I got 404 Error when Acquiring Let's Encrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Ekene Ekene
I ran this command:
sudo certbot --nginx -d jesuschristmind.org -d www.jesuschristmind.org
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jesuschristmind.com
Waiting for verification...
Challenge failed for domain jesuschristmind.com
http-01 challenge for jesuschristmind.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jesuschristmind.com
    Type: unauthorized
    Detail: Invalid response from
    https://jesuschristmind.com/.well-known/acme-challenge/NuaFMRCV_PVElHT6Zp6vzMeTp1RT4NUb4d_ojT0mU7Y
    [2606:4700::6810:f34e]: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
nginx
The operating system my web server runs on is (include version):
ubuntu
My hosting provider, if applicable, is:
Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot

Are you using Cloudflare or DigitalOcean directly? (Probably the latter, since your NS records point to DigitalOcean)

You have to fix your A and AAAA records so that they point to your server (and your server only)

1 Like

I have fixed the DNS but it still didn't work.
I have added the A and AAAA records to point to my Digital Ocean Ubuntu droplet. I am using Digital Ocean directly.

If you enter the domain, it will show you an nginx server as a symbol that the A record is inserted well.

Adding is not enough. They have to be the only ones present for that "dns label" (the single domain/subdomain)

1 Like


That is a picture of how my configuration looks.

The other records are not deletable.

If you are not using Cloudflare anymore you have to remove the AAAA records pointing to 2606:4700:.... and the A records pointing to 104.16.x.y

Is that the Cloudflare panel or the DigitalOcean one?

1 Like

This is where the problem is coming from.
These records seem permanent because they seem not removable, because they are managed by the Digital Ocean app.
I was refused when removing those A and AAAA records.

I don't know DigitalOcean too well. Maybe you can remove them by disabling some Cloudflare integration? (make sure you're not breaking other websites and droplets in doing so)

1 Like

Okay, can you please check back on this question later, so that I can get back to you?

It seems these records are not removable.

You need to speak with your DSP about those DNS entries:
[about half of their entries shown are not what is being seen from the Internet]

jesuschristmind.org     nameserver = ns1.digitalocean.com
jesuschristmind.org     nameserver = ns2.digitalocean.com
jesuschristmind.org     nameserver = ns3.digitalocean.com
2 Likes

I don't think anything is wrong with the DNS records.

From what I remember, DigitalOcean use Cloudflare infrastructure for their DNS hosting, and jesuschristmind.org looks like an ordinary domain with the Cloudflare proxy enabled.

You have a fairly old version of Certbot and there is a fix relevant to --nginx and Cloudflare in Certbot v1.13.0. If you can, I recommend installing the Certbot snap and trying to use it instead.

If you can't do that, you might have to set your Cloudflare encryption setting to "Flexible", but I'm not sure whether that's accessible from the way DigitalOcean have integrated things.

1 Like

But... there are two Cloudflare IPs and a DigitalOcean IP... how is that supposed to work?

(oh, I get it now. ns{1,2,3}.digitalocean.com points to Cloudflare IPs.)

1 Like

Ah, you are right, there's a mixture of IPs.

Those non-Cloudflared IPs (164.92.205.143 and 2a03:b0c0:3:d0::19c3:1001) don't seem to host the website in question at all. The IPv4 address is just a blank nginx server and the IPv6 address doesn't even seem to be online.

The Cloudflare IP addresses, on the other hand, do serve a valid website.

Is @udunanka trying to set up a second server? I am not clear on what the role of this second droplet is, if it's not hosting the current website?

2 Likes

Neither am I.

I assumed the spurious IPs were the Cloudflare ones. If they're the right ones, I might start to suspect that this is some kind of automatic DigitalOcean-Cloudflare integration for this droplet.

1 Like

I think Digital Ocean is messing around with me.
I forgot to tell you guys that https://jesuschristmind.com/ or https://jesuschristmind.org/ works even without an SSL certificate installed.
https://www.esuschristmind.com/ does not work at all and that is why I am installing an SSL certificate.
www.jesuschristmind.com does not work.
jesuschristmind.com does not work at all.
I think Digital Ocean is messed up.

They "work" because CloudFlare is handling those IPs (and those certs):

Name:      jesuschristmind.org
Addresses: 2606:4700::6810:f44e
           2606:4700::6810:f34e
           104.16.243.78
           104.16.244.78
Aliases:   www.jesuschristmind.org
1 Like
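
As an added example (not code from any poster in this thread), this Python sketch parses the Certbot error detail quoted in the first post and classifies the address the CA actually contacted against the addresses discussed above. The two Cloudflare ranges are hard-coded from Cloudflare's published list as an assumption, and all function names are illustrative.

```python
import ipaddress
import re

# Two of Cloudflare's published proxy ranges (full list: https://www.cloudflare.com/ips/);
# hard-coded here as an assumption, enough to cover the addresses in this thread.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "2606:4700::/32")]

# Addresses quoted in the thread: what the name resolves to publicly,
# and the non-Cloudflare (droplet) addresses mentioned by the helpers.
PUBLIC_ADDRS = ["2606:4700::6810:f44e", "2606:4700::6810:f34e",
                "104.16.243.78", "104.16.244.78"]
DROPLET_ADDRS = ["164.92.205.143", "2a03:b0c0:3:d0::19c3:1001"]

# Certbot error detail as quoted in the first post.
CERTBOT_DETAIL = """Detail: Invalid response from
https://jesuschristmind.com/.well-known/acme-challenge/NuaFMRCV_PVElHT6Zp6vzMeTp1RT4NUb4d_ojT0mU7Y
[2606:4700::6810:f34e]: 404"""

def validated_address(detail):
    """Return (ip, http_status) the CA reports having contacted, or None."""
    m = re.search(r"\[([0-9A-Fa-f:.]+)\]:\s*(\d{3})", detail)
    return (ipaddress.ip_address(m.group(1)), int(m.group(2))) if m else None

def classify(addr, droplet_addrs):
    """Label one address as 'origin', 'cloudflare' or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip in {ipaddress.ip_address(a) for a in droplet_addrs}:
        return "origin"
    if any(ip.version == net.version and ip in net for net in CLOUDFLARE_NETS):
        return "cloudflare"
    return "unknown"

def diagnose(detail, public_addrs, droplet_addrs):
    """Summarise where the http-01 request landed and what DNS hands out."""
    hit = validated_address(detail)
    labels = {a: classify(a, droplet_addrs) for a in public_addrs}
    return {
        "validated_ip": str(hit[0]) if hit else None,
        "status": hit[1] if hit else None,
        "validated_via": classify(str(hit[0]), droplet_addrs) if hit else None,
        "dns_labels": labels,
        # True when DNS hands out both proxy and origin addresses for one name.
        "mixed_record_set": len(set(labels.values())) > 1,
    }

if __name__ == "__main__":
    for key, value in diagnose(CERTBOT_DETAIL, PUBLIC_ADDRS, DROPLET_ADDRS).items():
        print(f"{key}: {value}")
```

A `validated_via` of `cloudflare` together with a 404 shows the challenge request went to the proxy address rather than directly to the droplet where Certbot was run.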

What do you think I should do to make www. and https://www work now, since I find it difficult to use with Let's Encrypt?

Have you spoken with CloudFlare about this "problem"?

1 Like