Problem creating new certificate

radim · 2019-01-27 20:20:11 UTC

Hello,

I have very similar trouble - therefore I add my comment to this thread instead of creating new one.

I have 2 domains, for one certbot-auto did a job ok. But for another nothing (404). I have spent several hours on this…I simplified apache config for this vhost almost to nothing, I have moved the webroot to empty directory (no .htaccess). I have disabled all remaining vhosts. yet it still does not work.

Strangely verification does not trigger any entry in access log…

I tried the command with your suggested --debug-challanges arguemnt…

certbot-auto certonly --dry-run --debug -v -d “radimroska.cz” --debug-challenges

I can access URL from my browser - using correct DNS…-A entry is ok, pointing to right IP address:

8.102.88.136 - - [27/Jan/2019:21:09:59 +0100] “GET /.well-known/acme-challenge/9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20 HTTP/1.1” 200 345 “-” “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36”

In the log there is no entry from letsencrypt servers…but still, certbot gets 404

FailedChallenges: Failed authorization procedure. radimroska.cz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://radimroska.cz/.well-known/acme-challenge/9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20: “\n\n404 Not Found\n\n

Not Found

\n<p”

Any idea? its driving me crazy

As you can see apache config for this vhost is extremely simple.

VirtualHost *:80>
ServerName radimroska.cz
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Thanks
Radim

_az · 2019-01-27 20:28:51 UTC

Your domain’s IPv6 address points to a different server

JuergenAuer · 2019-01-27 20:30:03 UTC

Hi @radim

I’ve splitted the thread, it’s better to have an own thread.

Your domain has ipv4 and ipv6 addresses (via https://check-your-website.server-daten.de/?q=radimroska.cz ):

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
radimroska.cz	A	178.17.12.110	yes	1	0
	AAAA	2a02:2b88:1:4::16	yes
www.radimroska.cz	A	178.17.12.110	yes	1	0
	AAAA	2a02:2b88:1:4::16	yes

But there are different answers and different server headers:

Domainname	Http-Status	Sec.	G
• http://radimroska.cz/
178.17.12.110	200	0.090	H
Date: Sun, 27 Jan 2019 20:20:16 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Mon, 25 Dec 2017 13:00:22 GMT
ETag: “29cd-56129bfcac660”
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

• http://radimroska.cz/
2a02:2b88:1:4::16	200	0.050	H
Date: Sun, 27 Jan 2019 20:22:08 GMT
Server: Apache
Last-Modified: Mon, 28 Nov 2016 10:20:48 GMT
ETag: “89f-54259d34cc2bc”
Accept-Ranges: bytes
Content-Length: 2207
Vary: Accept-Encoding
Cache-Control: max-age=0
Expires: Sun, 27 Jan 2019 20:22:08 GMT
Connection: close
Content-Type: text/html

• http://www.radimroska.cz/
178.17.12.110	200	0.086	H
Date: Sun, 27 Jan 2019 20:20:16 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Mon, 25 Dec 2017 13:00:22 GMT
ETag: “29cd-56129bfcac660”
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

• http://www.radimroska.cz/
2a02:2b88:1:4::16	200	0.047	H
Date: Sun, 27 Jan 2019 20:22:08 GMT
Server: Apache
Last-Modified: Mon, 28 Nov 2016 10:20:48 GMT
ETag: “89f-54259d34cc2bc”
Accept-Ranges: bytes
Content-Length: 2207
Vary: Accept-Encoding
Cache-Control: max-age=0
Expires: Sun, 27 Jan 2019 20:22:08 GMT
Connection: close
Content-Type: text/html

One (ivp4) is an Apache/2.4.10 (Debian), the ipv6 says only “Apache”.

Letsencrypt prefers ipv6, so you may have a second webserver.

Perhaps remove the ipv6, create a new certificate, then fix your ipv6 configuration.

radim · 2019-01-28 21:54:26 UTC

Hi guys,

thanks :). You are right. I actually did not notice that IPv6 exists for my domain. I did not set it but it was there by default. My provider does not provide IPv6 connectivity :).

I did not realize certbot is trying IPv6 address primarily - good to know ;). Did not notice in debug output either.

Thanks a lot!
Radim

JuergenAuer · 2019-01-28 22:09:27 UTC

I see, you have rechecked your domain ( https://check-your-website.server-daten.de/?q=radimroska.cz ), now the ipv6 is gone.

But there is a small thing: Checking your domain with my browser, your non www version has a new certificate. But your www version has the same certificate, but this certificate has only the non-www domain name.

So create one certificate with both domain names:

certbot-auto certonly --debug -v -d “radimroska.cz” -d “www.radimroska.cz”

and use this.

Then www and non www are secure.

radim · 2019-01-28 22:39:40 UTC

Dear Juergen,

thank you for advise. I updated cert to include also www. domain ;).

Radim

JuergenAuer · 2019-01-28 22:47:33 UTC

Yep, now you have one certificate with two domain names:

CN=radimroska.cz
	28.01.2019
	28.04.2019
	radimroska.cz, www.radimroska.cz - 2 entries

So both domain versions are secure.