Certbot failed to authenticate some domains (authenticator: nginx)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chemist-mrsnermeen.com

I ran this command: sudo certbot --nginx -d chemist-mrsnermeen.com

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: chemist-mrsnermeen.com
  Type: unauthorized
  Detail: 2a02:4780:27:1571:0:190b:7a25:2: Invalid response from http://chemist-mrsnermeen.com/.well-known/acme-challenge/cQSDZlda1TODVDgfbsCIi7LyFHOjXB1wypJ70PbI_m8: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx (1.24.0)

The operating system my web server runs on is (include version): Ubuntu (24.04)

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot (2.11.0)

Hello @PeterNatig, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/chemist-mrsnermeen.com/2159037

MultipleIPAddressDiscrepancy
Warning
chemist-mrsnermeen.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:27:1571:0:190b:7a25:2,Address Type=IPv6,Server=LiteSpeed,HTTP Status=404] vs [Address=178.16.131.98,Address Type=IPv4,Server=nginx/1.24.0 (Ubuntu),HTTP Status=404]

All of the IP addresses need to respond the same; presently they do not.

Edit:
It is common for Hostinger to assign an IPv6 address and the user doesn't know it.
Most likely the solution is to delete the IPv6 DNS AAAA records.

Edit 2:
@MikeMcQ beat me to the Hostinger issue. :slight_smile:

1 Like

We see these multiple times per day it seems. Hostinger sets up an AAAA record for IPv6 that points to their own parking or sales home page (a LiteSpeed server).

Yet, when people set up their actual servers the AAAA record never gets deleted.

Please remove that record or replace it with one that is for your actual server. You could help us out by complaining to Hostinger too :slight_smile:

4 Likes
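The check behind the Let's Debug warning can be reproduced locally. The following is an added example, not part of the original thread and not Let's Debug's own code: it requests a challenge path from every A and AAAA address of a name and groups the addresses by how they answer. The function names, the test path and the `expected_server` default are assumptions; the embedded sample is built from the two results quoted in the warning above.

```python
import http.client
import socket
import sys
from collections import defaultdict

# Constructed sample: the two per-address results from the Let's Debug warning above.
SAMPLE = [
    {"address": "2a02:4780:27:1571:0:190b:7a25:2", "server": "LiteSpeed", "status": 404},
    {"address": "178.16.131.98", "server": "nginx/1.24.0 (Ubuntu)", "status": 404},
]

def probe(host, path="/.well-known/acme-challenge/test", timeout=5):
    """GET `path` over port 80 from every A and AAAA address of `host`."""
    results = []
    addrs = {info[4][0] for info in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)}
    for addr in sorted(addrs):
        conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
        try:
            # Connect to the literal address but send the site's Host header.
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            results.append({"address": addr, "server": resp.getheader("Server", ""),
                            "status": resp.status})
        except (OSError, http.client.HTTPException) as exc:
            results.append({"address": addr, "server": "", "status": None, "error": str(exc)})
        finally:
            conn.close()
    return results

def group_by_behaviour(results):
    """Map (Server header, HTTP status) -> addresses that answered that way."""
    groups = defaultdict(list)
    for r in results:
        groups[(r["server"], r["status"])].append(r["address"])
    return dict(groups)

def stray_addresses(results, expected_server="nginx"):
    """Addresses whose Server header does not match the server Certbot configures."""
    return [r["address"] for r in results if not r["server"].lower().startswith(expected_server)]

if __name__ == "__main__":
    # With no argument, analyse the constructed sample instead of touching the network.
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for behaviour, addrs in group_by_behaviour(results).items():
        print(behaviour, addrs)
    print("stray:", stray_addresses(results))
```

Both addresses in the sample return 404, so the status code alone hides the problem; the differing `Server` header is what shows that the AAAA record reaches a different machine. Run a live probe from a host with working IPv6, otherwise the IPv6 address is reported as an error rather than as a LiteSpeed response.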

Much better looking DNS now.

2 Likes
