Error 404 - Unauthorized - First time creating SSL

My sub-domain is: api.createburger.com.br

I ran this command: sudo certbot certonly --webroot -w /var/www/createburger -d api.createburger.com.br

It produced this output:
root@vpsapplication:/var/www/createburger# sudo certbot certonly --webroot -w /var/www/createburger -d api.createburger.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.createburger.com.br
Using the webroot path /var/www/createburger for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.createburger.com.br
http-01 challenge for api.createburger.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine: Yes

My nginx file is like this:
server {
    listen 80;
    server_name _;

    location / {
        root /var/www/createburger;
        index index.html index.htm;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 80;
    server_name api.createburger.com.br;

    location / {
        proxy_pass http://89.116.214.215:3031;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/createburger;
    }
}

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

A couple things ...

First, your listen in the nginx server block does not listen for IPv6. Yet, you have an AAAA record in your DNS for IPv6. Let's Encrypt servers will use IPv6 when an AAAA record is present (and fall back to IPv4 only for certain kinds of timeouts).

If you want to support IPv6, each of your server blocks should listen for it.

Second, the IPv6 AAAA record may not even be pointing to your server. The Let's Debug test result explains this.

5 Likes

I changed my nginx to:

server {
    listen 80;
    listen [::]:80;
    server_name _;

    location / {
        root /var/www/createburger;
        index index.html index.htm;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name api.createburger.com.br;

    location / {
        proxy_pass http://89.116.214.215:3031;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/createburger;
    }
}

And it still doesn't work, got the same error when I try:
root@vpsapplication:/var/www/createburger# sudo certbot certonly --webroot -w /var/www/createburger -d api.createburger.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.createburger.com.br
Using the webroot path /var/www/createburger for all unmatched domains.
Waiting for verification...
Challenge failed for domain api.createburger.com.br
http-01 challenge for api.createburger.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

And now look at the Let's Debug test results. Your two IP addresses are pointing to different places.

5 Likes

WOWWWW YEAHHH kkkkk sorry, I forgot to config the IPv6, oh you are THE MAN, thank you so much

2 Likes
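
An added example, not part of the thread and not Certbot's own code: a pre-flight check for the two problems the replies identified, a server block with no IPv6 `listen` on port 80 and an AAAA record that points at a different machine. The function names and the 192.0.2.10 / 2001:db8::1 addresses are constructed for illustration; the parser ignores comments and `include` directives.

```python
import ipaddress
import re

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by brace matching."""
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def port80_versions(block):
    """IP versions (4, 6) that the block's `listen` directives cover on port 80."""
    versions = set()
    for args in re.findall(r'\blisten\s+([^;]+);', block):
        addr = args.split()[0]
        if ':' in addr and not addr.endswith(']'):
            port = addr.rsplit(':', 1)[1]
        else:
            port = addr if addr.isdigit() else '80'  # nginx defaults to port 80
        if port == '80':
            versions.add(6 if addr.startswith('[') else 4)
    return versions

def preflight(conf, domain, dns_addrs, host_addrs):
    """Return reasons an http-01 validation of `domain` could miss this nginx.

    dns_addrs: every A/AAAA value published for the domain.
    host_addrs: addresses actually configured on this machine.
    """
    host = {ipaddress.ip_address(a) for a in host_addrs}
    block = None
    for b in server_blocks(conf):
        names = re.search(r'\bserver_name\s+([^;]+);', b)
        if names and domain in names.group(1).split():
            block = b
    if block is None:
        return [f'no server block names {domain}']
    covered, problems = port80_versions(block), []
    for a in map(ipaddress.ip_address, dns_addrs):
        if a.version not in covered:
            problems.append(f'{a}: server block has no IPv{a.version} listen on port 80')
        if a not in host:
            problems.append(f'{a}: published in DNS but not an address of this host')
    return problems

# Constructed sample: the api server block from the first post, reduced to one line.
ORIGINAL = "server { listen 80; server_name api.createburger.com.br; location / { } }"
FIXED = ORIGINAL.replace("listen 80;", "listen 80; listen [::]:80;")
```

On a live host, `dns_addrs` would come from `dig +short A` and `dig +short AAAA` for the domain, and `host_addrs` from `ip -brief addr`.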
