Struggle with nginx & .well-known/acme-challenge


#1

Nginx config:

I placed a test.html file inside /var/www/letsencrypt/.well-known/acme-challenge and it opens fine, as you can see:
http://crystalbit.be/.well-known/acme-challenge/test.html

When I try to renew the certificate using the following command:
sudo -H ./letsencrypt-auto certonly --webroot --renew-by-default -w /var/www/letsencrypt -d crystalbit.be -d www.crystalbit.be

I get this response:

- The following errors were reported by the server:

   Domain: www.crystalbit.be
   Type:   unauthorized
   Detail: Invalid response from
   http://www.crystalbit.be/.well-known/acme-challenge/dfXk_w8OwpiO7Bne_osVYlE0Tmy7BgBiJ9Jimf9nPY0:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: crystalbit.be
   Type:   unauthorized
   Detail: Invalid response from
   http://crystalbit.be/.well-known/acme-challenge/FUVQZLjsmBE5WHEMOJxBr4fel1EixB2H4P_OmFw6fkU:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

#2

The AAAA DNS records for crystalbit.be and www.crystalbit.be seem to be pointing to an Apache server. Check that you’ve got the right IPv6 address.


#3

Thanks for the reply, here’s what I got:
(screenshot: sshot-2018-06-09 [19-10-07])


#4

Yes, I get the same. But is 2600:3c01::f03c:91ff:fe69:5ca0 actually the correct IPv6 address for your server? I guess it isn’t because when I try to access your site via IPv6 I see an “Apache2 Ubuntu Default Page”, whereas you said you’re using nginx (and indeed if I access your site over IPv4 I see a “Welcome to nginx” page).

You need to find out the correct IPv6 address for your server and set the AAAA records to that. Or if you don’t have an IPv6 address, remove the AAAA records entirely.


#5

The two IP addresses do seem to be the same VPS.

And the Apache page is being served by Nginx.

Server: nginx/1.10.3 (Ubuntu)

So it might be that the DNS is correct, but the Nginx configuration needs to be adjusted. Maybe some of the server blocks are missing IPv6 listen directives.


#6

Interesting! I don’t have IPv6 here so I was using a proxy that unfortunately doesn’t show me the headers :)


#7

Thank you very much guys! This helped:
listen 80;
listen [::]:80 ipv6only=on;


#8

Hi,

You might want to remove “ipv6only=on”, because your server now would only serve IPv6 and disable IPv4… (At least that’s what my version of Nginx does.)

Thank you


#9

It’s fine if you have IPv4 and IPv6 listen directives.

ipv6only is on by default in more recent versions of Nginx.

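A small audit script for the misconfiguration diagnosed in #5 and fixed in #7, and for the ipv6only question raised in #8 and #9. This is an added example, not code from the original thread or from nginx: it parses `server { ... }` blocks, classifies each `listen` directive by address family, and flags a vhost that answers port 80 on IPv4 but not IPv6 (or the reverse). The two configs are constructed to resemble the thread; the names crystalbit.be, /var/www/letsencrypt and /var/www/html are assumptions about the poster's setup. It also treats `ipv6only=off` on a `[::]:80` socket as dual-stack, which is how Linux handles that option and why #9 says `ipv6only=on` is harmless when an IPv4 `listen` is present.

```python
"""Flag nginx server blocks that serve port 80 on only one address family.

Added example, not part of the original thread. With an AAAA record in DNS
the ACME server fetches the challenge over IPv6; a vhost with `listen 80;`
but no `listen [::]:80;` never sees that request, which falls through to
the block that is default_server for [::]:80 (the distro default site).
"""
import re

# Constructed config: default site plus a vhost that only listens on IPv4.
BROKEN_CONFIG = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;   # IPv6 requests for every name land here
    root /var/www/html;              # the "Apache2 Ubuntu Default Page"
    server_name _;
}
server {
    listen 80;                       # IPv4 only: no [::]:80 line
    server_name crystalbit.be www.crystalbit.be;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
}
"""

# Constructed config: the fix from post #7 applied to the same vhost.
FIXED_CONFIG = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name _;
}
server {
    listen 80;
    listen [::]:80 ipv6only=on;      # default since nginx 1.3.4; fine with listen 80
    server_name crystalbit.be www.crystalbit.be;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
}
"""

# Constructed config: one dual-stack socket instead of two listen lines.
DUAL_STACK_CONFIG = "server { listen [::]:80 ipv6only=off; server_name dual.example; }"


def strip_comments(text):
    return re.sub(r"#[^\n]*", "", text)


def server_blocks(text):
    """Yield the body of each `server { ... }` block, matching braces so that
    nested `location { ... }` blocks do not end the server block early."""
    text = strip_comments(text)
    pat = re.compile(r"\bserver\s*\{")
    pos = 0
    while (m := pat.search(text, pos)):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[m.end():j - 1]
        pos = j


def parse_listen(value):
    """Classify one `listen` value into (families, port).

    `listen 80` binds IPv4 only. `listen [::]:80` binds IPv6 only unless
    `ipv6only=off` is given, in which case the Linux socket is dual-stack.
    """
    parts = value.split()
    addr = parts[0]
    if addr.startswith("unix:"):
        return frozenset(), None
    if addr.startswith("["):
        _, _, rest = addr.partition("]")
        port = int(rest.lstrip(":") or 80)
        fams = {"ipv4", "ipv6"} if "ipv6only=off" in parts[1:] else {"ipv6"}
        return frozenset(fams), port
    if addr.isdigit():
        return frozenset({"ipv4"}), int(addr)
    _, _, port = addr.rpartition(":")
    return frozenset({"ipv4"}), int(port) if port.isdigit() else 80


def audit(config, port=80):
    """Return one dict per server block: its server_name, the address families
    it serves on `port`, and the issues a practitioner should fix."""
    findings = []
    for body in server_blocks(config):
        directives = re.findall(r"^\s*(listen|server_name)\s+([^;]+);", body, re.M)
        names = [v for k, v in directives if k == "server_name"]
        listens = [v for k, v in directives if k == "listen"] or ["*:80"]  # nginx default
        families = set()
        for v in listens:
            fams, p = parse_listen(v)
            if p == port:
                families |= fams
        issues = []
        if families == {"ipv4"}:
            issues.append(f"IPv4-only on :{port}; IPv6 requests are answered by the "
                          f"[::]:{port} default_server block instead")
        elif families == {"ipv6"}:
            issues.append(f"IPv6-only on :{port}; IPv4 clients never reach this block")
        findings.append({"server_name": " ".join(names) or "(none)",
                         "families": families, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(f"  {f['server_name']:<35} {sorted(f['families'])} {f['issues']}")
```

To run it against a live host, dump the effective configuration with `nginx -T` and pass that text to `audit()`. Then confirm end to end with `curl -4 -I http://crystalbit.be/.well-known/acme-challenge/test.html` and `curl -6 -I ...`: both should return 200 from the same vhost, and `ss -ltn` should show both `0.0.0.0:80` and `[::]:80` bound. The thread's symptom, a 200 over IPv4 but the default site's 404 over IPv6, is exactly what the first finding above describes.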
