Cannot generate new certificates | Invalid response /.well-known/acme-challenge/XXX | Challenge failed for domain

My domain is: earnanswers.com

I ran this command: sudo certbot -v --nginx -d earnanswers.com -d www.earnanswers.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for earnanswers.com and www.earnanswers.com
Performing the following challenges:
http-01 challenge for www.earnanswers.com
Waiting for verification...
Challenge failed for domain www.earnanswers.com
http-01 challenge for www.earnanswers.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.earnanswers.com
Type: unauthorized
Detail: XXXX:XXXX::XXXX:XXXX:XXXX:XXXX: Invalid response from http://www.earnanswers.com/.well-known/acme-challenge/NUPPolRYa9tmIrwaKYPpRD56xVCcymigvfOZGPliO5g: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Linux localhost 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

More Information:

My certificate expired. Prior to expiry everything worked. Then I go to my website over HTTPS, see a privacy warning, and see that my certificates are "invalid".

I log in to my server terminal and try to generate new certificates, and as you can see I'm getting this authentication message. I need my website up ASAP. Help would be appreciated!

Have you always had an IPv6 address in your DNS? Because that is an IPv6 address in the error message. And, is your nginx server block configured to listen on IPv6?

The above error means your nginx did not reply with the correct info (a 404 Not Found) when Let's Encrypt requested the token.

If your nginx server block for that domain isn't listening for IPv6 that can happen.

Show us your server block for that domain for port 80 if you want us to check that.

3 Likes

Hello @Carrot, welcome to the Let's Encrypt community.

Your webserver configuration needs to be adjusted to be compatible with Certbot, which will make temporary changes.

1 Like

sudo nano earnanswers.com

server {

# listen 80;
# server_name earnanswers.com www.earnanswers.com;

# Redirect all HTTP requests to HTTPS
# return 301 https://$host$request_uri;

}

server {

listen 80;

# listen [::]:443 ssl ipv6only=on; # managed by Certbot
# listen 443 ssl; # managed by Certbot
server_name earnanswers.com www.earnanswers.com;

# SSL Configuration
# ssl_certificate /etc/letsencrypt/live/earnanswers.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/earnanswers.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

# Root and Index Files
root /var/www/earnanswers.com/html;
index index.html index.htm index.nginx-debian.html;

# Specific 301 Redirect
rewrite ^/blog-element/taches-recurrentes-sur-ubuntu-cron$ /blog-element/tâches-récurrentes-sur-ubuntu-cron permanent;
rewrite ^/blog-element/controle-acces-a-base-de-roles-rbac$ /blog-element/contrôle-accès-à-base-de-rôles-rbac permanent;
rewrite ^/blog-element/controle-dacces-a-base-de-roles-rbac$ /blog-element/contrôle-accès-à-base-de-rôles-rbac permanent;
rewrite ^/blog-element/roles-en-wordpress$ /blog-element/rôles-en-wordpress;
rewrite ^/blog-element/couche-2-modele-OSI$ /blog-element/couche-2-modèle-OSI permanent;
rewrite ^/blog-element/peptides-de-collagene-verisol-avis$ /blog-element/peptides-de-collagène-verisol-avis permanent;
rewrite ^/blog-element/liens-pour-creer-un-bot-twitter-personnalise-ia$ /blog-element/liens-pour-créer-un-bot-twitter-personnalisé-ia permanent;
rewrite ^/blog-element/taches-recurrentes-sur-ubuntu-cron$ /blog-element/tâches-récurrentes-sur-ubuntu-cron permanent;


location ~ /.well-known {
    allow all;
}

# location / {
    # try_files $uri $uri/ =404;
# }

# Other Locations
location / {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

location /sub/ {
    proxy_pass http://localhost:3002;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

location /robots.txt {
    alias /var/www/earnanswers.com/html/robots.txt;
}

}

sudo nano second.earnanswers.com

Server block for redirecting HTTP to HTTPS

server {

# listen 80;
# listen [::]:80;
# server_name second.earnanswers.com www.second.earnanswers.com;

# Redirect all HTTP requests to HTTPS
# return 301 https://$host$request_uri; # managed by Certbot

}

Server block for handling HTTPS requests

server {

listen 80;
listen [::]:80;


# listen [::]:443 ssl; # managed by Certbot
# listen 443 ssl; # managed by Certbot
server_name second.earnanswers.com www.second.earnanswers.com;

# SSL Configuration
# ssl_certificate /etc/letsencrypt/live/second.earnanswers.com/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/second.earnanswers.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

# Root and Index Files
root /var/www/second.earnanswers.com/html;
index index.html index.htm index.nginx-debian.html;


# Location block for /croncurlpoc
location /croncurlpoc/ {
    # Allow only the server itself
    allow 127.0.0.1;
    allow ::1; # For IPv6 localhost
    deny all;

    proxy_pass http://localhost:3001;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

# Location block
location / {
    proxy_pass http://localhost:3001;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

}

Your port 80 server block for second subdomain listens properly for IPv4 and v6.

But your earnanswers and its www subdomain server block only listens on IPv4. You need to add the IPv6 listen to it.

3 Likes

I was able to generate the certificates for earnanswers.com. Thank you!

Now, when trying to generate the certificates for subdomain second, when executing this:

sudo certbot -v --nginx -d second.earnanswers.com -d www.second.earnanswers.com

The output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for second.earnanswers.com and www.second.earnanswers.com
Performing the following challenges:
http-01 challenge for www.second.earnanswers.com
Waiting for verification...
Challenge failed for domain www.second.earnanswers.com
http-01 challenge for www.second.earnanswers.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.second.earnanswers.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.second.earnanswers.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.second.earnanswers.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Records:
second XXX:XXX::XXXX:XXXX:XXXX:XXXX Default
second XXX.XX.XX.XXX Default

I went to Linode to add an AAAA record for the second subdomain with the IPv6 address (it was missing).
I did it 10 min ago. Tried to regenerate the certificates, and same issue.

Do I need to wait 24h or so for the changes to "propagate"?

Appreciate the assistance.

Carrot.

Yes, but you did not add an A and AAAA record for the www subdomain of that.

Those are missing for www.second.earnanswers.com

No. Let's Encrypt queries the authoritative DNS servers directly.

2 Likes
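Both failure modes diagnosed in the replies above (a server block that listens only on IPv4 while the name has an AAAA record, and a www name with no A/AAAA records at all) can be reasoned about offline. The following Python script is an added example, not code from this thread, from Certbot or from nginx. It models the two rules the replies rely on: Let's Encrypt resolves the name, connects over IPv6 first when an AAAA record exists, and retries over IPv4 only after a network-level failure (an HTTP 404 received over IPv6 is final); nginx chooses the server block by listening socket (address family and port) first and by server_name second, falling back to that socket's default server. It assumes the stock Ubuntu default site is still enabled and listening on [::]:80 (the thread does not show it, but something had to answer the IPv6 request with a 404); the zone and addresses are constructed with documentation addresses.

```python
"""Offline model of an ACME http-01 validation against an nginx config.

Added example, not from the thread, Certbot or nginx. Models:
  * CA side: IPv6 first when an AAAA exists; IPv4 retry only after a
    connection error; any HTTP answer (200 or 404) ends the attempt.
  * nginx side: match the listening socket (family, port), then the
    server_name, else that socket's default server.
"""
import re


def parse_server_blocks(conf):
    """Return [{'listen': [...], 'server_name': [...], 'default': bool}] per server {}.

    Minimal parser: strips '#' comments, brace-matches each server block and
    reads only listen and server_name (wildcard/regex names not modelled).
    """
    text = re.sub(r"#.*", "", conf)
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        blk = {"listen": [], "server_name": [], "default": False}
        for d in re.finditer(r"\b(listen|server_name)\s+([^;]+);", body):
            words = d.group(2).split()
            if d.group(1) == "listen":
                blk["listen"].append(words[0])
                blk["default"] |= "default_server" in words
            else:
                blk["server_name"].extend(w.lower() for w in words)
        blocks.append(blk)
    return blocks


def listen_family(spec):
    """'80' or '*:80' -> ('v4', 80); '[::]:80' -> ('v6', 80). A bare port is IPv4-only on Linux."""
    if spec.startswith("["):
        return "v6", int(spec.rsplit(":", 1)[1])
    if ":" in spec:
        return "v4", int(spec.rsplit(":", 1)[1])
    return "v4", int(spec)


def select_server(blocks, name, family, port=80):
    """nginx's choice for a request to name over family:port, or None if nothing listens."""
    cands = [b for b in blocks if (family, port) in [listen_family(s) for s in b["listen"]]]
    if not cands:
        return None
    by_name = [b for b in cands if name.lower() in b["server_name"]]
    defaults = [b for b in cands if b["default"]]
    return (by_name or defaults or cands)[0]


def check_http01(names, dns, blocks):
    """Return {name: 'ok' or the reason the CA would report}."""
    result = {}
    for name in names:
        rec = dns.get(name.lower(), {})
        order = [fam for fam, rr in (("v6", "AAAA"), ("v4", "A")) if rec.get(rr)]
        if not order:
            result[name] = "dns: NXDOMAIN looking up A and AAAA; add the records first"
            continue
        for family in order:
            srv = select_server(blocks, name, family)
            if srv is None:  # connection refused: network error, CA tries the next family
                result[name] = f"nothing listens on {family} port 80 (connection refused)"
                continue
            if name.lower() in srv["server_name"]:
                result[name] = "ok"
            else:
                result[name] = (f"{family} request lands on the default server for port 80 "
                                f"(server_name {' '.join(srv['server_name'])}); expect 404 for the token")
            break  # an HTTP answer, right or wrong, ends the validation
    return result


# Constructed: assumed stock Ubuntu default site, plus the block as posted in the thread (IPv4 only).
AS_POSTED = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
}
server {
    listen 80;
    server_name earnanswers.com www.earnanswers.com;
    location ~ /.well-known { allow all; }
    location / { proxy_pass http://localhost:3000; }
}
"""
# The fix from the replies: the same block also listening on IPv6.
WITH_IPV6 = AS_POSTED.replace("listen 80;\n", "listen 80;\n    listen [::]:80;\n")

# Constructed zone (documentation addresses); www.second has no records, as in the thread.
DNS = {
    "earnanswers.com": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "www.earnanswers.com": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "second.earnanswers.com": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}

if __name__ == "__main__":
    names = ["earnanswers.com", "www.earnanswers.com", "www.second.earnanswers.com"]
    for label, conf in (("as posted", AS_POSTED), ("with listen [::]:80", WITH_IPV6)):
        print(f"--- {label}")
        for name, verdict in check_http01(names, DNS, parse_server_blocks(conf)).items():
            print(f"  {name}: {verdict}")
```

The model also shows why the thread got a 404 rather than a connection error: if no server block at all listened on [::]:80, the IPv6 attempt would fail at the network level and the CA would retry over IPv4, where the posted block answers correctly. It is the other block on the IPv6 socket (the default site, assumed here) that turns a missing `listen [::]:80;` into a final 404. The script only models nginx's exact-name matching; a real configuration with wildcard server_names or a non-standard `default_server` needs `nginx -T` and letsdebug.net as the replies suggest.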

My A/AAAA Record

earnanswers.com	XXX.XX.XX.XXX	Default

earnanswers.com	XXX:XXX::XXXX:XXXX:XXXX:XXXX	Default

mail	XXX.XX.XX.XXX	Default

mail	XXX:XXX::XXXX:XXXX:XXXX:XXXX	Default

second	XXX:XXX::XXXX:XXXX:XXXX:XXXX	Default

second	XXX.XX.XX.XXX	Default

www	XXX.XX.XX.XXX	Default

www	XXX:XXX::XXXX:XXXX:XXXX:XXXX	Default

Do I add

www.second XXX.XX.XX.XXX
www.second XXX:XXX::XXXX:XXXX:XXXX:XXXX

or do I add

www.second.earnanswers.com XXX.XX.XX.XXX
www.second.earnanswers.com XXX:XXX::XXXX:XXXX:XXXX:XXXX

?

New error because I made too many requests ....

sudo certbot -v --nginx -d second.earnanswers.com -d www.second.earnanswers.com

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for second.earnanswers.com and www.second.earnanswers.com
An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Different panels work differently. Sometimes they need the whole name and some just the extra parts before the base name. Some need a trailing period some do not. I don't remember how yours works.

But, it looks like you figured it out as I see A and AAAA for both those names now.

You just have to wait an hour due to too many failures

You should be testing with https://letsdebug.net to avoid these rate limits with Let's Encrypt production system

And, you can use https://unboundtest.com to check DNS similar to how LE does it

3 Likes

Likely, these.
[but test them out]

3 Likes

@rg305 @MikeMcQ
Thanks guys, I'm working on it. I was able to generate the certs.

2 Likes

My certificates are set.

Is the auto-renew system set up?

If not:

Now I want an auto cert renewal system set up.

My cert renewal system got lost, it seems.

sudo systemctl status certbot.timer
Unit certbot.timer could not be found.

ChatGPT's solution:

Manual Cron Job Setup:

If you don't find a cron job for Certbot, you can set one up manually. Open the root user's crontab for editing:

sudo crontab -e

Add a line to run certbot renew twice daily:

0 */12 * * * certbot renew --quiet

This command will silently attempt to renew any certificates that are within 30 days of expiration.


What do you guys think? Is this the way to go to setup a robust renewal system?


FYI: I installed certbot using:

apt install certbot python3-certbot-nginx

Please refer to the Certbot docs rather than chatGPT.

https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

This especially is a bad idea. It creates load spikes on the LE Servers. Sure, you are just a couple certs but the '0' minute is overused by so many it can create problems.

See these FAQ answers from LE about that.

2 Likes

Further to my previous post, at one time it looked like you had the snap install rather than the apt one. If sudo certbot --version is not at least 2.9 it would be best to restore that.

See below and follow each step carefully. Ubuntu readily supports snap.

1 Like

I think you should listen to humans - not bots.

The downfall of human society...

2 Likes

sudo systemctl status snap.certbot.renew.timer
● snap.certbot.renew.timer - Timer renew for snap application certbot.renew
     Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Thu 2024-02-08 21:10:08 UTC; 1 month 5 days ago
    Trigger: Sat 2024-03-16 00:16:00 UTC; 2h 22min left
   Triggers: ● snap.certbot.renew.service

Feb 08 21:10:08 localhost systemd[1]: Started Timer renew for snap application certbot.renew.

Am I good with the auto renew for the certificates?

Get with the 2030 program amigo!

The timer looks good. You can test the renew right now with below. It will not affect your existing certs

sudo certbot renew --dry-run

You can also check your certs in 61 days to see if they renewed with

sudo certbot certificates

And also check the cert your server is using from a browser or other tool like SSLLabs.com in 61 days to make sure it is using the fresh cert.

Once you test the first renewal they should be fine after. It's always a good idea to have some sort of monitoring system in place to alert you when things go wrong. There are many such services online or which you can setup manually yourself.

2 Likes

If only AI anno 2024 were as good as the AI from 2030... Meaning: currently AI is often (not always) quite terrible, I'm afraid. Cute with the whole language model thing, but actually intelligent? No... Far from it.

The problem with that is: if you're not knowledgeable with regard to the topic at hand, you don't have a clue what )#(*$() the AI bot is talking about. It all sounds quite right, because it's a language model: it knows quite well how to present anything, true or false. Only if you have at least some knowledge about the topic do you recognise the flaws in the answers and claims.

3 Likes