Some challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: huijse.nl

I ran this command: sudo certbot --apache -d huijse.nl -d www.huijse.nl

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for huijse.nl
Waiting for verification...
Challenge failed for domain huijse.nl
http-01 challenge for huijse.nl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: hostnet.nl

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.8.0

Thanks in advance

1 Like

Welcome to the Let's Encrypt Community, Michiel :slightly_smiling_face:

I noticed the following, which makes me suspect a wrong ipv6 address:

Let me do some checking...

3 Likes

Alright. If you would, can you try removing the AAAA (ipv6) record from your DNS then run the following and let me know the result:

sudo certbot certonly --cert-name huijse.nl -a apache -d huijse.nl,www.huijse.nl --dry-run

1 Like

Indeed the IPv4 and IPv6 addresses point to different webservers:

2 Likes

Thanks for the assist @_az. I searched for a good 20 minutes trying to find a tool to quickly verify that. Never thought to use LD.

1 Like

Thanks for the quick response. Just removed the IPv6 AAAA record from my DNS settings. But it may take up to 24 hours to take effect everywhere.
Than did the following:
sudo certbot certonly --cert-name huijse.nl -a apache -d huijse.nl,www.huijse.nl --dry-run
[sudo] password for michiel:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for huijse.nl
http-01 challenge for www.huijse.nl
Waiting for verification...
Challenge failed for domain huijse.nl
http-01 challenge for huijse.nl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: huijse.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://huijse.nl/.well-known/acme-challenge/22feTxU2ZeYAon0p2Uq6SAOSynzngvgew1Hvkrberkg
   [2a02:2268:ffff:ffff::4]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD
   HTML 2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
2 Likes

OOh I waited a few minutes and now there is a better result:

    sudo certbot certonly --cert-name huijse.nl -a apache -d huijse.nl,www.huijse.nl --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for huijse.nl
http-01 challenge for www.huijse.nl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.
3 Likes

Wonderful! :smiley:

Now let's try this:
sudo certbot certonly --cert-name huijse.nl -a apache -d huijse.nl,www.huijse.nl

1 Like

Whoop whoo! Works, thanks allot, happy it is solved. I asked my hosting multiple times if the DNS was configured well...
sudo certbot --apache -d huijse.nl -d www.huijse.nl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for huijse.nl
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/huijse.nl-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/huijse.nl-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/huijse.nl-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/huijse.nl-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/huijse.nl.conf to ssl vhost in /etc/apache2/sites-available/huijse.nl-le-ssl.conf

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://huijse.nl and
    https://www.huijse.nl
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/huijse.nl/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/huijse.nl/privkey.pem
       Your cert will expire on 2020-12-22. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
2 Likes

Congratulations!

:partying_face:

You even beat me to the install step. Fantastic!

All your redirects are working too!

You might want to consider redirecting to either only www or only non-www for SEO purposes, but aside from that, you're golden.

To renew, you need only run the following, which can (and may already) be automated with a scheduled task. Running it will skip acquiring a new certificate until 30 days before expiration, so feel free to run it as often as you like. :slightly_smiling_face:

sudo certbot renew

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.