Invalid response 204 for the main domain

My domain is: themos.com www.themos.com fptp.themos.com

I ran this command: sudo certbot --nginx

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: themos.com
  Type:   unauthorized
  Detail: 2607:f1c0:100f:f000::25b: Invalid response from http://themos.com/.well-known/acme-challenge/hj0u5TY73iCof9F3tkr-pyzEGa6dH5tdSnS57nfO3z4: 204

  Domain: www.themos.com
  Type:   unauthorized
  Detail: 2607:f1c0:100f:f000::25b: Invalid response from http://www.themos.com/.well-known/acme-challenge/xg07i7ZmezSMPZcWxU-gylqLq2Bi8f48-oNAwIz8TEE: 204

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is: https://www.hostinger.com/

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Before creating a new topic I've reviewed all possible materials both here and over other resources. The problem is a bit tricky. I've tried all suggested methods, including creating a test file in the /.well-known/acme-challenges/ directory and trying to access it from outside of my network (including from a mobile phone). I've also tried to run certbot with the --debug-challenges flag so it stopped after creating a test file and provided me the URL of it. I could open it with status 200 and the correct expected value was provided on the page. The trickiest part is that I can generate a valid certificate for my fptp.themos.com domain, but the www.themos.com and themos.com domains fail with a 204 status. Both domain addresses point to my VPS. I have the same nginx configuration for all domains. Any ideas what could be the root cause?

I see two IPs and two different web servers:

curl -Ii4 themos.com
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)     <<<<<<<<<<<<<<<<<<<<<<<<<
Date: Wed, 10 Jul 2024 16:48:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 26164
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: https://api.calendly.com
Vary: Origin
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Sun, 07 Jul 2024 18:20:46 GMT
ETag: W/"6634-1908e6d4f49"

curl -Ii6 themos.com
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 229
Connection: keep-alive
Keep-Alive: timeout=15
Date: Wed, 10 Jul 2024 16:48:55 GMT
Server: Apache     <<<<<<<<<<<<<<<<<<<<<<<<<
Last-Modified: Thu, 28 Sep 2017 21:52:36 GMT
ETag: "e5-55a46ed2389f5"
Accept-Ranges: bytes

Hi, rg305. Thank you for your support!
That's really strange, because I've configured everything with nginx. There isn't even an Apache on my VPS:

~$ apache2 -v
Command 'apache2' not found, but can be installed with:
sudo apt install apache2-bin

Is the problem an incorrect domain configuration?


The problem starts in DNS:

Name:      themos.com
Addresses: 2607:f1c0:100f:f000::25b
           89.116.51.173

That's my fault, sorry for being inattentive. I will come back after fixing my DNS and trying to get certificates for the domains again!


So here I am. The problem was a partly incorrectly configured domain. There was a correct A record and an incorrect AAAA record, so my main domain was pointing to 2 different IP addresses. So if you have a problem getting a certificate, please recheck that your DNS records are correct. Don't forget to also check IPv6, not only IPv4. You can use some open resources like:

To re-check that A and AAAA records of your domain are pointing to your VPS ip address.

The https://letsdebug.net test site checks for that specifically and shows a nice message if that happens.

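The check described in this thread, as an added example that is not code from the thread or from Certbot: resolve every A and AAAA record of a name, request the HTTP-01 challenge path on each address with the right Host header, and flag the two symptoms seen above (different Server banners on different addresses, and a status other than 200 or 404 for the challenge path). The token in the path is a hypothetical placeholder, and the sample results in the test are constructed from the addresses quoted in the thread.

```python
"""Probe every address behind a domain to see whether they all serve the same
ACME HTTP-01 challenge path.  Added example; assumes only the standard library."""
import socket
import sys
import http.client

ACME_PATH = "/.well-known/acme-challenge/probe-token"  # hypothetical token

def resolve(domain):
    """Return (record_type, ip) for every A and AAAA record via the system resolver."""
    found = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, type=socket.SOCK_STREAM):
        rtype = "AAAA" if fam == socket.AF_INET6 else "A"
        if (rtype, sockaddr[0]) not in found:
            found.append((rtype, sockaddr[0]))
    return found

def probe(domain, ip, timeout=5):
    """HEAD the challenge path on one specific address, sending the real Host header
    so a name-based vhost on that machine answers as the CA would see it."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("HEAD", ACME_PATH, headers={"Host": domain})
        resp = conn.getresponse()
        return {"ip": ip, "status": resp.status, "server": resp.getheader("Server", "")}
    finally:
        conn.close()

def analyze(results):
    """Turn probe() results into findings.  Two machines behind one name show up as
    differing Server banners; a correct webroot answers 200 for a real token and
    404 for an unknown one, so anything else (e.g. 204) is a misrouted address."""
    findings = []
    banners = sorted({r["server"] for r in results})
    if len(banners) > 1:
        findings.append("addresses are served by different software: " + ", ".join(banners))
    for r in results:
        if r["status"] not in (200, 404):
            findings.append(f"{r['ip']}: HTTP {r['status']} for the challenge path "
                            "(expected 200 for a real token, 404 otherwise)")
    return findings

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    probed = [probe(name, ip) for _, ip in resolve(name)]
    for line in probed + (analyze(probed) or ["no mismatch detected"]):
        print(line)
```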
