Certbot failed to authenticate some domains

Getting this error. my nginx configuration is fine and i'm able access my site. my A and AAAA records also fine on my AWS instance.

Requesting a certificate for i-factory.co.in

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: i-factory.co.in
Type: unauthorized
Detail: 2406:da1a:755:7100:fcb7:2954:719c:c3e1: Invalid response from http://i-factory.co.in/.well-known/acme-challenge/S5vS1vgRIJwB_2
R0VI6dwkIcHH6AIym98Zbrq71EK9A: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains po
int to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-ru
n Certbot with -v for more details.

Hi @rajnivp, and welcome to the LE community forum :slight_smile:

It seems that IPv4 and IPv6 are not exactly the same.
Notice the different content lengths for each:

curl -Ii4 i-factory.co.in/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:38:35 GMT
Content-Type: application/json
Content-Length: 22       <<<<<<<<<<<<<<<<<<<<
Connection: keep-alive

curl -Ii6 i-factory.co.in/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:38:42 GMT
Content-Type: text/html
Content-Length: 162       <<<<<<<<<<<<<<<<<<<<
Connection: keep-alive

Please use the staging environment for testing.
Also, try placing a test text file in the expected challenge location to confirm it can be reached from the Internet via IPv6.
As shown by the error message, the failure was over IPv6 [because, when present, LE prefers the IPv6 path over IPv4]:


Supplemental information; port 443 is present closed; at least for IPv4.

$ nmap -Pn i-factory.co.in
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-23 15:43 UTC
Nmap scan report for i-factory.co.in (
Host is up (0.24s latency).
Other addresses for i-factory.co.in (not scanned): 2406:da1a:755:7100:fcb7:2954:719c:c3e1
rDNS record for ec2-13-235-110-19.ap-south-1.compute.amazonaws.com
Not shown: 996 filtered ports
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
5000/tcp closed upnp

Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds

More HTTP IPv6/IPv4 noticeable differences:

curl -Ii4 i-factory.co.in
HTTP/1.1 405 Method Not Allowed
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:45:01 GMT
Content-Type: application/json
Content-Length: 31          <<<<<<<<<<<<<<<<<<<<
Connection: keep-alive
allow: POST

curl -Ii6 i-factory.co.in
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:45:07 GMT
Content-Type: text/html
Content-Length: 612          <<<<<<<<<<<<<<<<<<<<
Last-Modified: Wed, 22 Mar 2023 12:20:14 GMT
Connection: keep-alive
ETag: "641af27e-264"
Accept-Ranges: bytes

Not just the length differs :slight_smile:

The IP's both are AWS. They either point to the same nginx which is configured to process IPv4 and IPv6 differently (which is almost always wrong). OR, the IP's point to two different nginx which are similar in some ways but different in other important ways.

If you can run this command and upload the resulting upload.txt file we can give more specific advice. Make sure to use a capital T. The results will be fairly long.

sudo nginx -T >upload.txt

If you can't figure out how to upload a file using the post menu upload button just copy/paste the (very long) output and add 3 backticks before and after like:
output of: sudo nginx -T


upload.txt (8.6 KB)
i'm attaching generated upload.txt

1 Like

please also show the outputs of:
netstat -pant | grep nginx
ifconfig | grep inet


Thanks. One thing is you do not have a listen for IPv6 in your server block for your domain. You have one in your default server so that is causing some confusion.

Add this:

	listen [::]:80;

After the listen 80; in this file like this:

# configuration file /etc/nginx/sites-enabled/i-factory.co.in:
server { 
	client_max_body_size 64M; 
	listen 80; 
	listen [::]:80;
	server_name i-factory.co.in; 

And, what was the exact certbot command you used? We need to know that to advise how to proceed.


certbot command used: sudo certbot --nginx

output of netstat -pant | grep nginx:
tcp 0 0* LISTEN 811240/nginx: maste
tcp6 0 0 :::80 :::* LISTEN 811240/nginx: maste

output of ifconfig | grep inet:
inet netmask broadcast
inet6 fe80::b4:f0ff:fec4:5d82 prefixlen 64 scopeid 0x20
inet6 2406:da1a:755:7100:fcb7:2954:719c:c3e1 prefixlen 128 scopeid 0x0
inet netmask
inet6 ::1 prefixlen 128 scopeid 0x10

1 Like

That might work now as long as you've restarted (not just reloaded) nginx.

A restart is needed after changing port assignments (usually).


Adding listen [::]:80; worked. Thank you so much!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.