Certbot failed to authenticate some domains when renewing existing certificates

Hi all,

The SSL certificate for my website was working just fine until recently, when I started getting the following error message:
NET::ERR_CERT_DATE_INVALID
Subject: spacs-money.com
Issuer: R3
Expires on: Jul 11, 2021
Current date: Jul 20, 2021

It seems that the certificate has expired. I got the following error when trying to renew it.

My domain is: spacs-money.com

I ran this command: sudo certbot --nginx

It produced this output: Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: spacs-money.com
Type: unauthorized
Detail: Invalid response from http://spacs-money.com/.well-known/acme-challenge/5tbiIzPfsa79gd6aXfryJhqv8svnCUI2lKoFOjLHENo [2600:3c00::f03c:92ff:fe2f:92d7]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
nginx/1.18.0 (Ub"

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Ubuntu 20.10

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.17.0

1 Like

It looks like your nginx server is responding to HTTP requests differently, based on whether the visitor is using IPv4 or IPv6:

IPv4:

# curl -X GET -I -4 spacs-money.com/.well-known/acme-challenge/xx
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 20 Jul 2021 07:32:43 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://spacs-money.com/.well-known/acme-challenge/xx

IPv6:

# curl -X GET -I -6 spacs-money.com/.well-known/acme-challenge/xx
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 20 Jul 2021 07:32:46 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

It might help to post the nginx configuration for the spacs-money.com virtual host here, and maybe we'll be able to see why it's not treating the two address families the same way.

3 Likes

Thanks a lot for looking into this. Here are my Nginx settings:

# the upstream component nginx needs to connect to
upstream django {
    server unix:///home/alexa/spacs_money_project/spacs_money_project.sock;
}

# configuration of the server
server {
    server_name 45.33.13.202 spacs-money.com www.spacs-money.com;
    charset     utf-8;

    # max upload size
    client_max_body_size 1024M;

    # Django media and static files
    location /research_files {
        alias /home/alexa/spacs_money_project/research_files;
    }

    location /media  {
        alias /home/alexa/spacs_money_project/static/images;
    }
    location /static {
        alias /home/alexa/spac_money_project/static;
    }


    # Send all non-media requests to the Django server.
    location / {
        uwsgi_pass  django;
        include     /home/alexa/spacs_money_project/uwsgi_params;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/spacs-money.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/spacs-money.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    if ($host = www.spacs-money.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = spacs-money.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen      80;
#    listen      [::]:80;
    server_name 45.33.13.202 spacs-money.com www.spacs-money.com;
    return 404; # managed by Certbot




}
1 Like

Looks relevant, since IPv6 is behaving differently. Why is it commented out?

1 Like
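The two replies above pin the failure on one thing: the port-80 server block listens on IPv4 only, while the port-443 block listens on both families, so the CA's validation request (which the error above shows was made to the IPv6 address) hit no matching HTTP listener and got nginx's default 404. The following is an added example, not code from this thread or from Certbot: a small Python check that walks an nginx configuration, strips comments (so a commented-out `listen [::]:80;` counts as absent), and reports any port a server block serves on one address family but not the other. It assumes nginx 1.3.4 or later, where a `[::]` listener is IPv6-only unless `ipv6only=off` is given, and the sample configuration embedded in it is a constructed, abridged copy of the one posted above.

```python
"""Find nginx listen directives bound on only one address family, the
asymmetry behind the IPv4 301 / IPv6 404 split diagnosed in the thread."""
import re

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);")
SERVER_RE = re.compile(r"^\s*server\s*\{")


def strip_comment(line):
    """Drop an nginx '#' comment, so a commented-out listen line counts as absent."""
    return line.split("#", 1)[0]


def server_blocks(config):
    """Return the lines (comments stripped) of each top-level server { ... } block."""
    blocks, current, depth, block_depth = [], None, 0, 0
    for raw in config.splitlines():
        line = strip_comment(raw)
        if current is None and SERVER_RE.match(line):
            current, block_depth = [], depth + 1
        depth += line.count("{") - line.count("}")
        if current is not None:
            current.append(line)
            if depth < block_depth:  # closing brace of this server block
                blocks.append(current)
                current = None
    return blocks


def _port(addr, default=80):
    """Port of a listen address: '80', '*:80', '1.2.3.4:80', '[::]:80', '[::1]'."""
    if addr.startswith("["):
        return int(addr.rsplit(":", 1)[1]) if "]:" in addr else default
    if ":" in addr:
        return int(addr.rsplit(":", 1)[1])
    return int(addr) if addr.isdigit() else default


def listen_families(block):
    """Map port -> set of families ('v4', 'v6') bound by the block's listen directives.
    Assumption: nginx >= 1.3.4, where [::] sockets are IPv6-only unless ipv6only=off."""
    fams = {}
    for line in block:
        m = LISTEN_RE.match(line)
        if not m:
            continue
        params = m.group(1).split()
        addr = params[0]
        if addr.startswith("unix:"):  # unix sockets have no address family to compare
            continue
        if addr.startswith("["):
            families = {"v6", "v4"} if "ipv6only=off" in params else {"v6"}
        else:
            families = {"v4"}
        fams.setdefault(_port(addr), set()).update(families)
    return fams


def find_asymmetric(config):
    """Return (server_index, port, missing_family) for every port a server block
    serves on one address family but not the other."""
    findings = []
    for i, block in enumerate(server_blocks(config)):
        for port, fams in sorted(listen_families(block).items()):
            for family in ("v4", "v6"):
                if family not in fams:
                    findings.append((i, port, family))
    return findings


# Constructed, abridged copy of the configuration posted in the thread.
POSTED_CONFIG = """
upstream django {
    server unix:///home/alexa/spacs_money_project/spacs_money_project.sock;
}

server {
    server_name spacs-money.com www.spacs-money.com;
    location / {
        uwsgi_pass  django;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}

server {
    if ($host = spacs-money.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen      80;
#    listen      [::]:80;
    server_name spacs-money.com www.spacs-money.com;
    return 404; # managed by Certbot
}
"""

# The same configuration with the IPv6 listener restored, as the poster did.
FIXED_CONFIG = POSTED_CONFIG.replace("#    listen      [::]:80;", "    listen      [::]:80;")

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("[::]:80 restored", FIXED_CONFIG)):
        findings = find_asymmetric(cfg)
        print(f"{label}: {findings or 'every listen port is bound on both families'}")
```

Run against the posted configuration it reports `(1, 80, 'v6')`: the second server block (the HTTP one that should answer `/.well-known/acme-challenge/` or redirect it) has no IPv6 listener, exactly what the `curl -4` / `curl -6` comparison above showed at runtime. With the commented-out line restored it reports nothing. The static check complements the curl probe rather than replacing it: curl tells you what clients actually get, this tells you which server block is responsible.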

I am really not sure why that line was commented out. After making it execute again I was able to run certbot successfully. Thank you again for the assistance.

2 Likes