Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: kacper.grzybnia.de
I ran this command: certbot certonly --nginx --dry-run -d kacper.grzybnia.de -vv
It produced this output: # certbot certonly --nginx --dry-run -d kacper.grzybnia.de -vvRoot logging lev - Pastebin.com
My web server is (include version): nginx/1.14.2
The operating system my web server runs on is (include version): Debian 10
My hosting provider, if applicable, is: AlphaVPS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0
Additional notes: When I added --nginx-sleep-seconds and set it to some high number so I was able to go through changes in nginx's config myself, before certbot managed to make the requests, I was getting appropriate responses to the challenge URL (for example http://kacper.grzybnia.de/.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU), but remote requests failed anyway.
When I'm making the requests, the nginx access.log looks like this:
[24/Jun/2022:02:46:22 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" kacper.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0"
and when certbot does, it looks like this:
[24/Jun/2022:02:46:23 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" pihole.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 404 143 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
I modified nginx's logs like so to get the relevant info:
log_format combined_server '[$time_local] '
'"$request" $server_name $host $uri $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
If you take a look at the remote request, it does get matched on a totally different $server_name: pihole.grzybnia.de.
My full nginx config: # configuration file /etc/nginx/nginx.conf:user www-data;worker_processes au - Pastebin.com
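Added example, not part of the original post: a small Python parser for the combined_server log format shown in the post that lists ACME challenge requests whose Host header ($host) differs from the server block nginx selected ($server_name). The function names are hypothetical, and the sample input is the two access.log lines quoted in the post.

```python
import re
from collections import Counter

# Field order follows the post's log_format combined_server:
# [$time_local] "$request" $server_name $host $uri $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<server_name>\S*) '
    r'(?P<host>\S+) (?P<uri>.*?) (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# The two access.log lines quoted in the post: local browser, then validation server.
SAMPLE = '''
[24/Jun/2022:02:46:22 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" kacper.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0"
[24/Jun/2022:02:46:23 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" pihole.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 404 143 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
'''.strip().splitlines()


def parse(line):
    """Split one combined_server line into named fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def misrouted(lines, prefix="/.well-known/acme-challenge/"):
    """Entries under `prefix` where $host and $server_name differ.

    $server_name is the primary name of the selected server block, so a block
    that lists several names can differ from $host without being misrouted.
    """
    hits = []
    for line in lines:
        e = parse(line)
        if e and e["uri"].startswith(prefix) \
                and e["host"].lower() != e["server_name"].lower():
            hits.append(e)
    return hits


def summarize(lines):
    """Count requests per (host, server_name, status) to show the routing split."""
    entries = (parse(l) for l in lines)
    return Counter((e["host"], e["server_name"], e["status"]) for e in entries if e)


if __name__ == "__main__":
    for e in misrouted(SAMPLE):
        print(f'{e["time"]} Host={e["host"]} served by {e["server_name"]} '
              f'-> {e["status"]} ({e["agent"]})')
```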