I have a Fedora 34 server running Apache Tomcat. I had certificates from Let's Encrypt working. I installed them with certbot (as one does) and everything was working well. Now, when I go to renew my certs, I get the following error:

[root@app myname]# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for example.com
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Challenge failed for domain example.com
http-01 challenge for example.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: example.com
   Type:   unauthorized
   Detail: Invalid response from
   http://example.com/.well-known/acme-challenge/bRtftQXeDygjye2u-1c2O1I63A2PoSPMNqclYAVivzg
   [ipv6address]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>openresty</cente"

   To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[root@app myname]#

A few more details: I had a redirect (mod_rewrite) from the Apache web server to Tomcat working. I have temporarily taken that down during my troubleshooting.

  • Why has certbot reached an openresty web server, then? – Michael Hampton Sep 25 '21 at 20:14
  • Michael, sorry, I do not understand. Why are you thinking it is an openresty web server? Not sure if this is related but serverfault's editing tool said to use example.com in place of my actual domain. – rcsvivk Sep 25 '21 at 21:01
  • Because the output you posted said explicitly that certbot connected to an openresty web server. Anyway, I'm not sure why you were told to use example.com instead of your real domain name; that is exactly the [opposite of what we recommend](https://meta.serverfault.com/q/963/126632). – Michael Hampton Sep 25 '21 at 21:05
  • At this point you should do exactly what certbot recommended: `To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.` If this doesn't help, then disclose your actual domain name and the community can investigate further. – Michael Hampton Sep 25 '21 at 21:15
  • We just figured it out! It was a bad DNS AAAA (ipv6) record. We fixed that and then certbot ran successfully! Thank you all for your help! – rcsvivk Sep 25 '21 at 23:29
  • Michael, sorry, I messed that up by not using my actual domain. – rcsvivk Sep 25 '21 at 23:36

1 Answer

We figured it out! It was a bad DNS AAAA (ipv6) record. We fixed that and then certbot ran successfully! We pointed the AAAA record to the ipv6 address that was showing on ifconfig on the server. I am not sure how it ended up pointing to a different address.

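A pre-flight check for the failure in this thread, as an added example that is not part of the question or answer: it resolves the name's A and AAAA records, flags any record that does not belong to this server (the stray AAAA record here), and fetches a challenge-style path from each address with the real Host header, the way the CA's validator does, so the Server header shows who actually answers. The token path and the server addresses passed on the command line are assumptions.

```python
import ipaddress
import socket
from http.client import HTTPConnection

# Hypothetical token path; the real challenge token is chosen by certbot.
ACME_PATH = "/.well-known/acme-challenge/preflight-test"


def resolve(name, family):
    """Addresses DNS returns for name in one family (AF_INET or AF_INET6)."""
    try:
        infos = socket.getaddrinfo(name, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def stray_records(dns_addrs, own_addrs):
    """DNS addresses that are not this server's own, canonicalised so that
    2001:db8:0:0::1 and 2001:db8::1 compare equal. The CA validates against
    whatever host answers on these addresses, not against this machine."""
    canon = {str(ipaddress.ip_address(a)) for a in dns_addrs}
    own = {str(ipaddress.ip_address(a)) for a in own_addrs}
    return canon - own


def probe(addr, name, path=ACME_PATH, timeout=5):
    """GET path from one specific address, sending the real Host header.
    Returns (status, Server header) or (None, error text)."""
    conn = HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": name})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    except OSError as exc:
        return None, str(exc)
    finally:
        conn.close()


def preflight(name, own_addrs):
    """Map every resolved A/AAAA address to (is_stray, status, server)."""
    dns = resolve(name, socket.AF_INET) | resolve(name, socket.AF_INET6)
    stray = stray_records(dns, own_addrs)
    return {a: (a in stray, *probe(a, name)) for a in dns}


if __name__ == "__main__":
    import sys  # usage: preflight.py example.com <this server's public addresses>
    for addr, (stray, status, server) in preflight(sys.argv[1], sys.argv[2:]).items():
        print(f"{'STRAY' if stray else 'ok   '} {addr:40} HTTP {status} {server!r}")
```

A STRAY line whose Server header is not your Apache is the situation certbot reported above; fix the DNS record before retrying the renewal.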