Question

Failed authorization procedure whilst running Letsencrypt for multiple website(s)

Posted September 16, 2020
DigitalOcean, Let's Encrypt

I ran letsdebug.net on vramalta.com. I enabled 'Full SSL (strict)' on Cloudflare but still get the following log.

HTTPCheck
DEBUG
Requests made to the domain
Request to: vramalta.com/2606:4700:3032::6812:2e7a, Result: [Address=2606:4700:3032::6812:2e7a,Address Type=IPv6,Server=cloudflare,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://vramalta.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3032::6812:2e7a)
@0ms: Dialing 2606:4700:3032::6812:2e7a
@19ms: Server response: HTTP 403 Forbidden

Request to: vramalta.com/2606:4700:3031::6812:2f7a, Result: [Address=2606:4700:3031::6812:2f7a,Address Type=IPv6,Server=cloudflare,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://vramalta.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3031::6812:2f7a)
@0ms: Dialing 2606:4700:3031::6812:2f7a
@14ms: Server response: HTTP 403 Forbidden

Request to: vramalta.com/2606:4700:3033::ac43:9268, Result: [Address=2606:4700:3033::ac43:9268,Address Type=IPv6,Server=cloudflare,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://vramalta.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3033::ac43:9268)
@0ms: Dialing 2606:4700:3033::ac43:9268
@15ms: Server response: HTTP 403 Forbidden

Request to: vramalta.com/104.18.46.122, Result: [Address=104.18.46.122,Address Type=IPv4,Server=cloudflare,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://vramalta.com/.well-known/acme-challenge/letsdebug-test (using initial IP 104.18.46.122)
@0ms: Dialing 104.18.46.122
@22ms: Server response: HTTP 403 Forbidden

Request to: vramalta.com/104.18.47.122, Result: [Address=104.18.47.122,Address Type=IPv4,Server=cloudflare,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://vramalta.com/.well-known/acme-challenge/letsdebug-test (using initial IP 104.18.47.122)
@0ms: Dialing 104.18.47.122
@15ms: Server response: HTTP 403 Forbidden

Request to: vramalta.com/172.67.146.104, Result: [Address=172.67.146.104,Address Type=IPv4,Server=cloudflare,HTTP Status=403], Issue:
Trace:
@0ms: Making a request to http://vramalta.com/.well-known/acme-challenge/letsdebug-test (using initial IP 172.67.146.104)
@0ms: Dialing 172.67.146.104
@17ms: Server response: HTTP 403 Forbidden

HTTPRecords
DEBUG
A and AAAA records found for this domain
vramalta.com. 0 IN A 104.18.46.122
vramalta.com. 0 IN A 104.18.47.122
vramalta.com. 0 IN A 172.67.146.104
vramalta.com. 0 IN AAAA 2606:4700:3032::6812:2e7a
vramalta.com. 0 IN AAAA 2606:4700:3031::6812:2f7a
vramalta.com. 0 IN AAAA 2606:4700:3033::ac43:9268
LetsEncryptStaging
DEBUG
Challenge update failures for vramalta.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/150572340
acme: error code 403 "urn:ietf:params:acme:error:unauthorized": Invalid response from http://vramalta.com/.well-known/acme-challenge/y_anSdQuyf5vyUEbkq6JzPGmQcAFYUJHHuQ2Oxo4dWo [2606:4700:3031::6812:2f7a]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
PublicSuffix
DEBUG
The IANA public suffix is the TLD of the Registered Domain
The TLD for vramalta.com is: com
StatusIO
DEBUG
The current status.io status for Let's Encrypt
Operational

To be honest, I am a bit confused as to where to start. I have seen similar errors, but when I tried the offered solution(s) they didn't work for me. Help please.

edited by MattIPv4

1 answer

Hi,

When you have the Cloudflare (CF) proxy turned on for your domain's A/AAAA record(s), the letsdebug.net tool cannot get direct access to your origin server and check whether a TLS certificate could be issued for a domain held by this server. My advice is to turn the proxy off, run the letsdebug.net tool, and then turn the proxy on again after the test.

To turn the CF proxy off/on you must enter the CF DNS control panel and edit the A/AAAA record(s) of your domain. Follow this guide:
https://community.cloudflare.com/t/editing-dns-records/65070

There is an orange cloud icon that works as a toggle, as in this picture. By clicking on it you can turn the proxy on and off:
https://images.ctfassets.net/slt3lc6tev37/1LXOtXS4OSmByrd15YFgoE/bc56a226d8d35f7780363e54b08a77f2/hc-import-add_record.png

Let us know how it went.
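A way to confirm from the letsdebug output itself which side answered the probe, as an added example that is not part of the original answer: it parses the HTTPCheck "Result:" lines and checks each dialed address against Cloudflare ranges. The three networks are an assumed subset of Cloudflare's published list, and the `DIRECT_LOG` line and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: a subset of Cloudflare's published ranges (cloudflare.com/ips)
# that covers the addresses in the question's log; not the full list.
CF_NETS = [ipaddress.ip_network(n) for n in
           ("104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]

RESULT_RE = re.compile(
    r"Address=(?P<addr>[0-9A-Fa-f:.]+),Address Type=IPv[46],"
    r"Server=(?P<server>[^,\]]*),HTTP Status=(?P<status>\d{3})")

def parse_results(log_text):
    """Return one dict per letsdebug HTTPCheck 'Result: [...]' entry."""
    rows = []
    for m in RESULT_RE.finditer(log_text):
        ip = ipaddress.ip_address(m["addr"])
        proxied = any(ip.version == net.version and ip in net for net in CF_NETS)
        rows.append({"addr": str(ip), "server": m["server"],
                     "status": int(m["status"]), "proxied": proxied})
    return rows

def verdict(rows):
    """Say whether the probes reached the proxy edge or the origin server."""
    if not rows:
        return "no HTTPCheck results found"
    edge = [r for r in rows if r["proxied"]]
    if len(edge) == len(rows):
        return "edge-only: origin server was never reached"
    if not edge:
        return "origin: responses came from the origin server"
    return "mixed: some records are proxied, some are not"

# Two result lines copied from the question's log.
PROXIED_LOG = """
Request to: vramalta.com/2606:4700:3032::6812:2e7a, Result: [Address=2606:4700:3032::6812:2e7a,Address Type=IPv6,Server=cloudflare,HTTP Status=403], Issue:
Request to: vramalta.com/104.18.46.122, Result: [Address=104.18.46.122,Address Type=IPv4,Server=cloudflare,HTTP Status=403], Issue:
"""
# Constructed line: what a DNS-only record might show (documentation address).
DIRECT_LOG = ("Request to: example.test/203.0.113.10, Result: [Address=203.0.113.10,"
              "Address Type=IPv4,Server=nginx,HTTP Status=404], Issue:")

if __name__ == "__main__":
    for name, log in (("proxied", PROXIED_LOG), ("direct", DIRECT_LOG)):
        rows = parse_results(log)
        for r in rows:
            print(name, r["addr"], r["server"], r["status"],
                  "proxied" if r["proxied"] else "direct")
        print(name, "->", verdict(rows))
```

An "edge-only" verdict means the 403 says nothing about the origin's ACME challenge path, which is why the test has to be repeated with the records set to DNS-only.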