Unable to issue SSL cert for root domain, subdomains worked without a hitch

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: spicy-se.com

I ran this command: I'm using Trellis, which itself is running this command
cmd = (
    '/usr/bin/env python /usr/local/letsencrypt/acme_tiny.py '
    '--quiet '
    '--ca https://acme-v02.api.letsencrypt.org '
    '--account-key /var/lib/letsencrypt/account.key '
    '--csr /var/lib/letsencrypt/csrs/{0}-{1}.csr '
    # acme_tiny writes each http-01 token file into this directory; the web
    # server must serve it at http://<domain>/.well-known/acme-challenge/
    '--acme-dir /home/forge/letsencrypt'
).format(site, letsencrypt_cert_ids[site])

It produced this output:
Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for spicy-se.com: {
  u'status': u'invalid',
  u'challenges': [{
    u'status': u'invalid',
    u'validationRecord': [{
      u'url': u'http://spicy-se.com/.well-known/acme-challenge/EAwoAH35cKolPXpMdOc9tBatOcr2PBUFrTVvxaEIa6A',
      u'hostname': u'spicy-se.com',
      u'addressUsed': u'2a01:238:20a:202:1088::',
      u'port': u'80',
      u'addressesResolved': [u'64.226.87.39', u'2a01:238:20a:202:1088::']}],
    u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/214212054687/gBoWmw',
    u'token': u'EAwoAH35cKolPXpMdOc9tBatOcr2PBUFrTVvxaEIa6A',
    u'error': {
      u'status': 403,
      u'type': u'urn:ietf:params:acme:error:unauthorized',
      u'detail': u'2a01:238:20a:202:1088::: Invalid response from http://spicy-se.com/.well-known/acme-challenge/EAwoAH35cKolPXpMdOc9tBatOcr2PBUFrTVvxaEIa6A: 404'},
    u'validated': u'2023-03-26T17:52:24Z',
    u'type': u'http-01'}],
  u'identifier': {u'type': u'dns', u'value': u'spicy-se.com'},
  u'expires': u'2023-04-02T17:52:19Z'}

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I'm using Trellis (GitHub - roots/trellis: WordPress LEMP stack with PHP 8.1, Composer, WP-CLI and more)

I just spun up a new VPS earlier today. Pointed spicy-se.com to it as well as 5 subdomains. I set up SSL via Letsencrypt for all of them. All the subdomains worked right away without an issue, but the root domain does not want to work.

The root domain had an SSL cert issued by another registrar recently. I deactivated that, but I have a feeling it's possibly related to my problems.

The domain is accessible via http, if I try to download the acme-challenge file it's also accessible so no idea why the error above says it gets a 404.

Anyone able to tell me why this is happening please?

Many thanks!

Probably due to the IPv6 address for spicy-se.com: using IPv4 I'm getting a response from nginx, just as with your subdomains, but when I use IPv6, an Apache webserver is answering the request.

Also, the IPv4 address is from DO, but your IPv6 is from Strato.

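The diagnosis above can be read straight out of the authorization object the CA returned: addressesResolved lists both an A and an AAAA record, and addressUsed shows the CA validated over the IPv6 address, which is where the 404 came from. The following script is an added example for this thread, not code from the post, from Trellis or from acme-tiny. It assumes only the authorization shape shown in the post (challenges[].validationRecord[] with addressesResolved and addressUsed); SAMPLE_AUTHZ is a trimmed, hand-built copy of the post's authorization, and fetch_challenge() is a live check that needs network access and is only called from main() when a hostname and token are passed on the command line.

```python
"""Diagnose a failed ACME http-01 authorization from the CA's JSON.

Added example for the thread; not part of Trellis or acme-tiny.  Assumes
the authorization shape seen in the post.  SAMPLE_AUTHZ below is a trimmed,
hand-built copy of the post's authorization object.
"""
import http.client
import ipaddress
import socket
import sys

TOKEN = "EAwoAH35cKolPXpMdOc9tBatOcr2PBUFrTVvxaEIa6A"
SAMPLE_AUTHZ = {  # constructed from the post's output, non-essential keys dropped
    "identifier": {"type": "dns", "value": "spicy-se.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "token": TOKEN,
        "validationRecord": [{
            "hostname": "spicy-se.com",
            "port": "80",
            "addressUsed": "2a01:238:20a:202:1088::",
            "addressesResolved": ["64.226.87.39", "2a01:238:20a:202:1088::"],
        }],
        "error": {
            "status": 403,
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": "2a01:238:20a:202:1088::: Invalid response from "
                      "http://spicy-se.com/.well-known/acme-challenge/" + TOKEN + ": 404",
        },
    }],
}


def split_families(addresses):
    """Return (ipv4_list, ipv6_list) for a list of address strings."""
    v4 = [a for a in addresses if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addresses if ipaddress.ip_address(a).version == 6]
    return v4, v6


def diagnose(authz):
    """Return a list of finding strings for the http-01 challenge in authz.

    Let's Encrypt validates over the AAAA record when one exists and only
    falls back to IPv4 if the IPv6 connection itself fails, so a correct
    A record does not help when the AAAA host serves something else.
    """
    findings = []
    name = authz.get("identifier", {}).get("value", "?")
    for chal in authz.get("challenges", []):
        if chal.get("type") != "http-01":
            continue
        for rec in chal.get("validationRecord", []):
            used = ipaddress.ip_address(rec["addressUsed"])
            v4, v6 = split_families(rec.get("addressesResolved", []))
            if used.version == 6 and v4:
                findings.append(
                    f"{name}: CA validated over IPv6 {used} (AAAA) although A records "
                    f"{v4} exist; the AAAA host must serve the same "
                    f"/.well-known/acme-challenge/ directory, or the AAAA record must go")
            elif used.version == 4 and v6:
                findings.append(
                    f"{name}: CA used IPv4 {used} although AAAA records {v6} exist; "
                    f"the IPv6 connection must have failed, check AAAA reachability")
        err = chal.get("error")
        if err:
            findings.append(f"{name}: {err.get('type')}: {err.get('detail')}")
    return findings


def fetch_challenge(hostname, address, token, timeout=10):
    """Live check (needs network): GET the challenge URL from one specific
    address while sending the real Host header, like `curl -4` / `curl -6`.
    Returns (status, Server header, first bytes of body)."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    conn.putrequest("GET", f"/.well-known/acme-challenge/{token}", skip_host=True)
    conn.putheader("Host", hostname)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read(200)
    conn.close()
    return resp.status, resp.getheader("Server", ""), body.decode("ascii", "replace")


def main(argv):
    """Usage: diag.py [hostname token]; with no arguments, analyse SAMPLE_AUTHZ."""
    if len(argv) == 3:
        hostname, token = argv[1], argv[2]
        addrs = sorted({i[4][0] for i in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)})
        for addr in addrs:  # one request per resolved address, both families
            try:
                print(addr, fetch_challenge(hostname, addr, token))
            except OSError as exc:
                print(addr, "connection failed:", exc)
    else:
        for line in diagnose(SAMPLE_AUTHZ):
            print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the findings for the post's authorization; with a hostname and a token you have just placed in the acme-dir, it requests the file from every A and AAAA address and prints the status and Server header per address, so an nginx answer on IPv4 next to an Apache 404 on IPv6 is visible immediately. The manual equivalent is `curl -4` and `curl -6` against the same challenge URL.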

Supplemental: here is the DNS Spy report for spicy-se.com, showing that spicy-se.com is the only name with an IPv6 address (i.e. a DNS AAAA record).


Thank you! It was indeed the IPv6. I removed that and it worked right away.
