Help adding certs for one of my subdomains (Previous one worked fine)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: git.momoyon.org, www.git.momoyon.org

I ran this command:

$ certbot

Which interactively let me select the domains I want to add HTTPS for.
I selected 2 and 3 from:
1: momoyon.org
2: git.momoyon.org
3: www.git.momoyon.org
4: mail.momoyon.org
5: www.mail.momoyon.org
6: www.momoyon.org

Everything else has HTTPS already.

It produced this output:

```
Requesting a certificate for git.momoyon.org and www.git.momoyon.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: git.momoyon.org
Type: unauthorized
Detail: 2401:c080:3000:36e1:5400:5ff:fe42:b43a: Invalid response from http://git.momoyon.org/.well-known/acme-challenge/BGenIO-njx4QbK-k9MZ0cS0dSmVXyPOGmAzFgM454ro: 404

Domain: www.git.momoyon.org
Type: unauthorized
Detail: 2401:c080:3000:36e1:5400:5ff:fe42:b43a: Invalid response from http://www.git.momoyon.org/.well-known/acme-challenge/OHM5jC2qFgtZXN8wDX4vz47QC3u6DoRVtFazMHOIemg: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version): nginx version: nginx/1.22.1

The operating system my web server runs on is (include version): Linux momoyon 6.1.0-31-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64 GNU/Linux

My hosting provider, if applicable, is: https://vultr.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Additional info which I think could be helpful:

/var/log/letsencrypt/letsencrypt.log (pasted on Pastebin): 2025-05-11 09:31:20,787:DEBUG:certbot._internal.main:certbot version: 2.1.0

I use https://epik.com as my registrar for my domain.

Here are the CNAME (Subdomain) DNS Records for it:
NOTE: the text inside the brackets is what I filled in.

  • Host [www.git] .momoyon.org Points to [momoyon.org.] TTL[300]
  • Host [git] .momoyon.org Points to [momoyon.org.] TTL[300]
  • Host [www.mail] .momoyon.org Points to [momoyon.org.] TTL[300]
  • Host [mail] .momoyon.org Points to [momoyon.org.] TTL[300]

Welcome @momoyon

You don't have any listen statements in your "git" server block. nginx then defaults to listening only on port 80, for IPv4 only. Your domain has an IPv6 AAAA record in the DNS and Let's Encrypt uses that first when available. You need to add listen statements for both IPv4 and IPv6.

Further, you have a server block in this same config file that has only two listen statements. What is the purpose of that? It seems to me you should just move those two listen statements into your "git" server block and then delete that tiny one.

Below is your config file from the log you provided:

File: /etc/nginx/sites-enabled/git:

```nginx
server {
    server_name www.git.momoyon.org git.momoyon.org;

    root /var/www/gitweb;

    location /index.cgi {
        root /usr/share/gitweb/;
        include fastcgi_params;
        gzip off;
        fastcgi_param SCRIPT_NAME $uri;
        fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }
    location / {
        root /usr/share/gitweb/;
        index index.cgi;
    }
}

server {
    listen 80;
    listen [::]:80;
}
```

The two listen statements in the tiny 4-line server block at the end of that config file belong in the server block above. Then, remove this 4-line server block.

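As an added example (not code from this thread, from Certbot or from nginx), here is a small POSIX shell check that reproduces the diagnosis above mechanically: it scans an nginx configuration for `server { }` blocks that contain no `listen` directive, which are exactly the blocks that end up IPv4-only on port 80 and never see the CA's IPv6 validation request. The two embedded configs are constructed for the example: the first condenses the broken `sites-enabled/git` file as posted, the second is the corrected form with both `listen` lines moved into the `git` block and the stray 4-line block deleted. Hostnames are the ones from the thread; everything else (function names, the sample configs) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not part of the original thread or of any nginx/Certbot tooling.
# Reports nginx server{} blocks that have no `listen` directive. Such a block
# defaults to *:80 (IPv4 only), so a CA that prefers the AAAA record lands in
# whatever other block owns [::]:80, not in this one.

# find_blocks_without_listen [FILE...]: reads nginx config from FILE(s) or stdin,
# prints the server_name line of every server block lacking a listen directive.
find_blocks_without_listen() {
    awk '
      # A server block opens: reset per-block state. Depth counts braces so that
      # nested location{} blocks do not end the server block early.
      /^[[:space:]]*server[[:space:]]*[{]/ {
          depth = 1; inserver = 1; names = "(no server_name)"; haslisten = 0; next
      }
      inserver {
          sub(/#.*/, "")                      # drop trailing comments
          opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
          if ($1 == "listen") haslisten = 1
          if ($1 == "server_name") {
              sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); names = $0
          }
          depth += opens - closes
          if (depth == 0) { if (!haslisten) print names; inserver = 0 }
      }
    ' "$@"
}

# Constructed sample: the broken layout from the thread, condensed.
sample_broken_config() {
    cat <<'EOF'
server {
    server_name www.git.momoyon.org git.momoyon.org;
    root /var/www/gitweb;
    location /index.cgi {
        root /usr/share/gitweb/;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }
    location / {
        root /usr/share/gitweb/;
        index index.cgi;
    }
}

server {
    listen 80;
    listen [::]:80;
}
EOF
}

# Constructed sample: the fix, with the listen lines inside the git block.
sample_fixed_config() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80;   # IPv6 too: Let's Encrypt tried the AAAA address first
    server_name www.git.momoyon.org git.momoyon.org;
    root /var/www/gitweb;
    location / {
        root /usr/share/gitweb/;
        index index.cgi;
    }
}
EOF
}

echo "Blocks without listen (broken config):"
sample_broken_config | find_blocks_without_listen
echo "Blocks without listen (fixed config):"
sample_fixed_config | find_blocks_without_listen
```

On a live host, `nginx -T | find_blocks_without_listen` runs the same check over the full effective configuration. To see the problem from the CA's side, compare `curl -4 -I http://git.momoyon.org/` with `curl -6 -I http://git.momoyon.org/`: before the fix the IPv6 request is answered by a different server block than the IPv4 one, which is why the challenge file Certbot placed returned 404.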

Ok, thank you, that worked! As for the server block with the two listen statements, I put it there when I was trying pretty much everything to make it work, since my momoyon.org one has them in a separate server block. It has some other statements too, but those ones had "# managed by Certbot", so I didn't add those. I guess I should have tried after adding the listen statements to the main block before doing this. I knew it was something stupid...

Anyways thanks for the clear answer Mike!
