Certbot stopped working with nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dimage.se

I ran this command: sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: dimage.se


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate for dimage.se

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: dimage.se
Type: unauthorized
Detail: 2a01:4f8:d0a:1231::2: Invalid response from http://dimage.se/.well-known/acme-challenge/42d3n4Kgv1KgNtVbUnTfTGqNCvItpBFiXEREoafB3Zk: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Manjaro aarch64 6.7.8-1-MANJARO-RPI4

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

Hello @kerabromsmu, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/dimage.se/1952442?debug=y

MultipleIPAddressDiscrepancy
WARNING
dimage.se has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a01:4f8:d0a:1231::2,Address Type=IPv6,Server=Apache,HTTP Status=404] vs [Address=217.31.190.236,Address Type=IPv4,Server=nginx/1.24.0,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404]

There is more than one IP Address for the domain name (which is fine), but they do not all reply the same.

HTTPRecords
DEBUG
A and AAAA records found for this domain
dimage.se. 0 IN A 217.31.190.236
dimage.se. 0 IN AAAA 2a01:4f8:d0a:1231::2

Edit:
Using curl

Using IPv4

>curl -4 -Ii http://dimage.se/.well-known/acme-challenge/C4Sg5MD2YiOgtFvb7cuOSnd3aDobuWvlB0zzRz6e
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0
Date: Mon, 13 May 2024 23:43:29 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://dimage.se/.well-known/acme-challenge/C4Sg5MD2YiOgtFvb7cuOSnd3aDobuWvlB0zzRz6e

Using IPv6, note the difference from above

>curl -6 -Ii http://dimage.se/.well-known/acme-challenge/C4Sg5MD2YiOgtFvb7cuOSnd3aDobuWvlB0zzRz6e
HTTP/1.1 404 Not Found
Date: Mon, 13 May 2024 23:43:36 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

Using IPv4 for the redirect

> curl -4 -k -Ii https://dimage.se/.well-known/acme-challenge/C4Sg5MD2YiOgtFvb7cuOSnd3aDobuWvlB0zzRz6e
HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Date: Mon, 13 May 2024 23:43:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 153
Connection: keep-alive

Edit: also see these as well

3 Likes
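The per-address comparison that the post above does by hand with `curl -4` and `curl -6`, written up as an added Python example (not Let's Debug's or the poster's code; function names are my own): it resolves every A/AAAA record, sends the same HTTP-01 probe to each address with the real Host header, and flags addresses whose answer differs, which is the condition Let's Debug reports as MultipleIPAddressDiscrepancy. The sample data is constructed from the curl output in the thread.

```python
"""Check that every A/AAAA address of a domain answers an ACME HTTP-01 probe
the same way, before running certbot. Names here are illustrative, not an API."""
import http.client
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    address: str   # the A or AAAA address actually connected to
    status: int    # HTTP status returned for the challenge path
    server: str    # Server header: a quick hint of which daemon answered


def resolve_addresses(host: str) -> list[str]:
    """All A and AAAA addresses for host; the CA will try any of them."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_address(host: str, address: str, path: str, timeout: float = 10.0) -> Probe:
    """HEAD the challenge path on one specific address while sending the real
    Host header, which is what the validator does for each DNS record."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.putrequest("HEAD", path, skip_host=True)
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        return Probe(address, resp.status, resp.getheader("Server", ""))
    finally:
        conn.close()


def find_discrepancies(probes: list[Probe]) -> list[str]:
    """One message per address whose (status, server) differs from the first
    address probed; an empty list means all records answer consistently."""
    if not probes:
        return []
    ref = probes[0]
    return [
        f"{p.address} answered {p.status} via {p.server or '?'} but "
        f"{ref.address} answered {ref.status} via {ref.server or '?'}"
        for p in probes[1:]
        if (p.status, p.server) != (ref.status, ref.server)
    ]


# Constructed sample mirroring the thread's curl output (not live results).
SAMPLE_PROBES = [
    Probe("217.31.190.236", 301, "nginx/1.24.0"),
    Probe("2a01:4f8:d0a:1231::2", 404, "Apache"),
]

if __name__ == "__main__":
    for line in find_discrepancies(SAMPLE_PROBES) or ["all addresses agree"]:
        print(line)
```

For a live check, feed `find_discrepancies([probe_address(host, a, path) for a in resolve_addresses(host)])`; the thread's case would show the IPv6 address hitting an Apache host that is not the nginx box certbot configured.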

Thank you! It turned out my provider doesn't support IPv6, so removing the AAAA strings from my DNS settings solved the problem.

2 Likes

But now, after renewing the certificate and restarting the web server, the browser tells me that the site is not secure

@kerabromsmu,

The domain name dimage.se https://decoder.link/sslchecker/dimage.se/443 shows the certificate is fine and matching the domain name. And here SSL Server Test: dimage.se (Powered by Qualys SSL Labs) gives an A.

The domain name www.dimage.se https://decoder.link/sslchecker/www.dimage.se/443 shows the certificate is NOT matching the domain name.

I suspect you want the certificate to have both domain names dimage.se and www.dimage.se in the SANs.

As shown here also

Edit:

Also here dimage.se - Make your website better - DNS, redirects, mixed content, certificates shows "DNS-problem - authoritative Nameserver refused, not defined or timeout"

2 Likes