Certbot failed to authenticate some domains (authenticator: nginx)

My domain is:

devc0n.nl

I ran this command:

sudo certbot --nginx -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): devc0n.nl
Requesting a certificate for devc0n.nl
Performing the following challenges:
http-01 challenge for devc0n.nl
Waiting for verification...
Challenge failed for domain devc0n.nl
http-01 challenge for devc0n.nl

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: devc0n.nl
  Type:   unauthorized
  Detail: 2a05:d018:964:c0b:ca65:7773:2dd7:d9bd: Invalid response from http://devc0n.nl/.well-known/acme-challenge/eQrxeLL1W9lEMHIwQ0_lEbywHcAw5YcUAmpM8jDnEwQ: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<!doctype html><html lang=\"nl\"><head> <meta charset=\"UTF-8\"> <meta name="

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):

nginx/1.18.0

The operating system my web server runs on is (include version):

Debian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is:

hardware = RaspberryPi 3b

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.32.2

I'm sorry to bother you guys with this :see_no_evil:

I've gotten a good suggested topic once I posted this question and I have figured it out.

I still had an AAAA record with an IPv6 address in the DNS records, which was then quite obviously pinged by Certbot. As I don't have an IPv6 address, I just deleted this from my DNS records at the domain provider, and the issue was resolved!

4 Likes
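The failure described in this post (a stale AAAA record whose host answers the HTTP-01 request with an unrelated HTML page) can be checked locally before running certbot. The Python script below is an added example, not code from this thread, from Certbot or from Let's Encrypt: it resolves both the A and AAAA records of a domain, fetches the challenge URL over every address with the Host header set, and reports each address that does not return the expected key authorization, so a forgotten IPv6 record shows up as the culprit. The domain, token, key authorization and addresses in the built-in demo are constructed placeholders (documentation ranges); only `fetch_over_ip` touches the network, and only when you pass a real domain on the command line.

```python
import socket
import sys
import urllib.request
from typing import Dict, List

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve_all(domain: str, getaddrinfo=socket.getaddrinfo) -> Dict[str, List[str]]:
    """Return {'A': [...], 'AAAA': [...]} for every address the domain resolves to.
    Both families matter: a forgotten AAAA record is looked up just like the A record."""
    found: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for family, _stype, _proto, _canon, sockaddr in getaddrinfo(domain, 80, type=socket.SOCK_STREAM):
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in found[rtype]:
            found[rtype].append(sockaddr[0])
    return found


def fetch_over_ip(ip: str, domain: str, token: str, timeout: float = 10.0) -> str:
    """Fetch the challenge URL from one specific address, sending the Host header so
    nginx selects the server block for the domain. Raises OSError (URLError and
    HTTPError are subclasses) when the request fails; returns the body otherwise."""
    host = f"[{ip}]" if ":" in ip else ip
    req = urllib.request.Request(f"http://{host}{CHALLENGE_PATH}{token}", headers={"Host": domain})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_http01(domain: str, token: str, expected_body: str,
                 addresses: Dict[str, List[str]], fetch=fetch_over_ip) -> List[dict]:
    """Try the challenge over every resolved address, IPv6 first (Let's Encrypt tries
    the AAAA address when one exists), and record whether each serves the expected
    key authorization. Stricter than the CA: every non-answering address is reported."""
    results: List[dict] = []
    for rtype in ("AAAA", "A"):
        for ip in addresses.get(rtype, []):
            entry = {"rtype": rtype, "ip": ip}
            try:
                body = fetch(ip, domain, token)
            except OSError as exc:
                entry.update(ok=False, reason=f"request failed: {exc}")
            else:
                if body.strip() == expected_body:
                    entry.update(ok=True, reason="key authorization served")
                else:
                    entry.update(ok=False, reason=f"unexpected body {body.strip()[:40]!r}")
            results.append(entry)
    return results


def advice(results: List[dict]) -> List[str]:
    """Turn failures into the concrete DNS or server fixes this thread arrived at."""
    out = []
    for r in results:
        if r["ok"]:
            continue
        if r["rtype"] == "AAAA":
            out.append(f"AAAA {r['ip']}: {r['reason']}; serve the challenge on that IPv6 host, "
                       "or remove the AAAA record if the server has no IPv6 address")
        else:
            out.append(f"A {r['ip']}: {r['reason']}; check that port 80 reaches this nginx")
    return out


# --- Constructed demo data (placeholders, not the thread's real domain or addresses) ---
SAMPLE_DOMAIN = "example.test"
SAMPLE_TOKEN = "constructed-token"
SAMPLE_KEY_AUTH = SAMPLE_TOKEN + ".constructed-account-thumbprint"


def sample_getaddrinfo(host, port, type=0):
    """Stand-in for socket.getaddrinfo: one stale AAAA record plus two A records."""
    return [
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::1", port, 0, 0)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port)),
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.11", port)),
    ]


def sample_fetch(ip: str, domain: str, token: str) -> str:
    """Stand-in for fetch_over_ip: the IPv6 host returns someone else's HTML page
    (the symptom in the thread), one IPv4 host serves the token, one refuses."""
    if ip == "2001:db8::1":
        return '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html lang="nl">'
    if ip == "192.0.2.11":
        raise ConnectionRefusedError("connection refused")
    return SAMPLE_KEY_AUTH + "\n"


def demo():
    """Run the full pipeline on the constructed data; returns (results, advice)."""
    addrs = resolve_all(SAMPLE_DOMAIN, getaddrinfo=sample_getaddrinfo)
    results = check_http01(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_KEY_AUTH, addrs, fetch=sample_fetch)
    return results, advice(results)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # real check: domain, token, key authorization
        dom, tok, keyauth = sys.argv[1:]
        res = check_http01(dom, tok, keyauth, resolve_all(dom))
    else:
        res, _ = demo()
    for r in res:
        print(f"{r['rtype']:4} {r['ip']:40} {'OK ' if r['ok'] else 'BAD'} {r['reason']}")
    for line in advice(res):
        print("->", line)
```

For a real run, place a file with the key authorization under nginx's `.well-known/acme-challenge/` and pass its name and contents as the token and key authorization; any address listed as BAD is one the CA could select, so the fix is either to make that host serve the challenge or to remove the record pointing at it.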

Hello @devc0n, welcome to the Let's Encrypt community. :slightly_smiling_face:

Let's Debug results for HTTP-01 Challenge https://letsdebug.net/devc0n.nl/1344019 show that Port 80 is not open, please click through to the results.

Best Practice - Keep Port 80 Open

However I see with nmap Port 80 is open on both IPv6 & IPv4; Port 443 is open on IPv6 and closed on IPv4.

>nmap -6 -Pn devc0n.nl
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:35 UTC
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 37.95% done; ETC: 15:36 (0:00:51 remaining)
Nmap scan report for devc0n.nl (2a05:d018:964:c0b:ca65:7773:2dd7:d9bd)
Host is up (0.13s latency).
Other addresses for devc0n.nl (not scanned): 92.109.54.16
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 68.30 seconds

>nmap -4 -Pn devc0n.nl
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:34 UTC
Nmap scan report for devc0n.nl (92.109.54.16)
Host is up (0.15s latency).
Other addresses for devc0n.nl (not scanned): 2a05:d018:964:c0b:ca65:7773:2dd7:d9bd
rDNS record for 92.109.54.16: 92-109-54-16.cable.dynamic.v4.ziggo.nl
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 76.01 seconds
2 Likes

I'll check again in a couple of minutes to let DNS propagate.

1 Like

Yep; Let's Debug results look OK now https://letsdebug.net/devc0n.nl/1344035

1 Like

First of all, thank you for the quick reply!

And regarding port 443, I should probably enable that port in my nginx config, right? To force traffic onto the HTTPS routing.

4 Likes

Glad you fixed it already. Just a technical point ... Certbot is not the one "pinging" it. Certbot is the ACME Client and makes the cert request. But, it is the Let's Encrypt ACME Servers that make HTTP requests to your domain.

As for port 443, I see it open

4 Likes

Supplemental information, as do I presently.

$ nmap -4 -Pn devc0n.nl
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-20 15:40 UTC
Nmap scan report for devc0n.nl (92.109.54.16)
Host is up (0.20s latency).
rDNS record for 92.109.54.16: 92-109-54-16.cable.dynamic.v4.ziggo.nl
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 14.01 seconds
2 Likes