Certbot SSL certificate failed for nginx server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.jaspberrypi.de jaspberrypi.de

I ran this command:
sudo certbot --nginx

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: jaspberrypi.de
Type: dns
Detail: no valid A records found for jaspberrypi.de; no valid AAAA records found for jaspberrypi.de

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is:
Hosting my back-end and front-end on my raspberrypi 4 and administrating the DNS via GoDaddy.com. Additionally, I have a No-Ip account for having a static IP.

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.31.0

Hey guys,

As mentioned in the question, I have a problem with generating an SSL certificate for my website with certbot. I am pretty new to this general topic and I am trying to find a way through this, so go easy on me. I have my domain jaspberrypi.de and www.jaspberrypi.de hosted with GoDaddy.com and there I have a CNAME entry for my no-ip address jaspberrypi.ddns.net where I have an A record to my public IP. First of all, I was not sure whether I should get a certificate for my two domains jaspberrypi.de and wwww.jaspberrypi.de or for the jaspberrypi.ddns.net address. So, I tried both. However, it gives me an error when I try to generate the certificate for jaspberrypi.de and www.jaspberrypi.de as can be seen in the form above. In contrast, I was able to generate the certificate for the jaspberrypi.ddns.net address, but instead of working I now get a 404 error from my nginx when I try to enter my website. Below you can find the config file of my successfully generated SSL certificate.

upstream loadbalancer {
    least_conn;
    server localhost:3500;
    server localhost:3501;
    server localhost:3502;
    server localhost:3503;
}

server {
    index index.html index.htm index.nginx-debian.html;
    server_name jaspberrypi.ddns.net;

    # react app & front-end files
    location / {
        root /home/pi/Documents/projects/todo/todo/build;
        try_files $uri /index.html;
    }

    location /api/ {
        proxy_pass http://loadbalancer/;
        proxy_buffering off;
        proxy_cache off;
        proxy_set_header Host $host;
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/jaspberrypi.ddns.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/jaspberrypi.ddns.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = jaspberrypi.ddns.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name jaspberrypi.ddns.net;
    listen 80;
    return 404; # managed by Certbot
}

So, to summarize my questions: for which addresses should I generate the SSL certificate for it to work (in case the first option was the right one, what is the solution to the problem I am facing), and for my working SSL certificate for the other address, why do I get a 404 error here and how do I solve that? I have returned to my website without SSL certificate in the meantime, in case somebody wonders why there is no 404 error on the website now.

This sounds clear enough. You know that jaspberrypi.de and www.jaspberrypi.de are two different names, for DNS, right? Each of them needs the appropriate A/AAAA records.

Oh... You cannot cname jaspberrypi.de

So the simple advice is to check if your DNS provider supports some kind of alias or aname record, or use www.jaspberrypi.de only.

6 Likes

The ANAME RR is not standardised unfortunately.

4 Likes

Neither is alias. They're the same, a provider feature that clones A/AAAA records.

3 Likes

Some big DNS providers support that. AWS Route53 supports symbolic names for apex A record (they call it an Alias A record) although just for other AWS services. Cloudflare has CNAME flattening which results in allowing CNAME for apex domain. I also saw DNS Made Easy (DigiCert) advertises such a service too (ANAME).

I can only personally vouch for Route53 :)

4 Likes

Thanks for the fast replies, guys! I forgot to mention that www.jaspberrypi.de is/should be forwarded from GoDaddy from jaspberrypi.de. I guess then only www.jaspberrypi.de is relevant here. Thanks for the advice, I will check on that! I will also look at other DNS providers then, I guess. However, to summarize, does that mean that when I have a CNAME DNS entry that is pointing to my no-ip address, this is not possible since CNAME entries are problematic here?

Update:
Nevertheless, I tried to set up the SSL certificate according to 9peppe, if I got it right, just for www.jaspberrypi.de, and this time another error occurred saying:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: wwww.jaspberrypi.de
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for wwww.jaspberrypi.de - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for wwww.jaspberrypi.de - check that a DNS record exists for this domain

So, still a problem, but this time slightly different. The thing is, when I use dnschecker.org or run host www.jaspberrypi.de I can directly find the IP address/A record for this address, but somehow certbot cannot. I mean, if CNAME is just not working with certbot, that's a reason, but I am just struggling to understand why.

TYPO; One too many "w"s.

4 Likes

Oh, the fun to have imagining another W word in front of www :) !

3 Likes

Oops, this was a really stupid mistake. Thanks for noticing! I fixed it and the SSL certificate was now generated, thanks!

2 Likes
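The two CA errors quoted in this thread correspond to two different DNS outcomes: the name exists but has no address data ("no valid A records found"), or the name does not exist at all (NXDOMAIN). As an added example (not code from any poster or from Certbot), this Python model runs the thread's names against a constructed zone and also flags a CNAME placed on a name that holds other records, which is always the case at a zone apex. The record values, `ns.example.` and `203.0.113.10` are constructed placeholders, and the function names are hypothetical.

```python
# Constructed records mirroring the thread; SOA/NS values and the
# 203.0.113.10 address are placeholders, not the real zone contents.
RECORDS = {
    "jaspberrypi.de": {"SOA": ["ns.example. hostmaster.example. 1"],
                       "NS": ["ns.example."]},
    "www.jaspberrypi.de": {"CNAME": ["jaspberrypi.ddns.net"]},
    "jaspberrypi.ddns.net": {"A": ["203.0.113.10"]},
}


def cname_conflicts(records):
    """Names where a CNAME coexists with other record types.

    A zone apex always carries SOA and NS, so a CNAME there always conflicts.
    """
    return sorted(n for n, rr in records.items()
                  if "CNAME" in rr and len(rr) > 1)


def lookup(name, records, max_hops=8):
    """Follow CNAMEs to address records; return (status, addresses)."""
    name = name.rstrip(".").lower()
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return ("CNAME_LOOP", [])
        seen.add(name)
        rr = records.get(name)
        if rr is None:
            return ("NXDOMAIN", [])      # name does not exist (e.g. a typo)
        addrs = rr.get("A", []) + rr.get("AAAA", [])
        if addrs:
            return ("OK", addrs)
        if "CNAME" not in rr:
            return ("NODATA", [])        # name exists, no A/AAAA data
        name = rr["CNAME"][0].rstrip(".").lower()
    return ("CNAME_LOOP", [])


def preflight(names, records):
    """Status per name, to review before requesting a certificate."""
    return {n: lookup(n, records)[0] for n in names}


if __name__ == "__main__":
    wanted = ["jaspberrypi.de", "www.jaspberrypi.de", "wwww.jaspberrypi.de"]
    for name, status in preflight(wanted, RECORDS).items():
        print(f"{name}: {status}")
    print("CNAME conflicts:", cname_conflicts(RECORDS))
```
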
