Nginx Unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: ------
2: ------
4: -----

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from “\n\n404 Not Found\n\n

Not Found



My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The server behind identifies itself as an Apache webserver:

osiris@client ~ $ curl -I
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2019 21:32:29 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 16 Jul 2013 19:01:33 GMT
Accept-Ranges: bytes
Content-Length: 16291
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

osiris@client ~ $ 

Is there some Apache reverse proxy or load balancer-like setup in between the web and your nginx server?


Is this via ipv6?

With ipv4 I see a "Server: nginx/1.14.0 (Ubuntu)"

Ah, yes, a curl -v shows (among other things) the following:

* Connected to (2607:5300:203:1f45::45) port 80 (#0)

Let's Encrypt prefers IPv6, so that would be the reason for the error of @Nic. He should update his AAAA record(s) to point to the correct server. Or delete the AAAA record if the correct server isn't IPv6 connected.

Good to know, I didn’t think about IPv6. I’ll check that later.

Thanks for the lead.

It was exactly that. There was some DNS record for IPv6.

Thanks for the help.
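
The check this thread arrived at, as an added example that is not part of the original posts: compare the Server header a host returns over IPv4 and over IPv6, since a stale AAAA record sends the http-01 validation request to a different machine. The function names and the sample headers (constructed from the Server values quoted above) are assumptions; the live check needs network access, curl and dig.

```shell
#!/bin/sh
# Added example (not from the thread): detect a host that answers differently
# over IPv4 and IPv6, the condition that made http-01 validation fail here.

# Print the Server header value from HTTP response headers read on stdin.
server_header() {
  tr -d '\r' | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Compare two header dumps (IPv4 first, IPv6 second). Prints a verdict and
# returns 1 on mismatch. An empty IPv6 dump means no AAAA record or no IPv6
# route, so there is nothing to compare.
compare_families() {
  v4_server=$(printf '%s\n' "$1" | server_header)
  v6_server=$(printf '%s\n' "$2" | server_header)
  if [ -z "$2" ]; then
    echo "no IPv6 response"
    return 0
  fi
  if [ "$v4_server" != "$v6_server" ]; then
    echo "MISMATCH: IPv4 server=[$v4_server] IPv6 server=[$v6_server]"
    return 1
  fi
  echo "OK: both families report server=[$v4_server]"
}

# Live check (hypothetical helper): show the AAAA records, then fetch the
# headers once per address family and compare them.
check_host() {
  echo "AAAA records: $(dig +short AAAA "$1" | tr '\n' ' ')"
  v4=$(curl -4 -sI --max-time 10 "http://$1/")
  v6=$(curl -6 -sI --max-time 10 "http://$1/")
  compare_families "$v4" "$v6"
}

# Constructed sample headers, using the Server values quoted in the thread.
SAMPLE_V4='HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Content-Type: text/html'
SAMPLE_V6='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# Run against a real host only when one is given: sh check.sh example.com
if [ $# -ge 1 ]; then check_host "$1"; fi
```

Identical Server headers do not prove both families reach the same machine, so treat an OK verdict as a heuristic and a MISMATCH as a reason to inspect the AAAA record before running certbot.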