Cannot register a domain from the same server via nginx proxy

Please help, I run a proxy server to pass requests to internal servers. Letsencrypt renewal worked with most domains/subdomains but not with this domain (ketnoi.caobang.gov.vn).
My domain is: ketnoi.caobang.gov.vn

I ran this command:
sudo certbot certonly -d ketnoi.caobang.gov.vn --debug-challenges --dry-run
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: ketnoi.caobang.gov.vn
Type: unauthorized
Detail: 2001:ee0:305:a::301: Invalid response from http://ketnoi.caobang.gov.vn/.well-known/acme-challenge/G2uI8zZffbdYI_C9DQk4Ih-NE2bZ1cVE8p1Oh0gyNeo: 404
My web server is (include version): nginx/1.14.1
The operating system my web server runs on is (include version): CentOS 8
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0
OTHER NOTES:
The above command works successfully with admin.ketnoi.caobang.gov.vn and api.ketnoi.caobang.gov.vn
Please help!

Your A record and your AAAA record are pointing to different machines. Point them both to the same one. :wink:

2 Likes

The proxy server machine has address of 10.86.19.83 and on the internal DNS server I have all the domains (admin.ketnoi.caobang.gov.vn and ketnoi.caobang.gov.vn, api.ketnoi.caobang.gov.vn) pointed at this address. (10.86.19.83)
I don't really understand the issue!

Do you see this difference?

# curl -4 -IL http://ketnoi.caobang.gov.vn/.well-known/acme-challenge/G2uI8zZffbdYI_C9DQk4Ih-NE2bZ1cVE8p1Oh0gyNeo
HTTP/1.1 404 Not Found
Server: nginx/1.14.1
Date: Fri, 14 Oct 2022 09:42:47 GMT
Connection: keep-alive

# curl -6 -IL http://ketnoi.caobang.gov.vn/.well-known/acme-challenge/G2uI8zZffbdYI_C9DQk4Ih-NE2bZ1cVE8p1Oh0gyNeo
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Content-Length: 246

3 Likes

So it means that I have to modify/remove the IPv6 DNS record of ketnoi.caobang.gov.vn? This is so strange because last year (<90 days ago), the auto renewing of ketnoi.caobang.gov.vn worked. I have not touched this Letsencrypt SSL since 2 years ago!

Somebody probably messed up with DHCP or SLAAC.

Find out your new IPv6 and update the record.

2 Likes

Ok,
Thanks 9peppe for your support! It might be the upgrade of the DNS service provider!
Is there anything I can do from the proxy server (i.e. mapping on the firewall)?

I don't know enough about your system to tell.

It should just work once you correct the records.

3 Likes

My system is below:
INTERNET >> ROUTER/FIREWALL >> PROXY SERVER >> WEB SERVERS
The proxy server handles all requests to the different internal servers using 1 single public IP address!
I am not very knowledgeable about nginx configuration.
So please share a bit more with me on what I can do to avoid asking the DNS provider to remove the AAAA record!

You should find out the proxy server's IP addresses and put those in your A and AAAA records.

From the proxy server shell:

curl -4 ifconfig.co

and

curl -6 ifconfig.co

NB, IPv6 could just go around your proxy server, and make the internal server answer directly. You should also check that.

2 Likes
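
The per-family comparison done by hand with curl -4 and curl -6 in this thread, as an added example that is not part of the original posts: it requests the same path on every A and AAAA address of a name with the real Host header and reports where the answers disagree. The function names and the sample tuples are assumptions made for illustration; the sample addresses are documentation placeholders.

```python
import http.client
import socket
import sys

# Constructed sample results in the shape probe() returns. Status and Server
# values mirror the two curl outputs in the thread; the addresses are
# documentation placeholders, not the site's real ones.
V4_SAMPLE = [("192.0.2.10", 404, "nginx/1.14.1")]
V6_SAMPLE = [("2001:db8::10", 200, None)]

def probe(host, path, family, timeout=10):
    """HEAD `path` on every address `host` has in one address family.
    Returns [(ip, status, server_header)]; status is None on a failure."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this family visible to the resolver
    results = []
    for ip in sorted({info[4][0] for info in infos}):
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        try:
            # Dial the literal address but keep the real Host header, so the
            # proxy selects the same server block it would for the CA.
            conn.request("HEAD", path, headers={"Host": host})
            resp = conn.getresponse()
            results.append((ip, resp.status, resp.getheader("Server")))
        except (OSError, http.client.HTTPException) as exc:
            results.append((ip, None, f"error: {exc}"))
        finally:
            conn.close()
    return results

def diagnose(v4, v6):
    """List the ways the IPv4 and IPv6 answers disagree (empty = consistent)."""
    if not v6:
        return []  # no AAAA record, so validation can only arrive over IPv4
    findings = []
    status4, status6 = {r[1] for r in v4}, {r[1] for r in v6}
    server4, server6 = {r[2] for r in v4}, {r[2] for r in v6}
    if status4 != status6:
        findings.append(f"status differs: IPv4 {status4} vs IPv6 {status6}")
    if server4 != server6:
        findings.append(f"Server header differs: IPv4 {server4} vs IPv6 {server6}")
    return findings

if __name__ == "__main__":
    name, url_path = sys.argv[1], sys.argv[2]  # hostname, then the path to fetch
    for line in diagnose(probe(name, url_path, socket.AF_INET),
                         probe(name, url_path, socket.AF_INET6)) or ["IPv4 and IPv6 agree"]:
        print(line)
```

Run it from a host outside the internal network, since the internal DNS described above answers with the private proxy address rather than the public records the CA sees.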

Finally, I told the DNS guy to delete the IPv6 address.
Great thanks, 9peppe!

2 Likes
