Challenge is failing

Help
1

same problem , i changed the server i got same problem
please help

root@Ubuntu-Streaming / # sudo certbot -v --nginx -d beanstime.live

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for beanstime.live
Performing the following challenges:
http-01 challenge for beanstime.live
Waiting for verification...
Challenge failed for domain beanstime.live
http-01 challenge for beanstime.live

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: beanstime.live
  Type:   unauthorized
  Detail: 2a01:4f8:211:958::2: Invalid response from http://beanstime.live/.well-known/acme-challenge/AjwTgwqynhccJw_hCXO4GU3Dfy4xM096WwftqcaMRUI: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

server {
    listen 80;
    server_name beanstime.live;

    root /var/www/beanstime.live/html; 

    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/beanstime.live/html;
    }
}
2

@brixxnatt Your problem is not the same. Their server returned the wrong data and yours is returning no data. Since you posted I see you have changed your DNS settings because you no longer have a valid A and/or AAAA record.

If you still have problems after you finish that please start a new thread. You will be shown a form asking for info. Please answer as much as you can. Thank you

2 Likes
3

Different problem entirely indeed, so I've moved the posts to a new thread.

If you opened this thread yourself in the Help section, you would have been provided with a questionnaire. All the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes
4

The domain name beanstime.live does not exist.

http://whois.nic.live/ shows for beanstime.live

image
image1187×892 37.4 KB

2 Likes
5

Not sure why they felt the need to obfuscate the domain name:
root /var/www/tkdsstream.live/html;

2 Likes
6

So I could obfuscate my responses. :laughing:

2 Likes
7

yes those domains i forgot to revoke them when i changed servers
tkdsradio.live tkdsstream.live

we thought we should not put the domains here

8

What made you think that?

2 Likes
9

Also @brixxnatt what is the same problem?
Please fill out the form @Osiris ask for here Challenge is failing - #3 by Osiris

2 Likes
10

My domain is: tkdsradio.live

I ran this command: certbot --nginx -d tkdsradio.live

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for tkdsradio.live

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: tkdsradio.live
Type: unauthorized
Detail: 2a01:4f8:211:958::2: Invalid response from http://tkdsradio.live/.well-known/acme-challenge/1ooABKhPtBr7Qzk4TtL2V4TBpFcfFDl--ZOwKM7y7ZU: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):Ubuntu 22.4

My hosting provider, if applicable, is: server provider Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

11

@brixxnatt try running with sudo like

sudo certbot --nginx -d tkdsradio.live

Also please show the output of sudo nginx -T and that must be an UPPER Case T for the - option.

2 Likes
12

Make sure your server block for that domain that listens on port 80 has a listen statement for IPv4 and a statement for IPv6 like

listen       [::]:80;
3 Likes
13

the sudo didnt work , the T command gave this

configuration file /etc/nginx/sites-enabled/tkdsradio.live:

server {
    listen 80;
    server_name tkdsradio.live www.tkdsradio.live;

    location / {
        proxy_pass http://localhost:99;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

configuration file /etc/nginx/sites-enabled/tkdsstream.live:

server {
    listen 80;
    server_name tkdsstream.live www.tkdsstream.live;

    root /var/www/tkdsstream.live/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/tkdsstream.live/html;
    }
}
14

You need to add the listen statement that I showed. You add that just below the listen statement you already have. Without both of them those server blocks do not get chosen by Nginx to process IPV6 requests. Instead, a default nginx server block gets used. You can see the IPV6 address that Lets Encrypt server used in the error message.

3 Likes
15

I did what you told me , i checked everything , even dns ,

still same as above

16

Show us what you've done/changed and we can check it as well.

2 Likes
17

Your DNS is inconsistent but that shouldn't cause a problem with the Let's Encrypt cert request as long as you updated the listen statements as I described. Still, it is something you should fix. It will affect "regular" requests from clients that only support IPv6. This domain still has an AAAA record but none of your other 3 names have one.

tkdsstream.live.	43200	IN	AAAA	2a01:4f8:211:958::2

The --nginx plugin normally works very well. Your nginx config is probably not quite right or you have something very unusual in it.

Please show the entire output of sudo nginx -T
The output will be very long but that is needed to help debug your problem.

2 Likes
18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.