Certbot failing for one domain, but succeeding for another

I have two domains that I have both set up identically on NGINX server blocks. elnu.com has an installation of WordPress on it at the moment, and lakewoodlanguages.com has just a testing HTML page. When I originally ran the certbot command, the challenge succeeded for lakewoodlanguages.com but for some reason failed for elnu.com. The certbot output here is from when I ran the command a second time, and elnu.com still fails. The suggested troubleshooting in the output suggests that there may be an error in the DNS record. However, both are working fine so I don't think that's the case. I've looked around and I found a few threads with people who had similar problems, but none of them has a definitive fix. Any help would be greatly appreciated, thanks in advance!

My domains are: elnu.com, lakewoodlanguages.com

I ran this command: sudo certbot --nginx -d elnu.com -d www.elnu.com -d lakewoodlanguages.com -d www.lakewoodlanguages.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/lakewoodlanguages.com.conf)

It contains these names: lakewoodlanguages.com, www.lakewoodlanguages.com

You requested these names for the new certificate: elnu.com, www.elnu.com,
lakewoodlanguages.com, www.lakewoodlanguages.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for elnu.com
http-01 challenge for www.elnu.com
Waiting for verification...
Challenge failed for domain elnu.com
Challenge failed for domain www.elnu.com
http-01 challenge for elnu.com
http-01 challenge for www.elnu.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: elnu.com
   Type:   unauthorized
   Detail: Invalid response from
   http://elnu.com/.well-known/acme-challenge/NaTorwchCeRB6Xdzf3g9bP__XfD42Afn9KYC7zC5cXI
   [2604:a880:2:d0::185e:d001]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   Domain: www.elnu.com
   Type:   unauthorized
   Detail: During secondary validation: Invalid response from
   http://www.elnu.com/.well-known/acme-challenge/RVWHN23E0CfQcF8IcwHyfms_Lv2Xd2FyzVbBqsktaSY
   [2604:a880:2:d0::185e:d001]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

1 Like

For some reason, LE resolves the name to an IPv6 address.

2 Likes

Try it again with staging:

sudo certbot --nginx -d elnu.com -d www.elnu.com -d lakewoodlanguages.com -d www.lakewoodlanguages.com --dry-run

2 Likes

It says the following:

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

Which subcommand should I use? renew?

1 Like

certonly for now.

2 Likes

That IPv6 address is the correct address of the server. However, for some reason I only added the corresponding AAAA record to elnu.com, and not lakewoodlanguages.com. I've deleted that record to see if for some reason that was the issue.

1 Like
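The failure pattern in the certbot output above (an nginx 404 returned to a validator that connected over the IPv6 address from the AAAA record, while the IPv4-only domain passed) can be read out of the error block mechanically before touching DNS or nginx. The following Python script is an added example, not part of this thread or of certbot: it parses the IMPORTANT NOTES entries quoted above (embedded here as a constructed sample), records which address family Let's Encrypt used and what the server answered, and compares the validator's address with the addresses the server is known to have. The server address set, the diagnosis labels and the suggested checks are assumptions made for the example, not output of any Let's Encrypt tool.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the two entries from the "IMPORTANT NOTES" block in
# the certbot output quoted in the thread, wrapped as certbot prints them.
# A raw string keeps the literal \r\n that certbot shows inside the quoted body.
SAMPLE_NOTES = r"""
   Domain: elnu.com
   Type:   unauthorized
   Detail: Invalid response from
   http://elnu.com/.well-known/acme-challenge/NaTorwchCeRB6Xdzf3g9bP__XfD42Afn9KYC7zC5cXI
   [2604:a880:2:d0::185e:d001]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   Domain: www.elnu.com
   Type:   unauthorized
   Detail: During secondary validation: Invalid response from
   http://www.elnu.com/.well-known/acme-challenge/RVWHN23E0CfQcF8IcwHyfms_Lv2Xd2FyzVbBqsktaSY
   [2604:a880:2:d0::185e:d001]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"
"""

# Assumed for the example: the addresses this server actually owns (the thread
# confirms the IPv6 one; the IPv4 address is not given, so it is left out).
KNOWN_SERVER_ADDRESSES = {"2604:a880:2:d0::185e:d001"}

# Assumed diagnosis labels and the check a defender would run for each.
NEXT_STEPS: Dict[str, str] = {
    "dns-points-elsewhere": "The validator connected to an address that is not this "
        "server: fix the A/AAAA record before retrying.",
    "ipv6-reached-server-but-404": "The validator reached this host over IPv6 and nginx "
        "answered 404: a likely cause is a server block with only 'listen 80;', so the "
        "IPv6 request fell through to the default server; add 'listen [::]:80;' or drop "
        "the AAAA record if IPv6 is not intended.",
    "reached-server-but-404": "The request reached nginx but the challenge path was not "
        "served: check the server_name and webroot of the block for this domain.",
    "other": "Unrecognised pattern; read the full Detail line and the nginx access log.",
}


@dataclass
class ChallengeFailure:
    domain: str
    error_type: str
    url: Optional[str]
    validator_address: Optional[str]
    address_family: Optional[int]   # 4 or 6, from the address certbot reports
    http_status: Optional[int]      # status taken from the <title> of the body
    server_banner: Optional[str]    # e.g. "nginx/1.18.0" if the body reveals it
    secondary_validation: bool      # True when the remote vantage points failed


def split_entries(notes: str) -> List[List[str]]:
    """Split the notes block into per-domain entries on blank lines."""
    entries: List[List[str]] = []
    current: List[str] = []
    for raw in notes.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = []
            continue
        current.append(line)
    if current:
        entries.append(current)
    return entries


def parse_entry(lines: List[str]) -> ChallengeFailure:
    """Turn one Domain/Type/Detail entry into a ChallengeFailure."""
    fields: Dict[str, str] = {}
    key = None
    for line in lines:
        m = re.match(r"^(Domain|Type|Detail):\s*(.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2)
        elif key:
            # Continuation of a wrapped Detail; re-join with a space so that
            # "404 Not" + "Found" reads "404 Not Found" again.
            fields[key] += " " + line
    detail = fields.get("Detail", "")
    url = re.search(r"https?://\S+", detail)
    addr = re.search(r"\[([0-9A-Fa-f:.]+)\]", detail)
    status = re.search(r"<title>(\d{3})\b", detail)
    banner = re.search(r"nginx/[\d.]+", detail)
    family = ipaddress.ip_address(addr.group(1)).version if addr else None
    return ChallengeFailure(
        domain=fields.get("Domain", ""),
        error_type=fields.get("Type", ""),
        url=url.group(0) if url else None,
        validator_address=addr.group(1) if addr else None,
        address_family=family,
        http_status=int(status.group(1)) if status else None,
        server_banner=banner.group(0) if banner else None,
        secondary_validation="secondary validation" in detail,
    )


def parse_notes(notes: str) -> List[ChallengeFailure]:
    return [parse_entry(entry) for entry in split_entries(notes)]


def diagnose(failure: ChallengeFailure, server_addresses: Set[str]) -> str:
    """Classify one failure against the addresses the server really has."""
    if failure.validator_address is None:
        return "other"
    known = {ipaddress.ip_address(a) for a in server_addresses}
    if ipaddress.ip_address(failure.validator_address) not in known:
        return "dns-points-elsewhere"
    if failure.http_status == 404 and failure.address_family == 6:
        return "ipv6-reached-server-but-404"
    if failure.http_status == 404:
        return "reached-server-but-404"
    return "other"


if __name__ == "__main__":
    for f in parse_notes(SAMPLE_NOTES):
        label = diagnose(f, KNOWN_SERVER_ADDRESSES)
        print(f"{f.domain}: IPv{f.address_family} {f.validator_address} -> "
              f"HTTP {f.http_status} ({f.server_banner}); {label}")
        print("   " + NEXT_STEPS[label])
```

Running the script against the sample reports both elnu.com names as reached over IPv6 with an nginx 404, which is why the "check your DNS" hint in certbot's output points the wrong way here: the address is right, the vhost answering on it is not.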

Lakewood worked; so, I guess, the IPv6 was part of the problem with Elnu.

2 Likes

I've redone the original command (without certonly) and for some reason it worked this time, both have been secured. I have no clue why though. Do you think it could have anything to do with that AAAA record? That's the only thing that changed between the attempts. Thanks for the help!

2 Likes

Yes.

2 Likes
