Please help, I run a proxy server to pass requests to internal servers. Let's Encrypt renew worked with most domains/subdomains but not with this domain (ketnoi.caobang.gov.vn)
My domain is: ketnoi.caobang.gov.vn
I ran this command:
sudo certbot certonly -d ketnoi.caobang.gov.vn --debug-challenges --dry-run
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Detail: 2001:ee0:305:a::301: Invalid response from http://ketnoi.caobang.gov.vn/.well-known/acme-challenge/G2uI8zZffbdYI_C9DQk4Ih-NE2bZ1cVE8p1Oh0gyNeo: 404
My web server is (include version): nginx/1.14.1
The operating system my web server runs on is (include version): CentOS 8
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0
The above command works successfully with admin.ketnoi.caobang.gov.vn and api.ketnoi.caobang.gov.vn
Your A record and your AAAA record are pointing to different machines. Point them both to the same one.
The proxy server machine has the address 10.86.19.83, and on the internal DNS server I have all the domains (admin.ketnoi.caobang.gov.vn, ketnoi.caobang.gov.vn and api.ketnoi.caobang.gov.vn) pointed at this address (10.86.19.83).
I don't really understand the issue!
Do you see this difference?
# curl -4 -IL http://ketnoi.caobang.gov.vn/.well-known/acme-challenge/G2uI8zZffbdYI_C9DQk4Ih-NE2bZ1cVE8p1Oh0gyNeo
HTTP/1.1 404 Not Found
Date: Fri, 14 Oct 2022 09:42:47 GMT
# curl -6 -IL http://ketnoi.caobang.gov.vn/.well-known/acme-challenge/G2uI8zZffbdYI_C9DQk4Ih-NE2bZ1cVE8p1Oh0gyNeo
HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=utf-8
So it means that I have to modify/remove the IPv6 DNS record of ketnoi.caobang.gov.vn? This is so strange because last year (<90 days ago) the auto-renewing of ketnoi.caobang.gov.vn worked. I have not touched this Let's Encrypt SSL since 2 years ago!
Somebody probably messed up with DHCP or SLAAC.
Find out your new IPv6 and update the record.
Thanks 9peppe for your support! It might be the upgrade of the DNS service provider!
Anything I can do from the proxy server (i.e. mapping on the firewall?)
I don't know enough about your system to tell.
It should just work once you correct the records.
My system is below:
INTERNET >> ROUTER/FIREWALL >> PROXY SERVER >> WEB SERVERS
The proxy server handles all requests to different internal servers using 1 single public IP address!
I am not very knowledgeable at nginx configuration.
So far, please share a bit more with me on what I could possibly do to avoid asking the DNS provider to remove the AAAA record!
You should find out the proxy server's IP addresses and put those in your A and AAAA records.
From the proxy server shell:
curl -4 ifconfig.co
curl -6 ifconfig.co
NB, IPv6 could just go around your proxy server, and make the internal server answer directly. You should also check that.
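The two curl calls above (one per address family) are the whole diagnosis: if the same challenge URL gives 404 over IPv4 and 200 over IPv6, the A and AAAA records are not landing on the same machine. The script below is an added example, not code from this thread or from Certbot; it wraps that check so it can be re-run after the DNS records are fixed. The domain, the token placeholder and the `ACME_*` environment variable names are assumptions; `dig` must be installed for the record listing, and the live probe only runs when the script is invoked with the argument `live`, so the parsing and verdict functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: compare how an ACME HTTP-01 challenge
# URL answers over IPv4 versus IPv6, the mismatch 9peppe's two curl calls showed.
# DOMAIN and TOKEN are assumptions; replace TOKEN with a real challenge token
# (e.g. one left under /.well-known/acme-challenge/ while --debug-challenges
# pauses certbot).

DOMAIN="${ACME_DOMAIN:-ketnoi.caobang.gov.vn}"
TOKEN="${ACME_TOKEN:-EXAMPLE_TOKEN_PLACEHOLDER}"

# status_code HEADERS: print the HTTP status of the final hop in a `curl -IL`
# header dump. curl -L prints one status line per redirect, so the last one
# wins; an empty dump (no answer over that family) yields 0.
status_code() {
    printf '%s\n' "$1" | awk '/^HTTP\//{code=$2} END{print code+0}'
}

# verdict V4CODE V6CODE: classify the pair the way the thread diagnosed it.
verdict() {
    if [ "$1" = "$2" ]; then
        echo "consistent"              # both families reach the same backend
    elif [ "$1" = "0" ] || [ "$2" = "0" ]; then
        echo "one-family-unreachable"  # one record points somewhere dead
    else
        echo "split-brain"             # A and AAAA lead to different machines
    fi
}

# resolve TYPE NAME: list the A or AAAA records so the two can be compared
# against the proxy server's own addresses (curl -4/-6 ifconfig.co above).
resolve() {
    dig +short "$1" "$2" 2>/dev/null | sort -u
}

# probe: live check over both address families. Runs only when the script is
# invoked as `sh check-acme.sh live`, so plain sourcing stays offline.
probe() {
    url="http://$DOMAIN/.well-known/acme-challenge/$TOKEN"
    echo "A    records: $(resolve A "$DOMAIN" | tr '\n' ' ')"
    echo "AAAA records: $(resolve AAAA "$DOMAIN" | tr '\n' ' ')"
    v4=$(status_code "$(curl -4 -sIL --max-time 10 "$url" 2>/dev/null || true)")
    v6=$(status_code "$(curl -6 -sIL --max-time 10 "$url" 2>/dev/null || true)")
    echo "IPv4 -> HTTP $v4, IPv6 -> HTTP $v6: $(verdict "$v4" "$v6")"
}

if [ "${1:-}" = "live" ]; then
    probe
fi
```

A result of `split-brain` is exactly the 404-versus-200 pair in the thread: fix the A or AAAA record so both point at the proxy, or drop the AAAA record as the original poster eventually did. `one-family-unreachable` is the quieter failure 9peppe warns about in the last line, where IPv6 bypasses the proxy and reaches an internal host that does not answer at all.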
Finally, I told the DNS guy to delete the IPv6 address.
Great, thanks 9peppe!