Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: hiration.com
I ran this command: sudo certbot --redirect --nginx -d test-company-v1.hiration.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for test-company-v1.hiration.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: test-company-v1.hiration.com
Type: unauthorized
Detail: 3.101.63.44: Invalid response from Online Resume Builder: Create Resume within minutes "\n <script src="https://kit.fontawesome [.]com/4b1f44125a.js" crossorigin="anonymous">\n <meta charset="utf-"
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx
The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS
My hosting provider, if applicable, is: godaddy
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0
9peppe
September 21, 2023, 12:57pm
2
Show us your nginx config
4 Likes
MikeMcQ
September 21, 2023, 2:05pm
3
Your DNS for your root domain and this test domain have different IP addresses. That is fine, but is that what you expect? And both IPs point to separate AWS EC2 instances.
Are these the correct IPs for the two domain names?
dig +noall +answer A test-company-v1.hiration.com
test-company-v1.hiration.com. 241 IN A 3.101.63.44
dig +noall +answer A hiration.com
hiration.com. 66 IN A 35.160.90.82
4 Likes
Yes, these IPs are correct; my root domain is situated on a different server.
My config file, if that helps --
server {
    server_name test-company-v1.hiration.com;
    root /home/ubuntu/b2b_deployment;
    index /home/ubuntu/b2b_deployment/test-company-v1.html;
    access_log /var/log/nginx/test-company-v1-domain-access.log;
    error_log /var/log/nginx/test-company-v1-error.log;
    location / {
        try_files $uri $uri/ /test-company-v1.html;
        #try_files $uri $uri/ =404;
    }
    include /etc/nginx/git-block.conf;
}
root nginx.conf ---
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    server {
        listen 80;
        server_name _;
        location ~ /\.env(/|$) {
            deny all;
        }
    }
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    server_names_hash_bucket_size 164;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}
ritik_123:
proxy
Getting these errors for the last 5-6 days; it was working fine for the last 2-3 years.
9peppe
September 21, 2023, 2:43pm
7
please add three backticks before and after the file you pasted, on a line by themselves. ```
2 Likes
The presently being served Certificate is for the domain 2u.hiration.com
see here https://decoder.link/sslchecker/test-company-v1.hiration.com/443
and here https://decoder.link/sslchecker/2u.hiration.com/443
Both 2u.hiration.com and test-company-v1.hiration.com map to the same IPv4 Address.
$ nslookup test-company-v1.hiration.com ns55.domaincontrol.com.
Server: ns55.domaincontrol.com.
Address: 97.74.107.28#53
Name: test-company-v1.hiration.com
Address: 3.101.63.44
$ nslookup 2u.hiration.com ns55.domaincontrol.com.
Server: ns55.domaincontrol.com.
Address: 97.74.107.28#53
Name: 2u.hiration.com
Address: 3.101.63.44
2 Likes
Giuseppe C.:
``
test-company-v1.hiration.com config
server {
    server_name test-company-v1.hiration.com;
    root /home/ubuntu/b2b_deployment;
    index /home/ubuntu/b2b_deployment/test-company-v1.html;
    access_log /var/log/nginx/test-company-v1-domain-access.log;
    error_log /var/log/nginx/test-company-v1-error.log;
    location / {
        try_files $uri $uri/ /test-company-v1.html;
        #try_files $uri $uri/ =404;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /home/ubuntu/b2b_deployment/.well-known/acme-challenge/; # Replace with the actual path to your ACME challenge directory
    }
    include /etc/nginx/git-block.conf;
}
Using curl -o test-company-v1.txt http://test-company-v1.hiration.com, I've attached test-company-v1.txt; does it match the contents of
ritik_123:
test-company-v1.html
test-company-v1.txt (4.6 KB)
2 Likes
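An added example, not part of any post in this thread: the CA's "Invalid response" detail quotes HTML where an HTTP-01 validator expects the key authorization (`<token>.<account key thumbprint>`), so a response body saved with `curl -o` from a `/.well-known/acme-challenge/<token>` URL can be classified mechanically. The function names and the sample token, thumbprint and file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample values, not taken from the thread or its logs.
SAMPLE_TOKEN='constructedTokenAAAA_1234-abcd'
SAMPLE_THUMB='constructedThumbprintBBBB_5678-efgh'

# Write three constructed response bodies into directory $1.
make_samples() {
    printf '%s.%s\n' "$SAMPLE_TOKEN" "$SAMPLE_THUMB" > "$1/good.txt"
    printf '<!DOCTYPE html>\n<html>\n<head>\n<meta charset="utf-8">\n<title>Example page</title>\n' > "$1/page.txt"
    printf 'otherToken.%s\n' "$SAMPLE_THUMB" > "$1/stale.txt"
}

# Usage: classify_challenge_body FILE TOKEN
# Prints one of: keyauth | wrong-token | html | other
classify_challenge_body() {
    file=$1 token=$2
    lines=$(( $(wc -l < "$file") ))
    # A key authorization is a single line of two base64url parts joined by a dot.
    if [ "$lines" -le 1 ] && grep -qE '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$' "$file"; then
        case "$(cat "$file")" in
            "$token".*) echo keyauth ;;      # body starts with the requested token
            *)          echo wrong-token ;;  # well-formed, but for another challenge
        esac
    elif grep -qiE '<(!doctype|html|head|script|meta)' "$file"; then
        # A web page was served instead, e.g. by a fallback or another server block.
        echo html
    else
        echo other
    fi
}

# Demo over the constructed samples.
d=$(mktemp -d)
make_samples "$d"
for f in good page stale; do
    printf '%s: %s\n' "$f" "$(classify_challenge_body "$d/$f.txt" "$SAMPLE_TOKEN")"
done
rm -rf "$d"
```

An `html` result means the request was answered by something other than the temporary challenge location, which is the situation the CA error in this thread describes.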
Where does the domain name 2u.hiration.com come from, and where is it served from?
Same config file?
2 Likes
It is on the same server, but the 2u.hiration.com config file is different.
If you check Post #8 you'll see that the certificate being served is for 2u.hiration.com.
2 Likes
I have checked your post. I think it is happening because currently the SSL certificate is not generated for test-company-v1.hiration.com, so for HTTPS requests it is somehow redirecting to the wrong HTML and server.
Please help if you find something wrong here.
MikeMcQ
September 21, 2023, 5:20pm
17
Can you use the upload button on the post menu and upload the log file at /var/log/letsencrypt/letsencrypt.log?
You will need to copy that to a .txt file first.
5 Likes
letsencrypt.txt (136.0 KB)
Truncated to the last 2000 lines only, because the file is too large.
1 Like
MikeMcQ
September 21, 2023, 6:06pm
20
Can you try
sudo certbot --redirect --nginx -d test-company-v1.hiration.com --nginx-sleep-seconds 10
You have a lot of server blocks in that nginx config. With the --nginx plugin certbot makes changes to your server block and then does an nginx reload asynchronously. Sometimes it takes more than 1 second (the default) for that to work and if the challenge comes in before that it won't get the proper value returned.
The log showed the correct values placed in that server block so above is the first thing to check
4 Likes
Tried the above command, same result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for test-company-v1.hiration.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: test-company-v1.hiration.com
Type: unauthorized
Detail: 3.101.63.44: Invalid response from Online Resume Builder: Create Resume within minutes "\n <script src="https://kit.fontawesome.com/4b1f44125a.js\ " crossorigin="anonymous">\n <meta charset="utf-"
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet