Strange Let's Encrypt Error 403

Hello, this is a very strange issue.

Whenever I try to create the LE certificate, I get a 403 error:

The contents of the nginx file are:

cat nginx.ssl.conf_letsencrypt
location ~ "^/\.well-known/acme-challenge/([-_A-Za-z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.w4zAiCqRw1Y-Fz1Ja9Df3y5QzeGBxJUySh6EBMroJiE";
}

From the LE.log I get this:

  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/430635709907/RQbxNA",
  "status": "invalid",
  "validated": "2024-11-15T19:52:22Z",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "The key authorization file from the server did not match this challenge. Expected \"ldjRS1EFq1hAovNO11TNxyapMeIyNHyXOWhww58yXU0.w4zAiCqRw1Y-Fz1Ja9Df3y5QzeGBxJUySh6EBMroJiE\" (got \"ldjRS1EFq1hAovNO11TNxyapMeIyNHyXOWhww58yXU0.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8\")",
    "status": 403

As you can see, the expected answer is in the nginx config file:
w4zAiCqRw1Y-Fz1Ja9Df3y5QzeGBxJUySh6EBMroJiE

Where does the 4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8 come from?

Check: Add some loops due to 403 errors durring LE request in some random ca… · hestiacp/hestiacp@c9d53ca · GitHub

I don’t know where 4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8 is coming from; I couldn’t find it when testing your domain. What I can say is that the domain has an AAAA record, 2001:41d0:301:4::28, and it is not serving the same content as the A record, 51.255.65.164:

$ curl -IkL6 http://a3dbuilding.com/.well-known/acme-challenge/test
HTTP/1.1 404 Not Found
date: Fri, 15 Nov 2024 22:41:10 GMT
content-type: text/html; charset=UTF-8
server: Apache
x-powered-by: PHP/8.0
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://a3dbuilding.com/wp-json/>; rel="https://api.w.org/"
x-iplb-request-id: 2A0104F81C1CE8AA0000000000000001:8AAC_200141D0030100040000000000000028:0050_6737CE05_28412:36BA
x-iplb-instance: 52413
$ curl -ikL4 http://a3dbuilding.com/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Nov 2024 22:40:39 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 48
Connection: keep-alive

test.w4zAiCqRw1Y-Fz1Ja9Df3y5QzeGBxJUySh6EBMroJiE

As Let’s Encrypt will prefer IPv6 over IPv4, you should either remove the AAAA record for that domain or configure your web server to serve the right config for that domain over IPv6 as well.
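The check this reply performs by hand with curl (fetch the challenge path from every A and AAAA address of the name and compare what comes back), together with the structure of the body the nginx rule earlier in the thread returns (per RFC 8555 an http-01 key authorization is the token, a dot, and the base64url SHA-256 thumbprint of the ACME account key as defined in RFC 7638), as an added Python example that is not part of this thread, of HestiaCP or of any ACME client. It uses only the standard library. The error detail and the two addresses are the ones quoted above; the 404 body and the JWK are constructed placeholders (the JWK is not a real key, it only exercises the thumbprint computation). Run without arguments it works offline on that sample data; run as `python acme_check.py <host> <token> <thumbprint>` it resolves the host and fetches the challenge from each address with the Host header the CA would send.

```python
import base64
import hashlib
import http.client
import json
import socket
import sys
import re

MISMATCH_RE = re.compile(r'Expected "([^"]+)" \(got "([^"]+)"\)')

# Sample inputs so the script runs stand-alone. The error detail and both addresses are
# the ones quoted in the thread; the 404 body and the JWK below are constructed placeholders.
SAMPLE_DETAIL = (
    "The key authorization file from the server did not match this challenge. "
    'Expected "ldjRS1EFq1hAovNO11TNxyapMeIyNHyXOWhww58yXU0.w4zAiCqRw1Y-Fz1Ja9Df3y5QzeGBxJUySh6EBMroJiE" '
    '(got "ldjRS1EFq1hAovNO11TNxyapMeIyNHyXOWhww58yXU0.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8")'
)
SAMPLE_EXPECTED = "test.w4zAiCqRw1Y-Fz1Ja9Df3y5QzeGBxJUySh6EBMroJiE"
SAMPLE_RESPONSES = {  # address -> (status, body), modelled on the curl output above
    "51.255.65.164": (200, SAMPLE_EXPECTED + "\n"),
    "2001:41d0:301:4::28": (404, "<html><body>Not Found</body></html>"),
}
SAMPLE_JWK = {  # NOT a real key: placeholder coordinates, extra members on purpose
    "kty": "EC", "crv": "P-256", "alg": "ES256", "kid": "placeholder",
    "x": "placeholder-x-coordinate-base64url", "y": "placeholder-y-coordinate-base64url",
}


def b64url(data):
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the canonical JSON of only the key's required members.
    Extra members such as alg or kid do not change the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """What the challenge URL must return: the token, a dot, the account-key thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def parse_mismatch(detail):
    """Split the CA's 'Expected ... (got ...)' detail into token and thumbprint parts,
    so you can see whether the token or the account key is the part that differs."""
    m = MISMATCH_RE.search(detail)
    if m is None:
        raise ValueError("detail does not contain an Expected/got key authorization pair")
    exp_token, _, exp_thumb = m.group(1).partition(".")
    got_token, _, got_thumb = m.group(2).partition(".")
    return {
        "token": exp_token,
        "expected_thumbprint": exp_thumb,
        "got_thumbprint": got_thumb,
        "same_token": exp_token == got_token,
        "same_thumbprint": exp_thumb == got_thumb,
    }


def check_addresses(responses, expected):
    """Addresses whose response is not a 200 carrying exactly the expected key authorization."""
    return [addr for addr, (status, body) in responses.items()
            if status != 200 or body.strip() != expected]


def resolve_all(host):
    """Every A and AAAA address of the name: the CA may validate over either family."""
    addrs = []
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM):
                if info[4][0] not in addrs:
                    addrs.append(info[4][0])
        except socket.gaierror:
            pass  # no record of this family
    return addrs


def fetch_challenge(host, addr, path, timeout=10.0):
    """GET the challenge path from one specific address, sending the Host header the CA would."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) == 4:  # live check: host, token, account-key thumbprint
        host, token, thumb = sys.argv[1:4]
        expected = token + "." + thumb
        path = "/.well-known/acme-challenge/" + token
        results = {a: fetch_challenge(host, a, path) for a in resolve_all(host)}
    else:  # offline demo on the constructed sample data
        results, expected = SAMPLE_RESPONSES, SAMPLE_EXPECTED
        print("parsed mismatch:", parse_mismatch(SAMPLE_DETAIL))
    bad = check_addresses(results, expected)
    for addr, (status, body) in results.items():
        print(f"{addr:>24} {status} {'WRONG' if addr in bad else 'ok'} {body.strip()[:60]!r}")
```

On the thread's own error detail, parse_mismatch reports the same token on both sides and different thumbprints, which is the shape of a key authorization built for a different ACME account key rather than a missing file; on the sample responses, check_addresses flags only the IPv6 address, the same conclusion the curl comparison above reaches. The thumbprint you pass to the live check is the one your client already embeds in the nginx rule (the part after the dot).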

Thank you very much. It was the IPv6 thing.