Unable to obtain SSL Certificates Apache

@Kritika,

Yet the online tool https://unboundtest.com/ has these results https://unboundtest.com/m/AAAA/samyscrepes.com/Q5NOOWYZ

Query results for AAAA samyscrepes.com

Response:
;; opcode: QUERY, status: NOERROR, id: 6473
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;samyscrepes.com.	IN	 AAAA

;; ANSWER SECTION:
samyscrepes.com.	0	IN	AAAA	2a02:4780:21:7229:6f49:208:9c26:452e

----- Unbound logs -----
May 12 15:48:35 unbound1.19[2115721:0] debug: creating udp6 socket ::1 1053

And https://letsdebug.net/samyscrepes.com/1948284 is once again showing
[Address=2a02:4780:23:1b25:e09f:4c7b:5aeb:4ee8,Address Type=IPv6,Server=hcdn,HTTP Status=404] vs [Address=178.16.129.174,Address Type=IPv4,Server=Apache/2.4.57 (Ubuntu),HTTP Status=404]

MultipleIPAddressDiscrepancy
WARNING
samyscrepes.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:23:1b25:e09f:4c7b:5aeb:4ee8,Address Type=IPv6,Server=hcdn,HTTP Status=404] vs [Address=178.16.129.174,Address Type=IPv4,Server=Apache/2.4.57 (Ubuntu),HTTP Status=404]

===========================================================================

If you are not expecting to use IPv6 I would suggest deleting it.

===========================================================================

@Kritika,

Showing curl results for both IPv4 & IPv6 and they are not the same.

IPv4 Results:

>curl -4 -Ii http://samyscrepes.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Sun, 12 May 2024 15:55:33 GMT
Server: Apache/2.4.57 (Ubuntu)
Cache-Control: no-cache, private
Content-Type: application/json

IPv6 Results:

>curl -6 -Ii http://samyscrepes.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: hcdn
Date: Sun, 12 May 2024 15:55:40 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
Vary: Accept-Encoding
platform: hostinger
content-security-policy: upgrade-insecure-requests
x-turbo-charged-by: LiteSpeed
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 84e2c48937f4ae42cb0d99a7e8f988da-bos-edge2

And just supplemental using nmap of both IPv4 & IPv6; samyscrepes.com resolves to both IPv4 & IPv6 addresses.

IPv4

>nmap -4 -Pn -p80,443 samyscrepes.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-12 15:58 UTC
Nmap scan report for samyscrepes.com (178.16.129.174)
Host is up (0.16s latency).
Other addresses for samyscrepes.com (not scanned): 2a02:4780:1d:941f:df78:a6a7:67c8:81a1

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

IPv6

>nmap -6 -Pn -p80,443 samyscrepes.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-12 15:58 UTC
Nmap scan report for samyscrepes.com (2a02:4780:1d:941f:df78:a6a7:67c8:81a1)
Host is up (0.078s latency).
Other addresses for samyscrepes.com (not scanned): 178.16.129.174

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

Edit: and the HTTPS response on port 443 is also different between IPv4 (failing) and IPv6

IPv4 failing response

>curl -4 -Ii https://samyscrepes.com/.well-known/acme-challenge/sometestfile
curl: (35) OpenSSL/1.1.1t: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

IPv6 response

>curl -6 -Ii https://samyscrepes.com/.well-known/acme-challenge/sometestfile
HTTP/2 404
server: hcdn
date: Sun, 12 May 2024 16:10:43 GMT
content-type: text/html
content-length: 150
vary: Accept-Encoding
platform: hostinger
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 32cfd11ebfe1e6ed287a0a3d5d47e560-bos-edge3
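
The per-address comparison that the curl runs above do by hand, as an added example that is not part of the thread. Function names are illustrative and the sample headers are abridged from the port-80 output quoted above; both addresses return 404, so it compares the Server and Content-Type headers as well as the status.

```python
import http.client
import socket
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/sometestfile"  # test path used in the thread
# Abridged from the port-80 `curl -4 -Ii` / `curl -6 -Ii` output quoted in the thread.
SAMPLE_V4 = "HTTP/1.1 404 Not Found\nServer: Apache/2.4.57 (Ubuntu)\nContent-Type: application/json"
SAMPLE_V6 = "HTTP/1.1 404 Not Found\nServer: hcdn\nContent-Type: text/html\nplatform: hostinger"

def fingerprint(status, headers):
    """Reduce a response to the fields that show which server answered."""
    h = {k.lower(): v for k, v in headers}
    return (status, h.get("server", ""), h.get("content-type", ""))

def parse_head(raw):
    """Turn `curl -I` style text into a fingerprint."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines[1:] if ":" in ln]
    return fingerprint(int(lines[0].split()[1]), headers)

def resolve_all(host):
    """Every A and AAAA address for host, as (family, ip) pairs."""
    fam = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    return sorted({(fam[i[0]], i[4][0]) for i in socket.getaddrinfo(host, 80) if i[0] in fam})

def probe(host, ip, path=CHALLENGE_PATH):
    """HEAD the challenge path on one specific address, keeping the Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return fingerprint(resp.status, resp.getheaders())
    except (OSError, http.client.HTTPException) as exc:  # no route, refused, bad reply
        return ("unreachable", type(exc).__name__, "")
    finally:
        conn.close()

def discrepancies(results):
    """Group addresses by fingerprint; more than one group means different servers."""
    groups = {}
    for addr, fp in results.items():
        groups.setdefault(fp, []).append(addr)
    return groups if len(groups) > 1 else {}

if __name__ == "__main__":
    found = {"IPv4": parse_head(SAMPLE_V4), "IPv6": parse_head(SAMPLE_V6)}
    if len(sys.argv) > 1:  # live check: probe every address the name resolves to
        found = {a: probe(sys.argv[1], a[1]) for a in resolve_all(sys.argv[1])}
    print(discrepancies(found) or "all addresses answer alike")
```

Run with no argument it compares the two samples; run with a hostname it probes every A and AAAA address that name currently resolves to.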

===========================================================================

Hi @Kritika,

Are you using a CDN?

Here Permanent link to this check report shows several different IPv6 Addresses.

And here shows some of the DNS:

Edit: here is what ICANN Lookup shows:

Nameservers:
NS1.DNS-PARKING.COM
NS2.DNS-PARKING.COM

===========================================================================

@Kritika,
Also Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

And regarding that here are a few links to check out

===========================================================================

@Kritika,

Another tool showing the IPv4 vs IPv6 issue: Hardenize Report: samyscrepes.com

===========================================================================

Also for future reference there is Aide (en français) in addition to Help.