Can't create new certificate for new private domain

Hello Lets Encrypt Community,

I have been running Nextcloud on an nginx server at home for some time.
Because of a dynamic IP address, I am using a dynDNS provider like noip.com (cloud.noip.com).
I got a certificate for this domain and was able to access it without problems.
Now I own a private domain (mydom.net).

What I did:
I created a subdomain (cloud.mydom.net) and made a CNAME entry to the DynDNS domain (cloud.noip.com). If I try to access the web server with https://cloud.mydom.net I get a certificate error because the server's certificate is for cloud.noip.com not for cloud.mydom.net. So far so good.

So I changed the nginx config file for the new domain and tried to run:

sudo certbot certonly --webroot -w /var/www/html/ -d cloud.mydom.net -m me@mydom.net --agree-tos

And get a 403 Forbidden error:

Domain: cloud.mydom.net
Type:   unauthorized
Detail: Invalid response from
https://cloud.noip.com/.well-known/acme-challenge/YYXSsvHWNb6n2qr0-60rJqq1rXaU-cna-gi806koBBY
[MY.IP.AD.DR]: "<html>\r\n<head><title>403
Forbidden</title></head>\r\n<body
bgcolor=\"white\">\r\n<center><h1>403
Forbidden</h1></center>\r\n<hr><center>"

Could it be because of an already installed certificate on the server? (The old one from cloud.noip.com. The files are still in /etc/letsencrypt/live/cloud.noip.com/)
I don't know if this has something to do with the problem, but I can only access my Nextcloud server if I type https://cloud.mydom.net

[EDIT 1]
I restarted the server and got, as expected, the error: /etc/letsencrypt/live/cloud.mydom.net/ not found

But if I run certbot again I get another error:

Domain: cloud.mydom.net
Type:   connection
Detail: Fetching
http://cloud.mydom.net/.well-known/acme-challenge/qY2nGPBGB7eZIzBEhJ_t8R9KRRwf5wvbrfCJg4gJhfc:
Connection refused

[EDIT 2]
Now I tried to make a certificate for another subdomain (home.mydom.net) and added an A Record with my current IP. If I run the same certbot command I get the error:

 The client lacks sufficient authorization
 Domain: home.mydom.net
 Type:   unauthorized
 Detail: Invalid response from
 http://home.mydom.net/.well-known/acme-challenge/lMEdqQyQcILIWEHIMhN1yB7SLd1Wixm6x2qEy-jbI6A
 [2001:8d8:100f:f000::2e0]: 204

[EDIT 3]

I tried it again with the cloud.noip.com domain directly and it works fine if I run the same certbot command again.

Here are my records for both subdomains:

[EDIT 4]

Where should the .well-known folder be located? I can't find it anywhere.

Thank you for helping

Hi @GoGoWe

please answer the following questions.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My domain is: Does this really matter?

I ran this command: Already provided

It produced this output: Already provided

My web server is (include version): nginx v 1.10.3

The operating system my web server runs on is (include version): Debian 9.6

My hosting provider, if applicable, is: 1und1.de

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, pure shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Yes. Many things can be debugged by other members of the forum externally. By withholding the relevant hostnames, you can't be helped optimally.

So no chance to get help without providing the domain?

I only want tips on what I could try.

EDIT 2 looks weird. Did you only add an A record? Or an AAAA too? Certbot accessed an IP address, and a web server replied with 204 (no content). Why does that record even exist?
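As an added example (my own code, not part of this thread or of Certbot), here is a small Python script that parses the failure blocks quoted in the question and maps each one to the first things worth checking: which address answered (an IPv6 address means the AAAA record was used), whether the request ended at a different hostname than the one being validated, and the HTTP status. The two sample blocks are constructed from the question; 203.0.113.10 is a documentation address standing in for the redacted "[MY.IP.AD.DR]", and the hint texts are mine.

```python
import ipaddress
import re
# Constructed sample: two of the certbot failure blocks quoted in the question;
# 203.0.113.10 is a documentation address standing in for the redacted "[MY.IP.AD.DR]".
SAMPLE_ERRORS = """\
Domain: cloud.mydom.net
Type:   unauthorized
Detail: Invalid response from
https://cloud.noip.com/.well-known/acme-challenge/YYXSsvHWNb6n2qr0-60rJqq1rXaU-cna-gi806koBBY
[203.0.113.10]: "<html>\\r\\n<head><title>403 Forbidden</title></head>"

Domain: home.mydom.net
Type:   unauthorized
Detail: Invalid response from
http://home.mydom.net/.well-known/acme-challenge/lMEdqQyQcILIWEHIMhN1yB7SLd1Wixm6x2qEy-jbI6A
[2001:8d8:100f:f000::2e0]: 204
"""
FIELD_RE = re.compile(r"^(Domain|Type):\s*(\S+)", re.M)
URL_RE = re.compile(r"https?://([^/\s]+)/\.well-known/acme-challenge/")
ADDR_RE = re.compile(r"\[([0-9a-fA-F:.]+)\]:")   # the address that answered, in brackets
STATUS_RE = re.compile(r"\b([1-5]\d{2})\b")       # first HTTP status code after that address

def parse_failure(block):
    """Extract domain, challenge type, fetched host, responding address and HTTP status."""
    fields = dict(FIELD_RE.findall(block))
    url, addr = URL_RE.search(block), ADDR_RE.search(block)
    status = STATUS_RE.search(block[addr.end():]) if addr else None
    return {"domain": fields.get("Domain"), "type": fields.get("Type"),
            "url_host": url.group(1) if url else None,
            "address": addr.group(1) if addr else None,
            "status": int(status.group(1)) if status else None}

def diagnose(f):
    """Attach the checks a server admin should run first for one parsed failure."""
    hints = []
    if f["address"] and ipaddress.ip_address(f["address"]).version == 6:
        hints.append("validation used the AAAA record: point it at the same host as the A record or remove it")
    if f["url_host"] and f["url_host"] != f["domain"]:
        hints.append("request ended at %s: that host must serve the token too" % f["url_host"])
    if f["status"] == 403:
        hints.append("403: the webroot (-w) or a location rule blocks /.well-known/acme-challenge/")
    elif f["status"] == 204:
        hints.append("204: a server answered with no content, so the token was not served from this webroot")
    f["hints"] = hints
    return f

def diagnose_all(text):
    """Split certbot's output into failure blocks and diagnose each one."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.startswith("Domain:")]
    return [diagnose(parse_failure(b)) for b in blocks]
```

Paste your own certbot output into SAMPLE_ERRORS (or read it from a file) and call diagnose_all on it; the hints are starting points, not a full diagnosis.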

I only added an A record, right. There was a standard AAAA record; I removed it and tried again, but nothing changed. But when I try to access my web page with home.mydom.net I get 204 No Content. So I think I messed something up in the records.

I will post my records for cloud.mydom.net
