Error getting validation data

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nikoskalfas.com || http://34.241.217.25/

I ran this command: sudo certbot --nginx -d nikoskalfas.com -d www.nikoskalfas.com

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: nikoskalfas.com
Type: connection
Detail: During secondary validation: 76.223.67.189: Fetching http://nikoskalfas.com/.well-known/acme-challenge/EmSJBrcY79VRdJUHzCSaKeDGvibUF-EQzCcipVeQv74: Error getting validation data

Domain: www.nikoskalfas.com
Type: connection
Detail: During secondary validation: 13.248.213.45: Fetching http://www.nikoskalfas.com/.well-known/acme-challenge/SubEwMZ4JiFtfqZhNxEgIT9TaqFQpDgkIY1Wi8r_DZg: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx (no idea)

The operating system my web server runs on is (include version): ubuntu (no idea)

My hosting provider, if applicable, is: 123reg

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

I've been in this position a lot from different paths these last few days. I have documented my path to get to this point here: GitHub - NikolaosKalfas/Install-NGINX-Wordpress: Install NGINX & Wordpress

This is on an AWS EC2, and it looks like my security group allows for both port 80 and port 443 to be accessible.

What I also don't understand is that when I visit my 34.241.217.25, I can see the nginx server page. When I visit 34.241.217.25/nikoskalfas.com where I expect to see the Wordpress set up page, I get a 403 forbidden error. Not sure if that's related...

Not sure if uploading the error log here is a good idea?:
certbot error log.txt (88.3 KB)

Welcome to the community @NikolaosKalfas

Thanks for all the great info. We may not need it but always helpful to see.

The "Secondary validation" part of the error is likely caused by a recent Let's Encrypt change.

Do you have geographic based firewall settings? If so, a change will be needed.

See this topic for an explanation

3 Likes

Hello @NikolaosKalfas, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here https://unboundtest.com/m/A/nikoskalfas.com/DPZJZBON I see 3 DNS A Records (IPv4),
not just the 2 shown in the logs you provided.

Query results for A nikoskalfas.com

Response:
;; opcode: QUERY, status: NOERROR, id: 57169
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;nikoskalfas.com.	IN	 A

;; ANSWER SECTION:
nikoskalfas.com.	0	IN	A	76.223.67.189
nikoskalfas.com.	0	IN	A	13.248.213.45
nikoskalfas.com.	0	IN	A	34.241.217.25

----- Unbound logs -----

And also here as well

Here is a quick nmap check of each of the IPv4 Addresses, they do not all respond the same.

$ nmap -4 -Pn -p80,443 13.248.213.45
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-18 12:54 PDT
Nmap scan report for a67c48129651a0940.awsglobalaccelerator.com (13.248.213.45)
Host is up (0.012s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
$ nmap -4 -Pn -p80,443 34.241.217.25
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-18 12:54 PDT
Nmap scan report for ec2-34-241-217-25.eu-west-1.compute.amazonaws.com (34.241.217.25)
Host is up (0.16s latency).

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
$ nmap -4 -Pn -p80,443 76.223.67.189
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-18 12:54 PDT
Nmap scan report for a67c48129651a0940.awsglobalaccelerator.com (76.223.67.189)
Host is up (0.0099s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

And here are 3 quick curl checks on those 3 IPv4 Addresses, they do not all respond the same.

$ curl -Ii http://13.248.213.45/.well-known/acme-challenge/sometestfile
curl: (52) Empty reply from server
$ curl -Ii http://34.241.217.25/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.24.0 (Ubuntu)
Date: Sat, 18 May 2024 19:58:31 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
$ curl -Ii http://76.223.67.189/.well-known/acme-challenge/sometestfile
curl: (52) Empty reply from server
2 Likes

Hi Mike,

Thank you so much for taking the time to help on this. I think you might be on to something as by using one of the tools provided in that topic I see different results:

However, I'm afraid I have no idea what this means, and how to resolve this. At the moment my ufw is inactive, and I haven't set up any other firewalls to my knowledge...

2 Likes

Hi Bruce,

Thank you for taking the time to help here as well!!

I'm not sure why these records would appear...? There is nothing like that set up in my domain provider

2 Likes

@NikolaosKalfas,

Not sure I know what this line means

Do you?

1 Like

No idea either. I think I found that there. I guess I could remove it?

1 Like

Here is what nslookup is showing, 3 IPv4 Addresses.

$ nslookup nikoskalfas.com ns77.domaincontrol.com.
Server:         ns77.domaincontrol.com.
Address:        97.74.108.49#53

Name:   nikoskalfas.com
Address: 76.223.67.189
Name:   nikoskalfas.com
Address: 13.248.213.45
Name:   nikoskalfas.com
Address: 34.241.217.25
1 Like

Oh, the info @Bruce5051 showed is key. Forget what I said about the geo-block

You can see 2 of the IP in your DNS are connected to AWS Global Accelerator

This often happens when you have a URL Forward (or URL Redirect) service enabled in GoDaddy DNS settings. Usually we see just 2 IP so somehow you got what might be one correct IP but still the 2 related to the URL Forward / Redirect service.

Check your DNS Settings for something like that and disable them.

2 Likes
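Bruce's per-address nmap/curl checks above and Mike's explanation of the two Global Accelerator IPs together describe the actual failure: the CA may pick any A record for the name, and two of the three gave no HTTP reply. Below is an added preflight script (my own example, not code from the thread or from Certbot) that automates that check: it resolves every IPv4 address of a domain, requests a throwaway token under /.well-known/acme-challenge/ from each address with the Host header set to the domain, and reports any address that returns no usable HTTP reply. The sample data at the bottom is constructed to mirror the thread's results (the EC2 nginx answering 404, the two accelerator addresses giving an empty reply); the token name and function names are mine.

```python
"""Preflight for HTTP-01: do *all* A records of a name answer HTTP on port 80?"""
import http.client
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class IpResult:
    ip: str
    status: Optional[int]   # HTTP status returned, or None when no usable reply came back
    error: Optional[str]    # exception text when status is None


def resolve_a(domain: str) -> List[str]:
    """Live resolver: every IPv4 address the system resolver returns for the domain."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_status(ip: str, host: str, path: str, timeout: float = 10.0) -> int:
    """Live fetch: GET the path from one specific IP, with Host set to the domain name,
    which is what the CA's validators do when they choose that address."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def check_http01_reachability(
    domain: str,
    token: str = "sometestfile",
    resolve: Callable[[str], List[str]] = resolve_a,
    fetch: Callable[[str, str, str], int] = fetch_status,
) -> List[IpResult]:
    """Try the challenge path on every A record; never stop at the first address."""
    path = ACME_PREFIX + token
    results: List[IpResult] = []
    for ip in resolve(domain):
        try:
            results.append(IpResult(ip, fetch(ip, domain, path), None))
        except (OSError, http.client.HTTPException) as exc:  # refused, reset, empty reply...
            results.append(IpResult(ip, None, f"{type(exc).__name__}: {exc}"))
    return results


def diagnose(results: List[IpResult]) -> Tuple[bool, str]:
    """Any HTTP status counts as reachable: a 404 for a throwaway token is expected,
    because the real token only exists while Certbot is running the challenge."""
    if not results:
        return False, "no A records found"
    silent = [r.ip for r in results if r.status is None]
    if silent:
        return False, (
            f"{len(silent)} of {len(results)} A records give no HTTP reply on port 80: "
            f"{', '.join(silent)}; the CA may validate against any of them, so stray "
            f"forwarding/parking records make HTTP-01 fail even when the real server is fine"
        )
    return True, f"all {len(results)} A records answer HTTP on port 80"


# ---- Constructed sample data mirroring the thread (not a live lookup) ----------------
THREAD_A_RECORDS = ["76.223.67.189", "13.248.213.45", "34.241.217.25"]


def fake_resolve(domain: str) -> List[str]:
    return list(THREAD_A_RECORDS)


def fake_fetch(ip: str, host: str, path: str) -> int:
    if ip == "34.241.217.25":
        return 404  # the EC2 nginx answered 404 for the test token
    raise ConnectionError("Empty reply from server")  # the two Global Accelerator IPs


def demo_before_cleanup() -> Tuple[bool, str]:
    """The state at the start of the thread: three A records, one working."""
    return diagnose(check_http01_reachability("nikoskalfas.com", resolve=fake_resolve, fetch=fake_fetch))


def demo_after_cleanup() -> Tuple[bool, str]:
    """After the parked/forwarding records were removed: only the EC2 address remains."""
    return diagnose(check_http01_reachability("nikoskalfas.com", resolve=lambda d: ["34.241.217.25"], fetch=fake_fetch))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python preflight.py example.com
        live = check_http01_reachability(sys.argv[1])
        for r in live:
            print(r)
        print(diagnose(live))
    else:
        print(demo_before_cleanup())
        print(demo_after_cleanup())
```

Run it with a domain argument to do the live check against your own DNS; without arguments it replays the constructed scenario. Because the script connects to each IP directly and only sets Host, it sees exactly the disagreement Bruce's curl commands showed, regardless of which address your local resolver happens to return first.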

Not sure if the "parked" record could be the issue. This is all I can see in my DNS settings and it doesn't look like there's any forwarding?

I'm not sure if 123reg is using GoDaddy either. I guess it could be?

I can't add two images sorry:

I saw your authoritative name servers look related to GoDaddy

I found this similar thread with instructions on disabling it. I think the "parking" is a symptom and will go away when you disable the forwarding. (I again spoke too soon - the person below just removed that parking entry to resolve it. See their other comments too)

2 Likes

This does look very similar to my case indeed, however I can't find any option to remove a forwarding in 123reg:

I think 123reg is owned by GoDaddy, but I don't have an account on GoDaddy that would be linked with that domain. I've deleted the parked record, as it's one of the steps in the thread you linked in your final reply, but no luck

2 Likes

Your DNS looks much better. Only one IP pointing to your EC2

What is the symptom now? Because this looks promising

An aside, google says this:

123 Reg is a British domain registrar and web hosting company founded in 2000 and now under the ultimate ownership of GoDaddy.

4 Likes

I actually didn't think to rerun the certbot command as on the browser I still see no changes.

I've tried running it and it worked, the renewal simulation also worked. I guess it's a matter of browser cache now as it looks ok in an incognito window.

Thank you both for your help here guys @MikeMcQ @Bruce5051 ! This was troubling me for days!

3 Likes

Yes, very likely browser cache.

Your cert looks good and you redirect HTTP to HTTPS

2 Likes

Looking good indeed. Amazing. Thanks a lot! :slight_smile:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.