Letsencrypt certbot troubleshooting
- certbot validation first connects over IPv6. If you are getting timeout errors, check the firewall for IPv6 HTTPS access or set the network stack to prefer IPv4 over IPv6. Also remove the AAAA record for your domain if you don't want it to connect over IPv6.
- Make sure that a file placed under the webserver root is reachable over HTTP, as certbot uses the .well-known/acme-challenge folder inside it to serve the token that proves ownership of the domain/server.
- A redirect already present in the webserver configuration can also interfere with certificate generation.
- Certbot only works on the default ports, 80 and 443. If you get an “Unauthorized” error, check whether the Listen directive uses a different port.
- When using the ansible module, make sure the step that implements the challenge files checks for the challenge_data, i.e. this part:
when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge['challenge_data']
otherwise the step will fail with this error:
TASK [letsencrypt : Implement http-01 challenge files] *********************************************************************************************************** fatal: [1.1.1.1]: FAILED! => msg: |- The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'my.domain.com'
Failed authorization procedure....
Error: Failed authorization procedure. www.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from…
There might be redirect rules in effect. Try putting this condition in front of the redirect rule in your .htaccess or vhost file so the challenge path is excluded (REQUEST_URI starts with a slash, so the pattern has to include it):
# keep the ACME challenge path out of the redirect that follows this condition
RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$
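As an added example (not from the original page), a small Python pre-flight script that checks the points from the list above and from this section before running certbot: it writes a throw-away token into the webroot's .well-known/acme-challenge folder, fetches it over IPv6 and IPv4 separately on port 80 without following redirects, and maps the result onto the causes described above. The webroot path and hostname are assumed command-line arguments.

```python
import http.client
import socket
import sys
from pathlib import Path
from secrets import token_urlsafe

CHALLENGE_DIR = ".well-known/acme-challenge"  # the folder certbot serves its tokens from

def place_token(webroot):
    """Write a throw-away token into the challenge folder; returns (name, content)."""
    folder = Path(webroot) / CHALLENGE_DIR
    folder.mkdir(parents=True, exist_ok=True)
    name, content = token_urlsafe(16), token_urlsafe(32)
    (folder / name).write_text(content)
    return name, content

def probe(ip, host, name, timeout=10.0):
    """GET the token from one IP on port 80 without following redirects; (None, None, "") if unreachable."""
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", f"/{CHALLENGE_DIR}/{name}", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode(errors="replace")
    except OSError:  # timeout, connection refused, unreachable network
        return None, None, ""

def classify(status, location, body, expected):
    """Map an observed response onto the causes in the checklist above."""
    if status is None:
        return "no answer: check the firewall for this address family (IPv6 is tried first)"
    if 300 <= status < 400:
        return f"redirect to {location}: exclude {CHALLENGE_DIR} from rewrite rules"
    if status in (401, 403, 404):
        return "unauthorized/not found: check the Listen port and the webroot path"
    if status == 200 and body.strip() != expected:
        return "wrong content: another vhost or a rewrite rule answered instead"
    return "ok" if status == 200 else f"unexpected status {status}"

def main(webroot, host):
    name, content = place_token(webroot)
    for label, family in (("IPv6", socket.AF_INET6), ("IPv4", socket.AF_INET)):
        try:  # resolve only for this family so the two paths are tested independently
            ip = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)[0][4][0]
        except socket.gaierror:
            print(f"{label}: no address record, validation will not use it")
            continue
        print(f"{label} {ip}: {classify(*probe(ip, host, name), content)}")

if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])  # usage: preflight.py /var/www/html example.com
```

Run it on the webserver itself; remove the generated token file from the challenge folder afterwards.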
SEC_ERROR_UNKNOWN_ISSUER with certbot in Firefox
If you get this weird error only in Firefox (89.0.2) while other browsers are fine, delete the existing certificate:
certbot delete
and run certbot again:
certbot
This should resolve the issue.
Tested on
- Debian 10.8
- certbot 0.31.0
wiki/certbot_troubleshooting.txt · Last modified: 2024/06/12 10:29 by antisa