Let's Encrypt server is resolving a different server for my domain and giving an error renewing the certificate even though we are authorized


#1

Please help. It looks like the Let's Encrypt server is resolving a different IP/server for my domain and giving an error renewing the certificate even though we are authorized.

My domain is: www.ktmtoluca.com and many other included in the below command.

I ran this command: /root/letsencrypt/certbot-auto certonly --webroot --webroot-path=/usr/share/nginx/letsencryptbase --cert-name www.hondavallejo.com.mx -d www.hondavallejo.com.mx,www.hondaglezgallo.com.mx,www.honda-veracruz.com.mx,www.hondavision.com.mx,www.honda-xalapa.com.mx,www.hondaxochimilco.mx,www.hondareal.com,www.hondazaragoza.com.mx,www.autocom.mx,www.autowerk.com.mx,www.francomotors.mx,www.gruposuperautos.mx,www.nissanseminuevos.com.mx,www.puertadelago.com,www.acurachihuahua.com.mx,www.acuracumbres.com.mx,www.acuramonterrey.com.mx,www.acurapedregal.mx,www.acurasinaloa.com.mx,www.acurauniversidad.com.mx,www.plantatoluca.com,www.hyundaiaeropuerto.com.mx,www.hyundaidiamante.com.mx,www.hyundaivallejo.com.mx,www.hyundaivalmursaltillo.com,www.infiniticancun.mx,www.infinitichihuahua.mx,www.infinitiguadalajara.com,www.infinitileon.mx,www.infinitiyucatan.mx,www.infinitimonterrey.mx,www.infinitipolanco.mx,www.infinitiqueretaro.mx,www.infinitisatelite.mx,www.infinititoluca.mx,www.kiaprimavera.com,www.kiatexcoco.com.mx,www.ktmtoluca.com,www.mazdagalerias.com,www.mercedes-benzacapulco.com.mx,www.mercedes-benzcuernavaca.com.mx,www.mercedesbenzlaguna.com.mx,www.renaultaeropuerto.com.mx,www.renaultbuenavista.com.mx,www.renaultcancun.com.mx,www.suzukicuautitlan.com.mx,www.suzukipedregal.com.mx,www.suzukitabasco.com.mx,www.suzukituxtla.com.mx,hondavallejo.com.mx,hondaglezgallo.com.mx,honda-veracruz.com.mx,hondavision.com.mx,honda-xalapa.com.mx,hondaxochimilco.mx,hondareal.com,hondazaragoza.com.mx,autocom.mx,autowerk.com.mx,francomotors.mx,gruposuperautos.mx,nissanseminuevos.com.mx,puertadelago.com,acurachihuahua.com.mx,acuracumbres.com.mx,acuramonterrey.com.mx,acurapedregal.mx,acurasinaloa.com.mx,acurauniversidad.com.mx,plantatoluca.com,hyundaiaeropuerto.com.mx,hyundaidiamante.com.mx,hyundaivallejo.com.mx,hyundaivalmursaltillo.com,infiniticancun.mx,infinitichihuahua.mx,infinitiguadalajara.com,infinitileon.mx,infinitiyucatan.mx,infinitimonterrey.mx,infinitipolanco.mx,infinitiqueretaro.mx,infinitisatelite.mx,infinititoluca.mx,kiaprimavera.com,kiatexcoco.com.mx,ktmtoluca.com,mazdagalerias.com,mercedes-benzacapulco.com.mx,mercedes-benzcuernavaca.com.mx,mercedesbenzlaguna.com.mx,renaultaeropuerto.com.mx,renaultbuenavista.com.mx,renaultcancun.com.mx,suzukicuautitlan.com.mx,suzukipedregal.com.mx,suzukitabasco.com.mx,suzukituxtla.com.mx

It produced this output:

IMPORTANT NOTES:

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): CentOS Linux release 7.3.1611 (Core)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi @omprakash_dubey

One IP check:

Name: ktmtoluca.com
Addresses: 2607:f1c0:100f:f000::242
52.88.64.31

Name: suzukicuautitlan.com.mx
Address: 52.88.64.31

The first fails; the second isn't reported, and may be correct.

Is it possible that the IPv6 address points to the right server and produces the correct result?

Yep - tested with https://letsdebug.net/www.ktmtoluca.com/2446 - the same error: Status 404 vs. Status 300:

www.ktmtoluca.com has both AAAA (IPv6) and A (IPv4) records. While they both appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that the IPv4 and IPv6 addresses may unintentionally point to different servers, which would cause validation to fail.
[Address Type=IPv4,Server=nginx,HTTP Status=404] vs [Address Type=IPv6,Server=Apache,HTTP Status=300]

Remove your IPv6 entries, create the certificate. Maybe later fix the IPv6 configuration.
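
A check like the one letsdebug ran above, written here as an added example (not code from this thread, from letsdebug or from Certbot): it resolves every A and AAAA record of a hostname, sends the same HTTP-01-style request to each address with the Host header set, and flags address families whose Server header or HTTP status disagree. The challenge token in the path is a constructed placeholder.

```python
import http.client
import socket
from dataclasses import dataclass

# Constructed placeholder token: a correctly configured webroot answers 404 here,
# a foreign server answers with whatever its own default vhost does.
CHALLENGE_PATH = "/.well-known/acme-challenge/probe-token"

@dataclass(frozen=True)
class ProbeResult:
    family: str   # "IPv4" or "IPv6"
    address: str
    server: str   # Server response header, "" if absent
    status: int

def resolve(host):
    """Return (family, address) pairs for every A and AAAA record of host."""
    found = set()
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        found.add(("IPv6" if fam == socket.AF_INET6 else "IPv4", sockaddr[0]))
    return sorted(found)

def probe(host, family, address, timeout=10):
    """GET the challenge path from one specific address, with the Host header set so
    name-based virtual hosts answer as they would for the CA's validation request."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    conn.request("GET", CHALLENGE_PATH, headers={"Host": host})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return ProbeResult(family, address, resp.getheader("Server", ""), resp.status)

def find_mismatches(results):
    """Return findings where addresses of the same host answer differently.
    Let's Encrypt prefers the AAAA record when one exists, so a divergent IPv6
    host breaks validation even when the IPv4 host is configured correctly."""
    by_family = {}
    for r in results:
        by_family.setdefault(r.family, set()).add((r.server, r.status))
    findings = [f"{fam} records answer inconsistently: {sorted(a)}"
                for fam, a in by_family.items() if len(a) > 1]
    if len(by_family) == 2 and by_family["IPv4"] != by_family["IPv6"]:
        findings.append("IPv4 and IPv6 point to different servers: "
                        f"v4={sorted(by_family['IPv4'])} v6={sorted(by_family['IPv6'])}")
    return findings

def check_domain(host):
    """Resolve, probe every address, and return the findings (empty list = consistent)."""
    return find_mismatches([probe(host, fam, addr) for fam, addr in resolve(host)])
```

Run `check_domain("www.example.com")` for each name in the certificate request before invoking Certbot; any non-empty result means the DNS records need fixing (or the AAAA record removing) first.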


#3

Thanks for the clarification. It helped.

Regards
Om