Some challenges have failed - challenge files are not downloaded?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.easyfairings.com

I ran this command: /usr/local/bin/certbot-auto certonly --nginx

It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.easyfairings.com
Waiting for verification…
Challenge failed for domain www.easyfairings.com
http-01 challenge for www.easyfairings.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

I’ve tried with --dry-run and with --webroot

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Current vhost config:

	limit_req_zone $binary_remote_addr zone=mylimit:10m rate=2r/s;

server {
		set $MAGE_ROOT /var/www/html/easyfairings.com/www.easyfairings.com;
		listen 80;
		#root $MAGE_ROOT/pub;
		server_name easyfairings.com www.easyfairings.com;

		index index.php;
		autoindex off;
		charset UTF-8;

		location / {
				try_files $uri $uri/ /index.php?$args;
		}

		location ~ (index|get|static|report|404|503)\.php$ {
				try_files $uri =404;
				fastcgi_pass   unix:/run/php/php7.0-fpm.sock;
				fastcgi_buffers 1024 4k;

				fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
				fastcgi_param  PHP_VALUE "memory_limit=768M \n max_execution_time=18000";
				fastcgi_param  HTTPS on;
				fastcgi_param  HTTPS              $https if_not_empty;
				fastcgi_read_timeout 600s;
				fastcgi_connect_timeout 600s;

				fastcgi_index  index.php;
				fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
				include        fastcgi_params;
		}

}

server {
		set $MAGE_ROOT /var/www/html/easyfairings.com/www.easyfairings.com;

		listen 443 ssl;
		ssl on;
		ssl_certificate /home/secuuser/ssl_certificate/easyfairings.com.bundle.crt;
		ssl_certificate_key /home/secuuser/ssl_certificate/easyfairings.com.priv.key;

		server_name www.easyfairings.com;

		access_log /var/log/nginx/easyfairings.com_access.log;
		error_log /var/log/nginx/easyfairings.com_error.log;

		root $MAGE_ROOT/pub;

		index index.php;
		autoindex off;
		charset UTF-8;
		error_page 404 403 = /errors/404.php;
		#add_header "X-UA-Compatible" "IE=Edge";

		location / {
				try_files $uri $uri/ /index.php?$args;
		}

		# PHP entry point for main application
		location ~ (index|get|static|report|404|503)\.php$ {
				try_files $uri =404;
				fastcgi_pass   unix:/run/php/php7.0-fpm.sock;
				fastcgi_buffers 1024 4k;

				fastcgi_param  PHP_FLAG  "session.auto_start=off \n suhosin.session.cryptua=off";
				fastcgi_param  PHP_VALUE "memory_limit=768M \n max_execution_time=18000";
				fastcgi_param  HTTPS on;
				fastcgi_param  HTTPS              $https if_not_empty;  
				fastcgi_read_timeout 600s;
				fastcgi_connect_timeout 600s;

				fastcgi_index  index.php;
				fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
				include        fastcgi_params;
		}

		gzip on;
		gzip_disable "msie6";
		gzip_comp_level 6;
		gzip_min_length 1100;
		gzip_buffers 16 8k;
		gzip_proxied any;
		gzip_types
				text/plain
				text/css
				text/js
				text/xml
				text/javascript
				application/javascript
				application/x-javascript
				application/json
				application/xml
				application/xml+rss
				image/svg+xml;
		gzip_vary on;
}
1 Like

Hi @Chris8080

There are some checks of your domain, about one hour old - https://check-your-website.server-daten.de/?q=easyfairings.com

There you see the problem.

You have ipv4 and ipv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| easyfairings.com | A | 162.252.175.110 Wilmington/Delaware/United States (US) - Swiftway Sp. z o.o. Hostname: 110-175-252-162.static.edis.at | yes | 1 | 0 |
| | AAAA | 2607:f1c0:1000:1e:44da:6f4c:a937:d Kansas City/Missouri/United States (US) - 1&1 Internet SE | yes | | |
| www.easyfairings.com | A | 162.252.175.110 Wilmington/Delaware/United States (US) - Swiftway Sp. z o.o. Hostname: 110-175-252-162.static.edis.at | yes | 1 | 0 |
| | AAAA | 2607:f1c0:1000:1e:44da:6f4c:a937:d Kansas City/Missouri/United States (US) - 1&1 Internet SE | yes | | |

But ipv4 is from Swiftway, ipv6 from 1&1.

So I don't think both addresses are pointing to the same server.

There are a lot of different answers - Grade K.

http + ipv4 + /.well-known/acme-challenge/random-filename -> http status 404
Same with ipv6 -> http status 204.

Maybe the easiest solution: Remove the ipv6 dns entry.

When checking your domain, Letsencrypt prefers ipv6, so that's a critical problem.

1 Like

I have no idea who Swiftway is or why it should be there in the first place. I’ll try to check with 1&1 to see whether they can help.

1 Like

That information may be wrong / expired.

If the webserver has both ip addresses (ipv4 and ipv6), your ipv6 configuration may be incomplete.

There is no

listen 80;
listen [::]:80;

in your port 80 visible, that's required to have a working ipv6.

1 Like

Assuming EDIS is your hosting company, Swiftway seems to be affiliated with them. I'd guess Swiftway is their hosting company, or maybe a parent company or related brand.

A traceroute (mtr) ends with:

 10. AS32748 te8-4.dist02.chi01.steadfast.net (208.100.32.53)                 0.0%    10   23.7  23.9  23.7  24.8   0.0
 11. AS32748 ip100.216-86-155.static.steadfastdns.net (216.86.155.100)        0.0%    10   25.9  25.6  24.5  32.0   2.2
 12. AS35017 58.154.21.46.static.swiftway.net (46.21.154.58)                  0.0%    10   25.5  26.0  25.4  30.7   1.5
 13. AS35017 110-175-252-162.static.edis.at (162.252.175.110)                 0.0%    10   23.6  24.0  23.6  25.9   0.5

Unless there are anycast shenanigans, it looks like your IPv6 address is a 1&1 IP address in Kansas City running Apache, and your IPv4 address is an EDIS address in Chicago running Nginx.

4 Likes
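
An added example, not code from any poster in this thread: a Python check for the mismatch diagnosed above, requesting the challenge path over IPv4 and IPv6 separately and comparing the answers. `probe` and `diagnose` are hypothetical helper names, and treating IPv6 as the validated path when an AAAA record exists follows the statement in the thread.

```python
import http.client
import socket
import sys

# Path taken from the check quoted in the thread; any unused token name works.
CHALLENGE_PATH = "/.well-known/acme-challenge/random-filename"

def probe(host, family, path=CHALLENGE_PATH, timeout=10):
    """GET path over port 80 using one address family only.

    Returns (address, status, server_header); status is None if the connection
    fails, and the whole result is None if the name has no such record.
    """
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    address = infos[0][4][0]
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        # Connect to the literal address but keep the real name in Host.
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return address, resp.status, resp.getheader("Server", "")
    except (OSError, http.client.HTTPException):
        return address, None, ""
    finally:
        conn.close()

def diagnose(v4, v6):
    """Compare both probes; IPv6 is treated as the validated path when present."""
    findings = []
    validated_over = "ipv6" if v6 else ("ipv4" if v4 else None)
    if v4 and v6:
        if v4[1] != v6[1]:
            findings.append(f"status differs: ipv4={v4[1]} ipv6={v6[1]}")
        # Compare product names only, so "nginx/1.14.2" equals "nginx".
        if v4[2].split("/")[0].lower() != v6[2].split("/")[0].lower():
            findings.append(f"server differs: ipv4={v4[2]!r} ipv6={v6[2]!r}")
    return {"validated_over": validated_over, "consistent": not findings,
            "findings": findings}

if __name__ == "__main__":
    name = sys.argv[1]  # hostname to check, e.g. the certificate's domain
    print(diagnose(probe(name, socket.AF_INET), probe(name, socket.AF_INET6)))
```

A healthy dual-stack host returns the same status and the same `Server` product for a random token on both families; differing answers mean the A and AAAA records reach different web servers.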
