Failed to authenticate some domains when trying to issue a certificate for multiple domains on the same VPS

Well now at least IPv4 and IPv6 give the same response for curl
IPv4

>curl -4 -Ii http://iridiandesigns.uk/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Oct 2023 19:55:26 GMT
Content-Type: text/html
Content-Length: 9910
Last-Modified: Tue, 11 Jul 2023 14:03:27 GMT
Connection: keep-alive
ETag: "64ad612f-26b6"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes

IPv6

>curl -6 -Ii http://iridiandesigns.uk/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Oct 2023 19:55:29 GMT
Content-Type: text/html
Content-Length: 9910
Last-Modified: Tue, 11 Jul 2023 14:03:27 GMT
Connection: keep-alive
ETag: "64ad612f-26b6"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes

1 Like

And https://letsdebug.net/iridiandesigns.uk/1648533 is happy with an OK.

1 Like

Thanks Bruce5051, I see now I'm getting an 'All OK' response from the letsencrypt test

3 Likes

If you have a proper IPv6 address in your DNS you must also have an IPv6 listen statement in your nginx. But, the opposite is not true. It is fine to have nginx IPv6 listen statement but no AAAA record in your DNS. You just won't have IPv6 support then because no one can learn your IPv6 address. IPv6 is recommended if your ISP supports it.

3 Likes
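The rule in the reply above (an AAAA record needs a matching IPv6 listen, but an IPv6 listen without an AAAA record is harmless) can be checked mechanically. The script below is an added illustration, not code from this thread, from nginx or from Let's Encrypt; the DNS records and the nginx server blocks it inspects are constructed samples, and the parsing assumes the common listen forms (`80`, `*:80`, `0.0.0.0:443`, `[::]:443`, bare `[::]`) with nginx's default `ipv6only=on`, so a `[::]` listen counts only for IPv6.

```python
"""Compare the address families a host publishes in DNS with the families
its nginx listen directives actually serve on the ACME-relevant ports.
Added example; inputs are constructed, not real lookups or real config."""
import re

# Constructed sample: records published for the site (not a real domain).
DNS_RECORDS = {"A": ["192.0.2.10"], "AAAA": ["2001:db8::1"]}

# Constructed sample config: port 80 listens on both families, but the
# TLS server block only has an IPv4 listen on 443.
NGINX_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name example.test www.example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.test www.example.test;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)


def parse_listen(addr):
    """Map one listen address token to (family, port), or None for
    unix sockets. Assumes nginx's default ipv6only=on, so '[::]' forms
    bind IPv6 only and every other form binds IPv4 only."""
    if addr.startswith("unix:"):
        return None
    if addr.startswith("["):
        if "]:" in addr:
            return "AAAA", int(addr.rsplit("]:", 1)[1])
        return "AAAA", 80            # bare [::] defaults to port 80
    if ":" in addr:
        return "A", int(addr.rsplit(":", 1)[1])   # *:443 or 0.0.0.0:443
    return "A", int(addr)            # bare port number


def listen_families(conf):
    """Return {port: set of families} from every listen directive in conf.
    Flags after the address (ssl, http2, default_server) are ignored."""
    families = {}
    for raw in LISTEN_RE.findall(conf):
        parsed = parse_listen(raw.split()[0])
        if parsed:
            fam, port = parsed
            families.setdefault(port, set()).add(fam)
    return families


def dns_listen_gaps(records, conf, ports=(80, 443)):
    """Return [(port, family)] where DNS publishes an address of that
    family but nginx has no listen directive for it on that port.
    A listen with no matching DNS record is deliberately not reported:
    it is unreachable but harmless."""
    served = listen_families(conf)
    gaps = []
    for port in ports:
        for fam in ("A", "AAAA"):
            if records.get(fam) and fam not in served.get(port, set()):
                gaps.append((port, fam))
    return gaps


if __name__ == "__main__":
    for port, fam in dns_listen_gaps(DNS_RECORDS, NGINX_CONF):
        print(f"port {port}: DNS has {fam} record but nginx has no "
              f"{'IPv6' if fam == 'AAAA' else 'IPv4'} listen")
```

A gap on port 80 is the one that breaks HTTP-01 validation, since a CA that sees an AAAA record will try IPv6 first; a gap on 443 only becomes visible after issuance, when clients on one family cannot reach the TLS site. Running the check against the real config means substituting the output of a DNS lookup for `DNS_RECORDS` and the contents of the enabled site files for `NGINX_CONF`.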

Thanks MikeMcQ, I think you've resolved the mismatched addresses issue

4 Likes

Now you just have to figure out why your port 443 is blocked. Looks "filtered" so probably a firewall or some other comms related config for this port. It is affecting IPv4 and v6 equally.

3 Likes

This is what I'm seeing from ufw status:

 ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Dovecot IMAP               ALLOW       Anywhere
Dovecot Secure IMAP        ALLOW       Anywhere
Postfix                    ALLOW       Anywhere
Postfix SMTPS              ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

So I'm not sure why it'd be filtered.
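Reading a `ufw status` table by eye is error-prone because application profiles such as `Nginx Full` hide which ports they open, and the v4 and v6 rules are listed separately. The script below is an added illustration, not code from this thread or from ufw: it parses a constructed status listing shaped like the one above and reports which of the ports an HTTP-01 validation and TLS host needs (80 and 443, each for v4 and v6) have no ALLOW rule from Anywhere. The profile-to-port table is an assumption based on the stock profiles nginx and OpenSSH install under /etc/ufw/applications.d.

```python
"""Parse `ufw status` output and report missing ALLOW rules for the ports
an ACME HTTP-01 host needs, on both address families. Added example;
the status text below is constructed, not captured from a real host."""
import re

# Constructed sample: only the HTTP profile is open, so 443 is missing
# on both families even though the table looks "full" at a glance.
UFW_STATUS = """Status: active

To                         Action      From
--                         ------      ----
Nginx HTTP                 ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Assumed mapping of application profile names to the ports they open.
APP_PROFILES = {
    "Nginx HTTP": {("80", "tcp")},
    "Nginx HTTPS": {("443", "tcp")},
    "Nginx Full": {("80", "tcp"), ("443", "tcp")},
    "OpenSSH": {("22", "tcp")},
}

# One rule line: target, two or more spaces, action, source.
RULE_RE = re.compile(
    r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<from>.+?)\s*$"
)


def allowed_ports(status_text):
    """Return {'v4': {(port, proto)}, 'v6': {...}} for ALLOW rules whose
    source is Anywhere. Rules restricted to a specific source are skipped:
    they would not admit a CA's validation servers."""
    allowed = {"v4": set(), "v6": set()}
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("action") != "ALLOW":
            continue
        if not m.group("from").startswith("Anywhere"):
            continue
        to = m.group("to").strip()
        fam = "v6" if to.endswith("(v6)") else "v4"
        to = to.removesuffix(" (v6)")
        if to in APP_PROFILES:
            allowed[fam] |= APP_PROFILES[to]
        else:
            port, _, proto = to.partition("/")     # e.g. 22/tcp
            allowed[fam].add((port, proto or "tcp"))
    return allowed


def missing_rules(status_text, required=(("80", "tcp"), ("443", "tcp"))):
    """Return sorted [(family, port, proto)] for required ports that have
    no ALLOW-from-Anywhere rule on that family."""
    allowed = allowed_ports(status_text)
    return sorted(
        (fam, port, proto)
        for fam in ("v4", "v6")
        for port, proto in required
        if (port, proto) not in allowed[fam]
    )


if __name__ == "__main__":
    for fam, port, proto in missing_rules(UFW_STATUS):
        print(f"{fam}: no ALLOW rule for {port}/{proto}")
```

A clean result from this check only rules out ufw on the host itself. A port that `nmap` still reports as filtered after ufw allows it points to something in front of the host, typically a provider-side firewall or security group, or to nothing listening on the port at all, which `ss -ltn` on the server distinguishes from a filtering rule.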

They are not filtered now :slight_smile:

>nmap -4 -Pn -p80,443 iridiandesigns.uk
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 20:07 UTC
Nmap scan report for iridiandesigns.uk (149.100.158.178)
Host is up (0.17s latency).
Other addresses for iridiandesigns.uk (not scanned): 2a02:4780:c:e27c::1

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
>nmap -6 -Pn -p80,443 iridiandesigns.uk
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 20:07 UTC
Nmap scan report for iridiandesigns.uk (2a02:4780:c:e27c::1)
Host is up (0.15s latency).
Other addresses for iridiandesigns.uk (not scanned): 149.100.158.178

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

1 Like

Thanks for checking Bruce5051, I just reinstalled the certs and everything looks to be working now as expected, I guess it was the misconfiguration of my nginx conf file.

Note to self: don't delete cert files willy-nilly....

3 Likes

You appear to have resolved all of the issues, thanks MikeMcQ. Which reply should I mark as the solution?

3 Likes

And SSL Server Test: iridiandesigns.uk (Powered by Qualys SSL Labs) gets an A

1 Like

Thanks for your help Bruce5051, I appreciate the time you've taken.

(Kinda want to frame that 'A' now...)

4 Likes

Your discretion. Whichever was the key to resolving the problem. You had a couple so pick from the buffet :slight_smile:

3 Likes

Thanks MikeMcQ, I really appreciate the time you took to walk me through the resolution.

4 Likes
