User:Woozle/Let's Encrypt mystery
Solution
After looking carefully through the error message I pasted below, I noticed that it was pulling up references to cwre.org (another domain on the same server).
Making a wild guess, I thought to check the server configuration to make sure htyp.org had the same IPv6 address as the working domains -- and it did not.
So I added the IPv6 address to both VirtualHost directives in /etc/apache2/sites-available/htyp.org.conf (copied from issuepedia.org.conf), reloaded Apache -- and Let's Encrypt was successful.
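The failure above is easy to miss because a browser on an IPv4-only path never sees the wrong vhost. The following is an added preflight check (not part of this page or of acme_tiny) that fetches the challenge token over every address the domain resolves to, A and AAAA alike, sending the same Host header the validator would; the fetch function is injectable so the comparison logic can be tested offline. The token and thumbprint values are assumed placeholders.

```python
"""Preflight for an ACME http-01 challenge: confirm that every address the
domain resolves to (IPv4 and IPv6) serves the challenge token. An address
that returns some other site's page is bound to a different VirtualHost,
which is exactly what the validator hits when it picks the IPv6 address."""
import socket
import sys
import http.client

WELL_KNOWN = "/.well-known/acme-challenge/"
IPV4, IPV6 = socket.AF_INET, socket.AF_INET6


def fetch_over(addr, family, domain, path):
    """HTTP GET `path` from the literal address `addr` with the Host header
    set to `domain`, so vhost selection is exercised per address."""
    host = f"[{addr}]" if family == IPV6 else addr
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": domain})
        return conn.getresponse().read(4096).decode("utf-8", "replace")
    finally:
        conn.close()


def resolve(domain):
    """Return distinct (family, address) pairs from the A and AAAA records."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            domain, 80, type=socket.SOCK_STREAM):
        if (family, sockaddr[0]) not in seen:
            seen.append((family, sockaddr[0]))
    return seen


def check_challenge(domain, token, addresses, fetch=fetch_over):
    """Map each address to 'ok' if the body starts with the token (the key
    authorization is token.thumbprint), otherwise to a short diagnosis."""
    results = {}
    for family, addr in addresses:
        try:
            body = fetch(addr, family, domain, WELL_KNOWN + token).strip()
        except OSError as exc:
            results[addr] = f"error: {exc}"
            continue
        # Any other content means another vhost answered on this address.
        results[addr] = "ok" if body.startswith(token) else \
            "wrong vhost: " + body[:40].replace("\n", " ")
    return results


if __name__ == "__main__":  # usage: check.py DOMAIN TOKEN
    dom, tok = sys.argv[1:3]
    for a, r in check_challenge(dom, tok, resolve(dom)).items():
        print(f"{a}: {r}")
```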
Original Problem
I've been migrating domains from one server to another, and setting them up with Let's Encrypt SSL certificates. Out of four domains migrated so far, all have obtained their certs just fine except for this one (htyp.org).
They are all configured identically in Apache, as far as I can tell.
This is the error I get:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying htyp.org...
Wrote file to /home/htyp/public_html/.well-known/acme-challenge/woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8, but couldn't download http://htyp.org/.well-known/acme-challenge/woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: htyp.org challenge did not pass: {u'status': u'invalid',
 u'validationRecord': [
  {u'addressesResolved': [u'45.55.169.129', u'2604:a880:800:10::63:b001'], u'url': u'https://cwre.org/.well-known/acme-challenge/woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8', u'hostname': u'cwre.org', u'addressesTried': [], u'addressUsed': u'45.55.169.129', u'port': u'443'},
  {u'addressesResolved': [u'45.55.169.129', u'2604:a880:800:10::63:b001'], u'url': u'https://cwre.org/w/Main_Page', u'hostname': u'cwre.org', u'addressesTried': [], u'addressUsed': u'45.55.169.129', u'port': u'443'},
  {u'addressesResolved': [u'45.55.169.129', u'2604:a880:800:10::63:b001'], u'url': u'http://htyp.org/.well-known/acme-challenge/woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8', u'hostname': u'htyp.org', u'addressesTried': [], u'addressUsed': u'2604:a880:800:10::63:b001', u'port': u'80'}],
 u'keyAuthorization': u'woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8.pSZGKOoVXSTb2RnQtCFPd4GPasTVgvX5LTGba9tvQEU',
 u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/En0F_38TKIAZhzVwHAJpO14RX29vd_85QWFcPHodl5w/2524467156',
 u'token': u'woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8',
 u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://htyp.org/.well-known/acme-challenge/woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8: "<!DOCTYPE html>\n<html class="client-nojs" lang="en" dir="ltr">\n<head>\n<meta charset="UTF-8"/>\n<title>CWRE</title>\n<script>docume"'},
 u'type': u'http-01'}
This seems to be implying that the remote Let's Encrypt can't retrieve the test file, which is a common problem that usually means an Apache config error is preventing access. However, when I go to http://htyp.org/.well-known/acme-challenge/woQzuJQV5zQ5h_5l5dlj8FbVsk31E9-HHYyIQfccKO8 with a web browser or wget, I experience no trouble retrieving the file.
I've compared the responses I get from this domain to one of the other domains which have been able to set up Let's Encrypt certs, and they appear identical.
The core problem here is that I don't understand why Let's Encrypt is saying there's a problem, because I'm not seeing the problem when I access the file it says it cannot access.