The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tickets2go.net

I ran this command: sudo certbot --nginx

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: tickets2go.net
Type: unauthorized
Detail: 2607:f1c0:100f:f000::200: Invalid response from http://tickets2go.net/.well-known/acme-challenge/JcYej9d42CxJmApnr_4yw05LBUfBHtDr4IPLecv8Dx0: 204

Domain: www.tickets2go.net
Type: unauthorized
Detail: 2607:f1c0:100f:f000::200: Invalid response from http://www.tickets2go.net/.well-known/acme-challenge/XtcHqapxSTecztGpFByzmyKqHXgyQlXnFKxQITjnx_Q: 204

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): ubuntu 22

My hosting provider, if applicable, is: ionos

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Does this IPv6 address belong to you?

Is your webserver listening on IPv6?

ss -tulpn6 src :80


Yes, the IPv6 belongs to me.
It's weird that my subdomains work fine; they are able to obtain SSL, but not the main domain.
The command ss -tulpn6 src :80 gives the following result:

Netid      State       Recv-Q      Send-Q            Local Address:Port             Peer Address:Port      Process      
tcp        LISTEN      0           511                        [::]:80                       [::]:*

add sudo

but if your subdomains work the issue most likely is in the server block.

Compare your subdomain server block with the one that's not working, paying special attention to any listen statement.


I always use sudo.
I have triple checked the server code and it's the same.

That output doesn't make sense to me. I don't want to tell you to try rebooting, but I also want to.


I even reinstalled everything on my server, from the OS to all dependencies, but same results. Subdomains get SSL but the original domain fails.

Then the config is not the same. Show us.


Something to look at is that IPv4 is replied to by Apache but IPv6 is nginx. The Let's Encrypt server prefers the IPv6 address, so it is getting replied to by Apache, not nginx.

Both addresses should get the same result.

curl -I4 http://tickets2go.net/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)

curl -I6 http://tickets2go.net/
HTTP/1.1 200 OK
Server: Apache
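The check above, done with two curl commands, can be scripted so that both address families are probed with the same Host header and the same path and their answers compared side by side. This is an added example, not code from the thread or from Certbot; the hostname, the placeholder challenge token and the `diagnose` findings text are assumptions, and only the first A and first AAAA address are probed.

```python
import http.client
import socket

def resolve(host):
    """Map 'IPv4'/'IPv6' to the addresses `host` currently resolves to (A / AAAA)."""
    out = {"IPv4": [], "IPv6": []}
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        label = "IPv6" if fam == socket.AF_INET6 else "IPv4"
        if sockaddr[0] not in out[label]:
            out[label].append(sockaddr[0])
    return out

def probe(host, ip, path="/", timeout=5):
    """HEAD `path` on the literal `ip` with Host: `host`; returns (status, Server header).
    A connection failure is reported as ("unreachable", "")."""
    target = f"[{ip}]" if ":" in ip else ip        # bracket IPv6 literals for http.client
    conn = http.client.HTTPConnection(target, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    except OSError:
        return "unreachable", ""
    finally:
        conn.close()

def diagnose(results):
    """Pure comparison over {'IPv4': (status, server) or None, 'IPv6': ...}.
    Returns a list of findings; an empty list means both families look consistent."""
    findings = []
    probed = {fam: r for fam, r in results.items() if r is not None}
    for fam, (status, _) in probed.items():
        if status == "unreachable":
            findings.append(f"{fam} address did not answer on port 80")
    reachable = {fam: r for fam, r in probed.items() if r[0] != "unreachable"}
    if len(reachable) < 2:
        return findings                           # single-stack: nothing to compare
    if len({r[1].split("/")[0].strip().lower() for r in reachable.values()}) > 1:
        findings.append("server software differs by address family: "
                        + ", ".join(f"{fam}={r[1] or '?'}" for fam, r in reachable.items()))
    if len({r[0] for r in reachable.values()}) > 1:
        findings.append("HTTP status differs by address family: "
                        + ", ".join(f"{fam}={r[0]}" for fam, r in reachable.items()))
    return findings

def check_domain(host, path="/.well-known/acme-challenge/PLACEHOLDER-TOKEN"):
    """Resolve `host`, probe the first address of each family, and diagnose."""
    results = {fam: (probe(host, ips[0], path) if ips else None)
               for fam, ips in resolve(host).items()}
    return results, diagnose(results)
```

Run `check_domain("your.domain")` from a host with working IPv4 and IPv6 egress; a stale AAAA record shows up as a different Server header or status on the IPv6 side.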

On my end curl -I6 http://tickets2go.net/ gives the below output:
curl: (7) Failed to connect to tickets2go.net port 80 after 1 ms: No route to host
Also note that I do not have Apache installed.

Well, an Apache server is responding to IPv6 requests. And, it looks like your IPv6 outbound request failed. So, maybe your AAAA record in the DNS is not correct? Are you sure you have IPv6 support enabled?

Do both of these work? They should show your public IP for each.

curl -4 https://ifconfig.io
curl -6 https://ifconfig.io

Yes, I deleted the AAAA record in my DNS settings and it worked. Thanks.
