Despite several checks certbot returns failed on http-01 challenge with 404

My domain is:
mail.fascist-library.com
I ran this command:
certbot --nginx
It produced this output:

Requesting a certificate for mail.fascist-library.com and www.mail.fascist-library.com
Performing the following challenges:
http-01 challenge for mail.fascist-library.com
http-01 challenge for www.mail.fascist-library.com
Waiting for verification...
Challenge failed for domain mail.fascist-library.com
Challenge failed for domain www.mail.fascist-library.com
http-01 challenge for mail.fascist-library.com
http-01 challenge for www.mail.fascist-library.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.fascist-library.com
   Type:   unauthorized
   Detail: 2001:19f0:5:6855:5400:4ff:fe42:3231: Invalid response from
   http://mail.fascist-library.com/.well-known/acme-challenge/u2sUa2bnVIwg5Zot0jqK75GncngyaJ1tc8CV5DfQsuM:
   404

   Domain: www.mail.fascist-library.com
   Type:   unauthorized
   Detail: 2001:19f0:5:6855:5400:4ff:fe42:3231: Invalid response from
   http://www.mail.fascist-library.com/.well-known/acme-challenge/4TSHVV80J49h5vr1uDVCoqKukcuNXRvQy0VFG4crEc4:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

nginx 1.18.0

The operating system my web server runs on is (include version):
Debian 11
My hosting provider, if applicable, is:
Vultr
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot 1.12.0

I have double, triple, and quadruple checked that my DNS is set up correctly and that port 80 is open. I even used letsdebug.net to be sure it passes http-01. I have the main site, just fascist-library.com, running https just fine also using certbot. I even removed https from it and used certbot again and it worked perfectly. They are both hosted on the same server.

Hi @herbertwatson, and welcome to the LE community forum :slight_smile:

Well then...
Allow me to point out the obvious:

curl -Ii6 mail.fascist-library.com
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Length: 612

curl -Ii4 www.mail.fascist-library.com
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Length: 944

IPv4 and IPv6 do NOT return the same site/content.

curl -6 mail.fascist-library.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
4 Likes

What could be causing this?

Your nginx vhost config is only listening on IPv4.
OR
The IPv6 listener is on another system [not likely].
OR
Other systems are involved [like a proxy] that aren't configured correctly [very unlikely].
OR
...
We/I could go on and on.

4 Likes

That is very unusual. What do I need to do in order to correct this? I do not believe I did anything different between the main site and the mail site.

If you show the nginx vhost config file, we can review it with you.

4 Likes
server {

        root /var/www/library;

        index index.html index.htm index.nginx-debian.html;

        server_name mail.fascist-library.com www.mail.fascist-library.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

When you checked your server, did you do it via IPv4 AND IPv6?

3 Likes

I am unsure how to do this.

1 Like

That vhost doesn't even have a listen statement.
I doubt that is in use.

6 Likes

You would need to have a test system that has both IPv4 and IPv6 addresses.
Try showing:
ipconfig
OR
ifconfig

4 Likes

Going back to the nginx configuration...
Try showing the full output, with:
nginx -T
[that's a capital T]

5 Likes

I am very sorry for my ignorance. I improperly copied the base configuration I made and completely left out the listen statement. Adding it back completely solved my issue. Thank you for pointing it out.

2 Likes
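
An added example, not part of any post in this thread: a small audit of `nginx -T` style output that reports, per `server_name`, which address families have no port 80 listener. The error detail above shows the validation request arrived over IPv6, and a server block with no `listen` directive defaults to `*:80` (IPv4 only) when nginx runs as root, so IPv6 requests land on a different vhost. The sample config and the `example.com` names are constructed; the parser is a simple brace matcher that assumes no braces inside comments or quoted strings.

```python
import re

# Constructed sample in the style of `nginx -T` output (not the poster's real config).
SAMPLE = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
}
server {
    root /var/www/library;
    server_name mail.example.com www.mail.example.com;
    location / { try_files $uri $uri/ =404; }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by brace matching."""
    for m in re.finditer(r"^\s*server\s*\{", conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def port80_families(body):
    """Return the address families on which this block accepts port 80."""
    listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
    if not listens:
        return {"ipv4"}  # nginx default without listen: *:80 as root, IPv4 only
    fams = set()
    for args in listens:
        addr = args.split()[0]
        if addr.startswith("[") and addr.endswith("]:80"):
            fams.add("ipv6")
        elif addr == "80" or addr.endswith(":80"):
            fams.add("ipv4")
    return fams

def audit(conf):
    """Map each server_name to the families it does not serve on port 80."""
    report = {}
    for body in server_blocks(conf):
        names = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
        missing = sorted({"ipv4", "ipv6"} - port80_families(body))
        for name in (names.group(1).split() if names else []):
            report[name] = missing
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any name reported as missing `ipv6` while its DNS has an AAAA record will fail HTTP-01 the way this thread describes. To run it on a live host, pass the text of `nginx -T` to `audit()` instead of `SAMPLE`.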

No worries.
Cheers from Miami :beers:
and Happy New Year!!!!!!!

5 Likes

Or on some Linux systems

ip addr
4 Likes
