"invalid response: 404" with nginx reverse proxy for ntfy

My domain is: cojajo.com (the one I can't get a certificate for is ntfy.cojajo.com)

I ran this command: certbot certonly

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: ntfy.cojajo.com
  Type:   unauthorized
  Detail: 2001:19f0:1000:1c27:5400:4ff:fe70:3095: Invalid response from http://ntfy.cojajo.com/.well-known/acme-challenge/WlKbW04fkT2nMilcAzaQLADnZ3iLDBcS8MIjtevX8pM: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: vultr

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is: certbot 2.6.0

Also, I tried to use certbot too many times and it failed, so I got rate limited :pensive: but I can still do --test-cert

Hi @dawnofdonuts, and welcome to the LE community forum :slight_smile:

The name ntfy.cojajo.com has two IP addresses:

Addresses: 2001:19f0:1000:1c27:5400:4ff:fe70:3095
           149.28.227.53

The IPv4 address returns a web site.
But the IPv6 address returns:
curl -6 ntfy.cojajo.com

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

LE prefers IPv6 when present.
So, you will need to do one of:

  • modify the nginx code to also serve IPv6
    show: nginx -T

  • remove the IPv6 address from DNS

[and not just for LE, any client using IPv6 can't reach your site (as it is now)].

3 Likes

Wow, OK, I added listen [::]:80; and listen [::]:443; and it worked.
Thanks!

2 Likes
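
A check for the condition diagnosed in this thread, as an added example that is not part of the original posts: it scans `nginx -T`-style text for server blocks that listen on IPv4 but have no matching `listen [::]:port`, which is what sends IPv6 clients (including the Let's Encrypt validator) to the default site. The sample config, the name ntfy.example.com, the upstream port and the function names are constructed for illustration; treating a hostname in `listen` as IPv4 is a simplifying assumption.

```python
import re

# Constructed sample in the shape of `nginx -T` output (not the poster's config).
SAMPLE_CONFIG = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
}
server {
    listen 80;
    listen 443 ssl;
    server_name ntfy.example.com;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""

def server_blocks(config):
    """Yield the body of each `server { ... }` block by tracking brace depth."""
    for m in re.finditer(r"\bserver\s*\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        yield config[m.end():i - 1]

def listen_families(body):
    """Return (IPv4 ports, IPv6 ports) from the block's listen directives."""
    v4, v6 = set(), set()
    for addr in re.findall(r"^\s*listen\s+(?!unix:)([^\s;]+)", body, re.M):
        if addr.startswith("["):        # [::]:80, or [::1] with default port 80
            v6.add(int(addr.partition("]")[2].lstrip(":") or 80))
        elif addr.isdigit():            # bare port, e.g. `listen 80;`
            v4.add(int(addr))
        else:                           # 1.2.3.4:80, *:80, or address only
            v4.add(int(addr.rpartition(":")[2]) if ":" in addr else 80)
    return v4, v6

def ipv4_only_ports(config):
    """Map server_name -> ports served on IPv4 with no IPv6 listener."""
    findings = {}
    for body in server_blocks(re.sub(r"#.*", "", config)):  # drop comments first
        name = re.search(r"^\s*server_name\s+([^\s;]+)", body, re.M)
        v4, v6 = listen_families(body)
        if v4 - v6:
            findings[name.group(1) if name else "(unnamed)"] = sorted(v4 - v6)
    return findings

if __name__ == "__main__":
    print(ipv4_only_ports(SAMPLE_CONFIG))  # {'ntfy.example.com': [80, 443]}
```

Any name this reports that also has an AAAA record in DNS will be answered over IPv6 by whichever server block does listen on `[::]`, typically the default one.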