404, wrong IP when creating cert

I'm setting up a cert for a new Mastodon instance with the Digital Ocean premade Mastodon droplet image with Let's Encrypt preinstalled. I already have a similar WordPress droplet running with working Let's Encrypt at the base of my domain: ericrie.se

I'm setting up the mastodon instance at toot.ericrie.se.

I can ssh into it at that subdomain. < That was only because I manually changed my /etc/hosts so I didn't have to wait for it to propagate.

I have an A record for ericrie.se pointing to that WordPress instance's IP.
I added an A record for toot.ericrie.se pointing to the Mastodon instance.

The problem seems to be that when running letsencrypt for toot.ericrie.se it's using the IP for ericrie.se.

When first setting up the instance, the DNS change hadn't propagated, so that created other issues because I have a wildcard entry in my zone file so that *.ericrie.se points to the WordPress VPS, so toot.ericrie.se was originally pointing there. So I'm guessing that got cached somewhere.

My DNS might be in a weird state. I previously switched to Digital Ocean's nameservers from those of my registrar, gandi.net. I had 2 CNAME entries for Gandi's "Web Forwarding" service which are still working, but they don't show up in Digital Ocean's web interface.

My domain is:

I ran this command:

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: toot.ericrie.se
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for toot.ericrie.se
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. toot.ericrie.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://toot.ericrie.se/.well-known/acme-challenge/D6u8iaHzV13ABHP0CrGMg2zisfbmMCn2zm1ZuiecZe4: 404

 - The following errors were reported by the server:

   Domain: toot.ericrie.se
   Type:   unauthorized
   Detail: Invalid response from

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Well, currently the public DNS still thinks it should query the Gandi nameservers, see:


You should remove that version and switch to the latest snap version.

That is also nearing EOL.


Thanks. I agree it's something with DNS. I opened a support ticket with Digital Ocean.

My nameservers are mixed up according to this. DNS Checker - DNS Check Propagation Tool

This shows the wrong IP everywhere except the DO support tech is seeing the right one: DNS Checker - DNS Check Propagation Tool


When I set this droplet up that was the only image but I just checked now and there's an image based on 20.04 but it doesn't fit on Digital Ocean's cheapest droplet so I have to pay twice as much. But I think it will need the RAM so I'll go with it for now.

You have different name servers for your delegation and authoritative levels. If you want Digital Ocean to be your DNS, you need to set them at your registrar too (Gandi). See the warning messages for details:

The Digital Ocean tech is probably seeing the "right" IP because they are checking just their name servers and not walking the DNS tree. You can use unboundtest.com to check DNS as it uses a similar method to Let's Encrypt servers.
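The tree walk this answer describes, as an added example that is not part of the thread: a small Python checker asks the parent zone for the delegation, follows it to the servers the public internet actually reaches, and compares the A record found that way with a direct query to the hosting provider's servers (the view the support tech had). `FAKE_ZONES` is constructed data modelled on the thread (server names assumed, documentation IPs), and `dig_lookup` assumes `dig` is installed if you want to pass it as `lookup` and run the same check against real DNS.

```python
import subprocess
from typing import Dict, List, Tuple

# Constructed sample data (not real DNS answers): the .se parent still
# delegates to Gandi, the zone Gandi serves lists DigitalOcean as its NS and
# keeps the old wildcard, while DigitalOcean's zone has the new A record.
# Server names are assumed for illustration; IPs are documentation addresses.
FAKE_ZONES: Dict[str, Dict[Tuple[str, str], List[str]]] = {
    "a.ns.se.": {("ericrie.se.", "NS"): ["ns1.gandi.net.", "ns2.gandi.net."]},
    "ns1.gandi.net.": {
        ("ericrie.se.", "NS"): ["ns1.digitalocean.com.", "ns2.digitalocean.com."],
        ("toot.ericrie.se.", "A"): ["203.0.113.10"],   # answered by *.ericrie.se
    },
    "ns1.digitalocean.com.": {
        ("ericrie.se.", "NS"): ["ns1.digitalocean.com.", "ns2.digitalocean.com."],
        ("toot.ericrie.se.", "A"): ["203.0.113.20"],   # the Mastodon droplet
    },
}
FAKE_ZONES["ns2.gandi.net."] = FAKE_ZONES["ns1.gandi.net."]
FAKE_ZONES["ns2.digitalocean.com."] = FAKE_ZONES["ns1.digitalocean.com."]

def fake_lookup(server: str, name: str, rdtype: str) -> List[str]:
    """Offline lookup against the constructed zones above."""
    return FAKE_ZONES.get(server, {}).get((name, rdtype), [])

def dig_lookup(server: str, name: str, rdtype: str) -> List[str]:
    """Real lookup with dig (assumes dig is installed); asks one server only."""
    proc = subprocess.run(["dig", "+short", "@" + server, name, rdtype],
                          capture_output=True, text=True, check=False)
    return [line for line in proc.stdout.splitlines() if line]

def check_delegation(zone: str, host: str, parent_ns: str,
                     provider_ns: List[str], lookup=fake_lookup) -> dict:
    """Compare the path a tree-walking resolver takes (parent -> delegated NS)
    with a direct query to the provider's servers."""
    delegated = set(lookup(parent_ns, zone, "NS"))
    authoritative, public_ips, provider_ips = set(), set(), set()
    for ns in delegated:                      # what the public internet reaches
        authoritative |= set(lookup(ns, zone, "NS"))
        public_ips |= set(lookup(ns, host, "A"))
    for ns in provider_ns:                    # what a direct query to the host sees
        provider_ips |= set(lookup(ns, host, "A"))
    return {
        "delegation_ns": sorted(delegated),
        "authoritative_ns": sorted(authoritative),
        "ns_consistent": delegated == authoritative,
        "public_ips": sorted(public_ips),
        "provider_ips": sorted(provider_ips),
        "validation_will_hit_right_host": public_ips == provider_ips,
    }

REPORT = check_delegation("ericrie.se.", "toot.ericrie.se.", "a.ns.se.",
                          ["ns1.digitalocean.com.", "ns2.digitalocean.com."])
```

With the constructed data `REPORT` shows the delegation still at Gandi, the apex NS set naming DigitalOcean, and two different A answers, which is the state where http-01 validation reaches the wrong machine and returns a 404.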

