Issue with creating certificates for subdomains


I’m having some trouble setting up certificates for new subdomains. I already have some subdomains and the main domain set on a server, and I want to create those new subdomains on a separate server. I created the “” A/AAAA records pointing at this new server but it does not want to work aka create the certificate. The logs I give are for only 1 subdomain but I actually create 7, which works seamlessly for the initial subdomains.

My domain is:

I ran this command: sudo certbot --nginx

It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [2001:bc8:4400:2000::2027]: <\html>\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found



My web server is (include version): nginx/1.14.0

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: Hexonet (via Scaleway for the servers)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @pierrz,

Right now the IPv4 version of the site and the IPv6 version are returning different content, suggesting that they point to different servers or else that the nginx process has not been given parallel or equivalent configurations for both. I think this is at the root of the problem because the Let’s Encrypt CA is checking the site in IPv6, but perhaps Certbot is only able to configure the site to satisfy the challenge in IPv4. You should make sure that the configurations are more closely equivalent, or else remove the IPv6 AAAA record.

1 Like

Hello @schoen

If by configurations you mean the Nginx’s ones then they are almost identical on both servers, only changes are the server names within the conf blocks …
How can you see that “IPv4 version of the site and the IPv6 version are returning different content” ?
Why “Certbot is only able to configure the site to satisfy the challenge in IPv4” ?

Thanks !

Hi @pierrz,

I don’t know the underlying configuration reason for this difference, but I saw the difference by running

curl -4
curl -6

on a machine that has both IPv4 and IPv6 connectivity. Both of these give a reply, but the output returned is very different!

I think they’re likely to be the same server because with curl -v, both of them show Server: nginx/1.14.0 (Ubuntu) in the HTTP protocol headers.

1 Like

You might need to check that the nginx listen directives associated with these server blocks, or elsewhere in your nginx configuration, are set up the way you expect (I’m not familiar enough with them to know exactly what to recommend).

Ok thanks for the tip with curl :slight_smile:
I’ll look further into nginx configuration …

You’ll likely find a

listen 80;

It should be a

listen 80;
listen [::]:80;

@9peppe Spot on! It inserted that for each server block and certbot managed to do its thing …
Thank you so much !

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.