Help, how to regenerate letsencrypt with a new domain and new subdomain?

hi, i have a webserver on ubuntu 20.04 with nginx. Before, the letsencrypt ssl was working normally with the old domain name, and now i try to regenerate a new letsencrypt ssl with a new domain name and new subdomain name, but it always fails.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (new) bentanihotel.id and admin.bentanihotel.id

I ran this command:
sudo certbot --nginx -d bentanihotel.id -d admin.bentanihotel.id

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for bentanihotel.id and admin.bentanihotel.id

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: bentanihotel.id
Type: unauthorized
Detail: 2a02:4780:3:c062::59: Invalid response from http://bentanihotel.id/.well-known/acme-challenge/oewhGoVKc2MKSwBMc14yBy2rq98sGv_QH5DNLrZorBM: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Ubuntu server 20.04, nextjs, nginx, and certbot
The operating system my web server runs on is (include version):
ubuntu server 20.04
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.8.0

please advise,

Thanks n regards,

2 Likes

Hi @ingenetic, and welcome to the LE community forum

The name "bentanihotel.id" has two IPs:

Addresses: 2a02:4780:3:c062::59
           159.223.35.200

The two IPs are being served by different web servers:

curl -Ii4 bentanihotel.id
HTTP/1.1 200 OK
Server: nginx     <<<<<<<<<<<<<<<<<<<<<<<<<
Date: Sun, 21 Jan 2024 12:10:42 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: origin

curl -Ii6 bentanihotel.id
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
x-powered-by: Niagahoster
content-type: text/html; charset=UTF-8
location: https://bentanihotel.id/
date: Sun, 21 Jan 2024 12:10:48 GMT
server: LiteSpeed     <<<<<<<<<<<<<<<<<<<<<<<<<
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
vary: User-Agent

Please check the IPs and correct the needful.

5 Likes

hi rg305,
does it mean i have to delete one ip?
is it this ip address: 2a02:4780:3:c062::59?
is that right? should i delete that ip address and try to generate the letsencrypt ssl again?
or what do i have to do?

Please advise.

Best regards,

Those IP addresses should point to your nginx server.

You can find what they are many ways. One is to run these commands on that server

curl -4 https://ifconfig.io
curl -6 https://ifconfig.io

If the -6 command does not show any address you should remove the AAAA record from your DNS.

The DNS IPs need to be correct for anyone to reach your server using IPv4 or IPv6

4 Likes

hi, here is the result for curl -4 https://ifconfig.io & curl -6 https://ifconfig.io from my webserver

user@bentani:~# curl -6 https://ifconfig.io

curl: (7) Couldn't connect to server

user@bentani:~# curl -4 https://ifconfig.io
159.223.35.200

is it safe to remove this dns record: 2a02:4780:3:c062::59?

please advise

Regards,

4 Likes

Yes, it seems that your server is not IPv6 enabled.

5 Likes

Hi rg305,

for my knowledge, may i know how you could tell that a domain name has two ips?
like in the first reply from you?

because i have already generated letsencrypt for other domain names, ex: one of my domain names which uses letsencrypt ssl has an AAAA dns record too, with IPv6 in the zone editor of cpanel, but i can issue letsencrypt ssl without any issue? but this one is an issue.

please advise,

Best regards,

1 Like

The Let's Debug test site is good to find comms config problems
https://letsdebug.net

Use a DNS lookup tool (like dig or nslookup from command prompt) to view your DNS records. Or, check your DNS config panel.

The https://unboundtest.com site is a reliable way to check various record types similar to how Let's Encrypt servers look them up.

In fact, both unboundtest and Let's Debug are still seeing your AAAA record:

Notice the server for IPv6 is not nginx but the "imunify360-webshield". And, you could not use IPv6 to connect to ifconfig.io

5 Likes
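An added example, not part of any post in this thread: the per-address check the replies above do by hand with `curl -4` / `curl -6`, as a script that resolves both record types and asks every address for the same challenge-style path. The path `test-file` and the function names are made up for illustration.

```python
import http.client
import socket
import sys

def resolve(host):
    """Return the A and AAAA addresses the system resolver gives for host."""
    found = {}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []
        found[rtype] = sorted({info[4][0] for info in infos})
    return found

def probe(host, ip, path):
    """HEAD http://host/path on port 80, connecting to one specific address."""
    conn = http.client.HTTPConnection(ip, 80, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    except (OSError, http.client.HTTPException) as exc:
        return None, f"unreachable ({exc})"
    finally:
        conn.close()

def findings(results):
    """results maps ip -> (status, server). List signs that the addresses are not one server."""
    notes = [f"{ip}: {why}" for ip, (status, why) in results.items() if status is None]
    answered = {ip: r for ip, r in results.items() if r[0] is not None}
    servers = {srv.lower() for _, srv in answered.values()}
    statuses = {st for st, _ in answered.values()}
    if len(servers) > 1 or len(statuses) > 1:
        notes.append("addresses answer differently: " + "; ".join(
            f"{ip} -> {st} {srv}" for ip, (st, srv) in answered.items()))
    return notes

if __name__ == "__main__":
    host = sys.argv[1]
    # Constructed path: a 404 from every address is fine, a mismatch is not.
    path = "/.well-known/acme-challenge/test-file"
    results = {ip: probe(host, ip, path) for ips in resolve(host).values() for ip in ips}
    for ip, (status, server) in results.items():
        print(ip, status, server)
    for note in findings(results) or ["all addresses answer alike"]:
        print("NOTE:", note)
```

Run it from a machine that has working IPv6; from a host without it, every AAAA address will be reported as unreachable regardless of what the DNS record points to.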

What is that domain name?

You can have A and AAAA records but they must both be valid. For your bentanihotel.id domain the IPv6 (AAAA) IP is not.

4 Likes

nslookup bentanihotel.id

3 Likes

What is that domain name?

for ex: tarad**.com
it has an AAAA record, but i have no issue when generating letsencrypt ssl? what is the difference between them? why is the one an issue and the other not an issue?
once again, this question is for my knowledge.

Thanks n regards,

1 Like

It is hard to say exactly why this other name "works".
Its IPv4 and IPv6 replies are not identical:

curl -Ii4 taradmc.com/.well-known/acme-challeng/Test_File-1234
HTTP/1.1 301 Moved Permanently
Date: Mon, 22 Jan 2024 04:47:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://taradmc.com/.well-known/acme-challeng/Test_File-1234
Content-Type: text/html; charset=iso-8859-1

curl -Ii6 taradmc.com/.well-known/acme-challeng/Test_File-1234
HTTP/1.1 404 Not Found
Date: Mon, 22 Jan 2024 04:47:48 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

3 Likes

Hi rg305 & MikeMcQ

Now i've generated letsencrypt successfully.
Really, thanks for the help & advice to solve the problems.
I've learned something new here.

Best regards,

4 Likes

Looks fine from here https://decoder.link/sslchecker/taradmc.com/443
Also on Windows 10 using Google Chrome Version 120.0.6099.225 (Official Build) (64-bit) I have no issues.

Did you clear your web browser's cache?

2 Likes

Also this domain seems fine too https://decoder.link/sslchecker/bentanihotel.id/443

3 Likes
