Certbot doesn't work with gunicorn + nginx

My domain is: bizdin.kg

I ran this command: ./letsencrypt-auto

It produced this output: To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Ubuntu 18 + nginx + gunicorn

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Hi @Eliotnand

there is a check of your domain, ~~ one hour old - https://check-your-website.server-daten.de/?q=bizdin.kg

You have ipv4- and ipv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| bizdin.kg | A | 172.104.136.252 | yes | 1 | 0 |
| | A | 192.168.133.75 | yes | 1 | 0 |
| | AAAA | 2a01:7e01::f03c:91ff:fe14:8abf | yes | | |
| | AAAA | 2a01:7e01::f03c:91ff:feb0:f43d | yes | | |
| | AAAA | fe80::f03c:91ff:fe14:8abf | yes | | |
| www.bizdin.kg | A | 172.104.136.252 | yes | 1 | 0 |
| | AAAA | 2a01:7e01::f03c:91ff:feb0:f43d | yes | | |

Some addresses are private, remove these.

Y bizdin.kg
192.168.133.75
warning: Private ip address found: 192.168.0.0 to 192.168.255.255: Class C - 256 private net, every with 256 addresses
Y bizdin.kg
fe80::f03c:91ff:fe14:8abf
warning: Private ip address found: fe80:0000:0000:0000:0000:0000:0000:0000 to fe80:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Link-local address

But critical: Your ipv6 has other answers:

Ipv4 is redirected, ipv6 doesn't answer or is blocked:

K http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 172.104.136.252, Status 301
http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a01:7e01::f03c:91ff:fe14:8abf, Status -2
configuration problem - different ip addresses with different status
K http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 172.104.136.252, Status 301
http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a01:7e01::f03c:91ff:feb0:f43d, Status 403
configuration problem - different ip addresses with different status
K http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 172.104.136.252, Status 301
http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a01:7e01::f03c:91ff:feb0:f43d, Status 403
configuration problem - different ip addresses with different status
K http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a01:7e01::f03c:91ff:fe14:8abf, Status -2
http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a01:7e01::f03c:91ff:feb0:f43d, Status 403
configuration problem - different ip addresses with different status

Letsencrypt prefers ipv6, so this is critical.

Update your configuration and recheck your domain.
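The checks described in the answer above, as an added example that is not part of the original post or of the check-your-website tool: it flags DNS records a public validation server cannot reach and hosts whose addresses answer the challenge URL differently. The `RECORDS` list is a constructed sample built from the output quoted in the thread; the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (host, address, HTTP status of the challenge probe), taken
# from the check output quoted above. None = no probe shown; -2 = no answer.
RECORDS = [
    ("bizdin.kg", "172.104.136.252", 301),
    ("bizdin.kg", "192.168.133.75", None),
    ("bizdin.kg", "2a01:7e01::f03c:91ff:fe14:8abf", -2),
    ("bizdin.kg", "2a01:7e01::f03c:91ff:feb0:f43d", 403),
    ("bizdin.kg", "fe80::f03c:91ff:fe14:8abf", None),
    ("www.bizdin.kg", "172.104.136.252", 301),
    ("www.bizdin.kg", "2a01:7e01::f03c:91ff:feb0:f43d", 403),
]

def unreachable_reason(ip_text):
    """Return why a public validation server cannot reach this address, or None."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_link_local:
        return "link-local"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return None

def audit(records):
    """Per host: non-public records, diverging statuses, silent IPv6 targets."""
    findings = defaultdict(list)
    probes = defaultdict(dict)
    for host, ip, status in records:
        reason = unreachable_reason(ip)
        if reason:
            findings[host].append(f"remove {ip} from DNS ({reason})")
        elif status is not None:
            probes[host][ip] = status
    for host, per_ip in probes.items():
        if len(set(per_ip.values())) > 1:
            findings[host].append(f"addresses answer differently: {per_ip}")
        for ip, status in per_ip.items():
            # The answer notes Let's Encrypt prefers IPv6, so a silent AAAA target matters.
            if ":" in ip and status < 0:
                findings[host].append(f"IPv6 address {ip} does not answer")
    return dict(findings)

if __name__ == "__main__":
    for host, items in audit(RECORDS).items():
        for item in items:
            print(f"{host}: {item}")
```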

@JuergenAuer, thanks, but I want to create the HTTPS domain on another IP.
On the new IP there will be a new version of the site. ‘172.104.136.252’ will stay.

Now it’s ~~ better. Your last check ( https://check-your-website.server-daten.de/?q=bizdin.kg ):

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | Remarks |
|---|---|---|---|---|---|---|
| http://bizdin.kg/ | 172.104.136.252 | 200 | | 1.326 | H | |
| http://bizdin.kg/ | 2a01:7e01::f03c:91ff:feb0:f43d | 200 | | 0.213 | H | |
| http://www.bizdin.kg/ | 172.104.136.252 | 200 | | 0.146 | H | |
| http://www.bizdin.kg/ | 2a01:7e01::f03c:91ff:feb0:f43d | 200 | | 0.200 | H | |
| https://bizdin.kg/ | 172.104.136.252 | -2 | | 1.070 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 172.104.136.252:443 |
| https://bizdin.kg/ | 2a01:7e01::f03c:91ff:feb0:f43d | -2 | | 1.083 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a01:7e01::f03c:91ff:feb0:f43d]:443 |
| https://www.bizdin.kg/ | 172.104.136.252 | -2 | | 1.064 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 172.104.136.252:443 |
| https://www.bizdin.kg/ | 2a01:7e01::f03c:91ff:feb0:f43d | -2 | | 1.087 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a01:7e01::f03c:91ff:feb0:f43d]:443 |
| http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 172.104.136.252 | 301 | http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de/ | 0.053 | D | Visible Content: |
| http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 172.104.136.252 | 301 | http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de/ | 0.046 | D | Visible Content: |
| http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2a01:7e01::f03c:91ff:feb0:f43d | 403 | | 0.050 | M | Forbidden. Visible Content: 403 Forbidden nginx |
| http://bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de/ | | 403 | | 1.097 | M | Forbidden. Visible Content: 403 Forbidden nginx |
| http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2a01:7e01::f03c:91ff:feb0:f43d | 403 | | 0.043 | M | Forbidden. Visible Content: 403 Forbidden nginx |
| http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de/ | | 403 | | 0.057 | M | Forbidden. Visible Content: 403 Forbidden nginx |

Your ipv6 + http + / works. Https doesn’t work, but that’s not critical.

But ipv4

• http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

is redirected to

• http://www.bizdin.kg/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de/

with a slash at the end. ipv6 + http has a http status 403.

That status is critical. So check your directory permissions, add /.well-known/acme-challenge and change (chmod) 755.
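The permission check suggested in the answer above, as an added example that is not part of the original post: it walks from a webroot down to `.well-known/acme-challenge` and reports every directory that is missing or lacks read and execute for "other" users, then applies the advised 755. The webroot is a temporary directory constructed for the demo, the function names are hypothetical, and the check assumes the nginx worker user is neither owner nor group member of these directories.

```python
import os
import stat
import tempfile

CHALLENGE_PARTS = (".well-known", "acme-challenge")

def blocked_components(webroot):
    """Return (path, mode) for each directory on the way to the challenge
    directory that is missing (mode None) or lacks r-x for 'other'."""
    problems = []
    parts = (webroot,) + CHALLENGE_PARTS
    for i in range(1, len(parts) + 1):
        path = os.path.join(*parts[:i])
        if not os.path.isdir(path):
            problems.append((path, None))      # missing: nothing to serve from
            break
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o005 != 0o005:              # 'other' needs read + execute
            problems.append((path, oct(mode)))
    return problems

def prepare(webroot):
    """Create the challenge directory and set 755 on it and its parent."""
    target = os.path.join(webroot, *CHALLENGE_PARTS)
    os.makedirs(target, exist_ok=True)
    for directory in (os.path.dirname(target), target):
        os.chmod(directory, 0o755)
    return target

def demo():
    """Constructed scenario: challenge directory exists but is mode 700."""
    with tempfile.TemporaryDirectory() as webroot:
        os.chmod(webroot, 0o755)
        target = os.path.join(webroot, *CHALLENGE_PARTS)
        os.makedirs(target)
        os.chmod(os.path.dirname(target), 0o755)
        os.chmod(target, 0o700)
        before = blocked_components(webroot)
        prepare(webroot)
        after = blocked_components(webroot)
        return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Directories above the webroot need the same traversal bit; the walk here starts at the webroot only.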
