My domain is:
public4.pagefreezer.com
I ran this command:
certbot --nginx -d public4.pagefreezer.com
It produced this output:
Domain: public4.pagefreezer.com
Type: unauthorized
Detail: 2606:4700:3108::ac42:287a: Invalid response from
http://public4.pagefreezer.com/.well-known/acme-challenge/BYBp6gjLEyZv0ME1kkuh4HMSBbWKo9VrNUJDLVre_6I:
4
My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 20.04.6 LTS
My hosting provider, if applicable, is:
AWS and Cloudflare
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cloudflare
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0
I suspect what's happening here is that my A record DNS record for the domain is directed to an IP address. This is a load balancer and there are some Firewall/NAT rules that deliver the traffic to the local Nginx server.
However, on the local Nginx server, the internet traffic exits the network with a different public IP address.
Not sure if this is the issue or not. I have also disabled proxying for the domain in Cloudflare where it returns the IPv4 address and not the IPv6 address, but this still does not work.
Welcome @djquazzi
Let's start with this one. Proxying of your domain is still active at Cloudflare. Is this what you expect right now?
public4.pagefreezer.com. 0 IN A 172.66.40.122
public4.pagefreezer.com. 0 IN A 172.66.43.134
public4.pagefreezer.com. 0 IN AAAA 2606:4700:3108::ac42:2b86
public4.pagefreezer.com. 0 IN AAAA 2606:4700:3108::ac42:287a
Yes, A and AAAA records are for IPv4 and IPv6 addresses. But, proxying at Cloudflare uses their CDN. Which is different than a Load Balancer.
Do you also have a Load Balancer active at AWS? If so, can you explain more about how you want all these pieces to work together?
Because the --nginx option you chose requires an HTTP request on port 80 to reach the nginx server you ran Certbot on. With lots of "things" in between that can get tricky.
2 Likes
Hi there
Yes, with Cloudflare proxy disabled:
host public4.pagefreezer.com
public4.pagefreezer.com has address 216.168.59.28
216.168.59.28 is an IP of a Firewall (Not AWS)
This traffic is NAT'ed to an internal loadbalancer - http://loadbalancer.org (sorry, should have specified that)
That is directed to the internal Nginx server
On the Nginx server:
curl ifconfig.me
216.168.59.182
With lots of "things" in between that can get tricky
is most likely the issue. Also I have been able to get this to work fine with other internal servers when they are not going through the loadbalancer, but do have different IP addresses (A record and internet public IP of the local Nginx server). So, I'm guessing this is not the issue.
Ah, so you tried disabling it but then re-enabled it. I thought you meant you left it un-proxied because when I saw the DNS those 4 A/AAAA records showed as proxied. Just wanted to make sure.
Right now it looks like your nginx is trying to handle an HTTP request in an HTTPS server block. Getting an HTTP 400 reply to HTTP requests. See: Let's Debug
Something in your routing is likely wrong. Check your nginx error / access logs for confirmation.
2 Likes
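A pre-flight check that automates the two things looked at above: whether the name still resolves to Cloudflare edge addresses (so the validator never reaches the nginx host), and what a plain HTTP probe of the challenge path on port 80 gets back (a 404 from the origin is fine, a 400 points at the HTTPS server block problem). This is an added example, not code from this thread or from Certbot; the Cloudflare prefix list is a partial one (assumption) and the probe path is a dummy token.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import List, Optional

# Cloudflare edge prefixes covering the addresses seen in this thread.
# ASSUMPTION: a partial list; Cloudflare publishes the full, current set.
CLOUDFLARE_EDGE = [ipaddress.ip_network(p) for p in ("172.64.0.0/13", "2606:4700::/32")]


def is_cloudflare_edge(address: str) -> bool:
    """True when the address falls inside a known Cloudflare edge prefix."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in CLOUDFLARE_EDGE)


def resolve(hostname: str) -> List[str]:
    """Every A and AAAA answer for hostname, as the ACME validator would see them."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe(url: str, timeout: float = 10.0) -> int:
    """HTTP status of a GET on the challenge URL; HTTP errors return their code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def diagnose(addresses: List[str], status: Optional[int]) -> str:
    """Explain the likely HTTP-01 failure from the DNS answers and the probe reply."""
    if any(is_cloudflare_edge(a) for a in addresses):
        return "proxied: DNS still points at Cloudflare, not at the nginx host running Certbot"
    if status is None:
        return "unreachable: no HTTP reply on port 80 from the origin"
    if status == 404:
        return "ok: origin answers on port 80 (404 is expected without a live challenge)"
    if status == 400:
        return "misrouted: 400 suggests plain HTTP landed in a TLS (port 443) server block"
    return f"unexpected HTTP {status}: check which server block handled the request"


def preflight(hostname: str) -> str:
    """Live check: resolve the name, then probe a dummy challenge path over HTTP."""
    addrs = resolve(hostname)
    try:
        status = probe(f"http://{hostname}/.well-known/acme-challenge/preflight-probe")
    except (OSError, urllib.error.URLError):
        status = None
    return diagnose(addrs, status)
```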
If you have complex HTTP traffic routing that will make port 80 traffic difficult to direct to the right server, it's sometimes easier to switch to a DNS challenge (e.g. the certbot-dns-cloudflare plugin documentation).
However, your certbot version (0.4?) would be 6 years old now and will require an upgrade first. You might want to consider just using an "origin certificate" provided by Cloudflare, and use Cloudflare's proxied HTTPS instead, if upgrading will be difficult.
4 Likes
Thank you!
The certbot-dns-cloudflare option worked perfectly
Happy days
4 Likes