Problem renewing cert (http challenge on a wordpress site)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: firstaidsuppliesonline.com

I ran this command: certbot -d firstaidsuppliesonline.com -d www.firstaidsuppliesonline.com --manual --preferred-challenges http certonly

It produced this output:

```text
Create a file containing just this data:

9d5drtNY8Wgph0JGrWgD251RX_UapuKMpnbe28W93iI.fqn5zYUKCYAOI_5T_Tfx9C6LKM7wPtn9zRKoFRn7lFU

And make it available on your web server at this URL:

http://firstaidsuppliesonline.com/.well-known/acme-challenge/9d5drtNY8Wgph0JGrWgD251RX_UapuKMpnbe28W93iI

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

hMkXq0C9YncYkZ7FFAFdTNx1O5UGCF7rUVQgQNRw7hQ.fqn5zYUKCYAOI_5T_Tfx9C6LKM7wPtn9zRKoFRn7lFU

And make it available on your web server at this URL:

http://www.firstaidsuppliesonline.com/.well-known/acme-challenge/hMkXq0C9YncYkZ7FFAFdTNx1O5UGCF7rUVQgQNRw7hQ

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.firstaidsuppliesonline.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.firstaidsuppliesonline.com/.well-known/acme-challenge/hMkXq0C9YncYkZ7FFAFdTNx1O5UGCF7rUVQgQNRw7hQ: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.firstaidsuppliesonline.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.firstaidsuppliesonline.com/.well-known/acme-challenge/hMkXq0C9YncYkZ7FFAFdTNx1O5UGCF7rUVQgQNRw7hQ:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

We had no problem getting the cert initially, but now it fails to renew even when I do --manual and actually visit and confirm the 2 .well-known/ URLs (it works in the browser).

Is there some way the server is sending a cached 404 as a response to the certbot command? Here is my conf and the .htaccess for the WordPress folder (.well-known is a subdirectory).

CONF:

```apache
<VirtualHost *:80>
	DocumentRoot /var/www/html/wordpress/
	ServerName firstaidsuppliesonline.com
	ServerAlias www.firstaidsuppliesonline.com

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	<Directory /var/www/html/wordpress/>
		Require all granted
		AllowOverride all
	</Directory>

	RewriteEngine on
	RewriteOptions inherit
	RewriteRule \.(svn|git)(/)?$ - [F]

	<IfModule mod_headers.c>
		Header set X-XSS-Protection "1; mode=block"
		Header always append X-Frame-Options SAMEORIGIN
	</IfModule>

	# RewriteCond %{SERVER_NAME} =firstaidsuppliesonline.com [OR]
	# RewriteCond %{SERVER_NAME} =www.firstaidsuppliesonline.com
	# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# <IfModule mod_ssl.c>
# 	<VirtualHost *:443>
# 		DocumentRoot /var/www/html/wordpress/
# 		ServerName firstaidsuppliesonline.com
# 		ServerAlias www.firstaidsuppliesonline.com

# 		ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
# 		CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

# 		<Directory /var/www/html/wordpress/>
# 			Require all granted
# 			AllowOverride all
# 		</Directory>

# 		RewriteEngine on
# 		RewriteOptions inherit
# 		RewriteRule \.(svn|git)(/)?$ - [F]

# 		<IfModule mod_headers.c>
# 			Header set X-XSS-Protection "1; mode=block"
# 			Header always append X-Frame-Options SAMEORIGIN
# 		</IfModule>

# 		SSLCertificateFile /etc/letsencrypt/live/firstaidsuppliesonline.com/fullchain.pem
# 		SSLCertificateKeyFile /etc/letsencrypt/live/firstaidsuppliesonline.com/privkey.pem
# 		Include /etc/letsencrypt/options-ssl-apache.conf
# 	</VirtualHost>
# </IfModule>
```

(Notice the HTTPS parts are commented out.) Apache has been restarted several times with this config.

HTACCESS:

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

We are trying the DNS challenge now, but of course that requires waiting some time for the TXT record to propagate.


#2

According to https://letsdebug.net/www.firstaidsuppliesonline.com/9932 it looks like your site is serving different content on IPv4 and IPv6 - but only for the www subdomain, which is odd since that’s just a CNAME pointed at the non-www version. Although checking with an IPv6 proxy, both names seem to return the wrong content over IPv6 for me.

Are you sure your AAAA record for IPv6 is correct?
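A way to reproduce what letsdebug observed from your own shell, added here as an example and not part of the thread: resolve every A and AAAA address for the hostname, fetch the challenge URL from each address with the real Host header (as the ACME validator does), and flag any address that does not return the expected key authorization. Hostname, token and key authorization are passed in as placeholders on the command line; the addresses in the inline comments are documentation ranges, not this site's.

```python
"""Added example: fetch an ACME http-01 challenge URL from every A/AAAA
address a hostname resolves to, and flag addresses that answer differently
(e.g. a 404 from a default vhost on IPv6 while IPv4 serves the token)."""
import socket
import sys
import http.client


def resolve_all(host):
    """Return the distinct IPv4/IPv6 addresses in host's A and AAAA records."""
    addrs = []
    for _fam, _t, _p, _c, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def fetch_via(address, host, path, timeout=10):
    """GET path from one specific address (IPv4 or IPv6 literal), sending the
    real Host header so Apache selects the vhost by name, as the CA would."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-check"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def check_responses(responses, expected_body):
    """Classify {address: (status, body)} against the expected key authorization.
    Trailing whitespace is ignored, as ACME validators tolerate it.
    Constructed input for testing: {"203.0.113.10": (200, "tok.thumb\\n"),
    "2001:db8::10": (404, "<html>Not Found</html>")}."""
    verdicts = {}
    for addr, (status, body) in responses.items():
        if status == 200 and body.strip() == expected_body:
            verdicts[addr] = "ok"
        elif status == 404:
            verdicts[addr] = "404: this address serves a different vhost/DocumentRoot"
        else:
            verdicts[addr] = f"unexpected HTTP {status}"
    return verdicts


def all_ok(verdicts):
    """True only when every resolved address returned the expected token."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    # usage: python acme_check.py HOSTNAME TOKEN KEYAUTHORIZATION  (placeholders)
    host, token, keyauth = sys.argv[1:4]
    path = "/.well-known/acme-challenge/" + token
    results = {a: fetch_via(a, host, path) for a in resolve_all(host)}
    for addr, verdict in check_responses(results, keyauth).items():
        print(f"{addr:40} {verdict}")
```

If one family reports "ok" and the other a 404, the AAAA (or A) record points at an address whose port-80 vhost is not the one with DocumentRoot /var/www/html/wordpress/.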


#3

It does seem that both v4 and v6 are on the same server…
But it’s really confusing why only one hostname is validated via IPv6…

@IsaacNewbton Please configure your site’s v6 virtual host to listen with the correct IPv6 record…


#4

I got the cert to renew using DNS challenge instead. I did edit the AAAA record so will attempt a dry run for HTTP challenge after it propagates.