Nginx Unauthorized


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vulcanvulcap.com

I ran this command: certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: ------
2: ------
3: vulcanvulcap.com
4: -----
5: www.vulcanvulcap.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vulcanvulcap.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. vulcanvulcap.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://vulcanvulcap.com/.well-known/acme-challenge/pL8fCAbYtBqO9aWSXXDjslOMcA7xxE17FRe5qq6eVbI: “\n\n404 Not Found\n\n

Not Found

\n<p”

IMPORTANT NOTES:

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

The server behind http://vulcanvulcap.com/ identifies itself as an Apache webserver:

osiris@client ~ $ curl -I http://vulcanvulcap.com/
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2019 21:32:29 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 16 Jul 2013 19:01:33 GMT
Accept-Ranges: bytes
Content-Length: 16291
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

osiris@client ~ $ 

Is there some Apache reverse proxy or load balancer-like setup in between the web and your nginx server?


#3

Is this via IPv6?

With IPv4 I see a “Server: nginx/1.14.0 (Ubuntu)”


#4

Ah, yes, a curl -v shows (among other things) the following:

* Connected to vulcanvulcap.com (2607:5300:203:1f45::45) port 80 (#0)

Let’s Encrypt prefers IPv6, so that would be the reason for the error of @Nic. He should update his AAAA record(s) to point to the correct server, or delete the AAAA record if the correct server isn’t IPv6 connected.
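
The check worked out in posts #2 to #4, as an added example that is not part of the original thread: it resolves the A and AAAA records separately, requests the same path over every address with the site's Host header, and reports when the addresses do not give the same answer. The function names are this example's own.

```python
# Added example: compare what a hostname's A and AAAA addresses actually serve.
import http.client
import socket
import sys

def resolve(host, port=80):
    """Return {"IPv4": [...], "IPv6": [...]} from the system resolver."""
    found = {"IPv4": [], "IPv6": []}
    for family, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record for this address family
        found[label] = sorted({info[4][0] for info in infos})
    return found

def probe(addr, host, path="/", port=80, timeout=5):
    """HEAD the path on one address with Host: host; return (status, Server)."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    except (OSError, http.client.HTTPException) as exc:
        return None, "unreachable: %s" % exc
    finally:
        conn.close()

def find_mismatch(results):
    """results maps address -> (status, Server). Group addresses by answer and
    return the groups only when there is more than one distinct answer."""
    groups = {}
    for addr, answer in results.items():
        groups.setdefault(answer, []).append(addr)
    return groups if len(groups) > 1 else {}

def check(host, path="/"):
    """Resolve both families, probe every address, return (addresses, mismatch)."""
    addrs = resolve(host)
    results = {a: probe(a, host, path) for fam in addrs.values() for a in fam}
    return addrs, find_mismatch(results)

if __name__ == "__main__":
    addrs, mismatch = check(sys.argv[1], *sys.argv[2:3])
    print("A:", addrs["IPv4"], "AAAA:", addrs["IPv6"])
    for (status, server), where in mismatch.items():
        print("MISMATCH", status, repr(server), "from", where)
    sys.exit(1 if mismatch else 0)
```

Run it with the hostname and, optionally, a path under /.well-known/acme-challenge/ that holds a test file. On a machine without IPv6 connectivity the AAAA addresses show up as unreachable, which says nothing about what the validation server will see.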


#5

Good to know, I didn’t think about IPv6. I’ll check that later.

Thanks for the lead.


#6

It was exactly that. There was some DNS record for IPv6.

Thanks for the help.