Certbot can not retrieve verification file on my site but curl is able to retrieve it

My domain is: cardaviz.app

I ran this command: certbot certonly --manual
After manually creating the files on my web server, I verified that I can fetch them with curl successfully

curl http://cardaviz.app/.well-known/acme-challenge/hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034

hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034.Of2sfdB_Gxfx5hdETrVrcTPK3A6TfAMq2quOoDshJ9

but when certbot tries to fetch them it claims that it gets 400 Bad Request.

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): cardaviz.app
Requesting a certificate for cardaviz.app


Create a file containing just this data:

hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034.Of2sfdB_Gxfx5hdETrVrcTPK3A6TfAMq2quOoDshJ9c

And make it available on your web server at this URL:

http://cardaviz.app/.well-known/acme-challenge/hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: cardaviz.app
Type: connection
Detail: 2a03:b0c0:1:d0::116c:2001: Fetching http://cardaviz.app/.well-known/acme-challenge/hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034: Error getting validation data

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

and in letsencrypt.log, I see the following
{
"identifier": {
"type": "dns",
"value": "cardaviz.app"
},
"status": "invalid",
"expires": "2023-09-10T22:31:21Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "2a03:b0c0:1:d0::116c:2001: Fetching http://cardaviz.app/.well-known/acme-challenge/hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034: Error getting validation data",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261111039096/o01gPQ",
"token": "hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034",
"validationRecord": [
{
"url": "http://cardaviz.app/.well-known/acme-challenge/hsyFgnreCbAaI6RMWuKzvaU3yKSsqxoA2z7d50kM034",
"hostname": "cardaviz.app",
"port": "80",
"addressesResolved": [
"159.65.34.99",
"2a03:b0c0:1:d0::116c:2001"
],
"addressUsed": "2a03:b0c0:1:d0::116c:2001"
}
],
"validated": "2023-09-03T22:33:47Z"
}
]
}

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Welcome @pierre.boudreau

It looks like you have a problem with your IPv6 address in your DNS. Let's encrypt will favor that when present. See

7 Likes

Thanks! This was indeed the problem. Removed the AAAA record and it worked.

2 Likes

Hoping that you considered fixing the IPv6 connectivity instead of just removing.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.