The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lainmobiliaria.com.py

I ran this command:

  1. sudo certbot
  2. sudo certbot --nginx
  3. sudo certbot --nginx -d lainmobiliaria.com.py -d www.lainmobiliaria.com.py
  4. sudo certbot certonly -d lainmobiliaria.com.py --standalone

It produced this output:

file.config in /etc/nginx/sites-enabled

server {
    listen 80;
    listen [::]:80;
    server_name lainmobiliaria.com.py www.lainmobiliaria.com.py;
    gzip on;
    gzip_types      text/plain application/xml;
    gzip_proxied    no-cache no-store private expired auth;
    gzip_min_length 1000;

    location / {
        root /var/www/lainmobiliaria.com.py/inmobiliaria-front/dist;
        index index.html;
        try_files $uri $uri/ =404;
    }

    location /api {
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_pass         http://127.0.0.1:8021;
    }
}

root@ubuntu-virtual-machine:/var/log/letsencrypt# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7: lainmobiliaria.com.py
8: www.lainmobiliaria.com.py
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

----

Requesting a certificate for lainmobiliaria.com.py

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: lainmobiliaria.com.py
  Type:   unauthorized
  Detail: 2800:6c0:2::11: Invalid response from http://lainmobiliaria.com.py/.well-known/acme-challenge/HJCa4tHgx3J-P8oMwSCzUcM1OGHEAKGBLurpOtQFR8g: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

root@ubuntu-virtual-machine:/var/log/letsencrypt# cat letsencrypt.log

2023-11-14 09:32:43,749:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2023-11-14 09:32:43,851:DEBUG:certbot._internal.main:certbot version: 2.7.4
2023-11-14 09:32:43,852:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3462/bin/certbot
2023-11-14 09:32:43,852:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-v', '--preconfigured-renewal']
2023-11-14 09:32:43,852:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-11-14 09:32:43,858:DEBUG:certbot._internal.log:Root logging level set at 20
2023-11-14 09:32:43,859:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2023-11-14 09:32:43,993:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: EntryPoint(name='nginx', value='certbot_nginx._internal.configurator:NginxConfigurator', group='certbot.plugins')
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe102c45a30>
Prep: True
2023-11-14 09:32:43,994:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe102c45a30> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe102c45a30>
2023-11-14 09:32:43,994:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2023-11-14 09:32:44,025:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/156304050', new_authzr_uri=None, terms_of_service=None), c1a23fcf73c071e3727c2f76f83101aa, Meta(creation_dt=datetime.datetime(2021, 8, 10, 17, 0, 31, tzinfo=<UTC>), creation_host='ubuntu-virtual-machine', register_to_eff=None))>
2023-11-14 09:32:44,025:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-11-14 09:32:44,026:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-11-14 09:32:44,641:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-11-14 09:32:44,641:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 14 Nov 2023 12:32:44 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Wh1HRR7ugek": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-11-14 09:32:57,573:ERROR:certbot._internal.log:Exiting due to user request.

My web server is (include version):

The operating system my web server runs on is (include version): ubuntu lts 20.04.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): c-panel ferozzo

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @Ernesto, and welcome to the LE community forum 🙂

Your domain has two IPs:

Name:      lainmobiliaria.com.py
Addresses: 2800:6c0:2::11
           181.122.62.122

LE prefers IPv6 when present.

Notice that Apache is serving your IPv6 address:

curl -Ii6 lainmobiliaria.com.py
HTTP/1.1 200 OK
Date: Tue, 14 Nov 2023 13:02:42 GMT
Server: Apache     <<<<<<<<<<<<<<<<<<<<<<<<<
X-Powered-By: PHP/7.2.34
Upgrade: h2,h2c
Connection: Upgrade
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

And nginx is only serving the IPv4 address:

curl -Ii4 lainmobiliaria.com.py
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)     <<<<<<<<<<<<<<<<<<<<<<<<<
Date: Tue, 14 Nov 2023 13:02:48 GMT
Content-Type: text/html
Content-Length: 845
Last-Modified: Mon, 13 Nov 2023 15:12:44 GMT
Connection: keep-alive
ETag: "65523cec-34d"
Accept-Ranges: bytes

Check that your server is at those IP addresses, with:
curl -6 ifconfig.io
curl -4 ifconfig.io

If the numbers don't match, you may need to update the DNS entries.
Also, while testing, please use the LE staging environment [NOT production].

5 Likes
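
The two manual checks in the reply above (compare the `Server` header per address family, then compare the DNS addresses with the machine's own public IPs) can be combined into one pre-flight script. This is an added example, not part of the original thread or of Certbot; the function names `resolve`, `server_header` and `diagnose` are hypothetical, and the sample data is taken from the curl output quoted in the reply.

```python
import http.client
import ipaddress
import socket
import sys

# (family, address, Server header) as shown in the curl output quoted in the reply.
SAMPLE = [("IPv6", "2800:6c0:2::11", "Apache"),
          ("IPv4", "181.122.62.122", "nginx/1.18.0 (Ubuntu)")]


def resolve(host):
    """Return (family, address) for every A/AAAA record of host, IPv6 first."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    pairs = {("IPv6" if fam == socket.AF_INET6 else "IPv4", sa[0]) for fam, *_, sa in infos}
    return sorted(pairs, reverse=True)


def server_header(host, address, timeout=10):
    """HEAD / on one specific address with the real Host header (like curl -I -4/-6)."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Server", "unknown")
    except (OSError, http.client.HTTPException):
        return "unreachable"  # e.g. the probing machine has no IPv6 route
    finally:
        conn.close()


def diagnose(probes, own_addresses=()):
    """Compare per-address answers; own_addresses are this machine's public IPs."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    products = {addr: srv.split("/")[0].strip().lower() for _, addr, srv in probes}
    findings = []
    if len(set(products.values())) > 1:
        detail = ", ".join(f"{a} -> {p}" for a, p in sorted(products.items()))
        findings.append(f"different servers answer for one name: {detail}")
    for family, addr, _ in probes:
        if own and ipaddress.ip_address(addr) not in own:
            findings.append(f"{family} record {addr} is not an address of this host")
    if findings and any(family == "IPv6" for family, _, _ in probes):
        findings.append("AAAA record present: Let's Encrypt validates over IPv6 first")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: script.py <host> [own public IPs ...]
        probes = [(f, a, server_header(sys.argv[1], a)) for f, a in resolve(sys.argv[1])]
        result = diagnose(probes, sys.argv[2:])
    else:                  # offline mode: the sample data above
        result = diagnose(SAMPLE)
    print("\n".join(result) or "all addresses answer consistently")
```

In live mode, pass the output of `curl -6 ifconfig.io` and `curl -4 ifconfig.io` as the trailing arguments so that stale A/AAAA records are flagged even when both addresses happen to run the same server software.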
