Renewal for root domain fails, for subdomain works

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: /opt/letsencrypt/letsencrypt-auto renew

It produced this output:
Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "

404 Not Found

Not Found

<p". Skipping.

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Debian Stretch - 9.1

My hosting provider, if applicable, is: VPS is in, domain is from

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Is there some change in the DNS query from the Let's Encrypt server side? I have used this command for renewal successfully for a year, but now it doesn't work.
The server setup is correct (I didn't change it), .well-known is accessible, and when I run the renewal I can see that it creates the acme-challenge directory and two files in it (one for the root domain and a second for the www alias/subdirectory; www in DNS is a CNAME of the root domain, and for it the renewal succeeds).
So I think the problem is only in resolving the DNS query, but I don't know what to do. It is the root record, so I don't understand why it works without any problem for the subdomain while the root has trouble.

Does anyone have an idea how to solve it?

Hi @JSteinhaisl,

Your main domain and have AAAA records (IPv6 address) but other subdomains that you use like default, mail and wiki don’t have AAAA records and that is the reason you can’t issue the certs.

One server is reachable using an IPv6 address, but it is not configured in the same way as when you reach your domain using IPv4.

Using IPv4:

$ curl -IkL4
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 07 Aug 2017 18:22:48 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 07 Aug 2017 18:22:48 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

Using IPv6:

$ curl -IkL6
HTTP/1.1 404 Not Found
Date: Mon, 07 Aug 2017 18:23:38 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

So using IPv4 you reach an nginx server, but using IPv6 you reach an Apache server… :wink: Since a couple of months ago, Let's Encrypt prefers IPv6 over IPv4, so you have two options: remove the AAAA records for your domains, or configure your server correctly so it can answer both requests, via IPv4 and via IPv6.
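The check done by hand above (dig for A/AAAA, then curl -4 versus curl -6 against the challenge path and compare what answers) as a small script. This is an added example, not part of the original thread, certbot, or curl; it assumes curl and dig are installed, the probe path name under /.well-known/acme-challenge/ is made up, and the two sample header dumps at the bottom are constructed to mirror the shape of the output quoted above, not real captures.

```shell
#!/bin/sh
# Added example: does a hostname answer the ACME http-01 path consistently over
# IPv4 and IPv6? When an AAAA record exists the validator may connect over IPv6,
# so a v6 address that lands on a different (unconfigured) vhost breaks renewal
# even though the v4 vhost is fine. Needs curl and dig only for the live probe.

# HTTP status of the *final* hop in a `curl -I -L` dump (one header block per redirect).
final_status() {
    printf '%s\n' "$1" | grep -E '^HTTP/' | tail -n 1 | awk '{print $2}'
}

# Value of the last Server: header in the dump (CR stripped for raw curl output).
server_header() {
    printf '%s\n' "$1" | grep -iE '^Server:' | tail -n 1 | cut -d' ' -f2- | tr -d '\r'
}

# compare_families V4_DUMP V6_DUMP
# 0: both families reach the same server software with the same final status.
# 1: they differ (the symptom in this thread: nginx over v4, Apache over v6).
# 2: one family produced no response at all (no listener / firewalled / no route).
# A 404 on a made-up probe path is expected; the signal is whether the *same*
# server answers, not the status itself.
compare_families() {
    v4="$1"; v6="$2"
    [ -n "$v4" ] && [ -n "$v6" ] || return 2
    s4=$(final_status "$v4"); s6=$(final_status "$v6")
    h4=$(server_header "$v4"); h6=$(server_header "$v6")
    if [ "$h4" != "$h6" ] || [ "$s4" != "$s6" ]; then
        echo "MISMATCH: IPv4 -> $h4 ($s4), IPv6 -> $h6 ($s6)"
        return 1
    fi
    echo "OK: both families -> $h4 ($s4)"
    return 0
}

# probe_domain HOSTNAME   (live: needs network, curl, dig)
# Prints the A/AAAA records, then fetches a probe path over each family and compares.
# Hosts with an AAAA record that nobody configured show up as MISMATCH or status 2.
probe_domain() {
    d="$1"; path="/.well-known/acme-challenge/probe-$$"   # hypothetical probe name
    a=$(dig +short A "$d"); aaaa=$(dig +short AAAA "$d")
    echo "A:    ${a:-none}"
    echo "AAAA: ${aaaa:-none}"
    if [ -z "$aaaa" ]; then
        echo "no AAAA record: the validator will only use IPv4"
        return 0
    fi
    v4=$(curl -sIkL4 --max-time 10 "http://$d$path")
    v6=$(curl -sIkL6 --max-time 10 "http://$d$path")
    compare_families "$v4" "$v6"
}

# Constructed sample dumps shaped like the curl output quoted in the thread (not real captures).
SAMPLE_V4='HTTP/1.1 301 Moved Permanently
Server: nginx

HTTP/1.1 404 Not Found
Server: nginx'
SAMPLE_V6='HTTP/1.1 404 Not Found
Server: Apache'

# Usage: `probe_domain example.com` for a live check, or compare saved dumps:
#   compare_families "$SAMPLE_V4" "$SAMPLE_V6"   # -> MISMATCH, exit 1
```

Run it once per name in the certificate (root, www, and any other SAN): in this thread the www CNAME inherits the root's AAAA, so both names hit the same broken IPv6 vhost, while names without an AAAA are only ever fetched over IPv4 and keep working.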


Hi @sahsanu,
many thanks for your help.

I saw the IPv6 AAAA record in DNS, but the server uses only IPv4, so I never thought about it.
I'm so stupid that I never thought about the IPv6 record.
You have my greatest thanks. :vulcan_salute: :+1:

Best regards
