Can not create SSL Certificate on Ubuntu/NGINX


my problem is, that it's impossible to create a ssl certificate. That's strange because this is my second server (same brand, type, os and so on). On the first one all is okay. And now I have no clue what's going wrong. :wink:

My domain is: (IP:

I ran this command:

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email -d

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


My web server is (include version) / The operating system my web server runs on is (include version):

Ubuntu 20.04 LTS
NGINX: 1.20.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of or certbot-auto --version if you're using Certbot): 0.40.0

Can someone help me please? :wink:

wtf is this?

Did you follow the instructions?

There are some nginx distributions out there which have "security" modules that create JavaScript interstitials, sort of like the Cloudflare captcha page. They look a lot like that snippet.

If that's the case here, @Cycs will need to figure out where it's coming from and turn it off, or exclude these requests.


It looks like it

#  curl -iL
HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 206

<!DOCTYPE html><html><title></title><script>var y=window</script><script>var x={o:'/44OLOWV/',c:1},z=2;function rsu(h){return(x.o).substr(0,x.c)+(x.o).substr(x.c+h)}y.location.assign(rsu(z))</script></html>
# curl -iL
HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 247

<!DOCTYPE html><html><title></title><script>var y=window</script><script>var x={o:'gNQabjb7uVN07mn7nKc41afgne8',t:'/ZofKl/.well-known/acme-c',h:'hallenge/sdFBYhiKxVlvdJbH'};function rsu(){return x.t+x.h+x.o}y.location.assign(rsu())</script></html>

(It logs IP addresses, so I could not see it on my desktop because I had opened a page in Firefox)

@_az that webserver f*king answers 200 on every path. You only get a 404 after the javascript redirect (and letsdebug doesn't catch this).

1 Like


because of you question - I uninstalled the formerly install certbot instance and used snap. But this also doesn't work. I get this output:

root@node02:~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Type: unauthorized
Detail: Invalid response from []: "var x={o:'/LLLLLWhSp/.well-known/acme-challenge/UePRll-"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So ... it will not work.
Btw. you asked for the strange text ... I only copied the output from the shell. :wink:

Certbot version with snap is: 1.24.0

Uh ... sorry. I do not know.
I only installed the server from scratch. That means, I clicked on "install server with Ubuntu 20.04 LTS" on my providers panel. After that I installed NGINX in this way:

add-apt-repository ppa:ondrej/nginx
apt install nginx-core nginx-common nginx nginx-full

Is it wrong? I never had problems before with it. :frowning:

That's crazy. If I run this command I get the following:

curl -iL
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 04 Mar 2022 21:20:25 GMT
Content-Type: text/html
Content-Length: 101
Last-Modified: Fri, 04 Mar 2022 19:27:48 GMT
Connection: keep-alive
ETag: "62226834-65"
Accept-Ranges: bytes

   <h1>This is Node02!</h1>

So do I if I use an IP address that opened a page with an actual browser.

1 Like
ls /etc/nginx/modules-enabled/
1 Like

ls /etc/nginx/modules-enabled/
50-mod-brotli.conf 50-mod-http-echo.conf 50-mod-http-image-filter.conf 50-mod-http-xslt-filter.conf 50-mod-stream.conf
50-mod-http-auth-pam.conf 50-mod-http-geoip2.conf 50-mod-http-subs-filter.conf 50-mod-mail.conf 70-mod-stream-geoip2.conf
50-mod-http-dav-ext.conf 50-mod-http-geoip.conf 50-mod-http-upstream-fair.conf 50-mod-ssl-ct.conf 70-mod-stream-geoip.conf

Ah, it's not actually nginx doing this.

The clue is that @9peppe's curl response does not contain the Server header. This is usually a dead giveaway that there's some kind of proxy sitting in front.

I'd contact your host. I think it's some kind of HTTP firewall on their side.

curl -Ii
HTTP/1.1 302 Found
Location: /KVkVN/.well-known/acme-challenge/Test_File-1234

curl -Ii
HTTP/1.1 302 Found
Location: /pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234

curl -Ii
HTTP/1.1 302 Found
Location: /NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234

curl -Ii
HTTP/1.1 302 Found
Location: /ehkSV/NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234

There seems to be no end to it.


Huh? What's going on there? Never seen before. :grimacing:
I don't know why this happens.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.