I don't want to broadcast the domains and IP addresses here, so I have to go with imaginary ones instead.
Let's say the domains are the following:
the-server.addr
not-the-server.addr
I'm on the-server.addr via SSH and I can request for a new certificate just fine. When I try to renew the requested certificate, I then get the following error:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: the-server.addr
Type: unauthorized
Detail: [IPv6 address of not-the-server.addr] Invalid response from https://not-the-server.addr/.well-known/acme-challenge/[**REDACTED**]: 404
I have no idea what to do, except for manually removing the old certificate and getting a new one each time the requested certificate is about to expire.
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it (and make our life a lot harder). In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Your the-server domain redirected the HTTP request from Let's Encrypt to HTTPS for not-the-server. That's the only way we could see HTTPS in the failing URL.
Then not-the-server fails as it doesn't know how to handle the challenge given you want a cert for the-server