Certbot failed to authenticate some domains (authenticator: nginx) while using playit.gg to tunnel pteradactyl panel website

My domain is: serverpanel.obsidiusnet.au

I ran this command: certbot certonly --nginx -d staffpanel.obsidiusnet.au

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for staffpanel.obsidiusnet.au

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: staffpanel.obsidiusnet.au
  Type:   unauthorized
  Detail: 2606:4700:20::ac43:4844: Invalid response from https://playit.gg: "<!DOCTYPE html><html lang=\"en\"><head><meta charSet=\"utf-8\"/><meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04.1 LTS

My hosting provider, if applicable, is: Self host

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

I am using playit.gg to tunnel pteradactyl panel. I am following the instructions on "Creating SSL Certificates" Creating SSL Certificates | Pterodactyl and whenever I run the command "certbot certonly --nginx -d staffpanel.obsidiusnet.au" I get the error above.

Hello @Grandalfwise, welcome to the Let's Encrypt community. :slightly_smiling_face:

Trying the HTTP-01 ACME Challenge gets redirected to https://playit.gg

$ curl -Ii http://staffpanel.obsidiusnet.au/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Moved Temporarily
Server: playit-cloud
Location: https://playit.gg

Following the redirection to https://playit.gg, note the .well-known/acme-challenge/<TOKEN> doesn't get passed on in the redirection.

$ curl -k -Ii https://playit.gg
HTTP/2 200
date: Thu, 09 Jan 2025 04:26:31 GMT
content-type: text/html; charset=utf-8
vary: Accept-Encoding
last-modified: Thu, 09 Jan 2025 03:33:34 GMT
cache-control: max-age=1200
cf-cache-status: HIT
age: 2795
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S6biKd6iFlVoYigLF%2FFBvzSqzQyI%2FoyPI36eWyRXlGspWiUBabSMoXihrCHupoy8NCg2WWCB%2Fhii8mP5U9VVJPRccnW17y7Mvd9qAplosSkY4Ii%2Fzzzx76eNaw%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8ff1ab6d0f156c8a-SEA
server-timing: cfL4;desc="?proto=TCP&rtt=12476&min_rtt=11839&rtt_var=4343&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3403&recv_bytes=777&delivery_rate=244615&cwnd=252&unsent_bytes=0&cid=0e951ab62b918723&ts=41&x=0"

Edit

Also the CNAME point to band-gg.gl.at.ply.gg which has 2 IP Addresses an IPv4 and an IPv6
both need respond the same.

$ nslookup staffpanel.obsidiusnet.au
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
staffpanel.obsidiusnet.au       canonical name = band-gg.gl.at.ply.gg.
Name:   band-gg.gl.at.ply.gg
Address: 147.185.221.25
Name:   band-gg.gl.at.ply.gg
Address: 2602:fbaf:808:1::19
1 Like

Hey @Bruce5051 thanks for the information. Do you have any idea's on how I can fix the problem of staffpanel.obsidiusnet.au redirecting to playit.gg instead of to the pterodactyl panel?

1 Like

I was able to fix the problem by using the command: certbot -d example.com --manual --preferred-challenges dns certonly.
I can't automatically renew the ssl cert but it works.

2 Likes