Please help me figure out what the most likely cause is. --standalone works while --manual does not, so it may not be a DNS or port problem. I followed the instructions in the manual and even used curl to make sure the SimpleHTTPServer is working.
I had tried using the instructions from MANUAL, using python’s SimpleHTTPServer.
I had tried using my own nginx server and enabled both 443 and 80 to serve the challenge.
I had tried replying with both content-type: application/octet-stream and text/plain.
The MANUAL HTTP-01 will perform a self-verify. If the file isn’t in the folder, it will throw an error before even notifying the API to perform the challenge.
The weird thing is that STANDALONE does work.
After going through the official client’s code, there is no difference between STANDALONE and MANUAL in how they respond to the challenge. The only difference is that MANUAL requires my intervention, which might take 1 or 2 seconds, whereas STANDALONE is immediate. Is it possible that the 1 or 2 seconds make the API unable to perform the challenge?
Since STANDALONE is using its own programmatic web server, I am unable to log easily. I can’t use a proxy (that can log) since I can’t change port 80 in STANDALONE unless I edit the code. Not that it can’t be done, but it is not easy.
Again, since STANDALONE works, all possibility of DNS misconfiguration and port blocking is ruled out.
Were you using standalone mode with tls-sni-01? This uses port 443 and TLS as opposed to 80/HTTP.
The fact that self-verify (i.e. local access) works and that you don’t see any requests from the CA server in your logs indicates there’s an issue with your firewall blocking port 80, or a WAF disallowing requests from external IPs to .well-known. I would recommend trying to request the challenge URL through a proxy (e.g. Tor) and see if that works.
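As an added illustration (not code from this thread or from the ACME client), here is a minimal http-01 responder in Python that logs every hit, plus a self-check that fetches the challenge the way the CA does. The token and key-authorization values are constructed placeholders, and `self_verify` is meant to be run from an outside host against the public hostname, which a localhost self-verify cannot stand in for when a firewall or WAF is the problem.

```python
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

class AcmeChallengeHandler(http.server.SimpleHTTPRequestHandler):
    """Serve only /.well-known/acme-challenge/<token> from the webroot, as text/plain."""
    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        # A token is one opaque path segment; refuse anything that could escape the webroot.
        fpath = os.path.join(self.directory, token)
        if not token or "/" in token or token.startswith(".") or not os.path.isfile(fpath):
            self.send_error(404)
            return
        with open(fpath, "rb") as f:
            body = f.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, fmt, *args):
        # Print every hit with the client address, so the validator's request (or its absence) is visible.
        print("[http-01] %s %s" % (self.client_address[0], fmt % args))

def start_challenge_server(webroot, host="127.0.0.1", port=0):
    """Run the responder in a background thread; port=0 picks a free port (real use: 0.0.0.0:80)."""
    handler = functools.partial(AcmeChallengeHandler, directory=webroot)
    srv = socketserver.TCPServer((host, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def write_challenge_file(token, key_authorization, webroot=None):
    """Put the key authorization where the responder expects it (the MANUAL step); returns the webroot."""
    webroot = webroot or tempfile.mkdtemp(prefix="acme-http01-")
    with open(os.path.join(webroot, token), "w") as f:
        f.write(key_authorization + "\n")
    return webroot

def self_verify(base_url, token, key_authorization):
    """Fetch the challenge URL as a CA would and compare the body. Run this from an OUTSIDE host
    against the public name: a local self-check cannot see a firewall or WAF blocking port 80."""
    try:
        with urllib.request.urlopen(base_url + CHALLENGE_PREFIX + token, timeout=10) as resp:
            return resp.status == 200 and resp.read().strip() == key_authorization.encode()
    except (urllib.error.URLError, OSError):
        return False
```

If the local check passes but the same call from another network fails, the responder is fine and the block is upstream of it, which is the case the reply above describes.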