404 error due to unauthorized type

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot --nginx

It produced this output: Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: biteanapple.com
Type: unauthorized
Detail: 2a02:4780:11:786:0:2367:26fa:2: Invalid response from http://biteanapple.com/.well-known/acme-challenge/VieBZtXihQTADd17RgwYtK2k86pjRvnwtPZ5bisW-mo: 404

Domain: www.biteanapple.com
Type: unauthorized
Detail: 2a02:4780:11:786:0:2367:26fa:2: Invalid response from http://www.biteanapple.com/.well-known/acme-challenge/RZs5kcsw-dyuiiId-rUINw6BwnJ5YGaFrgNQJY-QTh4: 404

My web server is (include version): Nginx (nginx/1.24.0 (Ubuntu))

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

Hi @SuriMunir, welcome. :slightly_smiling_face:

What do the Certbot logs show?

Also possibly try rerunning with the verbose Certbot option, -vv.

EDIT:

Also https://letsdebug.net/biteanapple.com/2020978 shows


MultipleIPAddressDiscrepancy
WARNING
biteanapple.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:11:786:0:2367:26fa:2,Address Type=IPv6,Server=LiteSpeed,HTTP Status=404] vs [Address=93.127.167.38,Address Type=IPv4,Server=nginx/1.24.0 (Ubuntu),HTTP Status=404]

All the IP addresses need to respond the same.

4 Likes

As Bruce noted, your DNS has 2 IP addresses: one A record for IPv4 and one AAAA record for IPv6.

The IPv4 points to an nginx server but IPv6 points to a LiteSpeed server.

Hostinger often sets up an IPv6 for new configs. Let's Encrypt prefers the IPv6 so is failing as the LiteSpeed server does not respond correctly.

You need to correct the IPv6 address and make sure nginx is configured to listen on that. Or, remove the AAAA record if you don't have IPv6 support. Contact Hostinger support if you are not sure how to do this.

4 Likes

Thank you. I have now changed the IPv6 to the VPS IPv6. Do I need to wait for DNS propagation or will this work immediately?

2 Likes

Also, with the objective of making me self-reliant, can you share with me how you checked this, i.e. that IPv6 points to LiteSpeed and IPv4 points to nginx?

1 Like

It is in the Let's Debug link above.

Edit: and with more debug details https://letsdebug.net/biteanapple.com/2020978?debug=y

3 Likes
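One way to reproduce the per-address comparison locally, as an added example that is not part of the thread and is not Let's Debug's own code: resolve every A and AAAA record, send the same HTTP request to each address with the real Host header, and flag addresses that answer differently. The function names and the challenge path are assumptions; `SAMPLE` is constructed from the Let's Debug result quoted above.

```python
import http.client
import socket
import sys

# Assumed test path; any nonexistent token works, since we compare responses.
CHALLENGE_PATH = "/.well-known/acme-challenge/placeholder-token"

# Constructed sample, mirroring the Let's Debug output quoted in this thread.
SAMPLE = {
    "2a02:4780:11:786:0:2367:26fa:2": (404, "LiteSpeed"),
    "93.127.167.38": (404, "nginx/1.24.0 (Ubuntu)"),
}

def resolve_all(host):
    """Return every address published for host, IPv4 (A) then IPv6 (AAAA)."""
    addrs = []
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this address family
        for info in infos:
            if info[4][0] not in addrs:
                addrs.append(info[4][0])
    return addrs

def probe(host, ip, path=CHALLENGE_PATH, timeout=5):
    """GET path from one specific address, keeping the site's Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()

def discrepancies(results):
    """results maps ip -> (status, server); return address pairs that differ."""
    items = sorted(results.items())
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra != rb]

if __name__ == "__main__" and len(sys.argv) > 1:
    host = sys.argv[1]
    live = {ip: probe(host, ip) for ip in resolve_all(host)}
    for ip, (status, server) in live.items():
        print(ip, status, server)
    print("differing pairs:", discrepancies(live))
```

Both addresses in the sample return 404 because the token does not exist; the differing Server header is what shows they are separate machines.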

I have successfully generated the certificate. Thanks a ton.

4 Likes

It's good that you have a cert. You need to fix your nginx config redirects. They currently result in a loop. You should not be redirecting back to HTTP from your HTTPS (port 443) server block.

```
# HTTP to HTTPS (good)
curl -I http://biteanapple.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0 (Ubuntu)
Location: https://biteanapple.com/

# HTTPS to HTTP (bad)
curl -I https://biteanapple.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0 (Ubuntu)
Location: http://biteanapple.com/

# HTTP back to HTTPS (looping)
curl -I http://biteanapple.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0 (Ubuntu)
Location: https://biteanapple.com/
```

4 Likes