Unauthorized for 1 of 2 websites?

Hi,

Problem description: I tried to get certificates for two websites. One appears to be ok (www.mediamagnet.nl). The other one has failed (www.bi-magnet.nl).
This is strange because both websites are on the same server and I just newly installed this server with Lubuntu 18.04. There is nothing else on this server as it is intended to purely service my two websites.

Question: What would be the steps to get this problem solved?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.bi-magnet.nl
www.mediamagnet.nl

I ran this command:
user@webserver:~$ ./certbot-auto

Which names would you like to activate HTTPS for?


1: bi-magnet.nl
2: www.bi-magnet.nl
3: mediamagnet.nl
4: www.mediamagnet.nl


It produced this output:
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bi-magnet.nl
http-01 challenge for mediamagnet.nl
http-01 challenge for www.bi-magnet.nl
http-01 challenge for www.mediamagnet.nl
Enabled Apache rewrite module
Waiting for verification…
Challenge failed for domain www.bi-magnet.nl
Challenge failed for domain bi-magnet.nl
http-01 challenge for www.bi-magnet.nl
http-01 challenge for bi-magnet.nl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.bi-magnet.nl
    Type: unauthorized
    Detail: Invalid response from
    https://www.bi-magnet.nl/.well-known/acme-challenge/dxMWQpzrWizLNtBop5jOecYq5cdWUUmbdZDPxBXZkuI
    [2a02:4a8:ac24:117::101:3]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\n\r\nnginx\r\n"

    Domain: bi-magnet.nl
    Type: unauthorized
    Detail: Invalid response from
    https://bi-magnet.nl/.well-known/acme-challenge/3nPMuUsq3xaJiwJOmD0fDyBUHpOc_quJt5qYxNZ8rDI
    [2a02:4a8:ac24:117::101:3]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\n\r\nnginx\r\n"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-06-27T17:05:04

The operating system my web server runs on is (include version):
Lubuntu 18.04.2

My hosting provider, if applicable, is:
Own server

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @jansb000

your bi-magnet.nl has IPv4 and IPv6 addresses ( https://check-your-website.server-daten.de/?q=bi-magnet.nl ):

Host              T     IP-Address                 is auth.  ∑ Queries  ∑ Timeout
bi-magnet.nl      A     84.29.133.242              yes       1          0
                  AAAA  2a02:4a8:ac24:117::101:3   yes
www.bi-magnet.nl  A     84.29.133.242              yes       1          0
                  AAAA  2a02:4a8:ac24:117::101:3   yes

That's not a general problem. But in your case, it's a special problem.

IPv4 / IPv6 give different answers:

K http://bi-magnet.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 84.29.133.242, Status 404
http://bi-magnet.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:4a8:ac24:117::101:3, Status 301
configuration problem - different ip addresses with different status
K http://www.bi-magnet.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 84.29.133.242, Status 404
http://www.bi-magnet.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:4a8:ac24:117::101:3, Status 301
configuration problem - different ip addresses with different status

IPv4 isn't redirected, IPv6 is redirected to https. That's ok; when checking a file, Letsencrypt follows these redirects.

But check your connections ( https://check-your-website.server-daten.de/?q=bi-magnet.nl#connections ):

IPv4 uses a self-signed certificate:

CN=lubuntu.dynamic.ziggo.nl    06.08.2018    03.08.2028    expires in 3373 days    lubuntu.dynamic.ziggo.nl - 1 entry

IPv6 uses an older, but valid Letsencrypt certificate:

CN=www.bi-magnet.nl            30.03.2019    28.06.2019    expires in 49 days      bi-magnet.nl, www.bi-magnet.nl - 2 entries

Is the IPv6 from your old server? You have a lot of old certificates, starting 2016-06-11 16:37:00.

Your other domain

Host                T  IP-Address      is auth.  ∑ Queries  ∑ Timeout
mediamagnet.nl      A  84.29.133.242   yes       2          0
                 AAAA                  yes
www.mediamagnet.nl  C  mediamagnet.nl  yes       1          0
                    A  84.29.133.242   yes

doesn't have an IPv6 address, but a correctly working http -> https redirect.

Another thing: what does

apachectl -S

say?

Normally, it may be easier if you create two different certificates:

One per domain with two domain names (non-www and www).

Start with

certbot-auto -d www.mediamagnet.nl -d mediamagnet.nl

then the same with the second domain.

So

  • fix your IPv6, or
  • remove your IPv6, then create a certificate, then fix your IPv6.
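The check above only needs a browser, but it is worth being able to reproduce it from your own shell, because the ordinary "open the URL" test hides the problem: your resolver picks one address, while Let's Encrypt tries the IPv6 address first whenever an AAAA record exists and falls back to IPv4 only if that connection fails outright, not on a 404. The following script is an added example, not part of the original thread or of certbot: it resolves every A and AAAA record of a host, connects to each address directly with the right Host header and SNI, follows redirects per address, and compares the final status and Server header across addresses. The probe path name and the two host names in the usage are assumptions for illustration; any name under /.well-known/acme-challenge/ works for reachability, you do not need a live token.

```python
"""Probe an http-01 challenge URL over every A/AAAA address of a host,
connecting to each address directly so the result does not depend on which
address the local resolver happens to prefer (added example, not certbot code)."""
import re
import socket
import ssl
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Assumed probe name: any path under the ACME directory is fine for a reachability check.
PROBE_PATH = "/.well-known/acme-challenge/probe-test"


def parse_head(raw: bytes):
    """Parse status line + headers of a raw HTTP/1.x reply -> (status, location, server).
    status is None when the bytes are not an HTTP response at all."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (int(m.group(1)) if m else None), headers.get("location"), headers.get("server")


def fetch(host, ip, path, scheme="http", timeout=5.0):
    """GET host+path from one specific IP (v4 or v6 literal); returns parse_head() of the reply."""
    sock = socket.create_connection((ip, 443 if scheme == "https" else 80), timeout=timeout)
    if scheme == "https":
        # We want the status even behind a self-signed or foreign cert (as on the IPv4
        # side above), so verification is deliberately off; SNI still carries the name.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                     f"User-Agent: acme-ip-probe\r\nConnection: close\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    finally:
        sock.close()
    return parse_head(data)


def follow(host, ip, path, max_hops=4):
    """Follow redirects for one address -> [(scheme, status, server), ...].
    Same host: reuse the same IP. Other host: resolve it in the same address family."""
    chain, scheme = [], "http"
    for _ in range(max_hops):
        status, location, server = fetch(host, ip, path, scheme)
        chain.append((scheme, status, server))
        if status not in REDIRECTS or not location:
            break
        u = urlsplit(location)
        scheme, path = (u.scheme or scheme), (u.path or "/")
        if u.hostname and u.hostname != host:
            family = socket.AF_INET6 if ":" in ip else socket.AF_INET
            ip, host = socket.getaddrinfo(u.hostname, None, family)[0][4][0], u.hostname
    return chain


def diagnose(probes):
    """probes: {ip: chain from follow()}. Flags unreachable addresses and any split
    between addresses in first-hop status, final status or the serving software."""
    finals = {ip: chain[-1][1] for ip, chain in probes.items()}
    servers = {ip: chain[-1][2] for ip, chain in probes.items()}
    return {
        "finals": finals,
        "unreachable": sorted(ip for ip, st in finals.items() if st is None),
        "first_hop_mismatch": len({chain[0][1] for chain in probes.values()}) > 1,
        "status_mismatch": len(set(finals.values())) > 1,
        "server_mismatch": len(set(servers.values())) > 1,
    }


def probe_host(host, path=PROBE_PATH):
    """Resolve every A and AAAA record of host and run follow() against each address."""
    probes = {}
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, family)})
        except socket.gaierror:
            continue  # no records of this family
        for ip in addrs:
            try:
                probes[ip] = follow(host, ip, path)
            except OSError as exc:
                probes[ip] = [("http", None, f"connect failed: {exc}")]
    return probes


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.bi-magnet.nl"  # assumed default
    result = probe_host(target)
    for ip, chain in result.items():
        print(ip, " -> ".join(f"{s} {st} ({srv})" for s, st, srv in chain))
    print(diagnose(result))
```

Run it as `python3 probe.py www.bi-magnet.nl` and read the per-address chains: if the IPv4 line ends at Apache and the IPv6 line ends at nginx, the AAAA record is pointing at a different machine than the one certbot is configuring, which is exactly what the output at the top of this thread (an nginx 404 page from 2a02:4a8:ac24:117::101:3) shows. A 404 on a random probe name is normal; what matters is that every address ends up on the same server.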

Hi JuergenAuer,

thanks for your reply.
Yes, the server that you have been looking at is my old server, but it has the same problem. That's why I started a clean install on a second server. Because the second server is a clean install (Lubuntu + Apache), I hope it will be easier to zoom in on the root cause of the problem.

Your answer contains a lot of technical details, so it will take me a couple of days to try your suggestions (and understand them :frowning:).
Thanks

It's simple: if you have a wrong DNS AAAA entry (IPv6), then Letsencrypt uses this entry to check your domain.

If you change only your IPv4 address (A record), that doesn't help.

So check your DNS settings and remove the non-working IPv6 / AAAA entry.
