"Certbot failed to authenticate some domains (authenticator: nginx)"

My domain is: ample.ng

I ran this command(s):

sudo certbot certonly --force-renew -d ample.ng
sudo certbot --nginx -d ample.ng -d www.ample.ng
sudo certbot --nginx [and then selected the domains from the list]

It produced this output:

  Domain: ample.ng
  Type:   unauthorized
  Detail: 2a01:7e01::f03c:93ff:fe4b:85b3: Invalid response from http://ample.ng/.well-known/acme-challenge/GSS43hAfQqrYJoRDkWxhshPjFqrwp3USghwtAwLPxyE: 404

  Domain: www.ample.ng
  Type:   unauthorized
  Detail: 2a01:7e01::f03c:93ff:fe4b:85b3: Invalid response from http://www.ample.ng/.well-known/acme-challenge/xJK9oG3TgvPLsSgzrDBy5M9T5L6FxIpgcY3bJ_qMRp8: 404

My web server is (include version): NGINX 1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is: Self; all served on Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

NGINX Config file: /etc/nginx/sites-available/ample.ng.conf

server {
        # Bind the TCP port 80
        #listen [::]:80;

        # Root directory
        root                    /var/www/html/ample.ng;

        # Index page
        #index                  index.php index.html index.htm;

        # Server
        server_name             ample.ng www.ample.ng;
        #server_name            139.144.177.88;

        # Redirect to https
        if ($scheme != "https"){
                return          301 https://$host$request_uri;
        }

        location / {
                #index index.php index.html index.htm;
                #try_files $uri $uri/ =404;
                try_files       $uri $uri/ /index.php$is_args$args;
                index           index.php index.html index.htm;
        }

        # Setup PHP
        location ~* \.php$ {
                fastcgi_pass    unix:/run/php/php8.1-fpm.sock;
                include         fastcgi_params;
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param   SCRIPT_NAME     $fastcgi_script_name;
        }

        # Setup for phpMyAdmin
        location ^~ /accessdb/ {
                allow 127.0.0.1;        #allow localhost
                allow 139.144.177.88;   #allow server IP
                allow 160.152.0.0/16;   #allow Smile IP and its ranges
                allow 197.210.0.0/16;   #allow MTN IP and its ranges
                deny all;               #deny all other sources

                # Index page for phpMyAdmin
                index           index.php index.html index.htm;

                location ~ \.php$ {
                        include         snippets/fastcgi-php.conf;
                        fastcgi_pass    unix:/var/run/php/php8.1-fpm.sock;
                }
        }

        # Disable .htaccess from being served
        location ~ /\.ht {
                deny all;
        }

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/ample.ng/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/ample.ng/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}


server {
        if ($host = ample.ng) {
                return 301 https://$host$request_uri;
        } # managed by Certbot

        listen                  80;
        server_name             ample.ng www.ample.ng;
        return                  404; # managed by Certbot
}

Let's Encrypt renewal config: /etc/letsencrypt/renewal/ample.ng.conf

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/ample.ng
cert = /etc/letsencrypt/live/ample.ng/cert.pem
privkey = /etc/letsencrypt/live/ample.ng/privkey.pem
chain = /etc/letsencrypt/live/ample.ng/chain.pem
fullchain = /etc/letsencrypt/live/ample.ng/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 6c377c21762f1e84e3c58391b18918dc
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Is this your IPv6 address? Is your server block listening on IPv6?

3 Likes

Neither of those server blocks has a listen clause for IPv6. But, your DNS has an AAAA for IPv6 and Let's Encrypt servers use that when present.

Either add the needed listens or remove the AAAA if you don't support IPv6.

3 Likes

Please don't use this option if you don't know what it actually does. It does NOT magically make authentication errors go away. That wouldn't make sense.

3 Likes

The nginx server clearly supports IPv6:

curl -Ii6 www.ample.ng
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 12 Sep 2023 01:12:36 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

So, it's:

2 Likes

Yes, probably the same nginx. But, I was speaking broadly about whether they can and are willing to support IPv6 when I said "if you don't support" :slight_smile: I think they should but not everyone is comfortable.

3 Likes

It could be supported but go to the default virtualhost, I think.

3 Likes

Agree. It could be and I think it likely is that same nginx instance. Because of the missing listen statements for IPv6 I mentioned earlier those requests don't land in the proper server block.

Whether they can and want to manage IPv6 going forward is a separate question. Again, I think they should but ... I probably should have been more verbose in my original explanation :slight_smile:

3 Likes

Yes, that is my IPv6.

Kindly point me in the right direction please.

Please, kindly point me in the right direction.

Hello Chiefs @rg305 @MikeMcQ and for every other person who will likely comment to help, I will be honest that I've done all what I can but maybe I'm not doing something right hence I had to come here for assistance. Please, point me in the right direction on what to do to get this issue fixed.

Every help is super appreciated because at this point, I do not know what to do.

Many thanks.

1 Like

Add

listen [::]:80

wherever

listen 80

is.

Eventually do the same with 443.

5 Likes
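As an added illustration (not code from the thread or from Certbot/nginx), here is a small Python check for the misconfiguration discussed above: it walks a site config, collects the listen directives of each server block, and reports every port that is bound on IPv4 with no matching [::] listen. The sample config is constructed from the two server blocks posted earlier, trimmed; quoted braces or semicolons inside directive values are not handled.

```python
import re
from typing import Dict, List

# Constructed sample modeled on the thread's two server blocks (trimmed).
BROKEN = """
server {
        #listen [::]:80;
        server_name ample.ng www.ample.ng;
        location / { try_files $uri $uri/ =404; }
        listen 443 ssl; # managed by Certbot
}
server {
        if ($host = ample.ng) { return 301 https://$host$request_uri; }
        listen 80;
        server_name ample.ng www.ample.ng;
        return 404;
}
"""
# The same blocks with the fix suggested above: an IPv6 listen beside each IPv4 one.
FIXED = (BROKEN.replace("listen 443 ssl;", "listen 443 ssl;\n        listen [::]:443 ssl;")
               .replace("listen 80;", "listen 80;\n        listen [::]:80;"))

def parse_listens(config: str) -> List[List[str]]:
    """Listen arguments of every server{} block, in file order (comments ignored)."""
    text = re.sub(r"#[^\n]*", "", config)
    blocks, current, depth, server_depth = [], None, 0, None
    # Split into statements terminated by ';', '{' or '}'.
    for piece, delim in re.findall(r"([^{};]*)([{};])", text):
        words = piece.split()
        if delim == "{":
            if server_depth is None and words and words[0] == "server":
                server_depth, current = depth, []
            depth += 1
        elif delim == "}":
            depth -= 1
            if depth == server_depth:
                blocks.append(current)
                server_depth, current = None, None
        elif current is not None and words and words[0] == "listen":
            current.append(" ".join(words[1:]))
    return blocks

def listen_port(arg: str) -> str:
    """Port of a listen argument: '80' / '*:80' / '[::]:443 ssl' -> '80' / '80' / '443'."""
    addr = arg.split()[0]
    if addr.startswith("["):                      # [::]:443, or bare [::] meaning port 80
        return addr.rsplit("]:", 1)[1] if "]:" in addr else "80"
    return addr.rsplit(":", 1)[-1]

def ipv4_only_ports(config: str) -> Dict[int, List[str]]:
    """Map server-block index -> ports bound on IPv4 with no matching [::] listen."""
    report = {}
    for i, listens in enumerate(parse_listens(config)):
        v4 = {listen_port(a) for a in listens if not a.startswith("[")}
        v6 = {listen_port(a) for a in listens if a.startswith("[")}
        if not listens:
            v4 = {"80"}  # nginx's implicit default is *:80, which is IPv4 only
        missing = sorted(v4 - v6)
        if missing:
            report[i] = missing
    return report
```

A block flagged here will still receive the challenge request when the domain has an AAAA record, but on the default IPv6 virtual host rather than in the intended server block, which is the 404 shown in the error above.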

Thank you

1 Like

Many thanks to all who made a suggestion and helped. I have been able to fix it. While waiting for your amazing responses, I decided to remove the certificate for the domain so that I can install a new one. I did that using:

sudo certbot certificates #List the current available certificates
sudo certbot delete --cert-name ample.ng #Remove the certificate

I also checked the configuration file "ample.ng.conf" and removed all SSL references. In fact, I created a new basic configuration file.

I checked NGINX to make sure everything was okay and then restarted the server, after which I requested a new certificate for the domains "ample.ng" and "www.ample.ng".

Many thanks again to the community and everyone who contributed.

3 Likes