Why is this happening on my VPS?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://menshdigitalbds.com/

I ran this command: sudo certbot --nginx -d menshdigitalbds.com -d www.menshdigitalbds.com;

It produced this output:

root@srv656664:/etc/nginx/sites-available# sudo certbot --nginx -d menshdigitalbds.com -d www.menshdigitalbds.com;
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for menshdigitalbds.com and www.menshdigitalbds.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: menshdigitalbds.com
Type: unauthorized
Detail: 2a02:4780:4a:1273:dbac:d615:4f47:16ce: Invalid response from http://menshdigitalbds.com/.well-known/acme-challenge/bQzvhV0IPaMVw0zuu9wolqCLQ1Yz3hrChKFP3roMNqc: 404

Domain: www.menshdigitalbds.com
Type: unauthorized
Detail: 2a02:4780:4b:bdcc:3655:e6b:f797:b11: Invalid response from http://www.menshdigitalbds.com/.well-known/acme-challenge/IL0LY2MK-tNAkWLES7t7foKiPJbVGuCEtE3z17O9uC4: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 22

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

The most likely cause for that is having an AAAA record pointing to a different machine, or a webserver that's only listening on IPv4.

1 Like
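The check that reply calls for, as an added example that is not code from the thread: a POSIX shell script that looks up every A and AAAA record of a hostname and sends each address the same http-01-style request with the Host header pinned via curl's --resolve, then flags any address whose status line or Server header differs from the first one. That is the condition Let's Debug reports as MultipleIPAddressDiscrepancy. It assumes curl and dig (Ubuntu package dnsutils) are installed; the challenge token in the probe path is a made-up placeholder, so every server is expected to answer 404 and only the identity of the responder matters.

```shell
#!/bin/sh
# Added example, not from the thread. Probes every A and AAAA address of a
# hostname with the same http-01-style request and flags any address that is
# answered by a different server (different status line or Server header).
# Assumes curl and dig (Ubuntu package dnsutils) are installed.

# Probe path. The token is a made-up placeholder, so every server should answer
# 404; what matters is WHICH server answers on each address.
PROBE_PATH='/.well-known/acme-challenge/probe-token-not-real'

# status_of: HTTP status code from a raw header dump ("HTTP/1.1 404 Not Found" -> 404)
status_of() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# server_of: value of the Server header (name matched case-insensitively,
# so both "Server:" from nginx and "server:" from an HTTP/2 edge are found);
# prints nothing if the header is absent
server_of() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# compare_answers: exit 0 when two header dumps carry the same status code and
# the same Server header, exit 1 otherwise
compare_answers() {
    [ "$(status_of "$1")" = "$(status_of "$2")" ] &&
    [ "$(server_of "$1")" = "$(server_of "$2")" ]
}

# probe: fetch PROBE_PATH from one specific address while keeping the Host
# header set to the domain. IPv6 literals must be bracketed for --resolve.
probe() {
    host="$1"; ip="$2"
    case "$ip" in
        *:*) pin="[$ip]" ;;
        *)   pin="$ip" ;;
    esac
    curl -sS -I -m 10 --resolve "${host}:80:${pin}" "http://${host}${PROBE_PATH}"
}

# check_host: walk every A/AAAA address, print what each one answers, and
# return 1 if any address is answered by a different server than the first
check_host() {
    host="$1"; reference=''; rc=0
    v4="$(dig +short A "$host" | grep -E '^[0-9.]+$' || true)"
    v6="$(dig +short AAAA "$host" | grep -E '^[0-9a-fA-F:]+$' || true)"
    if [ -z "$v4$v6" ]; then
        echo "no A/AAAA records for $host" >&2
        return 1
    fi
    for ip in $v4 $v6; do
        if ! resp="$(probe "$host" "$ip")"; then
            echo "$ip: no HTTP answer on port 80"
            rc=1
            continue
        fi
        printf '%-42s status=%s server=%s\n' "$ip" "$(status_of "$resp")" "$(server_of "$resp")"
        if [ -z "$reference" ]; then
            reference="$resp"
        elif ! compare_answers "$reference" "$resp"; then
            echo "DISCREPANCY: $ip is answered by a different server than the first address"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh acme-probe.sh menshdigitalbds.com
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it once per name you pass to certbot (the apex and the www label are validated separately). A line of output per address ending in a DISCREPANCY message is the same finding the curl -4 / curl -6 pair below makes by hand; a "no HTTP answer" line on an IPv6 address means the AAAA record points at something that does not serve port 80 at all.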

You have an "hcdn" server replying to requests for your domain on both IPv4 and v6. Can you explain how that works with your nginx server?

Request to: www.menshdigitalbds.com/2a02:4780:30:5474:e92f:f078:bc8e:90e0, Result: [Address=2a02:4780:30:5474:e92f:f078:bc8e:90e0,Address Type=IPv6,Server=hcdn

Does hcdn pass through HTTP requests on port 80 to nginx?

HTTPS requests to your domain have a valid cert that is still good for 48 days. Would you explain what this new cert is for?

3 Likes

Hello @Keneni,

Using the online tool Let's Debug yields these results https://letsdebug.net/menshdigitalbds.com/2318955?debug=y

MultipleIPAddressDiscrepancy
Warning
menshdigitalbds.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2a02:4780:42:8c1d:8c82:ecd7:2425:e0e9,Address Type=IPv6,Server=hcdn,HTTP Status=404] vs [Address=46.202.154.98,Address Type=IPv4,Server=nginx/1.24.0 (Ubuntu),HTTP Status=404] 

Which was commented on by previous posters.

Using curl to check both IPv4 and IPv6, one can see distinct differences.

IPv4 check got Server: nginx/1.24.0 (Ubuntu)

>curl -4 -Ii http://menshdigitalbds.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.24.0 (Ubuntu)
Date: Tue, 24 Dec 2024 20:44:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2448
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Vary: origin

IPv6 check got Server: hcdn

>curl -6 -Ii http://menshdigitalbds.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 24 Dec 2024 20:44:51 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive
Vary: Accept-Encoding
platform: hostinger
panel: hpanel
content-security-policy: upgrade-insecure-requests
x-turbo-charged-by: LiteSpeed
Server: hcdn
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 200a63b5a3e8f8c4e8cc14a925aaf72f-fra-edge1

Either make the IPv6 Address (DNS AAAA Record) point to the same machine as the IPv4 Address or remove the IPv6 Address (at least to start with).

Please see Unable to generate SSL - #2 by MikeMcQ

Supplemental: Port 443 is being filtered (i.e. access being blocked) on IPv4.

$ nmap -Pn -p80,443 menshdigitalbds.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-24 20:56 UTC
Nmap scan report for menshdigitalbds.com (46.202.154.98)
Host is up (0.16s latency).
Other addresses for menshdigitalbds.com (not scanned): 2a02:4780:42:8c1d:8c82:ecd7:2425:e0e9
rDNS record for 46.202.154.98: srv656664.hstgr.cloud

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

IPv4 curl cannot access HTTPS

>curl -4 -Ii https://menshdigitalbds.com/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to menshdigitalbds.com port 443 after 75000 ms: Could not connect to server

IPv6 curl can access HTTPS

>curl -6 -Ii https://menshdigitalbds.com/.well-known/acme-challenge/sometestfile
HTTP/2 404
date: Tue, 24 Dec 2024 21:18:04 GMT
content-type: text/html
content-length: 150
vary: Accept-Encoding
platform: hostinger
panel: hpanel
content-security-policy: upgrade-insecure-requests
server: hcdn
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: fb92dcda79f0111eb920b61b47331751-fra-edge2

Also from a DNS IP Address view: [image]

2 Likes

I removed IPv6 from my DNS

server {
    listen 80;
#   listen [::]:80;
    server_name menshdigitalbds.com www.menshdigitalbds.com;
#   server_name 46.202.154.98;
    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /var/www/birhubackend/birhumind;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
1 Like
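For the opposite resolution, keeping IPv6 instead of deleting the AAAA record, here is an added example server block that is not the OP's config: it only works when the AAAA record is changed to point at this same VPS, so nginx must listen on both address families, and it serves /.well-known/acme-challenge/ from a local directory so an http-01 probe on either family is answered by nginx itself rather than being proxied to gunicorn. The challenge webroot /var/www/letsencrypt is an assumed path; the backend socket and static root are the ones from the OP's config.

```nginx
# Added example (not the OP's config): dual-stack server block for a VPS whose
# A and AAAA records BOTH point at this machine.
# Assumed path: /var/www/letsencrypt (challenge webroot, create it and make it
# readable by the nginx worker user).
server {
    listen 80;
    listen [::]:80;   # only useful once the AAAA record is this host's own address
    server_name menshdigitalbds.com www.menshdigitalbds.com;

    # Serve ACME challenges statically. ^~ wins over the "/" prefix below, so a
    # probe for an unknown token gets nginx's own 404 and Server header instead
    # of whatever the gunicorn app would answer.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /var/www/birhubackend/birhumind;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
```

After `nginx -t && systemctl reload nginx`, `ss -ltn 'sport = :80'` should list both 0.0.0.0:80 and [::]:80; if only the IPv4 listener appears, an AAAA record for this host will fail exactly as in the original output. With that location in place certbot can be run either with `--nginx` as before or with `--webroot -w /var/www/letsencrypt`.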

It's all good. We have not detected any issues.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.