Problems with http challenges and IPv4 only domains


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cosmictourist.de,www.cosmictourist.de

I ran this command:
certbot --text --email info@… --domains cosmictourist.de,www.cosmictourist.de --rsa-key-size 4096 --agree-tos --renew-by-default --manual certonly

It produced this output:
Domain: www.cosmictourist.de
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge [tw4S15l3HaHGYVETV4T8DXZKrHMWiCZYj9JAwBA2tmI._FbOP2J5b0VWu0eF0q2-QvEMz3PGY7WIhFN3TvucLrc] != []

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: all-inkl.com

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, name unknown

Hi,

today I tried to generate a new certificate as described above. I used a virtual machine of Fedora 28; the certificate is for a web hosting package.
I have done this multiple times in the past with other domains successfully.

This time I tried many, many variations and options, with no success. Every time, certbot tells me that the challenges are not accessible. It's not true. I can access the uploaded challenges via web browser with no error page…
The challenges are correctly generated with the correct file name and content.

I found via Google many discussions about the problem with IPv4 domains with no working IPv6. This is the case here. In the DNS (not editable for me!) no IPv6 record is configured. Also, tests with some test sites are unsuccessful (http://ipv6-test.com/validate.php).
I can also NOT configure DNS TXT records for the DNS challenge at this site.

I tried also https://zerossl.com/ with the same error result.

I used certbot 0.26, today updated via dnf upgrade.

So, what can I do to get a Let's Encrypt certificate for these IPv4-only domains?
Any help would be highly appreciated.

Thank you,
Klaus


#2

Hi,

Can you please share an example of your uploaded files with us?

Also, there is something wrong with your site… Whatever files are accessed in /.well-known/acme-challenge/ are given an HTTP 200 (they should return 403 or 404).

Thank you


#3

Hi @klauspforte

there is no need to have an IPv6 record. IPv4-only works without problems.

Sometimes there are wrong IPv6 definitions. Those produce errors.

Your error message

means, that Letsencrypt wants a file with the content

tw4S15l3HaHGYVETV4T8DXZKrHMWiCZYj9JAwBA2tmI._FbOP2J5b0VWu0eF0q2-QvEMz3PGY7WIhFN3TvucLrc

but the content of your file is empty.

Put a file under /.well-known/acme-challenge/123123123

with the content

test

then test if you can load it in a browser.

Loading

http://www.cosmictourist.de/.well-known/acme-challenge/123456789

is wrong - there is an HTTP status 200, not a 404.

PS: All-inkl has its own client.

https://all-inkl.com/webhosting/lets-encrypt-ssl-zertifikate/

Try using that. Perhaps all-inkl blocks the standard file. Then your own certbot isn't required.


#4

@JuergenAuer and @stevenzhu: Thank you for your quick response.

My challenges were not empty and were manually created.
(I cannot upload as a new user.) An example:
file name: JTwyM-okw1w51upgg2QxIYJ73D-pqKQul8o9GE8uMHc
content: JTwyM-okw1w51upgg2QxIYJ73D-pqKQul8o9GE8uMHc._FbOP2J5b0VWu0eF0q2-QvEMz3PGY7WIhFN3TvucLrc

All my files were not empty. The error message with the [] is a real mystery for me…

Please test yourself, there is no error, I generated such a file:
http://www.cosmictourist.de/.well-known/acme-challenge/123456789

Thank you very much for the hint regarding the all-inkl.com page. I didn’t know!
I just used this special function and all worked perfectly! Job is done!

Maybe it is correct that all-inkl.com blocks the other way to generate the certificate…
I have asked the support about that and await the reply from them.

Thank you and best regards,
Klaus


#5

I can download the file. But it is empty.

Good to know. So this solution is better than your own client.

Yes, it looks that way. If you get an answer, share it.

In 60 - 70 days: check if the renewal works. If yes, forget your own client :wink:


#6

Please, believe me that the file on the server, as well as all other uploaded files, are not empty.
The content is “test”.
Maybe there is a special blocking function…

I will update the topic later, OK.


#7

Update:

I received a reply from all-inkl.com.
They extend the Let's Encrypt certificate automatically(!) once it is in place. Very nice!
And they use the folder .well.known/challenge for their own process. That's why it is blocked for outside usage! And that's why the challenge is "empty" every time.

Regards,
Klaus


#8

Ah - thanks. Good to know.

So empty file, 200 status with a random file name -->> the hoster may have its own solution.
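The two diagnostic points made in post #3 and summarised in post #8 (the CA wants the body `<token>.<thumbprint>` at the challenge URL, and a 200 with an empty body for a file name that was never uploaded means something in front of the docroot is handling the acme-challenge directory itself), worked through as code. This is an added example and is not code from the thread, from certbot or from all-inkl: the token and thumbprint are the strings from the error message in post #1, the "web servers" are constructed in-memory stand-ins rather than real HTTP requests, and the function names are this example's own.

```python
"""Check an ACME HTTP-01 challenge the way the CA's validator does.

Added example, not code from the thread, certbot or all-inkl. The token and
account-key thumbprint below are the strings from the error message in post #1;
the web servers are constructed in-memory stand-ins, not real HTTP requests.
"""
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"

# A fetch callable takes a URL and returns (HTTP status, body).
Fetch = Callable[[str], Tuple[int, bytes]]


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of the account public key: SHA-256 over the canonical
    JSON of the required public members only, keys sorted, no whitespace.
    This is the part after the '.' in the key authorization."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """Exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{thumbprint}"


@dataclass
class Diagnosis:
    verdict: str   # "ok", "intercepted", "missing" or "mismatch"
    detail: str


def diagnose_http01(fetch: Fetch, domain: str, token: str, expected: str) -> Diagnosis:
    """Fetch the challenge over plain HTTP and explain a failure.

    The CA compares the response body (trailing whitespace ignored) with the
    key authorization. An empty body is exactly what produces the
    '[<keyauth>] != []' message quoted in the thread."""
    url = f"http://{domain}{ACME_PATH}{token}"
    status, body = fetch(url)
    served = body.decode("utf-8", "replace").strip()
    if status == 200 and served == expected:
        return Diagnosis("ok", "served key authorization matches")
    # Probe a token that was never created. A plain docroot answers 404; a 200
    # with an empty body means something in front of the docroot handles the
    # whole acme-challenge directory itself (the hoster case in posts #3/#8).
    probe = b64url(secrets.token_bytes(32))
    p_status, p_body = fetch(f"http://{domain}{ACME_PATH}{probe}")
    if p_status == 200 and not p_body.strip():
        return Diagnosis("intercepted",
                         "every path under acme-challenge returns 200 with an empty "
                         "body; the hoster runs its own ACME client for this directory")
    if status == 404:
        return Diagnosis("missing", f"nothing served at {url}")
    return Diagnosis("mismatch", f"status {status}, body {served!r}, expected {expected!r}")


def make_fetch(docroot: Dict[str, bytes], intercept_acme: bool = False) -> Fetch:
    """Constructed stand-in for a web server. `docroot` maps URL paths to bodies.
    With intercept_acme=True it mimics the hoster from the thread: every path under
    ACME_PATH is answered 200 with an empty body, whatever files were uploaded."""
    def fetch(url: str) -> Tuple[int, bytes]:
        path = urlsplit(url).path
        if intercept_acme and path.startswith(ACME_PATH):
            return 200, b""
        if path in docroot:
            return 200, docroot[path]
        return 404, b"Not Found"
    return fetch


# Strings from the error message in post #1.
TOKEN = "tw4S15l3HaHGYVETV4T8DXZKrHMWiCZYj9JAwBA2tmI"
THUMBPRINT = "_FbOP2J5b0VWu0eF0q2-QvEMz3PGY7WIhFN3TvucLrc"

if __name__ == "__main__":
    expected = key_authorization(TOKEN, THUMBPRINT)
    uploaded = {ACME_PATH + TOKEN: expected.encode()}
    servers = {
        "plain docroot": make_fetch(uploaded),
        "hoster-intercepted": make_fetch(uploaded, intercept_acme=True),
    }
    for name, fetch in servers.items():
        d = diagnose_http01(fetch, "www.cosmictourist.de", TOKEN, expected)
        print(f"{name:20s} {d.verdict:12s} {d.detail}")
```

Running the block prints `ok` for the plain docroot and `intercepted` for the hoster-style server even though the same file was "uploaded" in both cases, which is the situation Klaus saw: the file on disk is correct, but the CA never reaches it. The random-name probe is the same test Juergen did by hand with `/123456789`; against a real host, replace `make_fetch` with a function that does a plain HTTP GET on port 80 (the CA validates over HTTP, so do not test only the HTTPS URL).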

