SSL fail on provisioning of virtual server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Thank you for your help. It is much appreciated.

My domain is: soakingrace.com

I ran this command: Enable SSL

It produced this output:

ssl-provision Log Begin - soakingrace.com
**********************************************************************************************
Fri Mar 31 00:06:58 UTC 2023

-------------------------------------------------------------------
Creating lock file @ /tmp/gridpane.ssl.lock
Lock contains:
soakingrace.com
-------------------------------------------------------------------
-------------------------------------------------------------------
Auto SSL 
Checking for Previous failed SSL provision attempts...
-------------------------------------------------------------------
Ensuring no remnant Certbot LE certs...
-------------------------------------------------------------------
Ensuring no remnant Acme LE certs...
-------------------------------------------------------------------
Using Webroot Method and Certbot
-------------------------------------------------------------------
Server IP: 24.199.84.211 
-------------------------------------------------------------------
Testing soakingrace.com DNS records before attempting to provision SSL...
soakingrace.com IP: 
172.67.178.219
104.21.17.237
www.soakingrace.com IP/CNAME: 
172.67.178.219
104.21.17.237
-------------------------------------------------------------------
Proceeding to do a Lets encrypt Dry Run for both: 
soakingrace.com, www.soakingrace.com
-------------------------------------------------------------------
Account registered.
Simulating a certificate request for soakingrace.com and www.soakingrace.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://soakingrace.com/.well-known/acme-challenge/0AwaRvo4z-i4132iDUsZpyq91bnCp3XwdIJyuUBwozY: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

  Domain: www.soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://www.soakingrace.com/.well-known/acme-challenge/WK8tNo89ftW7q7arEchKHtih9i6kzuKkdzuWvHd2iSM: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
-------------------------------------------------------------------
Dry Run failed.
-------------------------------------------------------------------
Proceeding to do a Lets encrypt Dry Run for:
soakingrace.com
Simulating a certificate request for soakingrace.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3033::6815:11ed: Invalid response from http://soakingrace.com/.well-known/acme-challenge/qVgTPg4GCn6hblv26CnTcPEUPCqRgSlv3tqIbrtmt1c: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
-------------------------------------------------------------------
Dry Run Failed, please check the error messages for more details, exiting without provisioning SSL...
Fri Mar 31 00:07:08 UTC 2023
**********************************************************************************************
ssl-provision Log End - soakingrace.com
**********************************************************************************************

Removing lockfile @ /tmp/gridpane.ssl.lock
**********************************************************************************************
ssl-provision Log Begin - soakingrace.com
**********************************************************************************************
Fri Mar 31 00:21:58 UTC 2023

-------------------------------------------------------------------
Creating lock file @ /tmp/gridpane.ssl.lock
Lock contains:
soakingrace.com
-------------------------------------------------------------------
-------------------------------------------------------------------
Auto SSL 
Checking for Previous failed SSL provision attempts...
-------------------------------------------------------------------
Ensuring no remnant Certbot LE certs...
-------------------------------------------------------------------
Ensuring no remnant Acme LE certs...
-------------------------------------------------------------------
Using Webroot Method and Certbot
-------------------------------------------------------------------
Server IP: 24.199.84.211 
-------------------------------------------------------------------
Testing soakingrace.com DNS records before attempting to provision SSL...
soakingrace.com IP: 
172.67.178.219
104.21.17.237
www.soakingrace.com IP/CNAME: 
104.21.17.237
172.67.178.219
-------------------------------------------------------------------
Proceeding to do a Lets encrypt Dry Run for both: 
soakingrace.com, www.soakingrace.com
-------------------------------------------------------------------
Simulating a certificate request for soakingrace.com and www.soakingrace.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://soakingrace.com/.well-known/acme-challenge/S7wbEu5rX7V2JFyKjk4BBQUPxFZu88Md8DxK8ECXGeY: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

  Domain: www.soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://www.soakingrace.com/.well-known/acme-challenge/FzfPI9m0j9eooqzyctVdSdVYLni_WSl4P5085LTeu4g: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
-------------------------------------------------------------------
Dry Run failed.
-------------------------------------------------------------------
Proceeding to do a Lets encrypt Dry Run for:
soakingrace.com
Simulating a certificate request for soakingrace.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://soakingrace.com/.well-known/acme-challenge/gkh4uwmVQK6TM3GmKy_peorPSKASpewmXvpl6K_COHc: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
-------------------------------------------------------------------
Dry Run Failed, please check the error messages for more details, exiting without provisioning SSL...
Fri Mar 31 00:22:08 UTC 2023
**********************************************************************************************
ssl-provision Log End - soakingrace.com
**********************************************************************************************

Removing lockfile @ /tmp/gridpane.ssl.lock
**********************************************************************************************
ssl-provision Log Begin - soakingrace.com
**********************************************************************************************
Fri Mar 31 19:15:06 UTC 2023

-------------------------------------------------------------------
Creating lock file @ /tmp/gridpane.ssl.lock
Lock contains:
soakingrace.com
-------------------------------------------------------------------
Checking for Previous failed SSL provision attempts...
-------------------------------------------------------------------
Ensuring no remnant Certbot LE certs...
-------------------------------------------------------------------
Ensuring no remnant Acme LE certs...
-------------------------------------------------------------------
Using Webroot Method and Certbot
-------------------------------------------------------------------
Server IP: 24.199.84.211 
-------------------------------------------------------------------
Testing soakingrace.com DNS records before attempting to provision SSL...
soakingrace.com IP: 
104.21.17.237
172.67.178.219
www.soakingrace.com IP/CNAME: 
104.21.17.237
172.67.178.219
-------------------------------------------------------------------
Proceeding to do a Lets encrypt Dry Run for both: 
soakingrace.com, www.soakingrace.com
-------------------------------------------------------------------
Simulating a certificate request for soakingrace.com and www.soakingrace.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://soakingrace.com/.well-known/acme-challenge/L_W4NfL7OKUks3pqDioAyiU_2Jap6nNCL-S-QxXMFpI: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

  Domain: www.soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3033::6815:11ed: Invalid response from http://www.soakingrace.com/.well-known/acme-challenge/GC60gEiGJd8OCY_jlPAfx5FJ9o9ejX7wjIxN95g5OfY: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
-------------------------------------------------------------------
Dry Run failed.
-------------------------------------------------------------------
Proceeding to do a Lets encrypt Dry Run for:
soakingrace.com
Simulating a certificate request for soakingrace.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3033::6815:11ed: Invalid response from http://soakingrace.com/.well-known/acme-challenge/s5hzor7-5inO1S3c5UitXI2MJQ-6WpwTWiT6QeE8VSo: "<!doctype html><html lang=\"en\"><head><meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/><meta name=\"viewport\" co"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
-------------------------------------------------------------------
Dry Run Failed, please check the error messages for more details, exiting without provisioning SSL...
Fri Mar 31 19:15:16 UTC 2023
**********************************************************************************************
ssl-provision Log End - soakingrace.com
**********************************************************************************************

Removing lockfile @ /tmp/gridpane.ssl.lock

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 20.04 x64

My hosting provider, if applicable, is: Gridpane on Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, WordPress not yet provisioned

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot (no version given)

Hello @knkrog, welcome to the Let's Encrypt community. 🙂

Using Let's Debug yields these results https://letsdebug.net/soakingrace.com/1428835

CloudflareCDN
Warning
The domain soakingrace.com is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare.
It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean- 
1 Like

If you open https://www.soakingrace.com/.well-known/acme-challenge/WK8tNo89ftW7q7arEchKHtih9i6kzuKkdzuWvHd2iSM, you'll see that the Cloudflare CDN is giving you an error. So, your web server is currently not accessible.

You'll probably want to set your Cloudflare SSL Mode to "Flexible", renew your certificate, and then change it back to "Full".

3 Likes

Alternately, you can search for an appropriate Cloudflare configuration that leaves /.well-known/acme-challenge/ unaltered without having to resort to the Cloudflare SSL mode that should never be used. I have written it up both here and in the Cloudflare Community quite a few times.

4 Likes
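The failure pattern in the log above (DNS answers that differ from the "Server IP", and an HTML page returned where the key authorization should be) can be checked mechanically. This is an added example, not part of the thread and not GridPane or Certbot code; the function names, the classification wording and the placeholder token are assumptions, and the sample log is constructed from the shape of the output posted above.

```python
import ipaddress
import re

# Constructed sample in the shape of the provisioning log above; the token is a placeholder.
SAMPLE_LOG = r"""Server IP: 24.199.84.211
soakingrace.com IP:
172.67.178.219
104.21.17.237
  Domain: soakingrace.com
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b2db: Invalid response from http://soakingrace.com/.well-known/acme-challenge/PLACEHOLDER_TOKEN: "<!doctype html><html lang=\"en\"><head>"
"""

DETAIL_RE = re.compile(
    r'Detail:\s+(?P<addr>[0-9A-Fa-f:.]+):\s+Invalid response from\s+'
    r'http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/(?P<token>[\w-]+):\s+"(?P<body>.*)"'
)


def dns_answers(log):
    """Lines that are nothing but an IP address: the DNS records the script printed."""
    found = set()
    for line in log.splitlines():
        try:
            found.add(ipaddress.ip_address(line.strip()))
        except ValueError:
            continue
    return found


def diagnose(log):
    """Return one finding per failed HTTP-01 challenge in the log text."""
    origin = ipaddress.ip_address(re.search(r"Server IP:\s*(\S+)", log).group(1))
    dns_hits_origin = origin in dns_answers(log)
    findings = []
    for m in DETAIL_RE.finditer(log):
        answered_by = ipaddress.ip_address(m["addr"])
        # RFC 8555 section 8.3: the body must be "<token>.<account key thumbprint>".
        is_key_auth = m["body"].startswith(m["token"] + ".")
        if is_key_auth:
            cause = "body is shaped like a key authorization; compare it with the file in the webroot"
        elif answered_by != origin or not dns_hits_origin:
            cause = "an intermediary answered; the challenge file on the origin was not served"
        else:
            cause = "origin answered, but not with the file Certbot wrote to the webroot"
        findings.append({
            "host": m["host"],
            "answered_by": str(answered_by),
            "dns_points_at_origin": dns_hits_origin,
            "body_is_key_authorization": is_key_auth,
            "cause": cause,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run against a real provisioning log, a finding with `dns_points_at_origin` false means the webroot on the origin is only reachable through whatever answers at the published addresses, so that path has to pass `/.well-known/acme-challenge/` through untouched.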
