Certbot failed to authenticate some domains

Hello, I'm new to LetsEncrypt. I hope this post is in the right place.

I have a domain to which I wish to add a cert. The web site is active: http://www.grollige.com/

I'm using Nginx and Ubuntu 20. I followed the installation instructions here: Certbot Instructions | Certbot

I followed the instructions line-for-line, including the part about snapd. When I ran the command 'certbot --nginx', I received the following...
blah blah blah
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: grollige.com
Type: unauthorized
Detail: Invalid response from http://grollige.com/.well-known/acme-challenge/PBPImD8Oj8G8Kcuz7dfcOsHEkDIFztdvknBBgxHWFYk [208.91.197.27]: "\n\n404 Not Found\n\n Not Found \n<p"
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
blah blah blah

I'm a little surprised at the reference to 'http://grollige.com/.well-known/acme-challenge/PBPImD8Oj8G8Kcuz7dfcOsHEkDIFztdvknBBgxHWFYk', as no such directory exists.

I also have a rather lengthy log file '/var/log/letsencrypt/letsencrypt.log', which I can publish here if required.

I have no experience with certificates. Can anyone please help me to understand why this didn't work?

1 Like

Welcome to the community @Earthenware

Did you request a cert just for grollige.com or for that and www.grollige.com ?

I ask because each of these has a different public IP address in the DNS.

Name:   www.grollige.com
Address: 213.171.210.71

Name:   grollige.com
Address: 208.91.197.27

It is not required that they both be the same IP but they almost always are. And, if they are different they need a different discussion about getting certs.

3 Likes

Hi,

It asked me which I wanted a cert for and I chose both. I don't recognise the '208.91.197.27' address. The '213.171.210.71' address is correct.

It was my intention that they both have the same address and that I should have a cert for both.

Then you need to change your DNS record so it matches the www IP. Then retry getting certs for both and let us know. Thanks.

Update: Specifically, the A record for grollige.com is wrong but the A record for www.grollige.com has the correct IP. Dig (DNS lookup)

3 Likes

I've updated the DNS record. I'll wait for it to propagate and report back. Thanks.

3 Likes

DNS propagation (between authoritative DNS systems) is generally very quick (less than one minute).

2 Likes

I've just tested and it now seems to be OK.

Thank you for the assistance.

Do I need to actively close this thread or mark the problem as 'solved' somehow?

3 Likes

You did. We're good. Thanks for the update.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
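
The diagnosis in this thread, as an added example that is not part of the original posts and is not Certbot's own code: pull the address the CA actually connected to out of the failure report, and check before requesting a certificate that every name resolves only to the server running Certbot. The function names, the `server_ip` parameter and the sample data (constructed from the values quoted in the thread) are assumptions of the example.

```python
import re
import socket

# Matches a "Domain:" line followed by the
# "Detail: Invalid response from <url> [<ip>]" line of an HTTP-01 failure report.
FAIL_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+).*?Invalid response from \S+ \[(?P<ip>[^\]]+)\]",
    re.S,
)

def ca_reached(report):
    """Return {domain: address the CA connected to} from certbot failure output."""
    return {m["domain"]: m["ip"] for m in FAIL_RE.finditer(report)}

def resolve_a(name):
    """Live A-record lookup via the system resolver (AAAA records are not checked)."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def preflight(names, server_ip, resolver=resolve_a):
    """Return {name: addresses} for each name that does not resolve only to server_ip."""
    bad = {}
    for name in names:
        addrs = resolver(name)
        if addrs != [server_ip]:
            bad[name] = addrs
    return bad

# Constructed sample: the failure report and DNS answers quoted in the thread.
SAMPLE_REPORT = """\
Domain: grollige.com
Type: unauthorized
Detail: Invalid response from http://grollige.com/.well-known/acme-challenge/PBPImD8Oj8G8Kcuz7dfcOsHEkDIFztdvknBBgxHWFYk [208.91.197.27]: "404 Not Found"
"""
SAMPLE_DNS = {
    "grollige.com": ["208.91.197.27"],
    "www.grollige.com": ["213.171.210.71"],
}

if __name__ == "__main__":
    # Offline run: the dict lookup stands in for the live resolver.
    print(ca_reached(SAMPLE_REPORT))
    print(preflight(SAMPLE_DNS, "213.171.210.71", resolver=SAMPLE_DNS.__getitem__))
```

Calling `preflight` without the `resolver` argument performs live lookups; an empty result means every requested name points at the expected server.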