Certbot refuses to allow my AAAA through after a reinstall

Hello! I've been using Certbot for a while here cleanly, the past two months or so, but I was having a heap of trouble with my server and memleaks (long story), so I ended up reinstalling Debian 13.

Things were working perfectly before, but now I'm having trouble with obtaining the certificate because of my IPv6 address, which is 2a0f:85c1:356:3522::/64. I can only input it into my registrar as 2a0f:85c1:356:3522::, however. This seemed to work the first time, but the second time around it's causing issues with certbot?

Removing the AAAA records means it will work, but I wanted to check to see if I can fix it w/o just gutting the IPv6 entirely, first. The regular template of information is below, but if you need something else, please let me know.


My domain is: http://forgettable.xyz/

I ran this command: certbot --nginx

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: forgettale.xyz
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for forgettale.xyz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for forgettale.xyz - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx version: nginx/1.26.3

The operating system my web server runs on is: Debian 13 (Trixie)

I can login to a root shell on my machine.

The version of my client is certbot 4.0.0.

You should set the full IPv6 address of your server (NOT the router) in the DNS record, and open traffic to that ip:port in your router.

4 Likes

@_fp welcome to the community! :slightly_smiling_face:

Please check the spelling of your domain, seemingly a b is missing.

4 Likes

Damn, I'm SILLY. I spent ALL day messing around and THAT was my main problem. How did I not see that :confused: Embarrassing, ty.

Okay, that was really dumb of me, ty. I would still like to clear up the issue(s) that Let's Debug sees though, if possible.

With the full IPv6, including the /64, my registrar's DNS editor refuses to accept it. Also, all ports are open by default (silly, but I was gonna add ufw AFTER I get everything set up, just to make my life with setting up services as easy as pie), so I doubt that's the problem.

That's a subnet, not a single IP address.
Let's see ip a on the server and look at the result.
What's your router?

5 Likes

ip a results:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether bc:24:11:e7:b4:f1 brd ff:ff:ff:ff:ff:ff
altname enp0s18
altname enxbc2411e7b4f1
inet 65.87.7.195/24 brd 65.87.7.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a0f:85c1:356:3522::1/48 scope global
valid_lft forever preferred_lft forever
inet6 fe80::be24:11ff:fee7:b4f1/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever

I guess I didn't clarify, but it IS a VPS, my bad - so I don't have access to a router myself, just basic information from the terminal.

Then you should be fine with 2a0f:85c1:356:3522::1 in the AAAA record (the trailing 1 is needed).

7 Likes
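As an added example (not code from this thread or from Certbot), a small Python pre-flight check that captures the point made above: it pulls the global-scope IPv6 addresses out of the ip a output quoted earlier, then explains why a candidate AAAA value (the /64 prefix, the bare prefix with an all-zero interface id, a link-local address, or the real ::1 host address) will or will not work. The ip a text is a constructed copy of the output in the thread, and the all-zero-interface-id check assumes a /64 prefix as stated by the poster.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines of the `ip a` output quoted in this thread.
IP_A_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 65.87.7.195/24 brd 65.87.7.255 scope global eth0
    inet6 2a0f:85c1:356:3522::1/48 scope global
    inet6 fe80::be24:11ff:fee7:b4f1/64 scope link proto kernel_ll
"""


def global_ipv6_addresses(ip_a_text):
    """Return the host's global-scope IPv6 addresses (prefix length stripped) from `ip a` output."""
    addrs = []
    for line in ip_a_text.splitlines():
        m = re.match(r"\s*inet6\s+(\S+)/\d+\s+scope\s+global", line)
        if m:
            addrs.append(ipaddress.IPv6Address(m.group(1)))
    return addrs


def check_aaaa_candidate(value, host_addrs):
    """Explain whether `value` is usable as the AAAA record for a host owning `host_addrs`."""
    if "/" in value:
        return "reject: '%s' carries a prefix length; an AAAA record holds one host address, not a subnet" % value
    try:
        addr = ipaddress.IPv6Address(value)
    except ipaddress.AddressValueError as exc:
        return "reject: not a valid IPv6 address (%s)" % exc
    if addr.is_link_local:
        return "reject: link-local (fe80::/10) addresses are never reachable from the internet"
    if addr.is_loopback:
        return "reject: loopback address"
    # Assumes a /64 prefix: an all-zero interface identifier (e.g. 2a0f:85c1:356:3522::) is the
    # bare prefix / subnet-router anycast address, not the address the VPS actually listens on.
    if int(addr) & ((1 << 64) - 1) == 0:
        return "reject: '%s' is the bare /64 prefix (interface id all zero); the host address ends in ::1" % value
    if addr not in host_addrs:
        return "reject: %s is not configured on this host" % addr
    return "ok: %s is a global-scope address on this host" % addr


if __name__ == "__main__":
    hosts = global_ipv6_addresses(IP_A_OUTPUT)
    for candidate in ("2a0f:85c1:356:3522::/64", "2a0f:85c1:356:3522::",
                      "fe80::be24:11ff:fee7:b4f1", "2a0f:85c1:356:3522::1"):
        print(candidate, "->", check_aaaa_candidate(candidate, hosts))
```

Run it with the real output of ip a pasted into IP_A_OUTPUT to confirm the value you are about to put in the registrar's AAAA field is the address the server actually holds.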

Alright! Sorry for the kerfuffle, but it's all working now :slight_smile:

Appreciate you guys' help, and may your pillows be cool on both sides.

3 Likes