Subdomain built on EC2 instance with Ubuntu


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev.special-lite.com

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d www.dev.special-lite.com -d dev.special-lite.com --dry-run

It produced this output:
http-01 challenge for dev.special-lite.com
http-01 challenge for www.dev.special-lite.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. dev.special-lite.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://dev.special-lite.com/.well-known/acme-challenge/ZoWhRo5ULDQwR7x5X0ZVa9Hxa0qK9_QLhMosffytOcA [2607:f1c0:1000:10a3:a1fb:3220:d458:c822]: 204, www.dev.special-lite.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.dev.special-lite.com/.well-known/acme-challenge/neb55Fop7cGrv4grJl668KnoHlizUbxstcgnjMHYarI [2607:f1c0:1000:10a3:a1fb:3220:d458:c822]: 204

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:
Amazon AWS EC2 Instance

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.26.1


#2

Hi @andrewpaschall

you have ipv4 and ipv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| dev.special-lite.com | A | 3.16.107.165 | yes | 1 | 0 |
| | AAAA | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | yes | | |
| www.dev.special-lite.com | A | 3.16.107.165 | yes | 1 | 0 |
| | AAAA | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | yes | | |

But ipv6 answers differently; it looks like there is no correct definition ( https://check-your-website.server-daten.de/?q=dev.special-lite.com ):

| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://dev.special-lite.com/ | 3.16.107.165 | 200 | | 0.230 | H |
| http://dev.special-lite.com/ | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | 200 | | 0.267 | H |
| http://www.dev.special-lite.com/ | 3.16.107.165 | 200 | | 0.230 | H |
| http://www.dev.special-lite.com/ | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | 200 | | 0.266 | H |
| https://dev.special-lite.com/ | 3.16.107.165 | 200, Certificate error: RemoteCertificateNameMismatch | | 6.373 | N |
| https://dev.special-lite.com/ | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | -10, SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | | 0.267 | P |
| https://www.dev.special-lite.com/ | 3.16.107.165 | 200, Certificate error: RemoteCertificateNameMismatch | | 6.123 | N |
| https://www.dev.special-lite.com/ | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | -10, SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel. | | 0.267 | P |
| http://dev.special-lite.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 3.16.107.165 | 404, Not Found | | 0.226 | A |
| http://dev.special-lite.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | 204 | | 0.640 | A |
| http://www.dev.special-lite.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 3.16.107.165 | 404, Not Found | | 0.223 | A |
| http://www.dev.special-lite.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2607:f1c0:1000:10a3:a1fb:3220:d458:c822 | 204 | | 0.500 | A |

ipv6 + https - not defined, ipv4 + https - http status 200

And the critical /.well-known/acme-challenge:

ipv4 sends a 404 (this is good), ipv6 sends a 204 - no content. Then Let's Encrypt finds nothing; this is bad.

So configure your ipv6 correctly or remove your ipv6 DNS AAAA entry.

Let's Encrypt prefers ipv6 when checking /.well-known/acme-challenge.
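The check the answer above did by hand (request the challenge path over every A and AAAA address and compare the answers) can be scripted before running certbot. The following is an added example, not code from the thread or from certbot: it resolves all addresses of a host, fetches a constructed token path from each address with the real Host header over plain HTTP on port 80 without following redirects, and classifies the result. It treats 200 or 404 as "serves the webroot" (404 for an unknown token is what the answer calls good) and anything else, including 204 or no response, as a misconfiguration; the probe token name and the "acme-path-probe" User-Agent are assumptions.

```python
"""Per-address probe of the ACME http-01 path (added example, not from the thread).

Assumes plain HTTP on port 80 and does not follow redirects, matching what the
web server in the post showed."""
import http.client
import socket

# Constructed token name: a path no real challenge uses, so a correctly
# configured webroot answers 404 (the answer above calls that "good").
PROBE_PATH = "/.well-known/acme-challenge/probe-token-not-a-real-challenge"

# Statuses a webroot that really serves the challenge directory can return:
# 200 for a token that exists, 404 for one that does not.
EXPECTED = {200, 404}


def resolve_all(host):
    """Return [(family, ip), ...] for every A and AAAA record of host, deduplicated."""
    found = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        family = "ipv4" if fam == socket.AF_INET else "ipv6"
        entry = (family, sockaddr[0])
        if entry not in found:
            found.append(entry)
    return found


def probe(ip, host, path=PROBE_PATH, timeout=5.0):
    """GET path from one specific address, sending the hostname in the Host header.
    Returns the HTTP status, or None if no connection or response could be made."""
    # http.client accepts a bracketed IPv6 literal as the host argument.
    literal = f"[{ip}]" if ":" in ip else ip
    conn = http.client.HTTPConnection(literal, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-path-probe"})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(status_by_address):
    """Turn {'ipv4 3.16.107.165': 404, 'ipv6 2607:...': 204} into (verdict, explanation).

    verdict is one of:
      'ok'             every address answered 200/404, i.e. serves the webroot
      'mismatch'       addresses disagree: one DNS record points at a host or
                       vhost that does not serve the challenge directory
      'misconfigured'  every address answers the same wrong way
    """
    unexpected = {a: s for a, s in status_by_address.items() if s not in EXPECTED}
    summary = ", ".join(f"{a}={s if s is not None else 'no response'}"
                        for a, s in sorted(status_by_address.items()))
    if not unexpected:
        return "ok", f"all addresses serve the challenge path ({summary})"
    if len(set(status_by_address.values())) > 1:
        return "mismatch", (f"addresses answer differently ({summary}); "
                            "fix the address that is wrong or drop its DNS record")
    return "misconfigured", f"no address serves the challenge path ({summary})"


def probe_host(host):
    """Resolve host, probe each address, classify. Returns (verdict, explanation, details)."""
    details = {f"{family} {ip}": probe(ip, host) for family, ip in resolve_all(host)}
    verdict, why = classify(details)
    return verdict, why, details


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dev.special-lite.com"
    verdict, why, details = probe_host(target)
    for address, status in details.items():
        print(f"{address:60} -> {status}")
    print(f"{verdict}: {why}")
```

Run it as `python3 probe.py dev.special-lite.com` from a host with both IPv4 and IPv6 connectivity; a result of `ipv4 ...=404, ipv6 ...=204` is exactly the split the table above shows, and since Let's Encrypt tries the AAAA address first, the IPv6 side is the one to fix or remove.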

