Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
lukehero.com (also not working on all my main domains)
I ran this command:
sudo certbot
It produced this output:
Performing the following challenges:
http-01 challenge for lukehero.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. lukehero.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lukehero.com/.well-known/acme-challenge/1zz39vhtcCcZcVDwqay_lIKLASWMimaCDO_Le8iDfKM [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
My web server is (include version):
nginx/1.10.3 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0
The folder .well-known does not exist when I check the dir. I manually created it and acme-challenge and put a file inside called test.txt. I cannot reach the file. The site totally does not work. However a subdomain site (analytics.lukehero.com ) does work fine.
Edit: Removed errors that were fixed. Did not resolve issue.
_az
February 24, 2019, 9:42pm
2
Yes, same with the main page. This seems to be the main problem.
Perhaps this warning is related:
You should have one server block somewhere with:
server_name lukehero.com;
Hi @lukehero
first, fix that.
What's the content of that file? In line 59?
Second, you have ipv4 and ipv6 addresses. http is consistent (same http status ipv4 and ipv6), https is inconsistent. But /.well-known/acme-challenge isn't redirected, so now it's not critical.
Your certificate ( https://check-your-website.server-daten.de/?q=lukehero.com - there is the other information)
CN=lukehero.com | 22.01.2019 | 22.04.2019 | expires in 57 days | lukehero.com - 1 entry
is ok, but the www-version is missing.
PS: That
The folder .well-known does not exist when I check the dir. I manually created it and acme-challenge and put a file inside called test.txt.
is critical. So share your config file to find your webroot.
I just fixed this error. Still no change.
I also have another website that does work (zenqalendar.com ) and gives me the same error when trying to renew the cert.
Which file do I need to share? I'm still learning Linux / Servers
That page has the same (or more) problems ( https://check-your-website.server-daten.de/?q=zenqalendar.com ):
http + ipv4 redirects to https, http + ipv6 sends a 404. And https + ipv6 is blocked.
Perhaps your ipv6 configuration is missing or completely broken. Letsencrypt prefers ipv6, so that can't work.
And there are redirects http + /.well-known/acme-challenge -> https, but https + ipv6 doesn't work.
Your main nginx config file. Perhaps /etc/nginx/nginx.conf
nginx.conf:
GNU nano 2.5.3 File: /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    #default_type application/octet-stream;
    default_type text/html;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text$
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
Also for reference, sites-enabled/lukehero:
server {
    server_name lukehero.com www.lukehero.com;
    root /home/lukehero;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri.html $uri/ @extensionless-php;
        index index.html index.htm index.php;
        #return 301 https://lukehero.com$request_uri;
    }
    location @extensionless-php {
        rewrite ^(.*)$ $1.php last;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/lukehero.com/fullchain.pem; # managed by Ce$
    ssl_certificate_key /etc/letsencrypt/live/lukehero.com/privkey.pem; # managed by $
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    # pass the PHP scripts to FastCGI server listening on (...)
    #
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }
}
server {
    if ($host = lukehero.com) {
        #return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name lukehero.com www.lukehero.com;
    listen 80;
    return 404; # managed by Certbot
}
Where did you create .well-known/acme-challenge and the test-file?
I have tried in both
zenqalendar.com/.well-known/acme-challenge/test.txt
and
lukehero.com/.well-known/acme-challenge/test.txt
zenqalendar works when loading on http (not on https because the cert expired today) and I can load the test.txt
I have about 5 domains and all of them aren’t working to renew certs. But all my subdomains do seem to allow renewing.
_az
February 24, 2019, 10:10pm
11
Are you using --nginx or --webroot? That config looks like it should work with --nginx.
The port 80 HTTP 404 is of course unconditional, if you look at its configuration:
Webroot has no way to succeed in that case.
lukehero:
I have tried in both
In which directory did you create these subdirectories?
When running certbot? I just use
sudo certbot
_az
February 24, 2019, 10:12pm
14
Try
sudo certbot renew -a nginx --dry-run
(This will override webroot, if it was being used, which I don’t know).
The subdomains are inside the same folder as all sites (/home)
This is the output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zenqalendar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zenqalendar.com
http-01 challenge for zenqalendar.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (zenqalendar.com) from /etc/letsencrypt/renewal/zenqalendar.com.conf produced an unexpected error: Failed authorization procedure. www.zenqalendar.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficientauthorization :: Invalid response from http://www.zenqalendar.com/.well-known/acme-challenge/fsUyxfz3cRAZreCQwKdgcXOqtrv9a4JpC9hFhfZTkFo [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", zenqalendar.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://zenqalendar.com/.well-known/acme-challenge/GhRf139TMvHbMQQGVIGo0rk7Xr3ypwu9thei99GmUT8 [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/analytics.tubehero.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for analytics.tubehero.io
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/analytics.tubehero.io/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/maketesters.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for maketesters.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (maketesters.com) from /etc/letsencrypt/renewal/maketesters.com.conf produced an unexpected error: Failed authorization procedure. maketesters.com(http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maketesters.com/.well-known/acme-challenge/TixsDyPb2OYmI2bDfSAIW10jTVZvL729zjr6ArqIN4I [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/analytics.lukehero.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for analytics.lukehero.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/analytics.lukehero.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lukehero.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lukehero.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (lukehero.com) from /etc/letsencrypt/renewal/lukehero.com.conf produced an unexpected error: Failed authorization procedure. lukehero.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lukehero.com/.well-known/acme-challenge/Hs4yt1IyJx08j2eh4IxT7QpR1pnMXA9IytUgC2DhuPc [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/freshjobs.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for freshjobs.io
http-01 challenge for www.freshjobs.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (freshjobs.io) from /etc/letsencrypt/renewal/freshjobs.io.conf produced an unexpected error: Failed authorization procedure. freshjobs.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://freshjobs.io/.well-known/acme-challenge/L5x8sUX7vxwCALG2SPHoagepgm1xBbWA6TpTmhBXvQg [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", www.freshjobs.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.freshjobs.io/.well-known/acme-challenge/3O7jUjYKtD5VWraBu-reQedDNJKae6G7UgJoI_mAQ2U [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/uk.freshjobs.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for uk.freshjobs.io
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/uk.freshjobs.io/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/expenses.lukehero.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for expenses.lukehero.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/expenses.lukehero.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tubehero.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tubehero.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (tubehero.io) from /etc/letsencrypt/renewal/tubehero.io.confproduced an unexpected error: Failed authorization procedure. tubehero.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tubehero.io/.well-known/acme-challenge/cZe_e2Ks4YIK-TvifedTV_Nqmybz1rLymKKJtXXg7h0 [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/zenqalendar.com/fullchain.pem (failure)
/etc/letsencrypt/live/maketesters.com/fullchain.pem (failure)
/etc/letsencrypt/live/lukehero.com/fullchain.pem (failure)
/etc/letsencrypt/live/freshjobs.io/fullchain.pem (failure)
/etc/letsencrypt/live/tubehero.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
The following certs were successfully renewed:
/etc/letsencrypt/live/analytics.tubehero.io/fullchain.pem (success)
/etc/letsencrypt/live/analytics.lukehero.com/fullchain.pem (success)
/etc/letsencrypt/live/uk.freshjobs.io/fullchain.pem (success)
/etc/letsencrypt/live/expenses.lukehero.com/fullchain.pem (success)
The following certs could not be renewed:
/etc/letsencrypt/live/zenqalendar.com/fullchain.pem (failure)
/etc/letsencrypt/live/maketesters.com/fullchain.pem (failure)
/etc/letsencrypt/live/lukehero.com/fullchain.pem (failure)
/etc/letsencrypt/live/freshjobs.io/fullchain.pem (failure)
/etc/letsencrypt/live/tubehero.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: freshjobs.io
Type: unauthorized
Detail: Invalid response from
http://freshjobs.io/.well-known/acme-challenge/L5x8sUX7vxwCALG2SPHoagepgm1xBbWA6TpTmhBXvQg
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
Domain: www.freshjobs.io
Type: unauthorized
Detail: Invalid response from
http://www.freshjobs.io/.well-known/acme-challenge/3O7jUjYKtD5VWraBu-reQedDNJKae6G7UgJoI_mAQ2U
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: lukehero.com
Type: unauthorized
Detail: Invalid response from
http://lukehero.com/.well-known/acme-challenge/Hs4yt1IyJx08j2eh4IxT7QpR1pnMXA9IytUgC2DhuPc
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: maketesters.com
Type: unauthorized
Detail: Invalid response from
http://maketesters.com/.well-known/acme-challenge/TixsDyPb2OYmI2bDfSAIW10jTVZvL729zjr6ArqIN4I
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: tubehero.io
Type: unauthorized
Detail: Invalid response from
http://tubehero.io/.well-known/acme-challenge/cZe_e2Ks4YIK-TvifedTV_Nqmybz1rLymKKJtXXg7h0
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- The following errors were reported by the server:
Domain: www.zenqalendar.com
Type: unauthorized
Detail: Invalid response from
http://www.zenqalendar.com/.well-known/acme-challenge/fsUyxfz3cRAZreCQwKdgcXOqtrv9a4JpC9hFhfZTkFo
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
Domain: zenqalendar.com
Type: unauthorized
Detail: Invalid response from
http://zenqalendar.com/.well-known/acme-challenge/GhRf139TMvHbMQQGVIGo0rk7Xr3ypwu9thei99GmUT8
[2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
As written: Your ipv6 is broken.
Your domains have ipv6, your subdomains perhaps not.
So first step: Remove your ipv6 addresses.
How is this done?
Apologies, I am very new to this still.
Yep, your subdomain analytics.lukehero.com doesn’t have an ipv6.
lukehero:
How is this done?
In your dns settings. There, where you manage your domains.
If you have ipv6 / AAAA entries, but your server doesn't work with ipv6, that's terrible. Letsencrypt prefers ipv6 -> dead.
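An offline check for the condition diagnosed in this thread, as an added example that is not part of any participant's post: it lists names that publish an AAAA record while no nginx server block carrying that name listens on IPv6 port 80. The config text is constructed (two blocks trimmed from the posted sites-enabled/lukehero file, two hypothetical ones), the AAAA map is constructed, and the function names are this example's own.

```python
import re

# Constructed sample: the first two blocks are trimmed from the sites-enabled/lukehero
# file posted in the thread; the last two are hypothetical, added for contrast.
SAMPLE_CONF = """
server {
    server_name lukehero.com www.lukehero.com;
    location / { index index.html index.htm index.php; }
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = lukehero.com) {
    } # managed by Certbot
    server_name lukehero.com www.lukehero.com;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name analytics.lukehero.com;
    listen 80;
}
server {
    server_name dualstack.example;
    listen 80;
    listen [::]:80;
}
"""

# Constructed DNS view (assumption): True means the name publishes an AAAA record.
SAMPLE_AAAA = {"lukehero.com": True, "analytics.lukehero.com": False,
               "dualstack.example": True}


def server_blocks(conf):
    """Yield the body of each server { ... } block, using brace matching."""
    text = re.sub(r"#[^\n]*", "", conf)          # drop comments first
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]


def parse_listen(addr):
    """Map a listen address to (port, is_ipv6); None for unix sockets."""
    if addr.startswith("unix:"):
        return None
    if addr.isdigit():                            # "80"
        return int(addr), False
    is_v6 = addr.startswith("[")
    if addr.endswith("]"):                        # "[::1]" with the default port
        return 80, True
    _, sep, port = addr.rpartition(":")           # "[::]:80", "127.0.0.1:8080"
    return (int(port) if sep and port.isdigit() else 80), is_v6


def ipv6_gaps(conf, has_aaaa):
    """Names with an AAAA record that no server block serves on IPv6 port 80."""
    seen, v6_served = set(), set()
    for block in server_blocks(conf):
        names = [n for args in re.findall(r"\bserver_name\s+([^;]+);", block)
                 for n in args.split()]
        listens = [parse_listen(args.split()[0])
                   for args in re.findall(r"\blisten\s+([^;]+);", block)]
        seen.update(names)
        if (80, True) in listens:
            v6_served.update(names)
    return sorted(n for n in seen - v6_served if has_aaaa.get(n))


if __name__ == "__main__":
    print(ipv6_gaps(SAMPLE_CONF, SAMPLE_AAAA))
```

On a live host, feed it the files under /etc/nginx/sites-enabled/ and build the AAAA map with `socket.getaddrinfo(name, 80, socket.AF_INET6)`, treating `socket.gaierror` as no record.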