Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: cxchatbot.basf.host
I ran this command: sudo certbot --nginx
It produced this output: Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cxchatbot.basf.host
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cxchatbot.basf.host (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a02:4780:8:324:0:1d49:de64:1: Invalid response from http://cxchatbot.basf.host/.well-known/acme-challenge/7IXhrlImKG9gtzHicG5wSwStoYrDDM7OjuVJhWKIneE: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 18
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Your DNS has both A and AAAA records. Let's Encrypt will use the AAAA record for IPv6 if present. You can see the IPv6 address in your error message 2a02:4780:8:324:0:1d49:de64:1
I get different responses from the IPv4 and IPv6 addresses. You should ensure they both point to the right server. If your IPv6 address is correct we need to explore why you got a 404 error. So, let us know how you resolved your DNS records.
curl -I4 cxchatbot.basf.host (uses IPv4 address)
curl: (7) Failed to connect to cxchatbot.basf.host port 80 after 12 ms: Connection refused
curl -I6 cxchatbot.basf.host (uses IPv6)
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
date: Mon, 01 Aug 2022 13:21:24 GMT
server: LiteSpeed
This is the command that is recommended in my application's SSL installation. So I did this before and it worked, but now it is not working. Now when I am trying this command it is showing the above error.
@rg305 @MikeMcQ Initially I used the application documentation, and there they have mentioned the commands for SSL using certbot. Then after 90 days my SSL expired, so I was trying to reinstall the certificate, so I removed nginx as well as certbot and started a fresh installation. But now it is showing the above error. Yes, the IP is correct.
@MikeMcQ When I run curl -4 it is showing the IP, but when I run curl -6 it is showing:
ubuntu@cxchatbot:~$ curl -6 http://ifconfig.co
curl: (7) Couldn't connect to server
And, the failure for IPv6 shows that is not working. You should remove the AAAA address from your DNS. That did not look like your server anyway, as a LiteSpeed server was responding on that address, which is closer to Apache than nginx.
That is one problem.
Another is you do not have port 80 open to your IPv4 address. Are you running in an AWS EC2 instance? Because that is where your IPv4 address points to. If so, you need to update your EC2 Security Group to allow port 80 and 443.
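Added example, not part of any post in this thread: a Python sketch of the check the reply above performs by hand, probing port 80 on every A and AAAA address separately and flagging addresses that are unreachable or answered by a different web server. The function names, finding labels and placeholder token are assumptions made for illustration; the sample data is constructed from the outputs quoted in this thread.

```python
import http.client
import socket

# Constructed placeholder token; a real one is issued per challenge by the CA.
CHALLENGE_PATH = "/.well-known/acme-challenge/placeholder-token"

def resolve(host):
    """Return the A and AAAA addresses the system resolver gives for host."""
    records = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        records[rtype] = sorted({info[4][0] for info in infos})
    return records

def probe(ip, host, timeout=5):
    """Fetch the challenge path from one address, keeping the real Host header."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return {"status": resp.status, "server": resp.getheader("Server", "")}
    except (OSError, http.client.HTTPException) as exc:
        return {"error": str(exc)}
    finally:
        conn.close()

def diagnose(records, results, expected_server="nginx"):
    """Compare per-address probe results; return (finding, ip) pairs."""
    findings = []
    for rtype in ("AAAA", "A"):  # AAAA first: the thread says it is used if present
        for ip in records[rtype]:
            r = results[ip]
            if "error" in r:
                findings.append(("port-80-unreachable", ip))
            elif expected_server not in r["server"].lower():
                findings.append(("answered-by-other-server", ip))
    return findings

if __name__ == "__main__":
    # Constructed from the outputs quoted in this thread, so it runs offline.
    records = {"A": ["3.14.157.185"], "AAAA": ["2a02:4780:8:324:0:1d49:de64:1"]}
    results = {
        "3.14.157.185": {"error": "Connection refused"},
        "2a02:4780:8:324:0:1d49:de64:1": {"status": 403, "server": "LiteSpeed"},
    }
    for finding, ip in diagnose(records, results):
        print(f"{ip}: {finding}")
```

Against a live host, build the inputs with `records = resolve(host)` and `results = {ip: probe(ip, host) for ip in records["A"] + records["AAAA"]}` before calling `diagnose`.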
@MikeMcQ Yes, I am using EC2 and all the ports are open. Previously it was working fine. What I did is just a fresh installation of Certbot, to install a new certificate, because the earlier one was expired for this domain.
Would you please confirm the value. Because the IP in your public DNS does not have the needed ports open.
If you don't have an Elastic IP AWS may assign a new IP address if you restart your EC2 instance. I am trying to help you but it is difficult as your descriptions don't match what I see from the public internet.
nmap cxchatbot.basf.host
rDNS record for 3.14.157.185: ec2-3-14-157-185.us-east-2.compute.amazonaws.com
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
4000/tcp open remoteanything
5432/tcp open postgresql
I see you still have not removed the AAAA address. You should do that.
All the ports are open. I am doing the same thing as done before but this time I am getting these errors.
What does this mean @MikeMcQ :
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cxchatbot.basf.host
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cxchatbot.basf.host (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a02:4780:8:324:0:1d49:de64:1: Invalid response from http://cxchatbot.basf.host/.well-known/acme-challenge/X1Pb8L29Zp0x41ahWR-xy5HBlqSHBDyshR_CkBedyMw: 404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.