523 Error when trying to get a certificate for a new website

Hi, I am trying to get a certificate for my website and I would need some help :slight_smile:

My domain is:
manuel-tornero.tech

I ran this command:
sudo site manuel-tornero.tech -ssl=on

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for manuel-tornero.tech and www.manuel-tornero.tech

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: manuel-tornero.tech
Type: unauthorized
Detail: 2606:4700:3032::ac43:a68e: Invalid response from http://manuel-tornero.tech/.well-known/acme-challenge/oQ4EEs-fo1uxChSsXMoSydtGi9nmZLscKUO0uCDf7aA: 523

Domain: www.manuel-tornero.tech
Type: unauthorized
Detail: 2606:4700:3030::6815:32c7: Invalid response from http://www.manuel-tornero.tech/.well-known/acme-challenge/olA-LyMU-2Eb1KwgcxEv4AP2IWRKlaBsaWfdgWqha8Q: 523

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[ERROR] Unable to create the new certificate!

My web server is (include version):
nginx version: nginx/1.26.0

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
I use an Oracle Cloud VPS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I don't know what it refers to with control panel. I use Cloudflare, and if I try to go to the website it gives me a 523 error.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

Hi @mjtf3, and welcome to the LE community forum :slight_smile:

Which name is it?

3 Likes

https://letsdebug.net/manuel-tornero.tech/1912913

CloudflareCDN
WARNING
The domain manuel-tornero.tech is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

I suspect this is the first thing you should investigate and possibly correct:
It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

Plus a few like this one; this is the first. See the above link for all.

UnexpectedHttpResponse
WARNING
Sending an ACME HTTP validation request to manuel-tornero.tech results in unexpected HTTP response 523 . This indicates that the webserver is misconfigured or misbehaving.
523

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>


<title>manuel-tornero.tech | 523: Origin is unreachable</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" />


</head>
<body>
<div id="cf-wrapper">
<div id="cf-error-details" class="p-0">
<header class="mx-auto pt-10 lg:pt-6 lg:px-8 w-240 lg:w-full mb-8">
<h1 class="inline-block sm:block sm:mb-2 font-light text-60 lg:text-4xl text-black-dark leading-tight mr-2">
<span class="inline-block">Origin is unreachable</span>
<span class="code-label">Error code 523</span>
</h1>
<div>
Visit <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_523&utm_campaign=manuel-tornero.tech" target="_blank" rel="noopener noreferrer">cloudflare.com</a> for more information.
</div>
<div class="mt-3">2024-04-29 16:18:10 UTC</div>
</header>
<div class="my-8 bg-gradient-gray">
<div class="w-240 lg:w-full mx-auto">
<div class="clearfix md:px-8">

<div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center">
<div class="relative mb-10 md:m-0">

<span class="cf-icon-browser block md:hidden h-20 bg-center bg-no-repeat"></span>
<span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span>

</div>
<span class="md:block w-full truncate">You</span>
<h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3">

Browser

</h3>
<span class="leading-1.3 text-2xl text-green-success">Working</span>
</div>

<div id="cf-cloudflare-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center">
<div class="relative mb-10 md:m-0">
<a href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_523&utm_campaign=manuel-tornero.tech" target="_blank" rel="noopener noreferrer">
<span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span>
<span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span>
</a>
</div>
<span class="md:block w-full truncate">Amsterdam</span>
<h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3">
<a href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_523&utm_campaign=manuel-tornero.tech" target="_blank" rel="noopener noreferrer">
Cloudflare
</a>
</h3>
<span class="leading-1.3 text-2xl text-green-success">Working</span>
</div>

<div id="cf-host-status" class="cf-error-source relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border-b md:border-gray-400 overflow-hidden float-left md:float-none text-center">
<div class="relative mb-10 md:m-0">

<span class="cf-icon-server block md:hidden h-20 bg-center bg-no-repeat"></span>
<span class="cf-icon-error w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span>

</div>
<span class="md:block w-full truncate">manuel-tornero.tech</span>
<h3 class="md:inline-block mt-3 md:mt-0 text-2xl text-gray-600 font-light leading-1.3">

Host

</h3>
<span class="leading-1.3 text-2xl text-red-error">Error</span>
</div>

</div>
</div>
</div>

<div class="w-240 lg:w-full mx-auto mb-8 lg:px-8">
<div class="clearfix">
<div class="w-1/2 md:w-full float-left pr-6 md:pb-10 md:pr-0 leading-relaxed">
<h2 class="text-3xl font-normal leading-1.3 mb-4">What happened?</h2>
<p>The origin web server is not reachable.</p>
</div>
<div class="w-1/2 md:w-full float-left leading-relaxed">
<h2 class="text-3xl font-normal leading-1.3 mb-4">What can I do?</h2>
<h3 class="text-15 font-semibold mb-2">If you're a visitor of this website:</h3>
<p class="mb-6">Please try again in a few minutes.</p>

<h3 class="text-15 font-semibold mb-2">If you're the owner of this website:</h3>
<p><span>Check your DNS Settings. A 523 error means that Cloudflare could not reach your host web server. The most common cause is that your DNS settings are incorrect. Please contact your hosting provider to confirm your origin IP and then make sure the correct IP is listed for your A record in your Cloudflare DNS Settings page.</span> <a rel="noopener noreferrer" href="https://support.cloudflare.com/hc/en-us/articles/200171946-Error-523">Additional troubleshooting information here.</a></p>
</div>
</div>
</div>

<div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300">
<p class="text-13">
<span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">87c09b3d29d3b7ae</strong></span>
<span class="cf-footer-separator sm:hidden">&bull;</span>
<span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1">
Your IP:
<button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button>
<span class="hidden" id="cf-footer-ip">2a01:4f9:c012:ccd0::1</span>
<span class="cf-footer-separator sm:hidden">&bull;</span>
</span>
<span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_523&utm_campaign=manuel-tornero.tech" id="brand_link" target="_blank">Cloudflare</a></span>

</p>
<script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script>
</div><!-- /.error-footer -->


</div>
</div>
</body>
</html>


Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3030::6815:32c7)
@0ms: Dialing 2606:4700:3030::6815:32c7
@173ms: Server response: HTTP 301 Moved Permanently
@173ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@174ms: Dialing 2606:4700:3030::6815:32c7
@341ms: Server response: HTT

Oh sorry, it's manuel-tornero.tech

I'd say CF isn't able to reach your server.

3 Likes

Looking for it on the internet, I found it may have had something to do with the firewall. Now it's working, but only if I deactivate SSL in the server and in Cloudflare; if I activate SSL in the server and the Full (strict) mode in Cloudflare, it still gives me the 523 error.

1 Like

It should be; it has the A and CNAME DNS records, and the server has ports 80 and 443 open.

Perhaps there is a firewall blocking them?

2 Likes

However you have DNS AAAA Records which is IPv6 and it is preferred by Let's Encrypt.

1 Like

And how do I eliminate it? It doesn't appear in CF nor in the domain site. Or do I also have to establish IPv6 for my server?

Those are Cloudflare proxy IPs and have no relationship to whether IPv6 or IPv4 are available on the origin. Cloudflare prefers using IPv4 to the origin when both IPv4 and IPv6 origin IPs are known to Cloudflare. Any proxied hostname will publish both A and AAAA records.

Cloudflare IPs are also anycast IPs and different IPs can be returned for the same hostnames. This is not anything to be concerned about.

There is no need to establish an IPv6 connection between Cloudflare and the origin.

4 Likes

Thanks @linkp! :slight_smile:

2 Likes

Oh, thanks

1 Like

Yet the Let's Debug output shows the IPv6 being tried first.

HTTPCheck
DEBUG
Requests made to the domain
Request to: manuel-tornero.tech/2606:4700:3030::6815:32c7, Result: [Address=2606:4700:3030::6815:32c7,Address Type=IPv6,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=523], Issue: UnexpectedHttpResponse
Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3030::6815:32c7)
@0ms: Dialing 2606:4700:3030::6815:32c7
@173ms: Server response: HTTP 301 Moved Permanently
@173ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@174ms: Dialing 2606:4700:3030::6815:32c7
@341ms: Server response: HTTP 523

Request to: manuel-tornero.tech/2606:4700:3032::ac43:a68e, Result: [Address=2606:4700:3032::ac43:a68e,Address Type=IPv6,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=523], Issue: UnexpectedHttpResponse
Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3032::ac43:a68e)
@0ms: Dialing 2606:4700:3032::ac43:a68e
@243ms: Server response: HTTP 301 Moved Permanently
@243ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@243ms: Dialing 2606:4700:3032::ac43:a68e
@424ms: Server response: HTTP 523

Request to: manuel-tornero.tech/172.67.166.142, Result: [Address=172.67.166.142,Address Type=IPv4,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=523], Issue: UnexpectedHttpResponse
Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 172.67.166.142)
@0ms: Dialing 172.67.166.142
@244ms: Server response: HTTP 301 Moved Permanently
@244ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@244ms: Dialing 172.67.166.142
@427ms: Server response: HTTP 523

Request to: manuel-tornero.tech/104.21.50.199, Result: [Address=104.21.50.199,Address Type=IPv4,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=523], Issue: UnexpectedHttpResponse
Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 104.21.50.199)
@0ms: Dialing 104.21.50.199
@198ms: Server response: HTTP 301 Moved Permanently
@198ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@198ms: Dialing 104.21.50.199
@375ms: Server response: HTTP 523

1 Like
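The Let's Debug traces above all follow the same shape: a 301 from Cloudflare's edge to the HTTPS URL, then a 523 on the second hop. As an added example (not part of this thread, and not code from Let's Debug, Certbot or Cloudflare), the script below parses that trace format and Certbot's "Invalid response from ... : 523" lines into a per-IP summary, so the address family, redirect chain and final status can be read at a glance instead of from the raw dump. The 523 meaning is the one stated on Cloudflare's error page quoted earlier; the success probe at 203.0.113.10 is constructed to show the non-failing branch and is not from the thread.

```python
"""Summarise ACME HTTP-01 probe output (Let's Debug traces, Certbot errors).

Added example for this thread; it only parses text and makes no network
requests. Sample input: two probes pasted above plus one constructed success.
"""
import re
from dataclasses import dataclass, field

# Edge status that Cloudflare itself returns when the proxy hop to the origin
# fails. Only 523 appears in this thread; wording follows Cloudflare's page.
EDGE_ERRORS = {
    523: "origin is unreachable: Cloudflare could not connect to the origin; "
         "check the origin IP in the Cloudflare A record and that the origin "
         "firewall/security list allows ports 80 and 443",
}

SAMPLE_TRACE = """\
Request to: manuel-tornero.tech/2606:4700:3030::6815:32c7, Result: [Address=2606:4700:3030::6815:32c7,Address Type=IPv6,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=523], Issue: UnexpectedHttpResponse
Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 2606:4700:3030::6815:32c7)
@0ms: Dialing 2606:4700:3030::6815:32c7
@173ms: Server response: HTTP 301 Moved Permanently
@173ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@174ms: Dialing 2606:4700:3030::6815:32c7
@341ms: Server response: HTTP 523

Request to: manuel-tornero.tech/172.67.166.142, Result: [Address=172.67.166.142,Address Type=IPv4,Server=cloudflare,HTTP Status=301,Number of Redirects=1,Final HTTP Status=523], Issue: UnexpectedHttpResponse
Trace:
@0ms: Making a request to http://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 172.67.166.142)
@0ms: Dialing 172.67.166.142
@244ms: Server response: HTTP 301 Moved Permanently
@244ms: Received redirect to https://manuel-tornero.tech/.well-known/acme-challenge/letsdebug-test
@244ms: Dialing 172.67.166.142
@427ms: Server response: HTTP 523

Request to: example.test/203.0.113.10, Result: [Address=203.0.113.10,Address Type=IPv4,Server=nginx,HTTP Status=200,Number of Redirects=0,Final HTTP Status=200]
Trace:
@0ms: Making a request to http://example.test/.well-known/acme-challenge/letsdebug-test (using initial IP 203.0.113.10)
@0ms: Dialing 203.0.113.10
@50ms: Server response: HTTP 200 OK
"""
# (the last probe above is constructed, not from the thread)

# Certbot error lines as pasted in the opening post.
SAMPLE_CERTBOT = """\
Detail: 2606:4700:3032::ac43:a68e: Invalid response from http://manuel-tornero.tech/.well-known/acme-challenge/oQ4EEs-fo1uxChSsXMoSydtGi9nmZLscKUO0uCDf7aA: 523
Detail: 2606:4700:3030::6815:32c7: Invalid response from http://www.manuel-tornero.tech/.well-known/acme-challenge/olA-LyMU-2Eb1KwgcxEv4AP2IWRKlaBsaWfdgWqha8Q: 523
"""


@dataclass
class Probe:
    address: str
    family: str                 # "IPv4" or "IPv6"
    server: str                 # value of the Server header seen by Let's Debug
    final_status: int
    hops: list = field(default_factory=list)   # [status, redirect target or None]


RESULT_RE = re.compile(r"Request to: (\S+?), Result: \[(.*?)\]")
KV_RE = re.compile(r"([\w ]+?)=([^,\]]+)")
RESPONSE_RE = re.compile(r"Server response: HTTP (\d+)")
REDIRECT_RE = re.compile(r"Received redirect to (\S+)")
CERTBOT_RE = re.compile(r"Detail: (\S+): Invalid response from (\S+): (\d+)")


def parse_letsdebug(text: str) -> list:
    """Split the output into per-IP probes and collect each probe's hop chain."""
    probes = []
    for block in re.split(r"(?m)^(?=Request to: )", text):
        m = RESULT_RE.search(block)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group(2)))
        probe = Probe(address=kv["Address"], family=kv["Address Type"],
                      server=kv.get("Server", "?"),
                      final_status=int(kv["Final HTTP Status"]))
        for line in block.splitlines():
            resp = RESPONSE_RE.search(line)
            if resp:
                probe.hops.append([int(resp.group(1)), None])
                continue
            redir = REDIRECT_RE.search(line)
            if redir and probe.hops:
                probe.hops[-1][1] = redir.group(1)   # attach target to the 3xx hop
        probes.append(probe)
    return probes


def parse_certbot(text: str) -> list:
    """Return (validating IP, challenge URL, HTTP status) from Certbot's Detail lines."""
    return [(ip, url, int(code)) for ip, url, code in CERTBOT_RE.findall(text)]


def diagnose(probe: Probe) -> str:
    """One line per probe: family, address, hop chain and what the final status means."""
    chain = " -> ".join(str(s) for s, _ in probe.hops) or str(probe.final_status)
    if probe.final_status == 200:
        verdict = "challenge path reachable"
    elif probe.server.lower() == "cloudflare" and probe.final_status in EDGE_ERRORS:
        verdict = EDGE_ERRORS[probe.final_status]
    else:
        verdict = f"unexpected final status {probe.final_status}"
    redirected = any(target for _, target in probe.hops)
    note = " (final status came from the HTTPS hop after a redirect)" if redirected else ""
    return f"{probe.family} {probe.address} via {probe.server}: {chain}: {verdict}{note}"


def summarize(text: str) -> list:
    return [diagnose(p) for p in parse_letsdebug(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_TRACE):
        print(line)
    for ip, url, code in parse_certbot(SAMPLE_CERTBOT):
        print(f"certbot: {ip} -> {url}: {code}")
```

Run it on a saved copy of a Let's Debug report or the Certbot output; a probe whose chain ends in 523 behind `Server=cloudflare` points at the Cloudflare-to-origin hop rather than at DNS or the validating IP family, which is the conclusion the thread reached.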

It doesn't matter.

End user -> IPv6 -> Cloudflare -> IPv4 -> Origin

4 Likes

Oh, so Cloudflare is a proxy (in some sense, either forward or reverse) in this use case.

2 Likes
4 Likes

The DNS should be correct, and the web works if I disable the SSL.

Here is a list of issued certificates crt.sh | manuel-tornero.tech, the latest being 2024-04-29.

The big thing I see is redirection from:

https://manuel-tornero.tech to https://manuel-tornero.tech/

$ curl -Ii https://manuel-tornero.tech
HTTP/2 301
date: Mon, 29 Apr 2024 17:49:38 GMT
content-type: text/html
content-length: 167
location: https://manuel-tornero.tech/
cache-control: max-age=3600
expires: Mon, 29 Apr 2024 18:49:38 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xlz2emM8y14Cdc7%2B5x328W8YwS2j2zLqxQwjSQTcVCXTtr4O%2FJcZSYZVedEHA7oscOnAa7b0YYytWzlEX5Lqu5aw2ZQoOmthdCccidJPxAt5LEkDUgl0EwQDmi0x1CUbY443r6Gi"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 87c1213bce0deb9b-SEA

And with this online tool https://www.redirect-checker.org/ it is shown here too:

2 Likes

Also your 523 is gone now with Let's Debug.

1 Like