Problem with getting certificate

I have a problem getting an SSL certificate for the server name olympmo.ru

The domain is accessible from the internet on 80 and 443 (I have manually configured a certificate for now)

On the same host I also have another nginx virtual host (server name), reg.olympmo.ru, and there is no problem with certbot there; it works.

Could you please check the IP address for olympmo.ru in your DNS? It must be 84.201.188.125, because I did not find the requests from the certbot log in the nginx log.

My domain is: olympmo.ru

I ran this command: sudo certbot --nginx

It produced this output:
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for olympmo.ru

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: olympmo.ru
Type: unauthorized
Detail: 2a03:6f00:6:1::57f9:26fd: Invalid response from https://olympmo.ru/.well-known/acme-challenge/mqvfgArB-XS7XewZLtNaJl8YkcJw2xYbOd7PUg0Ii2g: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: yandex.cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

Welcome to the community @vlmart

You have both an A and an AAAA record in your DNS for olympmo.ru, for an IPv4 and an IPv6 address. That's fine, but they each point to a different server. The Let's Encrypt server will use AAAA when present, and this one is failing. You can see the IPv6 address in the error message, starting with 2a03:6f00. You should correct your AAAA address, or remove it if you do not use IPv6.

You only have an A record for your reg.olympmo.ru domain so that is why that is different.

nslookup olympmo.ru

A    Address: 84.201.188.125
AAAA Address: 2a03:6f00:6:1::57f9:26fd
5 Likes

I see two different nginx servers:

curl -Ii4 olympmo.ru
Server: nginx/1.18.0 (Ubuntu)

curl -Ii6 olympmo.ru
Server: nginx/1.20.2

curl -Ii4 https://olympmo.ru/
Server: nginx/1.18.0 (Ubuntu)

curl -Ii6 https://olympmo.ru/
server: nginx/1.20.2
4 Likes
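The nslookup and curl comparison done by hand in the two replies above can be scripted as a pre-flight check before running certbot. This is an added example, not code from the thread or from Certbot; the function names are hypothetical, and the sample data is constructed from the outputs quoted above with the HTTP status codes assumed.

```python
import http.client
import socket
import sys

# Constructed sample mirroring the thread's curl output (status codes assumed).
SAMPLE = {("A", "84.201.188.125"): (200, "nginx/1.18.0 (Ubuntu)"),
          ("AAAA", "2a03:6f00:6:1::57f9:26fd"): (200, "nginx/1.20.2")}

def resolve(host):
    """Return the A and AAAA addresses the system resolver sees for host."""
    found = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        found[rtype] = sorted({info[4][0] for info in infos})
    return found

def probe(host, addr, path="/"):
    """HEAD path on one specific address with Host: host; return (status, Server)."""
    conn = http.client.HTTPConnection(addr, 80, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    except (OSError, http.client.HTTPException) as exc:
        return None, "unreachable: %s" % exc
    finally:
        conn.close()

def diagnose(probes):
    """probes maps (rtype, addr) -> (status, server). Return a list of findings."""
    findings = []
    v4 = {v for (rtype, _), v in probes.items() if rtype == "A"}
    v6 = {v for (rtype, _), v in probes.items() if rtype == "AAAA"}
    if v6:
        findings.append("AAAA present: Let's Encrypt will use the IPv6 address")
    if any(status is None for status, _ in v6):
        findings.append("an AAAA address does not answer on port 80")
    if v4 and v6 and v4 != v6:
        findings.append("A and AAAA answers differ: different servers behind one name")
    return findings

if __name__ == "__main__":
    probes = SAMPLE
    if len(sys.argv) > 1:  # live check of the host name given on the command line
        host = sys.argv[1]
        probes = {(t, a): probe(host, a) for t, addrs in resolve(host).items() for a in addrs}
    for key, value in probes.items():
        print(key, value)
    print("\n".join(diagnose(probes)) or "no address-family mismatch found")
```

Run a live check from a machine that has IPv6 connectivity; on an IPv4-only host every AAAA probe is reported as unreachable regardless of the server's state.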

So did I :slight_smile:

5 Likes

TL;DR
LOL

2 Likes

Thank you so much! I removed the incorrect AAAA record in my domain settings and now certbot works!

2 Likes
