[solved] Standalone operations don't work on Ubuntu 16.04 LTS

I am trying to get certificates for my domain production-eu-00.babyphoneduo.de.
I am using standalone mode on a minimal Ubuntu 16.04 LTS. There is no webserver installed (and I don't want to install one, this should be a minimal server only, I need the certs for securing an MQTT daemon).
DNS A record has been correctly configured.
Port 80 is reachable from the internet (tested with SimpleHTTPServer).

Command line:

sudo certbot certonly --standalone --preferred-challenges http

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): production-eu-00.babyphoneduo.de
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for production-eu-00.babyphoneduo.de
Waiting for verification...

Cleaning up challenges
Failed authorization procedure. production-eu-00.babyphoneduo.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://production-eu-00.babyphoneduo.de/.well-known/acme-challenge/MOC7EpQGNHuA5cagLcCeLimdIKkNGNShBi09OwZQ1Bo: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: production-eu-00.babyphoneduo.de
   Type:   unauthorized
   Detail: Invalid response from
   http://production-eu-00.babyphoneduo.de/.well-known/acme-challenge/MOC7EpQGNHuA5cagLcCeLimdIKkNGNShBi09OwZQ1Bo:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Any idea?

Thx,
Roeland.

I run standalone all the time on some of my 16.04 servers which do not run web servers. Try this instead.

sudo ./certbot-auto certonly --standalone --agree-tos --rsa-key-size 4096 -m youremail@wherever.com -d mydomain.com -d www.mydomain.com --renew-by-default

Obviously change the email address and domain names in the above example.

production-eu-00.babyphoneduo.de resolves to multiple IPs:
Addresses: 2001:8d8:926:7600::76:10ff
81.173.114.31

LE prefers IPv6 over IPv4, so you must ensure your site is accessible via IPv6.
I tested the IPv4 IP and it failed with "connection refused":

wget http://production-eu-00.babyphoneduo.de/
--2017-10-03 10:46:40-- http://production-eu-00.babyphoneduo.de/
Resolving production-eu-00.babyphoneduo.de (production-eu-00.babyphoneduo.de)… 81.173.114.31, 2001:8d8:926:7600::76:10ff
Connecting to production-eu-00.babyphoneduo.de (production-eu-00.babyphoneduo.de)|81.173.114.31|:80… failed: Connection refused.

And it also failed from all major browsers, so you can rule out user-agent blocking.

Try placing a test.txt file with minimal content within the challenge folder.
Then access it from the Internet,
like: http://production-eu-00.babyphoneduo.de/.well-known/acme-challenge/test.txt
Get that to work and then retry the renewal.

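As an added pre-flight check written for this thread (not code from the posts above or from certbot), the script below resolves every A/AAAA address of a hostname and fetches the challenge path over each address individually, so a published AAAA record that points at a host not serving the token is caught before the CA's validator (which tries IPv6 first) reports "Invalid response". The hostname, token and 2001:db8::/192.0.2.x addresses in the built-in sample are constructed placeholders; the sample fetcher reproduces the thread's symptom (404 over IPv6, token served over IPv4).

```python
import socket
import urllib.error
import urllib.request

def resolve_all(host):
    """All A/AAAA addresses of host as ("A"|"AAAA", ip), AAAA first, the order an IPv6-preferring validator uses."""
    pairs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        rec = "AAAA" if family == socket.AF_INET6 else "A"
        if (rec, sockaddr[0]) not in pairs:
            pairs.append((rec, sockaddr[0]))
    return sorted(pairs, key=lambda p: p[0] != "AAAA")

def fetch_over_ip(host, ip, path, timeout=5):
    """GET path from one specific address while sending the real Host header; returns (status, body) or (None, error)."""
    authority = "[%s]" % ip if ":" in ip else ip
    req = urllib.request.Request("http://%s%s" % (authority, path), headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # e.g. the 404 page quoted in the thread
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:  # connection refused, timeout, no route
        return None, str(e)

def check_http01(host, token, expected, resolve=resolve_all, fetch=fetch_over_ip):
    """Try the challenge URL over every published address; one dict per address."""
    path = "/.well-known/acme-challenge/" + token
    findings = []
    for rec, ip in resolve(host):
        status, body = fetch(host, ip, path)
        findings.append({"record": rec, "ip": ip, "status": status,
                         "ok": status == 200 and body.strip() == expected})
    return findings

def diagnose(findings):
    """A published AAAA that does not serve the token fails validation even when IPv4 is fine."""
    bad_v6 = [f for f in findings if f["record"] == "AAAA" and not f["ok"]]
    if bad_v6:
        return "AAAA published but challenge not served over IPv6 (%s); fix IPv6 or drop the AAAA record" % bad_v6[0]["ip"]
    if all(f["ok"] for f in findings):
        return "challenge served on every published address"
    return "challenge not served on some IPv4 address"

# Constructed offline sample (placeholder token and documentation-range addresses) reproducing the thread:
# the AAAA address answers 404 from a different server, the A address serves the key authorization.
SAMPLE_TOKEN = "EXAMPLE-TOKEN"
SAMPLE_EXPECTED = SAMPLE_TOKEN + ".thumbprint"
SAMPLE_ADDRS = [("AAAA", "2001:db8::1"), ("A", "192.0.2.10")]

def sample_fetch(host, ip, path):
    return (404, "<h1>Not Found</h1>") if ":" in ip else (200, SAMPLE_EXPECTED + "\n")

def sample_findings(fetch=sample_fetch):
    return check_http01("example.com", SAMPLE_TOKEN, SAMPLE_EXPECTED, resolve=lambda h: SAMPLE_ADDRS, fetch=fetch)

if __name__ == "__main__":
    for f in sample_findings():
        print(f)
    print(diagnose(sample_findings()))
```

Run against a real hostname with check_http01(host, token, expected) after placing the token file; the verdict tells you whether the failure is on the IPv6 or the IPv4 path.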

Well that would explain the problem.

I removed the AAAA record from DNS, retried the certbot command and everything worked like a charm :grinning:

Thx to rg305 and MitchellK for taking the time to help me and pointing me in the right direction - highly appreciate it!

cheers,
Roeland.
