Certbot failed to authenticate some domains (authenticator: nginx)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: easygoshuttle.com.au

I ran this command: sudo certbot --nginx

It produced this output: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot.
Ensure the listed domains point to this nginx server and that it is accessible from the internet

My web server is (include version): nginx (gunicorn)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS x64

My hosting provider, if applicable, is: vultr.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cmder (ssh connection using root)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.28.0

The first thing I would check is if the IPv4 and IPv6 addresses in the DNS both point to your server IP. The Let's Encrypt server will use IPv6 if an AAAA record exists in the DNS, and in your case one does.

nslookup easygoshuttle.com.au
Address: 149.28.162.21
Address: 2401:c080:1800:4d18:5400:4ff:fe09:3d66

They should respond the same way but they don't, which indicates to me a problem with your nginx config, or the DNS A / AAAA record(s) are wrong.

The IPv4 (A record) returns a page talking about airport pickups (makes sense given your domain name). The IPv6 (AAAA record) returns a "Welcome to nginx" page.

Another example:

curl -I4 http://easygoshuttle.com.au
(using IPv4 I am redirected to /home/)

HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 19 Jun 2022 02:48:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Location: /home/
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

curl -I6 http://easygoshuttle.com.au
(Using IPv6 your server replies OK with nginx default page)

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 19 Jun 2022 02:48:44 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sat, 18 Jun 2022 11:49:23 GMT
Connection: keep-alive
ETag: "62adbbc3-264"
Accept-Ranges: bytes
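The IPv4-versus-IPv6 comparison done by hand above, written up as a repeatable pre-flight check to run before certbot. This is an added example, not code from the thread or from Certbot; it assumes curl is installed and the host has both IPv4 and IPv6 connectivity, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the IPv4-vs-IPv6 comparison
# above as a repeatable pre-flight check before running certbot.
# Assumes curl is installed and the host has both IPv4 and IPv6 connectivity;
# the function names are mine.

# Reduce a raw HTTP header block (stdin) to "STATUS|Server|Location", the
# fields that differed between the two curl runs above.
summarize_headers() {
    tr -d '\r' | awk '
        NR == 1 { status = $2 }
        tolower($1) == "server:"   { sub(/^[^ ]* /, ""); server = $0 }
        tolower($1) == "location:" { location = $2 }
        END {
            if (NR == 0) print "no-response"   # curl returned nothing
            else printf "%s|%s|%s\n", status, server, location
        }'
}

# Fetch response headers for one address family (4 or 6) of a domain.
fetch_headers() {
    curl -sS -I"$1" --max-time 10 "http://$2" 2>/dev/null
}

# Compare the two summaries; returns 0 only when both families answer alike.
compare_summaries() {
    if [ "$1" = "$2" ]; then
        echo "consistent: $1"
        return 0
    fi
    echo "MISMATCH ipv4=[$1] ipv6=[$2]: check the AAAA record and the nginx listen lines"
    return 1
}

check_dual_stack() {
    v4=$(fetch_headers 4 "$1" | summarize_headers)
    v6=$(fetch_headers 6 "$1" | summarize_headers)
    compare_summaries "$v4" "$v6"
}

# Constructed header blocks modelled on the two curl outputs in the thread.
SAMPLE_V4='HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Location: /home/'
SAMPLE_V6='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Length: 612'

# Usage: sh check.sh easygoshuttle.com.au (no argument: only define functions)
if [ $# -gt 0 ]; then check_dual_stack "$1"; fi
```

A "no-response" on one side means that address family never reached nginx at all, which points at the DNS record or firewall rather than the server block.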

Hi Mike, thank you for your reply, much appreciated. You said "IP4 and IP6 should respond the same way but they don't". Is this the main problem? I added IP6 in DNS yesterday. Do I have to delete the IP6 address in DNS? Without the IP6 address I think it should be fine. I will delete it and try again. Thanks a lot.

After I deleted the IPv6 address in DNS, all good now. It worked! Thank you so much.

I tried to log on to the easygo website but a serious message popped up, saying "Your connection is not private. Attackers might be trying to steal your information from www.easygoshuttle.com.au".

Glad it is now working. I see you got an answer about your "not private" message too on another thread.

I just wanted to follow up about your IPv6 problem. If you are sure your DNS IPv6 address was correct then you likely had a config problem in nginx. In your nginx server block for this domain, did you add a listen option for IPv6? There are several ways to do it but you should have had a listen which had [::] in it. As examples for IPv4 and IPv6:

        listen       80;
        listen       [::]:80;
and
        listen       443 ssl;
        listen       [::]:443 ssl;
