Nginx "internal Error" Creating new Certificate

My domain is: paperless.mosesmazurek.de

I ran this command: nginx add Let's Encrypt Certificate

It produced this output:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-31" --agree-tos --email "myemail@gmail.com" --domains "paperless.mosesmazurek.de" --authenticator dns-google-domains --dns-google-domains-credentials "/etc/letsencrypt/credentials/credentials-31"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError: Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/paperless.mosesmazurek.de:rotateChallenges
Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/paperless.mosesmazurek.de:rotateChallenges

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

My web server is (include version): Synology DSM 7.1.1-42962 Update 5

The operating system my web server runs on is (include version): Docker and Portainer (current versions)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
I think so, if it means that I should log in with Synology's SSH service.

Let's Debug message:

AAAANotWorking

ERROR

paperless.mosesmazurek.de has an AAAA (IPv6) record (2a02:908:4f0:.............) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.

Get "http://paperless.mosesmazurek.de/.well-known/acme-challenge/letsdebug-test": dial tcp [2a02:908:4f0:...................]:80: connect: permission denied

I forwarded ports 80 and 443 on the Fritz.Box to the respective ports of nginx.

If I now want to create the certificate in nginx, I use "GoogleDomainsDNS" as the DNS provider. I enter my token and the respective domain in the field and I still get the above error message. Can anyone help me with this?
Yesterday evening, after a lot of trial and error (the above error message was also displayed to me then), I managed to create a certificate for Vaultwarden. Stupidly, I deleted it again for test purposes, and now I only get this error message. I really hope you can help me!!!
Thanks a lot!!!!

Translated with DeepL because I am from Germany

1 Like

Does your server/router have IPv6 enabled? If yes, then make sure your server is reachable over IPv6 (such as by opening ports 80 and 443); if no, then please remove the AAAA DNS record.

2 Likes

That seems wrong. You might need to set --dns-google-domains-zone "mosesmazurek.de".

5 Likes

Yes, on my FritzBox it says under Internet -> Online Monitor that IPv4 and IPv6 are connected.
For nginx I have also set up a port share for 443 and 80, for the respective port that is shown to me in Portainer -> Container -> nginx_proxy_manager -> Published Ports.

Thank you very much!!!!
It worked!!!!!
Under Google Domains -> DNS I have created an entry for mosesmazurek.de, *.mosesmazurek.de and paperless.mosesmazurek.de, in each case for IPv4 and IPv6.
And, as you said, I entered --dns-google-domains-zone "mosesmazurek.de" and it works.

2 Likes
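
The check behind the fix in this thread, as an added example that is not part of any post above: it reads the challenge set name out of the failing `rotateChallenges` URL in the certbot output and compares it with the zone you registered. It assumes, as the accepted reply implies, that the challenge set must be named after the zone rather than the hostname; the function name and verdict labels are made up for this sketch.

```python
import re

# Sample input: the two error lines quoted in the first post.
SAMPLE_LOG = """\
Encountered exception during recovery: certbot.errors.PluginError: Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/paperless.mosesmazurek.de:rotateChallenges
Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/paperless.mosesmazurek.de:rotateChallenges
"""

# HTTP status plus the name certbot put into the challenge set URL.
FAILURE_RE = re.compile(
    r"(?P<status>\d{3}) (?:Client|Server) Error: .*? for url: "
    r"https://acmedns\.googleapis\.com/v1/acmeChallengeSets/"
    r"(?P<name>[^:/\s]+):rotateChallenges"
)


def _norm(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().rstrip(".").lower()


def diagnose(log_text, zone):
    """Map each failing challenge set name to its status, verdict and fix.

    Verdicts (hypothetical labels):
      zone-ok                the name already equals the zone
      hostname-used-as-zone  the name is a host inside the zone
      outside-zone           the name does not belong to the zone at all
    """
    zone = _norm(zone)
    findings = {}
    for match in FAILURE_RE.finditer(log_text):
        name = _norm(match.group("name"))
        if name == zone:
            verdict, fix = "zone-ok", None
        elif name.endswith("." + zone):
            verdict = "hostname-used-as-zone"
            fix = f'--dns-google-domains-zone "{zone}"'
        else:
            verdict, fix = "outside-zone", None
        # Repeated log lines for the same name collapse into one finding.
        findings[name] = {"status": int(match.group("status")),
                          "verdict": verdict, "fix": fix}
    return findings


if __name__ == "__main__":
    for name, finding in diagnose(SAMPLE_LOG, "mosesmazurek.de").items():
        print(name, finding)
```

A `zone-ok` verdict alongside a 400 means the zone name is not the problem and the token or the DNS entries are the next thing to check.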
