Letsencrypt unauthorized error

Hi, I’m trying to get a certificate for app.instapack.es. The real domain is instapack.es, which already has a certificate but is pointing to another host. My current nginx configuration for the subdomain is:

server {
    listen 80;
    server_name back.instapack.es www.back.instapack.es app.instapack.es www.app.instapack.es;
    root /home/instapack/instapack_backend_app/web;

    #rewrite ^/instapack/web/(.*)$ /$1 last; rewrite ^/web/(.*)$ /$1 last;
    location / {
        # try to serve file directly, fallback to app.php
        try_files $uri /app_prod.php$is_args$args;
    }
    # Return
    location ~* /instapack/web/(.*)$ {
        return 301 $scheme://$host/$1;
    }
    location ~* /web/(.*)$ {
        return 301 $scheme://$host/$1;
    }
    location ~* \.(jpg|jpeg|png|gif|ico)$ {
        expires 365d;
    }
    location ~* \.(css|js)$ {
        expires 1d;
    }
    # PROD
    location ~ ^/app_prod\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }

    location ~ \.php$ {
        return 404;
    }
    error_log /var/log/nginx/project_error.log;
    access_log /var/log/nginx/project_access.log;
}

Then, when I try to get the certificate with the following command: certbot --nginx
I get this error:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for app.instapack.es
http-01 challenge for www.app.instapack.es
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. app.instapack.es (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.instapack.es/.well-known/acme-challenge/nhut5Js9RezhcMRx_oxElaNvmAzInAgWsnPadluLBfM [2001:8d8:100f:f000::245]: 204, www.app.instapack.es (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.app.instapack.es/.well-known/acme-challenge/ENSmPEJQ_DTOXN-OODoDSghkDLVcaqUxnNyz9zBHsX0 [2001:8d8:100f:f000::245]: 204

IMPORTANT NOTES:

Hi @rborges89

Checking your domain, you have ipv4 and ipv6 addresses - https://check-your-website.server-daten.de/?q=app.instapack.es

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| app.instapack.es | A | 40.113.100.53 Amsterdam/North Holland/Netherlands (NL) - Microsoft Corporation No Hostname found | yes | 1 | 0 |
| | AAAA | 2001:8d8:100f:f000::245 Karlsruhe/Baden-Württemberg Region/Germany (DE) - DE-SCHLUND | yes | | |
| www.app.instapack.es | A | 40.113.100.53 Amsterdam/North Holland/Netherlands (NL) - Microsoft Corporation No Hostname found | yes | 1 | 0 |
| | AAAA | 2001:8d8:100f:f000::245 Karlsruhe/Baden-Württemberg Region/Germany (DE) - DE-SCHLUND | yes | | |

But ipv4 and ipv6 have different answers:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://app.instapack.es/ 40.113.100.53 | 302 | BACKEND Instapack - Login; Html is minified: 124,44 % | 0.050 | D |
| http://www.app.instapack.es/ 40.113.100.53 | 302 | BACKEND Instapack - Login; Html is minified: 124,44 % | 0.047 | D |
| http://app.instapack.es/ 2001:8d8:100f:f000::245 GZip used - 197 / 229 - 13,97 % | 200 | Html is minified: 112,25 % | 0.073 | H |
| http://www.app.instapack.es/ 2001:8d8:100f:f000::245 GZip used - 197 / 229 - 13,97 % | 200 | Html is minified: 112,25 % | 0.057 | H |
| BACKEND Instapack - Login GZip used - 585 / 1364 - 57,11 % | 404 | Html is minified: 395,36 % | 0.057 | M |
| Not Found | | | | |
| BACKEND Instapack - Login GZip used - 585 / 1364 - 57,11 % | 404 | Html is minified: 395,36 % | 0.057 | M |
| Not Found | | | | |
| https://app.instapack.es/ 40.113.100.53 | -2 | | 1.046 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 40.113.100.53:443 | | | | |
| https://app.instapack.es/ 2001:8d8:100f:f000::245 | -10 | | 0.047 | P |
| SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | | | | |
| https://www.app.instapack.es/ 40.113.100.53 | -2 | | 1.050 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 40.113.100.53:443 | | | | |
| https://www.app.instapack.es/ 2001:8d8:100f:f000::245 | -10 | | 0.054 | P |
| SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | | | | |
| http://app.instapack.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 40.113.100.53 GZip used - 296 / 471 - 37,15 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 404 | Html is minified: 126,27 % | 0.047 | A |
| Not Found | | | | |
| Visible Content: Oops! An Error Occurred The server returned a "404 Not Found". Something is broken. Please let us know what you were doing when this error occurred. We will fix it as soon as possible. Sorry for any inconvenience caused. | | | | |
| http://app.instapack.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2001:8d8:100f:f000::245 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 204 | | 0.060 | A |
| Visible Content: | | | | |
| http://www.app.instapack.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 40.113.100.53 GZip used - 296 / 471 - 37,15 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 404 | Html is minified: 126,27 % | 0.046 | A |
| Not Found | | | | |
| Visible Content: Oops! An Error Occurred The server returned a "404 Not Found". Something is broken. Please let us know what you were doing when this error occurred. We will fix it as soon as possible. Sorry for any inconvenience caused. | | | | |
| http://www.app.instapack.es/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2001:8d8:100f:f000::245 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 | 204 | | 0.060 | A |
| Visible Content: | | | | |

Checking /.well-known/acme-challenge/random-filename, ipv4 answers with the expected result 404 - Not Found. Ipv6 has an http status 204.

Result:

Fatal: Check of /.well-known/acme-challenge/random-filename has different answers checking ipv6 / ipv4. Ipv6 doesn't have the expected result http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 validation may not work. Checking the validation file in /.well-known/acme-challenge Letsencrypt prefers ipv6. Two options: Remove your ipv6 / AAAA DNS entry or (better) fix your ipv6, so your webserver handles ipv6 correct. Perhaps add "Listen [::]:80". Don't use <VirtualHost ip-address:80>, switch to <VirtualHost *:80>.


Thanks @JuergenAuer, crack! I have removed the IPv6 address from my DNS because currently my application hosted in Azure has only the IPv4 address configured. Thanks again.


Ah, thanks, then the ipv6 from your dns provider or your other hoster can't work.
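
The IPv4/IPv6 comparison used in the answer above can be reproduced before running certbot. The following Python script is an added example, not part of the original thread or of the check-your-website tool; its function names are hypothetical, and it assumes, as the answer does, that a non-existent challenge file should return 404 on every address the name resolves to.

```python
import http.client
import secrets
import socket

PROBE_PREFIX = "/.well-known/acme-challenge/"
FAMILIES = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}

def resolve(host):
    """Return [(family, ip), ...] for every A and AAAA address of host."""
    try:
        infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    found = {(FAMILIES[fam], addr[0]) for fam, _, _, _, addr in infos if fam in FAMILIES}
    return sorted(found)

def probe(host, ip, path, timeout=5):
    """GET path from one specific address, sending the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return f"error: {exc}"
    finally:
        conn.close()

def diagnose(results, expected=404):
    """results maps (family, ip) -> status for a challenge file that does not
    exist; any address not answering `expected` is not serving the same site."""
    mismatches = [(fam, ip, status)
                  for (fam, ip), status in sorted(results.items())
                  if status != expected]
    return {"ok": bool(results) and not mismatches, "mismatches": mismatches}

def check(host):
    """Resolve host, probe a random challenge path on every address, compare."""
    path = PROBE_PREFIX + secrets.token_urlsafe(16)
    return diagnose({(fam, ip): probe(host, ip, path) for fam, ip in resolve(host)})

if __name__ == "__main__":
    # Constructed sample using the addresses and statuses reported in the thread.
    sample = {("ipv4", "40.113.100.53"): 404,
              ("ipv6", "2001:8d8:100f:f000::245"): 204}
    print(diagnose(sample))
```

Call `check("your.domain")` from a machine with both IPv4 and IPv6 connectivity; without IPv6 routing the AAAA probe returns an error string and is listed as a mismatch.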
