Unauthorized on Domain studip.dim.sc

Hello dear community,

I have a problem with the authorization of my sub-domain.

I would like to create a certificate via ACME-Cert-Bot.

The IP settings and the DNS settings should actually be correct ...

If the information is needed: A V-Server with Apache 2 is installed. It is only a subdomain. The FQDN itself does not have a certificate, as the hoster does not want it to be.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: studip.dim.sc

I ran this command: sudo certbot --apache -d studip.dim.sc -d www.studip.dim.sc

It produced this output: - The following errors were reported by the server:

Domain: studip.dim.sc
Type: unauthorized
Detail: During secondary validation: Invalid response from
http://studip.dim.sc/.well-known/acme-challenge/LAEtAJE6oAHRj82tyw4MvsM5zhVwTNxNivfpcEuPy2A
[2a00:17d8:200::271]: "\n\n403 Forbidden\n\nForbidden\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Complete SSH-Out:

root@v2202101102336138985:~# sudo certbot --apache -d studip.dim.sc -d www.studip.dim.sc
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for studip.dim.sc
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. studip.dim.sc (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from http://studip.dim.sc/.well-known/acme-challenge/LAEtAJE6oAHRj82tyw4MvsM5zhVwTNxNivfpcEuPy2A [2a00:17d8:200::271]: "\n\n403 Forbidden\n\nForbidden\n<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: studip.dim.sc
    Type: unauthorized
    Detail: During secondary validation: Invalid response from
    http://studip.dim.sc/.well-known/acme-challenge/LAEtAJE6oAHRj82tyw4MvsM5zhVwTNxNivfpcEuPy2A
    [2a00:17d8:200::271]: "\n\n403 Forbidden\n\nForbidden\n<p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

root@v2202101102336138985:~# nslookup

studip.dim.sc
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: studip.dim.sc
Address: 94.16.106.213
Name: studip.dim.sc
Address: 2a03:4000:50:e9b:9408:2eff:febe:87fd
Name: studip.dim.sc
Address: 2a00:17d8:200::271

^Croot@v2202101102336138985:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 94.16.106.213 netmask 255.255.252.0 broadcast 94.16.107.255
inet6 fe80::9408:2eff:febe:87fd prefixlen 64 scopeid 0x20
inet6 2a03:4000:50:e9b:9408:2eff:febe:87fd prefixlen 64 scopeid 0x0
ether 96:08:2e:be:87:fd txqueuelen 1000 (Ethernet)
RX packets 3799885 bytes 401600506 (401.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 212869 bytes 37143738 (37.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 332 bytes 31640 (31.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 332 bytes 31640 (31.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Hi @Elbo

really? See https://check-your-website.server-daten.de/?q=studip.dim.sc - your ip addresses:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
| --- | --- | --- | --- | --- | --- |
| studip.dim.sc | A | 94.16.106.213 Regensburg/Bavaria/Germany (DE) - powered by ANX Hostname: studip.dim.sc | yes | 1 | 0 |
| | AAAA | 2a00:17d8:200::271 Aachen/North Rhine-Westphalia/Germany (DE) - .net | yes | | |
| | AAAA | 2a03:4000:50:e9b:9408:2eff:febe:87fd Karlsruhe/Baden-Württemberg/Germany (DE) - netcup GmbH | yes | | |

Two different ipv6. And the answers

Domainname Http-Status redirect Sec. G
http://studip.dim.sc/ 94.16.106.213 GZip used - 2422 / 8706 - 72,18 % 200 Html is minified: 173,22 % 0.064
small visible content (num chars: 270)
Menu StudIP Start More… Stud.IP Homepage StudIP Login for registered users Register for becoming a user Help to use and range of features Deutsch English Active courses: 0 Registered users: 1 Users online: 0 more … Stud.IP Legal information Data protection
http://studip.dim.sc/ 2a00:17d8:200::271 200 Html is minified: 100,00 % 0.077 H
small visible content (num chars: 9)
It works!
http://studip.dim.sc/ 2a03:4000:50:e9b:9408:2eff:febe:87fd GZip used - 2420 / 8706 - 72,20 % 200 Html is minified: 173,22 % 0.063
small visible content (num chars: 270)
Menu StudIP Start More… Stud.IP Homepage StudIP Login for registered users Register for becoming a user Help to use and range of features Deutsch English Active courses: 0 Registered users: 1 Users online: 0 more … Stud.IP Legal information Data protection

are different.

Looks like the 2a00:17d8:200::271 is expired / no longer valid.

And your error says: Letsencrypt picks that ip to check your domain -> can't work.

Remove that AAAA record.
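The comparison made in the answer above, as an added example that is not part of the original thread: it parses the `nslookup` and `ifconfig` output from the first post and lists every published address that is not configured on the server, since the validation request can go to any of them. The function names are hypothetical, the `ifconfig` sample is trimmed to its address lines, and the check assumes a directly addressed host with no NAT or load balancer in front and the newer net-tools `ifconfig` format shown in the post.

```python
import ipaddress
import re

# Sample input copied from the nslookup output in the first post.
NSLOOKUP_OUT = """\
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: studip.dim.sc
Address: 94.16.106.213
Name: studip.dim.sc
Address: 2a03:4000:50:e9b:9408:2eff:febe:87fd
Name: studip.dim.sc
Address: 2a00:17d8:200::271
"""

# Address lines of the ifconfig output in the first post (counters omitted).
IFCONFIG_OUT = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 94.16.106.213 netmask 255.255.252.0 broadcast 94.16.107.255
inet6 fe80::9408:2eff:febe:87fd prefixlen 64 scopeid 0x20
inet6 2a03:4000:50:e9b:9408:2eff:febe:87fd prefixlen 64 scopeid 0x0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
"""

def dns_answers(nslookup_text):
    """A/AAAA answers; the resolver's own 'Address: x#53' line does not match."""
    found = re.findall(r"^Address:\s*([0-9A-Fa-f:.]+)\s*$", nslookup_text, re.M)
    return {ipaddress.ip_address(a) for a in found}

def local_addresses(ifconfig_text):
    """Global addresses on this host; loopback and link-local are ignored."""
    addrs = set()
    for raw in re.findall(r"^\s*inet6?\s+(\S+)", ifconfig_text, re.M):
        ip = ipaddress.ip_address(raw.split("%")[0].split("/")[0])
        if not (ip.is_loopback or ip.is_link_local):
            addrs.add(ip)
    return addrs

def stray_records(nslookup_text, ifconfig_text):
    """Published addresses that this host does not own, as sorted strings."""
    stray = dns_answers(nslookup_text) - local_addresses(ifconfig_text)
    return sorted(str(ip) for ip in stray)

if __name__ == "__main__":
    for addr in stray_records(NSLOOKUP_OUT, IFCONFIG_OUT):
        print("DNS record points away from this host:", addr)
```

Addresses are compared as parsed values rather than strings, so an expanded IPv6 form in DNS still matches the compressed form on the interface.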

Thanks for your quick reply! I'll take a look at it and give you feedback as to whether the problem has now been solved.

But first of all, THANKS!
