Failed to authenticate some domains when trying to issue a certificate for multiple domains on the same VPS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: iridiandesigns.uk (also www.iridiandesigns.uk, api.iridiandesigns.uk and mail.iridiandesigns.uk)

I ran this command: certbot --nginx -d iridiandesigns.uk -d www.iridiandesigns.uk -d api.iridiandesigns.uk -d mail.iridiandesigns.uk

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: api.iridiandesigns.uk
  Type:   unauthorized
  Detail: 2a02:4780:c:e27c::1: Invalid response from http://api.iridiandesigns.uk/.well-known/acme-challenge/Jao6KwfwXgfYZz5gCnR0k1HovxYD9SJalBdsisqndEI: 404

  Domain: iridiandesigns.uk
  Type:   unauthorized
  Detail: 2a02:4780:c:e27c::1: Invalid response from http://iridiandesigns.uk/.well-known/acme-challenge/uchV68jhRwxpwq3SmhWB7t0xuwGNWcy8GI1IJrk9QYo: 404

  Domain: www.iridiandesigns.uk
  Type:   unauthorized
  Detail: 2a02:4780:c:e27c::1: Invalid response from http://www.iridiandesigns.uk/.well-known/acme-challenge/3XMX-q3WMtrHHUh-hSSvNT1SjAQme4SVJQas8CvAKn8: 404

My web server is (include version): nginx v1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.2

To begin with, I am a dev, not a server admin, so I apologise if I get some of the terminology wrong.
I had set up a VPS (following tutorials on DigitalOcean and Hostinger, etc.) and had the server running with certificates installed. When the certificates expired, I tried to renew them but got authentication errors. In trying to resolve it, I think I may have deleted the certificates. Now when I try to install new certificates, I get the error listed above. When I run:

nginx -s reload

I get:

nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
nginx: [warn] conflicting server name "api.iridiandesigns.uk" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "iridiandesigns.uk" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.iridiandesigns.uk" on 0.0.0.0:80, ignored

The nginx config (if it helps) is:

server {
	server_name iridiandesigns.uk www.iridiandesigns.uk;
	root /home/stiofan/www/f_end/smccaffrey;
	
	location / {
		autoindex off;
		index index.html;
#		if ($http_origin ~* "^http://iridiandesigns.uk$|http://www.iridiandesigns.uk$") {
#	            add_header Access-Control-Allow-Origin "$http_origin";
#	            add_header Access-Control-Allow-Methods "OPTIONS, POST, GET";
#	            add_header Access-Control-Max-Age "3600";
#	            add_header Access-Control-Allow-Credentials "true";
# 	            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";
# 	            set $test  "A";
#	        }
#	        if ($request_method = 'OPTIONS') {
#	            set $test  "${test}B";
#	        }
#	        if ($test = "AB") {
#	            add_header Access-Control-Allow-Origin "$http_origin";
#	            add_header Access-Control-Allow-Methods "OPTIONS, DELETE, POST, GET, PATCH, PUT";
#	            add_header Access-Control-Max-Age "3600";
# 	            add_header Access-Control-Allow-Credentials "true";
#	            add_header Access-Control-Allow-Headers "Content-Type";
#	            return 204;
#	        }
#	        if ($test = "B") {
#	            return 403;
#	        }
#	        proxy_http_version  1.1;
#	        proxy_cache_bypass  $http_upgrade;
#	        proxy_set_header Upgrade           $http_upgrade;
#	        proxy_set_header Connection        "upgrade";
#	        proxy_set_header Host              $host;
#	        proxy_set_header X-Real-IP         $remote_addr;
#	        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
#	        proxy_set_header X-Forwarded-Proto $scheme;
#	        proxy_set_header X-Forwarded-Host  $host;
#	        proxy_set_header X-Forwarded-Port  $server_port;
#		include proxy_params;
#		proxy_pass http://unix:/run/gunicorn.sock;
		try_files $uri $uri/ /index.html;
	}

	location /assets/ {
		root /home/stiofan/www/f_end/smccaffrey;
	}

	location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|html)$ {
		expires max;
	}


#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/api.iridiandesigns.uk/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/api.iridiandesigns.uk/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
	server_name api.iridiandesigns.uk;

	location = /favicon.ico { access_log off; log_not_found off; }

	location /static/ {
		autoindex on;
		root /home/stiofan/www/b_end/portfolio;
	}

	location /contact {
		if ($http_origin ~* "^https?://(www\.)?iridiandesigns\.uk$") {
			add_header Access-Control-Allow-Origin "$http_origin" always;
			add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
			add_header Access-Control-Max-Age "3600";
			add_header Access-Control-Allow-Credentials "true" always;
	 	        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";			
			set $cors_p "A";
		}

		if ($request_method = 'OPTIONS') {
			set $cors_p "${cors_p}B";
		}

		if ($cors_p = "AB") {
			add_header Access-Control-Allow-Origin "$http_origin" always;
			add_header Access-Control-Allow-Methods "OPTIONS, GET, POST" always;
			add_header Access-Control-Max-Age "3600";
			add_header Access-Control-Allow-Authentication "true";
			add_header Access-Control-Allow-Headers "Content-Type";
			return 204;
		}

		if ($cors_p = "B") {
			return 403;
		}

		proxy_http_version 1.1;
		proxy_cache_bypass $http_upgrade;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Port $server_port;

		include proxy_params;
		proxy_pass http://unix:/run/gunicorn.sock;
	}

	location / {
		set $cors '';
		if ($http_origin ~ '^https?://(www\.)?iridiandesigns\.uk$') {
		        set $cors 'true';
		}

		if ($cors = 'true') {
		        add_header Access-Control-Allow-Origin "$http_origin" always;
		        add_header Access-Control-Allow-Credentials "true" always;
		        add_header Access-Control-Allow-Methods "GET, PUT, DELETE, OPTIONS" always;
		        add_header Access-Control-Allow-Headers "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;
		        # required to be able to read Authorization header in frontend
		        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
		}

		if ($request_method = 'OPTIONS') {
		        add_header Access-Control-Max-Age "3600";
		        add_header Content-Type "text/plain; charset=UTF-8";
		        add_header Content-Length "0";
		        return 204;
		}
		include proxy_params;
		proxy_pass http://unix:/run/gunicorn.sock;
	}

	location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|html)$ {
		root /home/stiofan/www/b_end/portfolio;
		expires max;
	}

#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/api.iridiandesigns.uk/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/api.iridiandesigns.uk/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
    if ($host = api.iridiandesigns.uk) {
        return 308 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	server_name api.iridiandesigns.uk;
    return 404; # managed by Certbot


}


server {
    if ($host = www.iridiandesigns.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = iridiandesigns.uk) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80;
	server_name iridiandesigns.uk www.iridiandesigns.uk;
    return 404; # managed by Certbot




}

I have tried commenting out the directives linking the (now deleted) certificates; otherwise nginx complains that they don't exist.

I'm trying to remove the references to the old certificates and simply issue new ones, but cannot seem to get past the error listed above.
Any help is appreciated.

Hello @IridianDreamer, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results: https://letsdebug.net/iridiandesigns.uk/1648461

MultipleIPAddressDiscrepancy
Warning
iridiandesigns.uk has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:c:e27c::1,Address Type=IPv6,Server=nginx/1.18.0 (Ubuntu),HTTP Status=404] vs [Address=149.100.158.178,Address Type=IPv4,Server=nginx/1.18.0 (Ubuntu),HTTP Status=200] 

Basically not all of the IP Addresses are giving the same responses.

1 Like

Hi Bruce5051,

Thanks for your response.
I have looked at the DNS records and I have A records pointing to the domain and IPv4 addresses and an AAAA record pointing to the IPv6 address; is there something else I'm missing?

3 Likes

IPv4 response is NOT what I expect, as the file is not present.

>curl -4 -Ii http://iridiandesigns.uk/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Oct 2023 18:40:29 GMT
Content-Type: text/html
Content-Length: 9910
Last-Modified: Tue, 11 Jul 2023 14:03:27 GMT
Connection: keep-alive
ETag: "64ad612f-26b6"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes

IPv6 response is what I expect, as the file is not present.

>curl -6 -Ii http://iridiandesigns.uk/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Oct 2023 18:40:41 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

1 Like

Are they both pointing to the same server?

1 Like

Also, for general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

1 Like

Side note: Port 443 is being filtered, therefore not accessible by the public Internet.

$ nmap -Pn -p80,443 www.iridiandesigns.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-23 18:57 UTC
Nmap scan report for www.iridiandesigns.uk (149.100.158.178)
Host is up (0.19s latency).
Other addresses for www.iridiandesigns.uk (not scanned): 2a02:4780:c:e27c::1
rDNS record for 149.100.158.178: iridiandesigns.uk

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds
1 Like

Your two server blocks that were for your certs no longer listen on port 443 because you commented that line out. The default is to listen on port 80.

But, you have other server blocks listening on port 80, so that's why you get the duplicate errors on startup.

You should either temporarily remove the cert based server blocks. Or, just put the listen 443 back in. You could create self-signed certs in place temporarily.

As you now know, deleting certs requires great care to do correctly.
https://eff-certbot.readthedocs.io/en/latest/using.html#safely-deleting-certificates

3 Likes

Thanks for your info Bruce, I was checking the DNS records but I'm not sure how to tell if the IPv6 is pointing to the same domain (I thought it was). The VPS has the IPv4 and IPv6 addresses assigned to it, so I thought having the A record and AAAA records pointing to them respectively, as well as CNAME records with the domain names, would link them all together. (Apologies, I am definitely not versed in server administration, just a programmer.)
I'm not sure how port 443 became filtered; I don't recall configuring it for that. I used UFW to open all the relevant ports for nginx.

3 Likes

You are correct about deleting the certs, I will not be blindly following tutorials/forum answers in future lol.

So basically, I should comment out anything in the config which is related to Certbot? Like the two server entries?
Or would you recommend issuing self-signed certs temporarily, as per the article you linked? (Apologies to MikeMcQ, I hadn't noticed you were the one who linked the article.)

Not exactly.

You could try:

  1. Remove the two server blocks that have the listen 80; in them which are just the redirects to HTTPS
  2. Remove the lines you commented out for listen 443 ssl; and the cert config lines from the two larger server blocks.
  3. In the remaining two large server blocks add a listen 80; statement in each one. While nginx defaults to this port, I don't think Certbot does and might be confused if it is missing.

This should put nginx back in the same state you had prior to using Certbot the first time. Restart nginx and make sure your site is visible from HTTP (since HTTPS will no longer work and you need HTTP working to satisfy the HTTP challenge). The Let's Debug test site (link here) is good to verify.

Once that works try running Certbot to get a fresh cert.

3 Likes

Thanks MikeMcQ, I'll try that now

1 Like

Also, while you have an AAAA record in DNS for IPv6 your nginx server blocks are not listening for it and won't receive those requests.

You should make sure all the server blocks have either
listen [::]:80; (if http)
or
listen [::]:443 ssl; (for https)

3 Likes
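The two diagnoses above (site blocks that fall back to port 80 once their listen 443 ssl line is commented out, which is exactly what the "conflicting server name" warnings report, and server blocks that never listen on [::] even though an AAAA record exists) can be checked mechanically. The following Python is an added example, not part of this thread nor of nginx or Certbot; it runs over a constructed config fragment modelled on the one posted and assumes no quoted value contains a '#'.

```python
import re

# Constructed nginx fragment modelled on the thread, not the poster's file: block 0
# has its Certbot "listen 443 ssl" commented out (so it falls back to port 80 and
# collides with the Certbot redirect block 1); block 2 is the repaired shape.
SAMPLE_CONF = """
server {
    server_name iridiandesigns.uk www.iridiandesigns.uk;
    location / { try_files $uri $uri/ /index.html; }
#    listen 443 ssl; # managed by Certbot
}
server {
    listen 80;
    server_name iridiandesigns.uk www.iridiandesigns.uk;
}
server {
    listen 80;
    listen [::]:80;
    server_name api.iridiandesigns.uk;
}
"""

def server_blocks(text):
    """Yield the body of every 'server { ... }' block, in file order."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth:                       # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def top_level_directives(body):
    """(name, args) for directives directly in the block, skipping nested {}."""
    out, depth, buf = [], 0, ""
    for ch in body:
        if ch in "{}":                     # entering or leaving a nested block
            depth, buf = depth + (1 if ch == "{" else -1), ""
        elif depth == 0 and ch == ";":
            parts, buf = buf.split(), ""
            if parts:
                out.append((parts[0], parts[1:]))
        elif depth == 0:
            buf += ch
    return out

def parse_listen(args):
    """Normalise a listen directive to (address, port, ssl) as nginx binds it."""
    spec, ssl = args[0], "ssl" in args[1:]
    if spec.startswith("["):               # IPv6: [::]:80 or bare [::]
        addr, port = (spec, "80") if spec.endswith("]") else spec.rsplit(":", 1)
    elif ":" in spec:                      # 0.0.0.0:80 or *:80
        addr, port = spec.split(":", 1)
    else:                                  # bare port binds every IPv4 address
        addr, port = "*", spec
    return ("0.0.0.0" if addr == "*" else addr), port, ssl

def lint(conf):
    """Find nginx 'conflicting server name' cases and IPv4 listens lacking a [::] twin."""
    text = "\n".join(ln.split("#", 1)[0] for ln in conf.splitlines())  # drop comments
    owners, missing_v6 = {}, []
    for idx, body in enumerate(server_blocks(text)):
        dirs = top_level_directives(body)
        listens = [parse_listen(a) for d, a in dirs if d == "listen"]
        listens = listens or [("0.0.0.0", "80", False)]   # nginx default as root
        names = [n for d, a in dirs if d == "server_name" for n in a]
        for addr, port, _ in listens:
            for name in names:
                owners.setdefault((f"{addr}:{port}", name), []).append(idx)
        v4 = {p for a, p, _ in listens if not a.startswith("[")}
        v6 = {p for a, p, _ in listens if a.startswith("[")}
        missing_v6 += [(idx, p) for p in sorted(v4 - v6)]
    conflicts = [(s, n, ids) for (s, n), ids in owners.items() if len(ids) > 1]
    return {"conflicts": conflicts, "missing_ipv6": missing_v6}
```

Calling lint(SAMPLE_CONF) reports blocks 0 and 1 as conflicting on 0.0.0.0:80 for both site names and flags both for a missing listen [::]:80, while the repaired api block passes.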

I'm getting the error Bruce5051 had noted earlier regarding the multiple addresses. Apparently the IPv6 address isn't configured to point to the same domain; I'm not sure why though. I have set the AAAA record in the DNS to point to the IPv6 address assigned to the VPS, and I have a CNAME for each of the domains (with and without www, as well as api). I even have an SPF record which lists both IP addresses.

We may have cross-posted. See my prior post about the IPv6 listen clauses.

3 Likes

I'll update the configs with the listen [::]:443 ssl; entries now and try again.

edit: I have included the IPv6 listen clauses, reloaded nginx and am getting an error indicating

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/

No, if you have a listen 80; for IPv4 then you should have a matching listen [::]:80; for IPv6.

Same for HTTPS server blocks, if you have a listen 443 ssl; then you have a matching listen [::]:443 ssl statement.

You should not mix port 80 and 443 in the same server block. It is technically possible but should only be done by experts for unusual cases.

Why don't you show us your nginx config statements. You should only have two large server blocks remaining and these should be listening on port 80 (both IPv4 and v6). They should not have anything related to cert config in them. I was trying to help you restore nginx after you deleted your certs.

3 Likes

Ok, I'm probably getting myself confused. Here is the current state of the config file:

server {
	server_name iridiandesigns.uk www.iridiandesigns.uk;
	root /home/stiofan/www/f_end/smccaffrey;
        listen 80;
        listen [::]:80;
	
	location / {
		autoindex off;
		index index.html;
#		if ($http_origin ~* "^http://iridiandesigns.uk$|http://www.iridiandesigns.uk$") {
#	            add_header Access-Control-Allow-Origin "$http_origin";
#	            add_header Access-Control-Allow-Methods "OPTIONS, POST, GET";
#	            add_header Access-Control-Max-Age "3600";
#	            add_header Access-Control-Allow-Credentials "true";
# 	            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";
# 	            set $test  "A";
#	        }
#	        if ($request_method = 'OPTIONS') {
#	            set $test  "${test}B";
#	        }
#	        if ($test = "AB") {
#	            add_header Access-Control-Allow-Origin "$http_origin";
#	            add_header Access-Control-Allow-Methods "OPTIONS, DELETE, POST, GET, PATCH, PUT";
#	            add_header Access-Control-Max-Age "3600";
# 	            add_header Access-Control-Allow-Credentials "true";
#	            add_header Access-Control-Allow-Headers "Content-Type";
#	            return 204;
#	        }
#	        if ($test = "B") {
#	            return 403;
#	        }
#	        proxy_http_version  1.1;
#	        proxy_cache_bypass  $http_upgrade;
#	        proxy_set_header Upgrade           $http_upgrade;
#	        proxy_set_header Connection        "upgrade";
#	        proxy_set_header Host              $host;
#	        proxy_set_header X-Real-IP         $remote_addr;
#	        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
#	        proxy_set_header X-Forwarded-Proto $scheme;
#	        proxy_set_header X-Forwarded-Host  $host;
#	        proxy_set_header X-Forwarded-Port  $server_port;
#		include proxy_params;
#		proxy_pass http://unix:/run/gunicorn.sock;
		try_files $uri $uri/ /index.html;
	}

	location /assets/ {
		root /home/stiofan/www/f_end/smccaffrey;
	}

	location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|html)$ {
		expires max;
	}
     listen [::]:80;

#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/api.iridiandesigns.uk/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/api.iridiandesigns.uk/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
	server_name api.iridiandesigns.uk;
	listen 80;
        listen [::]:80;

	location = /favicon.ico { access_log off; log_not_found off; }

	location /static/ {
		autoindex on;
		root /home/stiofan/www/b_end/portfolio;
	}

	location /contact {
		if ($http_origin ~* "^https?://(www\.)?iridiandesigns\.uk$") {
			add_header Access-Control-Allow-Origin "$http_origin" always;
			add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
			add_header Access-Control-Max-Age "3600";
			add_header Access-Control-Allow-Credentials "true" always;
	 	        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";			
			set $cors_p "A";
		}

		if ($request_method = 'OPTIONS') {
			set $cors_p "${cors_p}B";
		}

		if ($cors_p = "AB") {
			add_header Access-Control-Allow-Origin "$http_origin" always;
			add_header Access-Control-Allow-Methods "OPTIONS, GET, POST" always;
			add_header Access-Control-Max-Age "3600";
			add_header Access-Control-Allow-Authentication "true";
			add_header Access-Control-Allow-Headers "Content-Type";
			return 204;
		}

		if ($cors_p = "B") {
			return 403;
		}

		proxy_http_version 1.1;
		proxy_cache_bypass $http_upgrade;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Port $server_port;

		include proxy_params;
		proxy_pass http://unix:/run/gunicorn.sock;
	}

	location / {
		set $cors '';
		if ($http_origin ~ '^https?://(www\.)?iridiandesigns\.uk$') {
		        set $cors 'true';
		}

		if ($cors = 'true') {
		        add_header Access-Control-Allow-Origin "$http_origin" always;
		        add_header Access-Control-Allow-Credentials "true" always;
		        add_header Access-Control-Allow-Methods "GET, PUT, DELETE, OPTIONS" always;
		        add_header Access-Control-Allow-Headers "Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With" always;
		        # required to be able to read Authorization header in frontend
		        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
		}

		if ($request_method = 'OPTIONS') {
		        add_header Access-Control-Max-Age "3600";
		        add_header Content-Type "text/plain; charset=UTF-8";
		        add_header Content-Length "0";
		        return 204;
		}
		include proxy_params;
		proxy_pass http://unix:/run/gunicorn.sock;
	}

	location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico|html)$ {
		root /home/stiofan/www/b_end/portfolio;
		expires max;
	}

#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/api.iridiandesigns.uk/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/api.iridiandesigns.uk/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

The Certbot stuff which was commented out is still there, but still commented; should I have just removed it completely?

You should make the changes below but I don't see any listens on port 443 so I don't know why nginx is complaining about missing ssl certificates.

Was there a file name given at the end of this message?

"listen ... ssl" directive in /etc/nginx/sites-enabled/

As for the changes needed

OK, in the above server block you should remove all these lines below

     listen [::]:80;  (you have this twice so are deleting only the second one)

#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/api.iridiandesigns.uk/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/api.iridiandesigns.uk/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

In the above server block just remove the below commented lines. They will just be confusing later although are not hurting anything at the moment.

#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/api.iridiandesigns.uk/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/api.iridiandesigns.uk/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

3 Likes

There is a file name after the "listen ... ssl" directive in /etc/nginx/sites-enabled/ but I didn't think it necessary to include it since it's only my name lol.

I will make the changes you suggested now.
Also, when I ran the site check and got the error about the multiple sites (IPv6 not pointing to the same domain) I checked this: IPv6 Support - Let's Encrypt.
which indicates I should remove the AAAA record (or at least that's how I'm reading it). I had it in there simply to try to future-proof the site. What would you suggest?

edit: I've made the changes you suggested and am not getting any more errors when I reload nginx