Cannot renew SSL certificate - Ubuntu 20.04 - Apache2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: BigBangGamers.org

I ran this command: sudo certbot --apache

It produced this output: Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: bigbanggamers.org
Type: unauthorized
Detail: 2607:f1c0:1801:17::1: Invalid response from http://bigbanggamers.org/.well-known/acme-challenge/1p69NbrwDVGGpess4om5j2rcQvgJ-Amm_Vz_SsGoMCs: 404

Domain: www.bigbanggamers.org
Type: unauthorized
Detail: 2607:f1c0:1801:17::1: Invalid response from http://www.bigbanggamers.org/.well-known/acme-challenge/IztsTqw4J1IJfcXKGxpNzdhqacZtD_QFvdeKim1FWjs: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): a Linux VPS

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Ionos

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.2.2

This site was set up years ago and has self-renewed fine until a couple of months ago, when it just failed out of the blue with no known changes other than apt update and apt upgrade.

In an attempt to troubleshoot, I have an index.html that does display at URL http://www.bigbanggamers.org/.well-known/acme-challenge/
And I don't know if the following is a clue, but in the log I see mention of an nginx server, which I don't think should be there as I am using apache2:

2025-12-31 12:06:08,250:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/737219571/635914238746/30EMdw HTTP/1.1" 200 194
2025-12-31 12:06:08,250:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx

You (now) have an AAAA record in your DNS config for IPv6. Let's Encrypt prefers IPv6 when an AAAA record is available.

But, responses from your system using IPv6 are different than if using IPv4. This is almost always because the AAAA record value is wrong.

An nginx server replies for IPv6 requests. An Apache server replies for IPv4.

See test results: Let's Debug

Have you recently modified your DNS setup? Or, did Ionos add this maybe?

3 Likes

I have not made any changes to anything regarding records or DNS info etc. I called Ionos and they were not much help at all. I see there is info for IPv4 and IPv6; 2607:f1c0:f049:9700::1 is the info for IPv6, and all I have at my disposal is to delete it. Am I OK to just remove what I can regarding IPv6 info and just use 74.208.35.177 only?
Thanks for your help by the way!

1 Like

You could just delete the AAAA record but I'd worry it may be restored if you don't know where it came from. I'd also be concerned that something is updating your DNS without your knowledge. That would bother me a great deal 🙂

A curl using IPv6 sees a page that talks about Plesk. Do you use Plesk or did you try setting it up recently? Perhaps it added that DNS record.

curl -i6 http://bigbanggamers.org
HTTP/1.1 200 OK
Server: nginx
Last-Modified: Tue, 03 Jun 2025 20:43:27 GMT

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Web Server's Default Page</title>
    <meta name="copyright" content="Copyright 1999-2025. WebPros International GmbH. All rights reserved.">
    <script src="https://assets.plesk.com/static/default-website-content/public/default-server-index.js"></script>
</head>
<body>
    <h2>What is Plesk</h2>
    <p>
        Plesk is a <a href="https://www.plesk.com">hosting panel</a> with simple and secure web server, website and web apps management tools. It is specially designed to help web professionals manage web, DNS, mail and other services through a comprehensive and user-friendly GUI. Plesk is about intelligently managing servers, apps, websites and hosting businesses, on both traditional and cloud hosting.

An HTTPS request using IPv6 fails because the cert does not contain your domain name in it. Which makes sense. The cert has this domain name in it. Do you recognize that?

echo | openssl s_client -6 -connect bigbanggamers.org:443 | head -20

Certificate chain
 0 s:CN = 96924bc.online-server.cloud
   i:C = US, O = Let's Encrypt, CN = R12
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 18:14:37 2025 GMT; NotAfter: Jan 31 18:14:36 2026 GMT
3 Likes
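The IPv4-versus-IPv6 comparison done by hand above, automated as an added example (this is not code from the thread or from Certbot): it parses `curl -i` and `openssl s_client` output for each address family and flags a different Server header, a different status for the challenge directory, and a leaf certificate whose CN is not the domain. The Apache Server string in the embedded sample is constructed; the nginx reply and the `96924bc.online-server.cloud` CN are the values quoted in the thread.

```python
import re
import subprocess
import sys

PATH = "/.well-known/acme-challenge/"

def parse_curl(output):
    """HTTP status code and Server header from `curl -i` output."""
    status = re.search(r"^HTTP/\S+\s+(\d{3})", output, re.M)
    server = re.search(r"^server:\s*(.*?)\s*$", output, re.M | re.I)
    return {"status": int(status.group(1)) if status else None,
            "server": server.group(1) if server else None}

def parse_leaf_cn(output):
    """Subject CN of the leaf certificate (chain entry 0) from `openssl s_client` output."""
    m = re.search(r"^\s*0 s:.*?CN\s*=\s*([^,/\r\n]+)", output, re.M)
    return m.group(1).strip() if m else None

def cn_matches(cn, domain):
    """CN-only comparison; a full hostname check would also read the SAN list."""
    return cn.lower() == domain.lower()

def diagnose(domain, v4, v6):
    """Findings that explain why a CA validating over IPv6 sees a different site."""
    out = []
    if v4["server"] and v6["server"] and v4["server"].lower() != v6["server"].lower():
        out.append(f"split-brain: IPv4 served by {v4['server']}, IPv6 by {v6['server']}")
    if v4["status"] != v6["status"]:
        out.append(f"{PATH} returns {v4['status']} over IPv4 but {v6['status']} over IPv6")
    for fam, r in (("IPv4", v4), ("IPv6", v6)):
        if r.get("cn") and not cn_matches(r["cn"], domain):
            out.append(f"{fam}: TLS cert CN {r['cn']!r} is not for {domain}")
    return out

def probe(domain, flag):
    """Live probe with curl and openssl pinned to one address family (flag '-4' or '-6')."""
    def run(cmd): return subprocess.run(cmd, input="", capture_output=True, text=True).stdout
    http = run(["curl", "-sSi", flag, "-m", "10", f"http://{domain}{PATH}"])
    tls = run(["openssl", "s_client", flag, "-connect", f"{domain}:443", "-servername", domain])
    return dict(parse_curl(http), cn=parse_leaf_cn(tls))

# Constructed sample modelled on the outputs quoted in the thread (not captured live).
SAMPLE_V4 = dict(parse_curl("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"), cn="bigbanggamers.org")
SAMPLE_V6 = dict(parse_curl("HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n"), cn=parse_leaf_cn(
    "Certificate chain\n 0 s:CN = 96924bc.online-server.cloud\n   i:C = US, O = Let's Encrypt, CN = R12\n"))

if __name__ == "__main__":  # pass a domain for a live check; no argument runs the sample
    name = sys.argv[1] if len(sys.argv) > 1 else "bigbanggamers.org"
    v4, v6 = (probe(name, "-4"), probe(name, "-6")) if len(sys.argv) > 1 else (SAMPLE_V4, SAMPLE_V6)
    print("\n".join(diagnose(name, v4, v6) or ["no IPv4/IPv6 differences found"]))
```

Run it with no argument to see the three findings for the sample, or with a domain to repeat the live check on a host that needs both curl and openssl installed.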

Plesk is something they offer but I don't have anything to do with. I removed the AAAA records (domain and www.domain) and in my /etc/netplan 00-blahblah.yaml I only have IPv4 defined as true (default file generated by the Ubuntu 20 installer). I reran certbot --apache and it passed without error. So, I think I am resolved (at least partially for now). I will keep an eye out for DNS record changes and might look to change hosting. Thanks so much for your help sir! Any other words of wisdom will be greatly appreciated!

2 Likes

You are very welcome.

My only other words of wisdom are to say anyone connecting to your system using IPv6 would have seen that Plesk page rather than your server. It was not a problem unique to Let's Encrypt.

And, they likely would have seen a "Not Secure" site warning because of the invalid cert first. Only after acknowledging that would they have been shown the Plesk page. All in all an unpleasant experience for your visitors.

3 Likes