radim
January 27, 2019, 8:20pm
1
Hello,
I have very similar trouble, therefore I am adding my comment to this thread instead of creating a new one.
I have 2 domains; for one, certbot-auto did the job OK. But for another, nothing (404). I have spent several hours on this… I simplified the Apache config for this vhost almost to nothing, I have moved the webroot to an empty directory (no .htaccess). I have disabled all remaining vhosts. Yet it still does not work.
Strangely, verification does not trigger any entry in the access log…
I tried the command with your suggested --debug-challenges argument…
certbot-auto certonly --dry-run --debug -v -d "radimroska.cz" --debug-challenges
I can access the URL from my browser, using correct DNS… the A entry is OK, pointing to the right IP address:
8.102.88.136 - - [27/Jan/2019:21:09:59 +0100] "GET /.well-known/acme-challenge/9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20 HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
In the log there is no entry from letsencrypt servers…but still, certbot gets 404
FailedChallenges: Failed authorization procedure. radimroska.cz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://radimroska.cz/.well-known/acme-challenge/9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20: "\n\n404 Not Found\n\nNot Found \n<p"
Any idea? It's driving me crazy.
As you can see, the Apache config for this vhost is extremely simple.
<VirtualHost *:80>
    ServerName radimroska.cz
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Thanks
Radim
_az
January 27, 2019, 8:28pm
2
Your domain’s IPv6 address points to a different server
Hi @radim
I've split the thread; it's better to have its own thread.
Your domain has ipv4 and ipv6 addresses (via https://check-your-website.server-daten.de/?q=radimroska.cz ):
| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| radimroska.cz | A | 178.17.12.110 | yes | 1 | 0 |
| | AAAA | 2a02:2b88:1:4::16 | yes | | |
| www.radimroska.cz | A | 178.17.12.110 | yes | 1 | 0 |
| | AAAA | 2a02:2b88:1:4::16 | yes | | |
But there are different answers and different server headers:
Domainname | Http-Status | redirect | Sec. | G

• http://radimroska.cz/ 178.17.12.110 | 200 | | 0.090 | H
  Date: Sun, 27 Jan 2019 20:20:16 GMT
  Server: Apache/2.4.10 (Debian)
  Last-Modified: Mon, 25 Dec 2017 13:00:22 GMT
  ETag: "29cd-56129bfcac660"
  Accept-Ranges: bytes
  Content-Length: 10701
  Vary: Accept-Encoding
  Connection: close
  Content-Type: text/html

• http://radimroska.cz/ 2a02:2b88:1:4::16 | 200 | | 0.050 | H
  Date: Sun, 27 Jan 2019 20:22:08 GMT
  Server: Apache
  Last-Modified: Mon, 28 Nov 2016 10:20:48 GMT
  ETag: "89f-54259d34cc2bc"
  Accept-Ranges: bytes
  Content-Length: 2207
  Vary: Accept-Encoding
  Cache-Control: max-age=0
  Expires: Sun, 27 Jan 2019 20:22:08 GMT
  Connection: close
  Content-Type: text/html

• http://www.radimroska.cz/ 178.17.12.110 | 200 | | 0.086 | H
  Date: Sun, 27 Jan 2019 20:20:16 GMT
  Server: Apache/2.4.10 (Debian)
  Last-Modified: Mon, 25 Dec 2017 13:00:22 GMT
  ETag: "29cd-56129bfcac660"
  Accept-Ranges: bytes
  Content-Length: 10701
  Vary: Accept-Encoding
  Connection: close
  Content-Type: text/html

• http://www.radimroska.cz/ 2a02:2b88:1:4::16 | 200 | | 0.047 | H
  Date: Sun, 27 Jan 2019 20:22:08 GMT
  Server: Apache
  Last-Modified: Mon, 28 Nov 2016 10:20:48 GMT
  ETag: "89f-54259d34cc2bc"
  Accept-Ranges: bytes
  Content-Length: 2207
  Vary: Accept-Encoding
  Cache-Control: max-age=0
  Expires: Sun, 27 Jan 2019 20:22:08 GMT
  Connection: close
  Content-Type: text/html
One (ipv4) is an Apache/2.4.10 (Debian), the ipv6 says only "Apache".
Letsencrypt prefers ipv6, so you may have a second webserver.
Perhaps remove the ipv6, create a new certificate, then fix your ipv6 configuration.
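The per-address comparison described in the post above, as an added example that is not part of the original thread: it requests the challenge path from every A and AAAA address separately and reports where the answers diverge. The token file name and the 200/404 statuses in `SAMPLE` are constructed for illustration; the addresses and Server headers are the ones reported in the thread.

```python
import http.client
import socket

def resolve(host):
    """Return the host's A and AAAA addresses from the system resolver."""
    out = {}
    for rtype, family in (("A", socket.AF_INET), ("AAAA", socket.AF_INET6)):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
            out[rtype] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[rtype] = []
    return out

def probe(host, ip, path, timeout=5):
    """GET path from one specific address while sending the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return {"ip": ip, "status": resp.status, "server": resp.getheader("Server", "")}
    except (OSError, http.client.HTTPException):  # no IPv6 route, refused, timeout
        return {"ip": ip, "status": None, "server": ""}
    finally:
        conn.close()

def diagnose(results):
    """List reasons an http-01 check can fail although a browser test passes."""
    problems = []
    for r in results:
        if r["status"] != 200:
            family = "AAAA" if ":" in r["ip"] else "A"
            problems.append(f"{family} {r['ip']} returned {r['status']}")
    servers = {r["server"] for r in results if r["status"] is not None}
    if len(servers) > 1:
        problems.append("Server headers differ: addresses reach different web servers")
    return problems

# Constructed sample: addresses and Server headers as reported in the thread,
# with 200 for the browser request over IPv4 and 404 for the validation request.
SAMPLE = [
    {"ip": "178.17.12.110", "status": 200, "server": "Apache/2.4.10 (Debian)"},
    {"ip": "2a02:2b88:1:4::16", "status": 404, "server": "Apache"},
]

def check(host, token="test-file"):  # token: placeholder file placed in the webroot
    addrs = resolve(host)
    path = "/.well-known/acme-challenge/" + token
    return diagnose([probe(host, ip, path) for ip in addrs["A"] + addrs["AAAA"]])

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A status of `None` for an AAAA address means the machine running the check has no working IPv6 path to it, so the comparison has to be run from a host that does.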
radim
January 28, 2019, 9:54pm
5
Hi guys,
thanks :). You are right. I actually did not notice that IPv6 exists for my domain. I did not set it but it was there by default. My provider does not provide IPv6 connectivity :).
I did not realize certbot is trying IPv6 address primarily - good to know ;). Did not notice in debug output either.
Thanks a lot!
Radim
I see, you have rechecked your domain ( https://check-your-website.server-daten.de/?q=radimroska.cz ), now the ipv6 is gone.
But there is a small thing: Checking your domain with my browser, your non www version has a new certificate. But your www version has the same certificate, but this certificate has only the non-www domain name.
So create one certificate with both domain names:
certbot-auto certonly --debug -v -d "radimroska.cz" -d "www.radimroska.cz"
and use this.
Then www and non www are secure.
radim
January 28, 2019, 10:39pm
7
Dear Juergen,
thank you for the advice. I updated the cert to also include the www. domain ;).
Radim
Yep, now you have one certificate with two domain names:
CN=radimroska.cz | 28.01.2019 | 28.04.2019 | radimroska.cz, www.radimroska.cz - 2 entries
So both domain versions are secure.