Unable to obtain SSL Certificates Apache

My domain is: samyscrepes.com/

I ran this command: sudo certbot --apache

It produced this output: Requesting a certificate for samyscrepes.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: samyscrepes.com
Type: unauthorized
Detail: 2a02:4780:1e:b1fd:5fa1:aa33:9612:8afe: Invalid response from http://samyscrepes.com/.well-known/acme-challenge/5XWICw4366y4Lkfk9eG6btzwgQUO4DTP8I9xEDSei3w: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache (2.4.57)

The operating system my web server runs on is (include version): Ubuntu 23.10

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.10.0

1 Like

Hello @Kritika, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are using the HTTP-01 challenge of the Challenge Types - Let's Encrypt, the most common challenge.
It states "The HTTP-01 challenge can only be done on port 80", thus Best Practice - Keep Port 80 Open.

However using the online tool Let's Debug yields these results https://letsdebug.net/samyscrepes.com/1948174

ANotWorking
ERROR
samyscrepes.com has an A (IPv4) record (178.16.129.174) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with samyscrepes.com/178.16.129.174: Get "http://samyscrepes.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://samyscrepes.com/.well-known/acme-challenge/letsdebug-test (using initial IP 178.16.129.174)
@0ms: Dialing 178.16.129.174
@10000ms: Experienced error: context deadline exceeded

Showing that Port 80 cannot get through.

Here Permanent link to this check report you can see that HTTP (Port 80) is getting Results of "Connection timed out".

===========================================================================

Using nmap shows Port 80 is filtered (i.e. blocked); generally this is due to a firewall.

$ nmap -Pn -p80,443 samyscrepes.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-12 14:53 UTC
Nmap scan report for samyscrepes.com (178.16.129.174)
Host is up (0.16s latency).
Other addresses for samyscrepes.com (not scanned): 2a02:4780:22:4bc5:4622:b80a:3af7:3f82

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds

Beyond that, HTTP (not HTTPS) is being served on Port 443.

An attempt of HTTPS on Port 443 gets a response of "error:0A00010B:SSL routines::wrong version number":
$ curl -k -I https://samyscrepes.com:443/
curl: (35) error:0A00010B:SSL routines::wrong version number

An attempt of HTTP on Port 443 gets a response of "HTTP/1.1 200 OK":

$ curl -k -I http://samyscrepes.com:443/
HTTP/1.1 200 OK
Date: Sun, 12 May 2024 14:54:42 GMT
Server: Apache/2.4.57 (Ubuntu)
Last-Modified: Wed, 07 Feb 2024 02:29:02 GMT
ETag: "29af-610c1754786d4"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html
3 Likes

Thanks

It seems that my server didn't listen on port 80. I have fixed it.

But I still can't get my certificate; same error.

I had a certificate that worked on my port 443, but later I couldn't renew it, so I deleted the old one, which had expired, to get a new one, and that is the point where I am.

3 Likes

Hi @Kritika,

Now https://letsdebug.net/samyscrepes.com/1948241 shows

MultipleIPAddressDiscrepancy
WARNING
samyscrepes.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:32:ac31:ef68:ffce:e6f6:3a4f,Address Type=IPv6,Server=hcdn,HTTP Status=404] vs [Address=178.16.129.174,Address Type=IPv4,Server=Apache/2.4.57 (Ubuntu),HTTP Status=404]

The domain name has 2 IP Addresses, an IPv4 Address and an IPv6 Address.

A and AAAA records found for this domain
samyscrepes.com. 0 IN A 178.16.129.174
samyscrepes.com. 0 IN AAAA 2a02:4780:32:ac31:ef68:ffce:e6f6:3a4f

Is that what you are expecting?

All IP Addresses need to respond the same; Let’s Encrypt prefers IPv6 over IPv4 if both are available.

5 Likes

Here is my DNS record for the domain name in Hostinger.

And here is my VPS IP address; it seems that the IPv6 address is different.

1 Like

@Kritika,

Yet the online tool https://unboundtest.com/ has these results https://unboundtest.com/m/AAAA/samyscrepes.com/Q5NOOWYZ

Query results for AAAA samyscrepes.com

Response:
;; opcode: QUERY, status: NOERROR, id: 6473
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;samyscrepes.com.	IN	 AAAA

;; ANSWER SECTION:
samyscrepes.com.	0	IN	AAAA	2a02:4780:21:7229:6f49:208:9c26:452e

----- Unbound logs -----
May 12 15:48:35 unbound1.19[2115721:0] debug: creating udp6 socket ::1 1053

And https://letsdebug.net/samyscrepes.com/1948284 is once again showing
[Address=2a02:4780:23:1b25:e09f:4c7b:5aeb:4ee8,Address Type=IPv6,Server=hcdn,HTTP Status=404] vs [Address=178.16.129.174,Address Type=IPv4,Server=Apache/2.4.57 (Ubuntu),HTTP Status=404]

MultipleIPAddressDiscrepancy
WARNING
samyscrepes.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:23:1b25:e09f:4c7b:5aeb:4ee8,Address Type=IPv6,Server=hcdn,HTTP Status=404] vs [Address=178.16.129.174,Address Type=IPv4,Server=Apache/2.4.57 (Ubuntu),HTTP Status=404]

===========================================================================

If you are not expecting to use IPv6 I would suggest deleting it.

===========================================================================

@Kritika,

Showing curl results for both IPv4 & IPv6 and they are not the same.

IPv4 Results:

>curl -4 -Ii http://samyscrepes.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Sun, 12 May 2024 15:55:33 GMT
Server: Apache/2.4.57 (Ubuntu)
Cache-Control: no-cache, private
Content-Type: application/json

IPv6 Results:

>curl -6 -Ii http://samyscrepes.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: hcdn
Date: Sun, 12 May 2024 15:55:40 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
Vary: Accept-Encoding
platform: hostinger
content-security-policy: upgrade-insecure-requests
x-turbo-charged-by: LiteSpeed
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 84e2c48937f4ae42cb0d99a7e8f988da-bos-edge2

And just as a supplement, using nmap on both IPv4 & IPv6; samyscrepes.com resolves to both IPv4 & IPv6 addresses.

IPv4

>nmap -4 -Pn -p80,443 samyscrepes.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-12 15:58 UTC
Nmap scan report for samyscrepes.com (178.16.129.174)
Host is up (0.16s latency).
Other addresses for samyscrepes.com (not scanned): 2a02:4780:1d:941f:df78:a6a7:67c8:81a1

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

IPv6

>nmap -6 -Pn -p80,443 samyscrepes.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-12 15:58 UTC
Nmap scan report for samyscrepes.com (2a02:4780:1d:941f:df78:a6a7:67c8:81a1)
Host is up (0.078s latency).
Other addresses for samyscrepes.com (not scanned): 178.16.129.174

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

Edit: and the HTTPS response on Port 443 is also different between IPv4 (failing) and IPv6.

IPv4 failing response

>curl -4 -Ii https://samyscrepes.com/.well-known/acme-challenge/sometestfile
curl: (35) OpenSSL/1.1.1t: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

IPv6 response

>curl -6 -Ii https://samyscrepes.com/.well-known/acme-challenge/sometestfile
HTTP/2 404
server: hcdn
date: Sun, 12 May 2024 16:10:43 GMT
content-type: text/html
content-length: 150
vary: Accept-Encoding
platform: hostinger
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 32cfd11ebfe1e6ed287a0a3d5d47e560-bos-edge3

===========================================================================
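To reproduce the per-address comparison from the curl -4 / curl -6 and nmap output above in one script, here is an added Python example (not from the thread, Certbot or letsdebug). It resolves both A and AAAA records, sends an HTTP-01-style request to each address on port 80 with the real Host header, checks whether port 443 actually speaks TLS, and reports any address whose status or Server header differs from the others; the probe path and the default hostname are assumptions.

```python
"""Per-address HTTP-01 reachability check (added example, not from the thread)."""
import http.client, socket, ssl, sys

# Any path under the ACME prefix works: a correctly routed vhost answers 404, and all addresses must agree.
ACME_PROBE = "/.well-known/acme-challenge/probe-does-not-exist"

def resolve_all(host):
    """Return {'IPv4': [...], 'IPv6': [...]} from the host's A and AAAA records."""
    found = {"IPv4": set(), "IPv6": set()}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, 0, socket.SOCK_STREAM):
        found["IPv6" if family == socket.AF_INET6 else "IPv4"].add(sockaddr[0])
    return {k: sorted(v) for k, v in found.items()}

def probe_http(host, addr, timeout=10):
    """HEAD the probe path on port 80 at one address, sending the real Host header as the CA validator does."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("HEAD", ACME_PROBE, headers={"Host": host})
        resp = conn.getresponse()
        return {"status": resp.status, "server": resp.getheader("Server", "")}
    except (OSError, http.client.HTTPException) as exc:
        return {"status": None, "server": "", "error": type(exc).__name__}
    finally:
        conn.close()

def probe_tls(host, addr, timeout=10):
    """Check that port 443 speaks TLS at all; plain HTTP there fails with WRONG_VERSION_NUMBER as in the thread."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # only the handshake matters here
    try:
        with socket.create_connection((addr, 443), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"tls": True, "version": tls.version()}
    except ssl.SSLError as exc:
        return {"tls": False, "error": exc.reason or type(exc).__name__}
    except OSError as exc:
        return {"tls": False, "error": type(exc).__name__}

def discrepancies(results):
    """results: address -> probe_http dict. Returns addresses whose (status, Server) pair differs from the first one."""
    items = list(results.items())
    key = lambda r: (r.get("status"), r.get("server"))
    return [a for a, r in items[1:] if key(r) != key(items[0][1])] if items else []

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "samyscrepes.com"  # assumed default; pass your own domain
    res = {a: probe_http(host, a) for fam in resolve_all(host).values() for a in fam}
    for a, r in res.items():
        print(a, r, probe_tls(host, a))
    print("differing addresses:", discrepancies(res) or "none")
```

A 404 from Apache on IPv4 next to a 404 from "hcdn" on IPv6 is exactly the MultipleIPAddressDiscrepancy letsdebug reported: the status matches but the Server header shows the two families hit different machines.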

Hi @Kritika,

Are you using a CDN?

Here Permanent link to this check report shows several different IPv6 Addresses.

And here shows some of the DNS:

Edit: here is what ICANN Lookup shows:

Nameservers:
NS1.DNS-PARKING.COM
NS2.DNS-PARKING.COM

===========================================================================

@Kritika,
Also, Let's Encrypt uses multi-perspective validation; see Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt.

And regarding that here are a few links to check out

===========================================================================

@Kritika,

Another tool showing the IPv4 vs IPv6 issue Hardenize Report: samyscrepes.com

===========================================================================

Also, for future reference, there is Aide (en français) in addition to Help.

4 Likes

@Bruce5051 7 posts after one another? Wow.

@Kritika Your IPv6 IP address seems to be changing with every request for your hostname. That's weird. As if it's randomised somehow with each lookup.

I have no clue what's going on. Do you have an AAAA RR set in your DNS? Is this some Hostinger feature that you know about?

Maybe you need to explicitly add an AAAA RR with the IPv6 address of your server. Hopefully that will stop the weird IPv6 randomness.

3 Likes

IPv4 is routing directly to an Apache server, but that server appears to have at least one major configuration issue (port 443 is listening for HTTP instead of HTTPS).

IPv6 is attempting to route through a Hostinger CDN but is not actually functional; this might be related to the port 443 configuration on the server (assuming the CDN is trying to communicate with the server via port 443), but it could be something else.

Also, having IPv6 routing through a CDN but not IPv4 is really weird.

3 Likes

Yes, I use Hostinger CDN.

I have added an AAAA-type record with the IPv6 IP to test it.

If it doesn't work I will disable IPv6.

2 Likes

It was Certbot that automatically configured port 443 when my SSL was working.

2 Likes

Thank you all (I can only mention two :sweat_smile:).

After adding the AAAA record in DNS I have got the certificate.

Thanks a lot.

4 Likes
