My domain is: direbox.net, shop.direbox.net
I ran this command: sudo certbot renew --dry-run
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: direbox.net
Type: unauthorized
Detail: 23.227.38.65: Invalid response from http://direbox.net/.well-known/acme-challenge/ecT0PrzanUcimuPGwsRgumXBnsqvmD_SdBlUUqhnkGY: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Failed to renew certificate direbox.net with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/direbox.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx/1.18.0
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: FranTech
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.1.0
Problem Description
Heya Certbot community! I'm stumped and truly need your help. I've used Certbot successfully for years but this situation has put me in a pickle.
The subdomain shop.direbox.net is managed by Shopify, who automatically created an A record and a CNAME record for the subdomain. That domain works just fine.
My main website, direbox.net, is hosted separately on a VPS, so I created a second A record pointing to the VPS IP and configured NGINX as usual for port 80 traffic only to the root domain. Everything worked fine until I ran Certbot.
The first few times I ran Certbot, it failed with a 404 and NGINX produced a 403 Cloudflare error in the browser. Then for some reason it worked and I had SSL for a few hours. Then it stopped working and the --dry-run command started failing as well.
Poking around the LetsEncrypt logs, I noticed this:
{
  "identifier": {
    "type": "dns",
    "value": "direbox.net"
  },
  "status": "invalid",
  "expires": "2025-02-16T23:43:58Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/184031914/16008052234/cqet2w",
      "status": "invalid",
      "validated": "2025-02-09T23:43:59Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "23.227.38.65: Invalid response from http://direbox.net/.well-known/acme-challenge/ecT0PrzanUcimuPGwsRgumXBnsqvmD_SdBlUUqhnkGY: 404",
        "status": 403
      },
      "token": "ecT0PrzanUcimuPGwsRgumXBnsqvmD_SdBlUUqhnkGY",
      "validationRecord": [
        {
          "url": "http://direbox.net/.well-known/acme-challenge/ecT0PrzanUcimuPGwsRgumXBnsqvmD_SdBlUUqhnkGY",
          "hostname": "direbox.net",
          "port": "80",
          "addressesResolved": [
            "23.227.38.65",
            "205.185.122.219"
          ],
          "addressUsed": "23.227.38.65"
        }
      ]
    }
  ]
}
The addressUsed field is Shopify's IP address, though in addressesResolved it does list my VPS IP second. So I know this has something to do with a conflict between the SSL/TLS cert issued directly by Shopify and the one I'm trying to issue separately for the root domain.
But I have no idea where to go from here! Any help would be greatly appreciated.
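An added diagnostic script (not from the poster, Certbot or Let's Encrypt) that reads the validationRecord quoted above: it reports whether the address the CA actually validated against is one your nginx serves, and can then fetch the challenge path from every resolved address with the Host header set, the way the CA does. It assumes the VPS address 205.185.122.219 seen in the log is the only address you serve the challenge from.

```python
import json
import urllib.error
import urllib.request

# Constructed from the authorization excerpt quoted in the post above.
AUTHZ_LOG = """{
  "identifier": {"type": "dns", "value": "direbox.net"},
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "token": "ecT0PrzanUcimuPGwsRgumXBnsqvmD_SdBlUUqhnkGY",
    "validationRecord": [{
      "hostname": "direbox.net", "port": "80",
      "addressesResolved": ["23.227.38.65", "205.185.122.219"],
      "addressUsed": "23.227.38.65"
    }]
  }]
}"""

def analyze_http01(authz_json, my_ips):
    """Say whether the address the CA validated against is one you control."""
    authz = json.loads(authz_json)
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    rec = chal["validationRecord"][0]
    return {
        "hostname": rec["hostname"],
        "token": chal["token"],
        "resolved": rec["addressesResolved"],
        "used": rec["addressUsed"],
        # A records for the name that point somewhere your nginx is not
        "foreign": [ip for ip in rec["addressesResolved"] if ip not in my_ips],
        "used_is_mine": rec["addressUsed"] in my_ips,
    }

def probe_challenge(ip, hostname, token, timeout=5):
    """GET the challenge path from one address, Host header set, as the CA does (needs network)."""
    url = f"http://{ip}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except OSError as e:  # connection refused, timeout, no network
        return str(e)

if __name__ == "__main__":
    report = analyze_http01(AUTHZ_LOG, {"205.185.122.219"})  # VPS IP from the log
    print(report)
    for ip in report["resolved"]:  # live check of each address the name resolves to
        print(ip, probe_challenge(ip, report["hostname"], report["token"]))
```

If the report lists a foreign address, the CA may validate against it on any attempt, which is why a run can succeed once and fail the next time.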