Certbot failed to authenticate some domains (authenticator: nginx)

Hello,
I am using nginx to deploy an app with Amazon EC2. HTTP works correctly, but when I try to generate an SSL certificate I get the following error. I am completely new to this and to nginx, so any help will be appreciated.

My domain is: calendar.laserpro.gr

I ran this command: sudo certbot --nginx

It produced this output:

Requesting a certificate for calendar.laserpro.gr

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: calendar.laserpro.gr
Type: unauthorized
Detail: 2a02:4780:27:1369:0:3811:2c66:2: Invalid response from http://calendar.laserpro.gr/.well-known/acme-challenge/bj23A30Twr51bf4biAPR4sR7VaVBQnpuKXt_bN_v0yw: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version):

NAME="Amazon Linux"
VERSION="2023"
ID="amzn"
ID_LIKE="fedora"

My hosting provider, if applicable, is:

Amazon EC2

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

Also, results from Let's Debug:

Test result for calendar.laserpro.gr using http-01

MultipleIPAddressDiscrepancy

Warning

calendar.laserpro.gr has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.

[Address=2a02:4780:27:1369:0:3811:2c66:2,Address Type=IPv6,Server=LiteSpeed,HTTP Status=404] vs [Address=13.51.159.206,Address Type=IPv4,Server=nginx/1.24.0,HTTP Status=404]

This is telling you exactly what the problem is. Make sure that both the IPv4 and IPv6 addresses in DNS point to your server, and that your server works on both. (If you're only using one or the other IP version, then you can remove the other, but best practice is for servers to be responding on both.)

6 Likes
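To see what Let's Debug is reporting, it helps to reproduce its check yourself: resolve every A and AAAA record for the name, fetch the challenge path from each address on its own (with the Host header set, as the validator does), and compare the answers. The script below is an added example written for this thread, not part of Certbot or Let's Debug. The function and field names are my own; the sample results fed to `diagnose()` are constructed from the Let's Debug line above (an IPv6 address answering with a LiteSpeed server and an IPv4 address answering with nginx), so the analysis part runs offline, while `check()` does live lookups when you run the file against a hostname.

```python
"""Pre-flight check for ACME http-01 validation: probe each DNS record of a
hostname separately and flag records that answer differently."""
import http.client
import socket
from dataclasses import dataclass

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class ProbeResult:
    address: str
    family: str   # "IPv4" or "IPv6"
    server: str   # value of the Server header, or "unreachable"
    status: int   # HTTP status, or 0 when no HTTP answer was received


def resolve_all(hostname):
    """Every address the CA could pick: each A record as IPv4, each AAAA as IPv6."""
    seen = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        seen.add((sockaddr[0], label))
    return sorted(seen)


def probe(hostname, address, family, token, timeout=5.0):
    """Request the challenge path from ONE address, sending the Host header,
    so each DNS record is tested in isolation the way the validator does."""
    host = f"[{address}]" if family == "IPv6" else address
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        resp.read()
        return ProbeResult(address, family, resp.getheader("Server", "unknown"), resp.status)
    except OSError:
        return ProbeResult(address, family, "unreachable", 0)
    finally:
        conn.close()


def diagnose(results, token_is_live=False):
    """Turn probe results into findings (empty list = nothing suspicious).
    Pure function, so it can be tested on constructed data without network.
    A 404 is only an error when `token_is_live` says the token is currently
    being served by the ACME client; a random probe token is expected to 404."""
    findings = []
    answers = {(r.server, r.status) for r in results}
    if len(results) > 1 and len(answers) > 1:
        detail = ", ".join(f"{r.address} ({r.family}) -> {r.server} HTTP {r.status}" for r in results)
        findings.append("MultipleIPAddressDiscrepancy: records answer differently: " + detail
                        + "; at least one DNS record points at a machine that is not this server.")
    for r in results:
        if r.status == 0:
            findings.append(f"{r.address} ({r.family}): no HTTP answer; "
                            "remove that record or make port 80 reachable there.")
        elif token_is_live and r.status != 200:
            findings.append(f"{r.address} ({r.family}): HTTP {r.status} for the live challenge path.")
    return findings


def check(hostname, token="preflight-probe", token_is_live=False):
    """Resolve, probe every address, and return the findings."""
    results = [probe(hostname, addr, fam, token) for addr, fam in resolve_all(hostname)]
    return diagnose(results, token_is_live)


if __name__ == "__main__":
    import sys
    for line in check(sys.argv[1]) or ["all DNS records answer consistently"]:
        print(line)
```

Run it as `python3 preflight.py calendar.laserpro.gr` before invoking Certbot. A discrepancy finding means exactly what the reply above says: one of the records (here the AAAA record) is sending the validator to a server you do not control, so either point it at this instance or remove it.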

Okay! Just to make sure, does this have to do with the A record pointing at my EC2 instance, or with further setup in the nginx config file?

(By the way, my EC2 instance doesn't seem to have an IPv6 address at all, if that plays a role in this.)

If that is the case, you should probably remove the AAAA record that is telling the world that you do.

5 Likes

If you don't have IPv6 enabled, you must remove the AAAA record from your DNS.

To set up IPv6 for your VPC, see

6 Likes

Great, thank you everyone for your replies! I will do that and if I still have any problems I will let you know

3 Likes
