Certbot failed to authenticate some domains

Getting this error. My nginx configuration is fine and I'm able to access my site. My A and AAAA records are also fine on my AWS instance.

Requesting a certificate for i-factory.co.in

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: i-factory.co.in
Type: unauthorized
Detail: 2406:da1a:755:7100:fcb7:2954:719c:c3e1: Invalid response from http://i-factory.co.in/.well-known/acme-challenge/S5vS1vgRIJwB_2R0VI6dwkIcHH6AIym98Zbrq71EK9A: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Hi @rajnivp, and welcome to the LE community forum :slight_smile:

It seems that IPv4 and IPv6 are not exactly the same.
Notice the different content lengths for each:

curl -Ii4 i-factory.co.in/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:38:35 GMT
Content-Type: application/json
Content-Length: 22       <<<<<<<<<<<<<<<<<<<<
Connection: keep-alive

curl -Ii6 i-factory.co.in/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:38:42 GMT
Content-Type: text/html
Content-Length: 162       <<<<<<<<<<<<<<<<<<<<
Connection: keep-alive

Please use the staging environment for testing.
Also, try placing a test text file in the expected challenge location to confirm it can be reached from the Internet via IPv6.
As shown by the error message, the failure was over IPv6 [because, when present, LE prefers the IPv6 path over IPv4].

4 Likes

Supplemental information: port 443 is presently closed, at least for IPv4.

$ nmap -Pn i-factory.co.in
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-23 15:43 UTC
Nmap scan report for i-factory.co.in (13.235.110.19)
Host is up (0.24s latency).
Other addresses for i-factory.co.in (not scanned): 2406:da1a:755:7100:fcb7:2954:719c:c3e1
rDNS record for 13.235.110.19: ec2-13-235-110-19.ap-south-1.compute.amazonaws.com
Not shown: 996 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
5000/tcp closed upnp

Nmap done: 1 IP address (1 host up) scanned in 14.77 seconds

More HTTP IPv6/IPv4 noticeable differences:

curl -Ii4 i-factory.co.in
HTTP/1.1 405 Method Not Allowed
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:45:01 GMT
Content-Type: application/json
Content-Length: 31          <<<<<<<<<<<<<<<<<<<<
Connection: keep-alive
allow: POST

curl -Ii6 i-factory.co.in
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 23 Mar 2023 15:45:07 GMT
Content-Type: text/html
Content-Length: 612          <<<<<<<<<<<<<<<<<<<<
Last-Modified: Wed, 22 Mar 2023 12:20:14 GMT
Connection: keep-alive
ETag: "641af27e-264"
Accept-Ranges: bytes

2 Likes

Not just the length differs :slight_smile:

Both IPs are AWS. They either point to the same nginx, which is configured to process IPv4 and IPv6 differently (which is almost always wrong), or the IPs point to two different nginx instances which are similar in some ways but different in other important ways.

If you can run this command and upload the resulting upload.txt file we can give more specific advice. Make sure to use a capital T. The results will be fairly long.

sudo nginx -T >upload.txt

If you can't figure out how to upload a file using the post menu upload button just copy/paste the (very long) output and add 3 backticks before and after like:
```
output of: sudo nginx -T
```

4 Likes

upload.txt (8.6 KB)
I'm attaching the generated upload.txt.

1 Like

Please also show the outputs of:
netstat -pant | grep nginx
ifconfig | grep inet

2 Likes

Thanks. One thing is you do not have a listen for IPv6 in your server block for your domain. You have one in your default server so that is causing some confusion.

Add this:

`listen [::]:80;`

After the `listen 80;` in this file, like this:

```nginx
# configuration file /etc/nginx/sites-enabled/i-factory.co.in:
server {
	client_max_body_size 64M;
	listen 80;
	listen [::]:80;
	server_name 13.235.110.19 i-factory.co.in;
```

And, what was the exact certbot command you used? We need to know that to advise how to proceed.

3 Likes
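One way to spot this class of mistake in the `sudo nginx -T` dump the thread asked for, as an added example (not code from the forum, certbot or nginx): a small Python audit that walks every top-level `server { ... }` block, tracking braces so nested `location` blocks are not miscounted, and reports the IPv4 listen ports that have no matching `[::]` listen. The sample config is constructed; its second block, with `listen 80;` alone, mirrors the site file in this thread, and the names `audit_ipv6_listens`, `server_blocks` and `listen_family_and_port` are my own.

```python
import re
# Constructed sample in the shape of `sudo nginx -T` output; it is not the poster's upload.txt.
SAMPLE_NGINX_T = """\
# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
}
server {
    listen 80;
    server_name 203.0.113.10 example.test;
    location /.well-known/acme-challenge/ { root /var/www/html; }
}
"""

def listen_family_and_port(value):
    """Map a listen argument ('80', '[::]:80', '0.0.0.0:80 ssl') to (family, port)."""
    addr = value.split()[0]                      # drop flags such as default_server / ssl
    if addr.startswith("["):                     # bracketed IPv6 address, optional :port
        return "ipv6", (addr.split("]:")[1] if "]:" in addr else "80")
    if ":" in addr:                              # IPv4 address or hostname with explicit port
        return "ipv4", addr.rsplit(":", 1)[1]
    return "ipv4", (addr if addr.isdigit() else "80")   # bare port, or bare address (port 80)

def server_blocks(text):
    """Yield the text of each top-level server { ... } block, tracking brace depth."""
    depth, start = 0, None
    for m in re.finditer(r"\bserver\s*\{|\{|\}", text):
        tok = m.group(0)
        if tok.startswith("server") and start is None:
            start, depth = m.start(), 1
        elif tok.endswith("{") and start is not None:   # nested location/if block opens
            depth += 1
        elif tok == "}" and start is not None:
            depth -= 1
            if depth == 0:                       # closing brace of the server block itself
                yield text[start:m.end()]
                start = None

def audit_ipv6_listens(nginx_t_output):
    """Per server block, list the IPv4 ports that have no matching [::] listen."""
    report = []
    for block in server_blocks(nginx_t_output):
        listens = [listen_family_and_port(v) for v in re.findall(r"^\s*listen\s+([^;]+);", block, re.M)]
        v4 = {port for family, port in listens if family == "ipv4"}
        v6 = {port for family, port in listens if family == "ipv6"}
        names = re.search(r"^\s*server_name\s+([^;]+);", block, re.M)
        report.append({"server_name": names.group(1).strip() if names else "",
                       "missing_ipv6": sorted(v4 - v6)})   # add "listen [::]:<port>;" for each
    return report
```

Run it over the real dump with `audit_ipv6_listens(open("upload.txt").read())`; each reported port is one that IPv4 clients reach but IPv6 clients (including the CA's validation) do not.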

certbot command used: sudo certbot --nginx

output of `netstat -pant | grep nginx`:
```
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 811240/nginx: maste
tcp6 0 0 :::80 :::* LISTEN 811240/nginx: maste
```

output of `ifconfig | grep inet`:
```
inet 172.26.14.85 netmask 255.255.240.0 broadcast 172.26.15.255
inet6 fe80::b4:f0ff:fec4:5d82 prefixlen 64 scopeid 0x20
inet6 2406:da1a:755:7100:fcb7:2954:719c:c3e1 prefixlen 128 scopeid 0x0
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
```

1 Like

That might work now as long as you've restarted (not just reloaded) nginx.

A restart is needed after changing port assignments (usually).

3 Likes

Adding `listen [::]:80;` worked. Thank you so much!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.