"The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot" error

I think there may be something more I need to do with my DNS records but am unsure as to what precisely that is. I have checked to make sure my domain is pointing to the right name servers and that the IP address is correct but think I am missing something.

My domain is: comealive.world

I ran this command: sudo certbot --apache

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: comealive.world
Type: unauthorized
Detail: Invalid response from http://comealive.world/.well-known/acme-challenge/......
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot....

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 20.04.2

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0

Thanks for any help you can provide!

Hi @rebeccake, and welcome to the LE community forum :slight_smile:

As with most Apache problems found in this forum...
Please start unraveling the problem with:
sudo apachectl -S

It looks like your Apache server gives a different response based on whether the visitor is connecting via IPv4 or IPv6.

A couple things to check:

  1. That your VirtualHost is not restricted to an IPv4 address. It should look like

     <VirtualHost *:80>

     rather than

     <VirtualHost 172.104.194.238:80>

  2. In /etc/apache2/ports.conf, you are not listening on a specific IP address, but rather just:

     Listen 80
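
A static version of the two checks above, as an added example that is not part of the original reply: it scans Apache configuration text for VirtualHost and Listen directives pinned to an IPv4 literal with no wildcard or IPv6 counterpart on the same port. The function names and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config for illustration; not the poster's actual files.
SAMPLE_CONF = """\
Listen 172.104.194.238:80
Listen 443
<VirtualHost 172.104.194.238:80>
    ServerName comealive.world
</VirtualHost>
<VirtualHost *:443>
    ServerName comealive.world
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(?:<(VirtualHost)\s+([^>]+)>|(Listen)\s+(\S+))", re.I)

def parse(spec):
    """Split an Apache address spec into (family, port); family is 'any', 4, 6 or 'name'."""
    if spec.startswith("["):                      # [v6addr]:port
        host, _, rest = spec[1:].partition("]")
        port = rest.lstrip(":") or "*"
    elif ":" in spec:                             # addr:port or *:port
        host, port = spec.rsplit(":", 1)
    elif spec.isdigit():                          # port only, e.g. "Listen 80"
        host, port = "*", spec
    else:                                         # address without a port
        host, port = spec, "*"
    if host in ("*", "_default_"):
        return "any", port
    try:
        return ipaddress.ip_address(host).version, port
    except ValueError:
        return "name", port                       # hostname, not classified here

def ipv4_only_bindings(conf_text):
    """Return (line_no, directive, port) for IPv4-pinned directives that have no
    wildcard or IPv6 counterpart of the same directive on the same port."""
    seen = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            kind = (m.group(1) or m.group(3)).lower()
            for spec in (m.group(2) or m.group(4)).split():
                seen.append((no, kind) + parse(spec))
    covered = {(k, p) for _, k, f, p in seen if f in ("any", 6)}
    return [(no, k, p) for no, k, f, p in seen
            if f == 4 and (k, p) not in covered and (k, "*") not in covered]

if __name__ == "__main__":
    for no, kind, port in ipv4_only_bindings(SAMPLE_CONF):
        print(f"line {no}: {kind} on port {port} is pinned to IPv4 only")
```
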

Yeah, this is an interesting redirect:

curl -Iki 172.104.194.238
HTTP/1.1 301 Found
Date: Wed, 28 Jul 2021 21:29:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=femqp1i36bh5pqnd4omqo0kbqd; path=/; HttpOnly
Set-Cookie: PHPSESSIDCV=Akek6429lmqEzBJaEkNm4Q%3D%3D; expires=Thu, 28-Jul-2022 21:29:49 GMT; Max-Age=31536000; path=/; HttpOnly
Location: http://www.172.104.194.238/
Content-Type: text/html; charset=UTF-8

While IPv6 address returns 403:

curl -Iki [2600:3c00::f03c:92ff:fe80:7663]
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3464

curl -Iki6 comealive.world
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3447

Wow, this is more revealing:

curl -Iki6 https://comealive.world/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

curl -Iki6 http://comealive.world:443/
HTTP/1.1 200 OK
Date: Wed, 28 Jul 2021 21:33:24 GMT
Server: Apache
Last-Modified: Fri, 23 Apr 2021 20:39:49 GMT
ETag: "2aa6-5c0a9cc172a68"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

Thanks for getting me pointed in the right direction! I configured VirtualHost for IPv6 and now it works! I really appreciate your help.
