Problem creating new certificate


#1

Hello,

I have very similar trouble, therefore I add my comment to this thread instead of creating a new one.

I have 2 domains; for one, certbot-auto did the job ok. But for the other, nothing (404). I have spent several hours on this. I simplified the Apache config for this vhost almost to nothing, I have moved the webroot to an empty directory (no .htaccess), I have disabled all remaining vhosts. Yet it still does not work.

Strangely, the verification does not trigger any entry in the access log.

I tried the command with your suggested --debug-challenges argument:

certbot-auto certonly --dry-run --debug -v -d "radimroska.cz" --debug-challenges

I can access the URL from my browser, using correct DNS. The A entry is ok, pointing to the right IP address:

8.102.88.136 - - [27/Jan/2019:21:09:59 +0100] "GET /.well-known/acme-challenge/9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20 HTTP/1.1" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"

In the log there is no entry from the Let's Encrypt servers, but still, certbot gets a 404:

FailedChallenges: Failed authorization procedure. radimroska.cz (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://radimroska.cz/.well-known/acme-challenge/9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20: "\n\n404 Not Found\n\n\nNot Found\n\n<p"

Any idea? It's driving me crazy :)

As you can see, the Apache config for this vhost is extremely simple.

<VirtualHost *:80>
    ServerName radimroska.cz
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Thanks
Radim


#2

Your domain's IPv6 address points to a different server :)


#3

Hi @radim

I've split the thread; it's better to have a thread of its own.

Your domain has IPv4 and IPv6 addresses (via https://check-your-website.server-daten.de/?q=radimroska.cz ):

Host               T     IP-Address          is auth.  ∑ Queries  ∑ Timeout
radimroska.cz      A     178.17.12.110       yes       1          0
radimroska.cz      AAAA  2a02:2b88:1:4::16   yes
www.radimroska.cz  A     178.17.12.110       yes       1          0
www.radimroska.cz  AAAA  2a02:2b88:1:4::16   yes

But there are different answers and different server headers:

Domainname                 IP-Address          Http-Status  redirect  Sec.   G

http://radimroska.cz/      178.17.12.110       200          -         0.090  H
  Date: Sun, 27 Jan 2019 20:20:16 GMT
  Server: Apache/2.4.10 (Debian)
  Last-Modified: Mon, 25 Dec 2017 13:00:22 GMT
  ETag: "29cd-56129bfcac660"
  Accept-Ranges: bytes
  Content-Length: 10701
  Vary: Accept-Encoding
  Connection: close
  Content-Type: text/html

http://radimroska.cz/      2a02:2b88:1:4::16   200          -         0.050  H
  Date: Sun, 27 Jan 2019 20:22:08 GMT
  Server: Apache
  Last-Modified: Mon, 28 Nov 2016 10:20:48 GMT
  ETag: "89f-54259d34cc2bc"
  Accept-Ranges: bytes
  Content-Length: 2207
  Vary: Accept-Encoding
  Cache-Control: max-age=0
  Expires: Sun, 27 Jan 2019 20:22:08 GMT
  Connection: close
  Content-Type: text/html

http://www.radimroska.cz/  178.17.12.110       200          -         0.086  H
  Date: Sun, 27 Jan 2019 20:20:16 GMT
  Server: Apache/2.4.10 (Debian)
  Last-Modified: Mon, 25 Dec 2017 13:00:22 GMT
  ETag: "29cd-56129bfcac660"
  Accept-Ranges: bytes
  Content-Length: 10701
  Vary: Accept-Encoding
  Connection: close
  Content-Type: text/html

http://www.radimroska.cz/  2a02:2b88:1:4::16   200          -         0.047  H
  Date: Sun, 27 Jan 2019 20:22:08 GMT
  Server: Apache
  Last-Modified: Mon, 28 Nov 2016 10:20:48 GMT
  ETag: "89f-54259d34cc2bc"
  Accept-Ranges: bytes
  Content-Length: 2207
  Vary: Accept-Encoding
  Cache-Control: max-age=0
  Expires: Sun, 27 Jan 2019 20:22:08 GMT
  Connection: close
  Content-Type: text/html

One (IPv4) is an Apache/2.4.10 (Debian); the IPv6 one says only "Apache".

Let's Encrypt prefers IPv6, so you may have a second webserver.

Perhaps remove the IPv6, create a new certificate, then fix your IPv6 configuration.
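The diagnosis above (a name with both A and AAAA records, the two addresses answering from different servers, and the validator trying IPv6 first) is easy to reproduce locally before opening a thread. The script below is an added example, not certbot's or Let's Encrypt's code: it resolves every address of a name, fetches the challenge URL from each address separately with the Host header set, and reports where the answers disagree. It assumes Python 3.8+ and the standard library only; the token, addresses and Server headers in the built-in sample are constructed to mirror this thread, and the fallback rule it encodes (an HTTP error over IPv6 is final, only a connection failure falls back to IPv4) is Let's Encrypt's documented validator behaviour.

```python
"""Pre-flight for an http-01 challenge: probe every A/AAAA address of a name.

Added example, not part of certbot or Let's Encrypt. Standard library only.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    family: str            # "IPv4" or "IPv6"
    address: str
    status: Optional[int]  # None when the TCP connection itself failed
    server: str            # Server response header, "" if absent
    body: str              # first bytes of the response body


def resolve_all(host: str) -> List[Tuple[str, str]]:
    """Every (family, address) the name resolves to, IPv6 first, which is the
    order Let's Encrypt's validator tries them in."""
    found = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        label = "IPv6" if fam == socket.AF_INET6 else "IPv4"
        if (label, sockaddr[0]) not in found:
            found.append((label, sockaddr[0]))
    return sorted(found, key=lambda p: p[0] != "IPv6")


def probe(host: str, family: str, address: str, token: str, timeout: float = 10.0) -> Probe:
    """GET the challenge URL from one specific address. Connecting to the
    literal address while sending Host: <name> is what the CA does per record,
    so a wrong vhost or a second machine shows up here, not in your access log."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)  # explicit port: IPv6 literal is fine
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return Probe(family, address, resp.status,
                     resp.getheader("Server", ""), resp.read(512).decode("latin-1"))
    except OSError:
        return Probe(family, address, None, "", "")
    finally:
        conn.close()


def diagnose(probes: List[Probe], token: str) -> List[str]:
    """Human-readable findings. A key authorization starts with the token, so
    a 200 whose body starts with the token counts as 'serves the challenge'."""
    findings = []
    good = [p for p in probes if p.status == 200 and p.body.startswith(token)]
    bad = [p for p in probes if p not in good]
    for p in bad:
        if p.status is None:
            findings.append(f"{p.family} {p.address}: connection failed")
        else:
            findings.append(f"{p.family} {p.address}: HTTP {p.status} "
                            f"(Server: {p.server or '?'}), token not served")
    servers = {p.server for p in probes if p.status is not None}
    if len(servers) > 1:
        findings.append("Server headers differ across addresses: " + ", ".join(sorted(servers))
                        + " (likely two different hosts behind one name)")
    if probes and bad:
        first = probes[0]
        if first in bad and first.status is not None:
            findings.append(f"Validation would fail: {first.family} is tried first and answered "
                            "with an HTTP error, which is final (no fallback to the other family)")
        elif first in bad and first.status is None and good:
            findings.append(f"{first.family} connection failed; the validator falls back to the "
                            "next address, which serves the token")
    if not bad:
        findings.append("All addresses serve the token; http-01 should succeed")
    return findings


def check(host: str, token: str) -> List[str]:
    """Live check: resolve the name, probe each address, diagnose."""
    return diagnose([probe(host, fam, addr, token) for fam, addr in resolve_all(host)], token)


def thread_example() -> List[str]:
    """Constructed probe results modelled on this thread (no network needed)."""
    token = "9RcKIvVdyOO9aDU0sVlOwNZF7MiMZiXxNbpXb1Mzc20"
    probes = [
        Probe("IPv6", "2a02:2b88:1:4::16", 404, "Apache", "<!DOCTYPE HTML ...404 Not Found"),
        Probe("IPv4", "178.17.12.110", 200, "Apache/2.4.10 (Debian)", token + ".constructed-thumbprint"),
    ]
    return diagnose(probes, token)


if __name__ == "__main__":
    import sys
    # usage: python acme_preflight.py example.org <token-you-placed-in-webroot>
    print("\n".join(check(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else thread_example()))
```

Place any file under the webroot's /.well-known/acme-challenge/ whose content starts with its own name, then run the script with that name as the token; an address that answers 404, or with a different Server header, is a host that is not the one you are editing.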


#5

Hi guys,

Thanks :). You are right. I actually did not notice that IPv6 exists for my domain. I did not set it, but it was there by default. My provider does not provide IPv6 connectivity :).

I did not realize certbot is trying the IPv6 address first; good to know ;). Did not notice it in the debug output either.

Thanks a lot!
Radim


#6

I see, you have rechecked your domain ( https://check-your-website.server-daten.de/?q=radimroska.cz ); now the IPv6 is gone.

But there is a small thing: checking your domain with my browser, your non-www version has a new certificate. Your www version has the same certificate, but this certificate has only the non-www domain name.

So create one certificate with both domain names:

certbot-auto certonly --debug -v -d "radimroska.cz" -d "www.radimroska.cz"

and use this.

Then www and non-www are secure.


#7

Dear Juergen,

thank you for the advice. I updated the cert to also include the www domain ;).

Radim


#8

Yep, now you have one certificate with two domain names:

CN=radimroska.cz
    28.01.2019
    28.04.2019
    radimroska.cz, www.radimroska.cz - 2 entries

So both domain versions are secure.