New SSL generation on Ngnix fails when domain has AAAA record

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:baronhouse.com

I ran this command:certbot --nginx -d baronhouse.com -d www.baronhouse.com

It produced this output:

Domain: www.baronhouse.com
Type: unauthorized
Detail: 2600:3c08::f03c:95ff:fe70:2dc2: Invalid response from http://www.baronhouse.com/.well-known/acme-challenge/BS2ZUQsNJBU3dADuwexDy3ORFIGE4lxgT7Bix98v7Lo: 404

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu 24.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 2.9.0

I was getting this error even though the IPv6 address was correctly pointing to baronhouse.com and www.baronhouse.com

The .well-known and acme-challenge folders were not created even after I added the following code to the domain's Nginx config file:

location ~ /.well-known/acme-challenge/ {
allow all;
}

I could only fix it by deleting the AAAA records for the domain.The SSL was generated and installed in the first attempt after removing these records.

Can anyone decipher why the error occurred though the AAAA records were present and why removing them enabled certbot to generate the SSL?

Answering my own question, thanks to this tip:

The nginx file was missing the listen directive for ipv6.

4 Likes

The strangest thing happened. After adding the listen directive for ipv6 in the Nginx config file, I went back and added the ipv6 dns records for the domain. Within a few mins, the site broke with an SSL error.
For now, I have gone back and deleted the dns records and the site is up again.

I don't see any problem with either cert you got today. So, did you update ALL your server blocks for IPv6? What syntax did you use for the port 443 listen?

Was it like this: listen [::]:443 ssl;

If all your server blocks had the correct listen, then make sure the AAAA address was correct. Try using SSL Server Test (Powered by Qualys SSL Labs) to test it

4 Likes

Ah, thanks. I checked and it was just listen 443 ssl; # managed by Certbot

So, I added the ipv6 directive for Port 80 but not 443. Will fix

Update: Fixed and working. Many thanks, @MikeMcQ

3 Likes