OK. Confirmed the .well-known/acme-challenge directories exist and have 755 permissions. I was able to browse to a one line test file as you suggested with no problem. The site is working fine.
A few points:
The (owncloud) site is https self-certified running as virtual host.
nslookup gives correct IPs for IPv4 and IPv6 for the host.
Apache is listening on IPv4 and IPv6. The host I am trying with also has an IPv6 global address.
LE seems to be trying to connect using http which won’t work as there are several other http virtual hosts running on the one IPv4 address and the rdns is for another host.
Here is the relevant snippet from the latest LE log with domain name / IP masked.
2015-12-05 21:39:32,885:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/LqKidpVXdh6fZBzR9pHg_ljv8oVfsDjqrLvT3MYXbXE. args: (), kwargs: {}
2015-12-05 21:39:32,886:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-12-05 21:39:33,089:DEBUG:requests.packages.urllib3.connectionpool:“GET /acme/authz/LqKidpVXdh6fZBzR9pHg_ljv8oVfsDjqrLvT3MYXbXE HTTP/1.1” 200 1107
2015-12-05 21:39:33,092:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘1107’, ‘Expires’: ‘Sat, 05 Dec 2015 21:39:33 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sat, 05 Dec 2015 21:39:33 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘zoP0AQ6RvFWY0Syef1vKkWP55KNR0Y97HpLsYarS-aU’}. Content: '{“identifier”:{“type”:“dns”,“value”:“host.mydomain.co.uk”},“status”:“invalid”,“expires”:“2015-12-12T21:39:29Z”,“challenges”:[{“type”:“http-01”,“status”:“invalid”,“error”:{“type”:“urn:acme:error:unauthorized”,“detail”:“Invalid response from http://host.mydomain.co.uk/.well-known/acme-challenge/UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA [99.999.99.99]: 404”},“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/LqKidpVXdh6fZBzR9pHg_ljv8oVfsDjqrLvT3MYXbXE/970091",“token”:“UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA”,“keyAuthorization”:“UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA.ts4r63kWSQE4E6t9CM8QKq0hKJkcURBJ11uDzBvXK2w”,“validationRecord”:[{“url”:“http://host.mydomain.co.uk/.well-known/acme-challenge/UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA”,“hostname”:“host.mydomain.co.uk”,“port”:“80”,“addressesResolved”:[99.999.99.99],“addressUsed”:“99.999.99.99”}]},{“type”:“tls-sni-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/LqKidpVXdh6fZBzR9pHg_ljv8oVfsDjqrLvT3MYXbXE/970092”,“token”:“VHC6fO71wdf2X9cArQlFF8GM-vEe5G7mQL2xYG_GVc0”}],"combinations”:[[1],[0]]}'
2015-12-05 21:39:33,092:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘1107’, ‘Expires’: ‘Sat, 05 Dec 2015 21:39:33 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sat, 05 Dec 2015 21:39:33 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘zoP0AQ6RvFWY0Syef1vKkWP55KNR0Y97HpLsYarS-aU’}): '{“identifier”:{“type”:“dns”,“value”:“host.mydomain.co.uk”},“status”:“invalid”,“expires”:“2015-12-12T21:39:29Z”,“challenges”:[{“type”:“http-01”,“status”:“invalid”,“error”:{“type”:“urn:acme:error:unauthorized”,“detail”:“Invalid response from http://host.mydomain.co.uk/.well-known/acme-challenge/UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA [99.999.99.99]: 404”},“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/LqKidpVXdh6fZBzR9pHg_ljv8oVfsDjqrLvT3MYXbXE/970091",“token”:“UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA”,“keyAuthorization”:“UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA.ts4r63kWSQE4E6t9CM8QKq0hKJkcURBJ11uDzBvXK2w”,“validationRecord”:[{“url”:“http://host.mydomain.co.uk/.well-known/acme-challenge/UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA”,“hostname”:“host.mydomain.co.uk”,“port”:“80”,“addressesResolved”:[“99.999.99.99”],“addressUsed”:“99.999.99.99”}]},{“type”:“tls-sni-01”,“status”:“pending”,“uri”:“https://acme-v01.api.letsencrypt.org/acme/challenge/LqKidpVXdh6fZBzR9pHg_ljv8oVfsDjqrLvT3MYXbXE/970092”,“token”:“VHC6fO71wdf2X9cArQlFF8GM-vEe5G7mQL2xYG_GVc0”}],"combinations”:[[1],[0]]}'
2015-12-05 21:39:33,094:INFO:letsencrypt.reporter:Reporting to user: The following ‘unauthorized’ errors were reported by the server:
Domains: host.mydomain.co.uk
Error: The client lacks sufficient authorization
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2015-12-05 21:39:33,094:INFO:letsencrypt.auth_handler:Cleaning up challenges
2015-12-05 21:39:33,095:DEBUG:letsencrypt.plugins.webroot:Removing /var/www/host.mydomain.co.uk/owncloud/.well-known/acme-challenge/UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA
2015-12-05 21:39:33,097:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "./letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1140, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 490, in obtaincert
    _auth_from_domains(le_client, config, domains, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 328, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 229, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 212, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 170, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. host.mydomain.co.uk (http-01): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://host.mydomain.co.uk/.well-known/acme-challenge/UL-ip1VN2e1G1Y3iDCU9Iw8Hgl2dp-SbPOZExQ6jmrA [99.999.99.99]: 404
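
An added example, not part of the original post or of the letsencrypt client: a small parser for the authorization JSON shown in the log, reporting for each failed challenge the URL the CA fetched, the port, the address it connected to and the HTTP status it got back. The sample body is constructed (placeholder hostname, token and a documentation-range address), and reading the status code from the end of the `detail` string is an assumption based on the format seen in the log above.

```python
import json
import re

# Constructed sample, shaped like the authz body in the log above
# (hostname, tokens and address are placeholders, not values from the post).
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "host.example.org"},
    "status": "invalid",
    "challenges": [
        {"type": "http-01", "status": "invalid",
         "error": {"type": "urn:acme:error:unauthorized",
                   "detail": "Invalid response from http://host.example.org/"
                             ".well-known/acme-challenge/TOKEN [192.0.2.10]: 404"},
         "token": "TOKEN",
         "validationRecord": [{
             "url": "http://host.example.org/.well-known/acme-challenge/TOKEN",
             "hostname": "host.example.org", "port": "80",
             "addressesResolved": ["192.0.2.10"],
             "addressUsed": "192.0.2.10"}]},
        {"type": "tls-sni-01", "status": "pending", "token": "TOKEN2"},
    ],
    "combinations": [[1], [0]],
})


def failed_validations(authz_body):
    """Return one dict per failed challenge: what the CA fetched and from where."""
    authz = json.loads(authz_body)
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue  # pending or valid challenges carry no failure data
        error = chall.get("error", {})
        # Assumed format: detail ends with ": <HTTP status>" when a reply came back.
        m = re.search(r":\s*(\d{3})\s*$", error.get("detail", ""))
        # A failure before any connection may have no validationRecord at all.
        for rec in chall.get("validationRecord", [{}]):
            findings.append({
                "domain": authz["identifier"]["value"],
                "challenge": chall["type"],
                "error": error.get("type"),
                "url": rec.get("url"),
                "port": rec.get("port"),
                "address_used": rec.get("addressUsed"),
                "http_status": int(m.group(1)) if m else None,
            })
    return findings


if __name__ == "__main__":
    for finding in failed_validations(SAMPLE_AUTHZ):
        print(finding)
```

Feed it the `Content:` body from the client's own log file rather than text copied from a rendered forum page, whose typographic quotes are not valid JSON.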