Certbot certonly fails Google Compute VM

Hello

My domain is: dropin.today

I ran this command: /opt/certbot/bin/certbot certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.8 support will be dropped in the next planned release of Certbot - please upgrade your Python version.

How would you like to authenticate with the ACME CA?

1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A separate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): dropin.today
Requesting a certificate for dropin.today
Input the webroot for dropin.today: (Enter 'c' to cancel): /var/www/dropin.today/public

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: dropin.today
Type: connection
Detail: 104.196.57.33: Fetching http://dropin.today/.well-known/acme-challenge/wW2JsyTzIpeGa68t14PtEkeE8AanAIXURzbU5fqB6eo: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@drop-in-back-end-server:~#

My web server is (include version):

nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot
certbot 3.0.1

root@drop-in-back-end-server:~# cat /etc/nginx/sites-enabled/default
server {
    listen 80;
    server_name dropin.today www.dropin.today;

    root /var/www/dropin.today/public;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

}
root@drop-in-back-end-server:~#

There's no nginx running on 104.196.57.33, the current IP address for dropin.today, at this moment.

A working webserver accessible over HTTP (redirect to HTTPS is allowed) is required for the webroot authenticator to work.

Here's my /etc/nginx/sites-enabled/default

server {
    listen 80;
    server_name dropin.today www.dropin.today;

    root /var/www/dropin.today/public;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Do I need one titled dropin.today linked up appropriately?

The configuration of nginx isn't relevant if nginx isn't running to begin with. Perhaps you simply have to start nginx to get it running.

If nginx is running, maybe the IP address isn't correct?

Please note that this is not the "How to get my nginx running" Community. Please make sure nginx is running first and afterwards retry getting a certificate. If nginx is working properly and you're still having trouble, feel free to stop by here again.

nginx says it's running

mark@drop-in-back-end-server:~$ !sudo
sudo su -
root@drop-in-back-end-server:~# systemctl status nginx
● nginx.service - A high performance web server and a rev
Loaded: loaded (/lib/systemd/system/nginx.service; ena
Active: active (running) since Sat 2025-04-05 20:24:52
Docs: man:nginx(8)
Process: 14890 ExecStop=/sbin/start-stop-daemon --quiet
Process: 14902 ExecStart=/usr/sbin/nginx -g daemon on;
Process: 14891 ExecStartPre=/usr/sbin/nginx -t -q -g da
Main PID: 14905 (nginx)
Tasks: 3 (limit: 4915)
CGroup: /system.slice/nginx.service
├─14521 nginx: worker process
├─14522 nginx: worker process
└─14905 nginx: master process /usr/sbin/nginx

Apr 05 20:24:52 drop-in-back-end-server systemd[1]: Start
Apr 05 20:24:52 drop-in-back-end-server systemd[1]: Start
lines 1-16/16 (END)

But there is nothing listening on port 80 (nor 443 for that matter):

osiris@erazer ~ $ curl -LIv http://dropin.today/
* Host dropin.today:80 was resolved.
* IPv6: (none)
* IPv4: 104.196.57.33
*   Trying 104.196.57.33:80...
* connect to 104.196.57.33 port 80 from 192.168.x.x port x failed: Connection refused
* Failed to connect to dropin.today port 80 after 186 ms: Could not connect to server
* closing connection #0
curl: (7) Failed to connect to dropin.today port 80 after 186 ms: Could not connect to server
osiris@erazer ~ $ 

Please double-check the IP address or any other issue that may prevent your website from not working. Please make sure nginx is working first and afterwards retry getting a certificate. If nginx is working properly and you're still having trouble, feel free to stop by here again.

You can use e.g. LetsDebug to test if your website is working properly or not. Currently it shows:

dropin.today has an A (IPv4) record (104.196.57.33) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Understood.

Thank you!
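
The thread turns on the gap between systemctl reporting nginx as active and nothing accepting connections on port 80. The script below is an added example, not written by any poster in this thread and not part of Certbot: it checks for a non-loopback listener on port 80, then writes a probe file where the webroot authenticator would write its challenge and fetches it over plain HTTP. The function names and the probe-file approach are assumptions of this example; it relies on ss, awk and curl being installed.

```shell
#!/bin/sh
# Added example: pre-flight checks before `certbot certonly --webroot`.
# Function names and the probe-file approach are assumptions of this example.

# Succeeds if `ss -ltn` output on stdin shows a TCP listener on port $1 that
# is bound to a non-loopback address (a loopback-only bind is unreachable).
listens_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (part[n] == port && addr !~ /^127\./ && addr != "[::1]") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Map the curl exit codes relevant to an HTTP-01 fetch to a short diagnosis.
explain_curl_exit() {
    case "$1" in
        0)  echo "reachable" ;;
        6)  echo "dns: name did not resolve" ;;
        7)  echo "connect: TCP connection to port 80 failed" ;;
        22) echo "http: server answered with an error status" ;;
        28) echo "timeout: no answer, traffic may be filtered" ;;
        *)  echo "other: curl exit $1" ;;
    esac
}

# preflight DOMAIN WEBROOT: write a probe file where certbot would write the
# challenge, fetch it over plain HTTP by name, and compare the content.
preflight() (
    dir="$2/.well-known/acme-challenge"; token="preflight-$$"
    ss -ltn | listens_on_port 80 || { echo "no public listener on :80"; exit 1; }
    mkdir -p "$dir" && echo "$token" > "$dir/$token" || exit 1
    body=$(curl -sSf --max-time 10 "http://$1/.well-known/acme-challenge/$token") \
        && rc=0 || rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] || { echo "fetch failed: $(explain_curl_exit "$rc")"; exit 1; }
    [ "$body" = "$token" ] || { echo "content mismatch: wrong root?"; exit 1; }
    echo "ok: $1 serves $2 over HTTP"
)

# Run as: sh preflight.sh dropin.today /var/www/dropin.today/public
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The fetch here originates on the server itself, so a pass does not prove the name is reachable from the internet; repeat the curl from an outside host, as was done earlier in the thread, before retrying Certbot.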