Certbot failed to authenticate some domains (authenticator: nginx)

Hey,
I'm trying to generate a certificate on my Ubuntu server, but I keep getting failed challenges.

My domain is: develop-api.humahire.com

Here is the output when I try to generate it using this command: sudo certbot certonly --nginx -d develop-api.humahire.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for develop-api.humahire.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: develop-api.humahire.com
  Type:   unauthorized
  Detail: 13.229.214.187: Invalid response from http://develop-api.humahire.com/.well-known/acme-challenge/CuHxbbxSQeA5_hURT2Klaxoh8tI891Rxzs4VcMhCKkM: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I already deleted the IPv6 record from my DNS, but I'm still getting failed challenges.

And here's my nginx config:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        server {
                listen 80;
                server_name develop-api.humahire.com;

                location /.well-known/acme-challenge {
                        root /var/www/html;
                        default_type "text/plain";
                }

                # Redirect HTTP to HTTPS if desired
                # Uncomment the following lines if you want to redirect HTTP to HTTPS
                #listen 443 ssl;
                #ssl_certificate /path/to/ssl_certificate.pem;
                #ssl_certificate_key /path/to/ssl_certificate_key.pem;
                #return 301 https://$host$request_uri;
        }
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Thank you

Hello @yogatrista, welcome to the Let's Encrypt community. :slightly_smiling_face:

Yet, using the online tool https://unboundtest.com/, I see IPv6 addresses via a CNAME, here https://unboundtest.com/m/AAAA/develop-api.humahire.com/P2GF2Z3J

Query results for AAAA develop-api.humahire.com

Response:
;; opcode: QUERY, status: NOERROR, id: 19893
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;develop-api.humahire.com.	IN	 AAAA

;; ANSWER SECTION:
develop-api.humahire.com.	0	IN	CNAME	div2po1h6ba50.cloudfront.net.
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:3e00:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:2a00:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:1200:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:9600:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:1a00:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:3000:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:d600:3:6330:8500:21
div2po1h6ba50.cloudfront.net.	0	IN	AAAA	2600:9000:21c4:7400:3:6330:8500:21

----- Unbound logs -----
Jun 18 19:05:13 unbound[388520:0] notice: init module 0: validator
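As an added example (not code posted by anyone in this thread), here is a shell pre-flight check that reads the kind of DNS answer shown above and reports whether an HTTP-01 challenge issued for `certbot --nginx` can reach the origin nginx at all. The point it makes explicit: when the name is a CNAME to a CDN, the CA connects to the CDN edge, which knows nothing about certbot's temporary /.well-known/acme-challenge/ location, so a 404 is exactly what you get. The sample answer section is constructed from the unboundtest output above; the origin IP 13.229.214.187 is taken from the error detail in the first post and assumed to be the nginx host; the CDN suffix list, the function names and the `live_check` helper are my own assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# Input is the answer section of `dig +noall +answer NAME A NAME AAAA`.

# All A/AAAA addresses in an answer section: these are the endpoints the CA
# actually connects to for /.well-known/acme-challenge/.
resolved_addrs() {
    printf '%s\n' "$1" | awk '$4 == "A" || $4 == "AAAA" { print $5 }'
}

# First CNAME target in the chain, or empty if the name is served directly.
cname_target() {
    printf '%s\n' "$1" | awk '$4 == "CNAME" { print $5; exit }'
}

# CDN hostnames that terminate HTTP in front of the origin. Assumed, not
# exhaustive; CloudFront is the one that appears in the thread.
is_cdn_target() {
    case "$1" in
        *.cloudfront.net.|*.cloudfront.net)           return 0 ;;
        *.cdn.cloudflare.net.|*.cdn.cloudflare.net)   return 0 ;;
        *.azureedge.net.|*.azureedge.net)             return 0 ;;
        *.fastly.net.|*.fastly.net)                   return 0 ;;
        *.akamaiedge.net.|*.akamaiedge.net)           return 0 ;;
    esac
    return 1
}

# Verdict for "can certbot --nginx on host ORIGIN_IP pass HTTP-01 for NAME?"
#   cdn-fronted : CNAME points at a CDN; the CA talks to the CDN, not to nginx
#   mismatch    : no CDN, but none of the resolved addresses is ORIGIN_IP
#   ok          : ORIGIN_IP is among the resolved addresses
diagnose() {
    answer=$1
    origin_ip=$2
    target=$(cname_target "$answer")
    if [ -n "$target" ] && is_cdn_target "$target"; then
        echo cdn-fronted
        return 0
    fi
    if resolved_addrs "$answer" | grep -qxF -- "$origin_ip"; then
        echo ok
    else
        echo mismatch
    fi
}

# Live version (needs dig, curl, network access). Not run here. TOKEN is a
# throwaway file name, not a real ACME token.
live_check() {
    name=$1; origin_ip=$2
    diagnose "$(dig +noall +answer "$name" A "$name" AAAA)" "$origin_ip"
    # Then confirm the origin itself serves the challenge path, bypassing DNS
    # with --resolve, which is what certbot's temporary nginx config relies on:
    #   echo ok > /var/www/html/.well-known/acme-challenge/TOKEN
    #   curl -s --resolve "$name:80:$origin_ip" "http://$name/.well-known/acme-challenge/TOKEN"
}

# Constructed sample mirroring the AAAA lookup quoted above (two of the
# eight CloudFront addresses kept).
CDN_ANSWER='develop-api.humahire.com. 0 IN CNAME div2po1h6ba50.cloudfront.net.
div2po1h6ba50.cloudfront.net. 0 IN AAAA 2600:9000:21c4:3e00:3:6330:8500:21
div2po1h6ba50.cloudfront.net. 0 IN AAAA 2600:9000:21c4:2a00:3:6330:8500:21'

# Constructed: a direct A record to the nginx host (the IP from the error).
DIRECT_ANSWER='develop-api.humahire.com. 300 IN A 13.229.214.187'

# Constructed: a record pointing at some other, non-CDN host.
WRONG_ANSWER='develop-api.humahire.com. 300 IN A 192.0.2.10'

diagnose "$CDN_ANSWER"    13.229.214.187   # cdn-fronted
diagnose "$DIRECT_ANSWER" 13.229.214.187   # ok
diagnose "$WRONG_ANSWER"  13.229.214.187   # mismatch
```

Run it as-is to see the three verdicts on the constructed samples, or call `live_check develop-api.humahire.com 13.229.214.187` on the server. A `cdn-fronted` verdict means either point the name straight at nginx while issuing, request the certificate in the CDN itself, or switch to the DNS-01 challenge, which does not depend on where HTTP traffic lands.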

Hi @Bruce5051, thank you for the response, I appreciate it!

So do I need to disable CloudFront first to generate the certificate?


Oh, @Bruce5051, sorry, I think I misconfigured my DNS record. Thank you for the answer, by the way.
