signature": "HTwxwI-SMTqXDBnp5XNi3k2fG3C4ONN1poQWtgsUaxDE89R27TSENhjUHIrIHzsWZd3qJCy3JyNVWo2XrjFIRJtob0cSkqPdpD91yW6yUcpvBCsQzNVywuqjSVSyYl7xEPsYGMvaQzPlxYpCvO-Y5tYrjNRfxoFogd1hNyvnTZ_JdgWEcq67sQOnjeRECBkdkCLWHK4daQK3RinHG14d6APpehyfctP5F3cnVNDacK-3Y-XCaCmAt0C48hnIDBeVEuxjA1BJDt9Z6RAnUR-aibvWO6vLxplTPUIEcPuRtkBwvv-KEwaX4ZRHKn7W2A4LxhXNP2QcJC1GJLzFKd25gA"
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/chall-v3/6055574344/L5L0Nw HTTP/1.1” 200 185
Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Jul 2020 06:02:04 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 92072270
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz-v3/6055574344;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/L5L0Nw
Replay-Nonce: 0001pTXkXpYgZW5bM8mBKj8lzeEPQpd9wb0VT_9x8zaDv0Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/L5L0Nw",
  "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
}
Storing nonce: 0001pTXkXpYgZW5bM8mBKj8lzeEPQpd9wb0VT_9x8zaDv0Y
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6055574344:
{
  "protected": "eyJub25jZSI6ICIwMDAxcFRYa1hwWWdaVzViTThtQktqOGx6ZUVQUXBkOXdiMFZUXzl4OHphRHYwWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjA1NTU3NDM0NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MjA3MjI3MCIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "rOcYwvGzYsAJBuhUZB2qkB1WoRXiDj0h8DWNVr-LSyJmw3U18KkHpMQf5OONmhzEe1u4_nyFsUEetnfwynpGQPSdCljzXFLwLra5RnW-x2Kpjw1aJpk_K2MXRaPIj7Ah1a_kZI7A6Y_s1ChWt62fDwfbNHbxOhuCY5CLgxTJ5gdJaGzeUD0z6QzBK_l0NF4xRzW1q5jlDzAfvAwD6pPFsDoxnXjUSGTlcYhKn36BUaOmVEYA2f_GO_Y3uO6OFOyTxi1l4gqBWulHFmhHWN6izSxf05M-MGFMaATtfFyAIfeGtuN_hYmEUPGN3iqlyioTTYKO786K_B7p5Cm7IDFx2Q"
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/6055574344 HTTP/1.1” 200 800
Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Jul 2020 06:02:05 GMT
Content-Type: application/json
Content-Length: 800
Connection: keep-alive
Boulder-Requester: 92072270
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002scTqIiJ8Jutdtbb5tF-lfeEbX8rK2xRZoPmbbG8uqlM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "maharishi-ajurveda.com"
  },
  "status": "pending",
  "expires": "2020-07-30T06:02:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/L5L0Nw",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/xor4tw",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/tTGQLA",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A"
    }
  ]
}
Storing nonce: 0002scTqIiJ8Jutdtbb5tF-lfeEbX8rK2xRZoPmbbG8uqlM
JWS payload:

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6055574344:
{
  "protected": "eyJub25jZSI6ICIwMDAyc2NUcUlpSjhKdXRkdGJiNXRGLWxmZUViWDhySzJ4UlpvUG1iYkc4dXFsTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjA1NTU3NDM0NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MjA3MjI3MCIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "KOpUHbYrgDIecSBYyEF3akZrYEQuilgWyqCLdavI5gCTP8rTs1oWymCqaanlcM9Qt5omNdr_22BMVjVnXilJpJ-g2KqdtUCeFwgWepoxiy65UOE6BOst3AgJibnoS1rg_WMGwZ-PhSDMcF_d1KUxcHvqY7VOXrAdaJ6lj7-KJUNSMAnjixBVjpY5EnBEtDx7m59ByHXzDgSwJJPmz2Mve0EF_hr0zmoC7qdyM36I9RElsycLadvLat6qLcBT1l_ksLKOiaRfmnn2wd2IdJjOwgxApzj5YRDeofPieWZ-hyArRvgxLqQ40CZKZrxtwCtC-CJ1pFv9ChaBKzGkbn-saQ"
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/6055574344 HTTP/1.1” 200 1716
Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Jul 2020 06:02:09 GMT
Content-Type: application/json
Content-Length: 1716
Connection: keep-alive
Boulder-Requester: 92072270
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002ueSziJsOCbomEWkFpUb98POEEUG8fhgii18X_ap6nnw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "maharishi-ajurveda.com"
  },
  "status": "invalid",
  "expires": "2020-07-30T06:02:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://maharishiajurveda.com/ [52.209.3.224]: \"\u003c!DOCTYPE html\u003e\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\"no-js lt-ie10 lt-ie9 lt-ie8 lt-ie7\" lang=\"hu\" dir=\"ltr\"\u003e \u003c![endif]--\u003e\n\u003c!--[i\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6055574344/L5L0Nw",
      "token": "JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A",
      "validationRecord": [
        {
          "url": "http://maharishi-ajurveda.com/.well-known/acme-challenge/JzR0duw0dS-5lDr7KfzHBL_s74x76lp9e8k_r4U5f7A",
          "hostname": "maharishi-ajurveda.com",
          "port": "80",
          "addressesResolved": [
            "193.91.67.242",
            "2a00:c760:83:def:aced:fff0:0:7cd"
          ],
          "addressUsed": "2a00:c760:83:def:aced:fff0:0:7cd"
        },
        {
          "url": "http://maharishiajurveda.com/",
          "hostname": "maharishiajurveda.com",
          "port": "80",
          "addressesResolved": [
            "52.209.3.224"
          ],
          "addressUsed": "52.209.3.224"
        },
        {
          "url": "https://maharishiajurveda.com/",
          "hostname": "maharishiajurveda.com",
          "port": "443",
          "addressesResolved": [
            "52.209.3.224"
          ],
          "addressUsed": "52.209.3.224"
        }
      ]
    }
  ]
}
Storing nonce: 0002ueSziJsOCbomEWkFpUb98POEEUG8fhgii18X_ap6nnw
Challenge failed for domain maharishi-ajurveda.com
http-01 challenge for maharishi-ajurveda.com
Reporting to user: The following errors were reported by the server:

Domain: maharishi-ajurveda.com
Type: unauthorized
Detail: Invalid response from https://maharishiajurveda.com/ [52.209.3.224]: “\n\n<!–[i”

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Stopping server at :::80…
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py", line 1353, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py", line 1237, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py", line 418, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py", line 351, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py", line 398, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: maharishi-ajurveda.com
    Type: unauthorized
    Detail: Invalid response from https://maharishiajurveda.com/
    [52.209.3.224]: “\n\n<!–[i”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

That's wrong. You have IPv4 and IPv6; your IPv4 doesn't answer, your IPv6 answers.

But your local IPv6 doesn't work, so you don't see that.

> D:\temp>curl -4 http://maharishi-ajurveda.com/
> curl: (7) Failed to connect to maharishi-ajurveda.com port 80: Connection refused
> 
> D:\temp>curl -6 http://maharishi-ajurveda.com/
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>302 Found</title>
> </head><body>
> <h1>Found</h1>
> <p>The document has moved <a href="http://maharishiajurveda.com/">here</a>.</p>
> </body></html>
2 Likes
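The two points made in this thread (the validator follows the redirect it is given, and it connects over IPv6 when an AAAA record exists, so a host without working IPv6 never sees what the CA sees) can be reproduced offline. The following is an added example and not code from the thread, from Certbot or from Boulder: a small walker that does what an http-01 validator does with the challenge URL, resolving A and AAAA, preferring IPv6 and falling back to IPv4 on connection failure (assumed to match Boulder's behaviour), following redirects, and reporting whether the chain left the hostname being validated. All DNS data and HTTP responses are constructed from the logs posted above; the 301 for the http-to-https hop on maharishiajurveda.com and the 200 from certbot's standalone server after the AAAA record was removed are assumptions, since the thread only shows that those hops happened.

```python
"""Offline model of an ACME http-01 validation walk (added example).

Resolves A and AAAA, tries IPv6 first and falls back to IPv4 on connection
failure (assumed to match Boulder), follows redirects, and records each hop
in the same shape as the validationRecord in the thread.  All DNS data and
HTTP responses are CONSTRUCTED from the thread's logs, not fetched live.
"""
import ipaddress
from urllib.parse import urlsplit

MAX_REDIRECTS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed DNS: before the fix the dashed name had A and AAAA records,
# the undashed name (the old server's redirect target) had only an A record.
DNS_BEFORE_FIX = {
    "maharishi-ajurveda.com": ["193.91.67.242", "2a00:c760:83:def:aced:fff0:0:7cd"],
    "maharishiajurveda.com": ["52.209.3.224"],
}
DNS_AFTER_FIX = {  # constructed: AAAA record deleted
    "maharishi-ajurveda.com": ["193.91.67.242"],
    "maharishiajurveda.com": ["52.209.3.224"],
}

# Constructed HTTP behaviour: (address, scheme, host) -> (status, headers);
# None means "connection refused".  The 301 and the post-fix 200 are assumed.
HTTP_BEFORE_FIX = {
    ("193.91.67.242", "http", "maharishi-ajurveda.com"): None,
    ("2a00:c760:83:def:aced:fff0:0:7cd", "http", "maharishi-ajurveda.com"):
        (302, {"Location": "http://maharishiajurveda.com/"}),
    ("52.209.3.224", "http", "maharishiajurveda.com"):
        (301, {"Location": "https://maharishiajurveda.com/"}),
    ("52.209.3.224", "https", "maharishiajurveda.com"): (403, {}),
}
HTTP_AFTER_FIX = dict(HTTP_BEFORE_FIX)
HTTP_AFTER_FIX[("193.91.67.242", "http", "maharishi-ajurveda.com")] = (200, {})


def make_resolver(table):
    """Resolver over a constructed table; use socket.getaddrinfo for live runs."""
    return lambda host: list(table.get(host, []))


def make_fetch(table):
    """Fetcher over a constructed table.  A live replacement must connect to
    the given address while sending Host (and SNI) for the given hostname."""
    return lambda addr, scheme, host, path: table.get((addr, scheme, host))


def order_addresses(addrs):
    """IPv6 before IPv4: the order the thread's validationRecord shows."""
    return sorted(addrs, key=lambda a: ipaddress.ip_address(a).version, reverse=True)


def walk_challenge(domain, token, resolve, fetch):
    """Follow the challenge URL as a validator would; return outcome and hops."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    records = []
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        addrs = resolve(host)
        if not addrs:
            return {"status": "no-dns", "final_url": url, "records": records}
        result = used = None
        for addr in order_addresses(addrs):
            used, result = addr, fetch(addr, parts.scheme, host, path)
            if result is not None:  # connected: no fallback to the next address
                break
        records.append({"url": url, "hostname": host,
                        "addressesResolved": addrs, "addressUsed": used})
        if result is None:
            return {"status": "connect-failed", "final_url": url, "records": records}
        code, headers = result
        if code in REDIRECT_CODES and headers.get("Location"):
            url = headers["Location"]  # keep walking, exactly as the CA did
            continue
        return {"status": "http", "code": code, "final_url": url,
                "records": records, "left_domain": host != domain}
    return {"status": "too-many-redirects", "final_url": url, "records": records}


def diagnose(domain, token, resolve, fetch):
    """Reduce the walk to what this thread needed: which address family the
    validator really used, and where a redirect took it."""
    outcome = walk_challenge(domain, token, resolve, fetch)
    findings = []
    first = outcome["records"][0] if outcome["records"] else None
    if first and len(first["addressesResolved"]) > 1:
        fam = "IPv6" if ipaddress.ip_address(first["addressUsed"]).version == 6 else "IPv4"
        findings.append(f"validator used {fam} {first['addressUsed']}; "
                        "check with curl -4 and curl -6 separately")
    for hop in outcome["records"][1:]:
        if hop["hostname"] != domain:
            findings.append(f"redirected off {domain} to {hop['url']}")
            break
    if outcome["status"] == "http" and outcome["code"] != 200:
        findings.append(f"final answer {outcome['code']} from {outcome['final_url']}")
    return outcome, findings
```

Run against the "before" tables the walk reproduces the three validationRecord entries from the log and ends at the 403 from https://maharishiajurveda.com/, with the first hop taken over the IPv6 address; run against the "after" tables it stays on maharishi-ajurveda.com and ends at the assumed 200. For a live check, replace the two table-backed closures with a resolver that returns every A and AAAA record and a fetcher that connects to one chosen address with the requested Host header, because a plain `curl` on a machine without IPv6 silently tests only half of what the CA tests.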

Thanks, @JuergenAuer,
the solution was that the domain had an AAAA record for IPv6 and it pointed to an old server that still had the redirection in place.
Deleting the AAAA record solved the issue; we have the Letsencrypt certificate.
Thank you!

2 Likes
