certbot.errors.AuthorizationError: Some challenges have failed

Hi folks,

I’m trying to go through this tuto and I get weird behaviors.
For the record, I spent 5 hours on it before posting here, not 5 minutes.

Please find my main files:

init-letsencrypt.sh

#!/bin/bash

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(www.lorem.com)
rsa_key_size=4096
data_path="./data/certbot"
email="vivian@lorem.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
    -keyout '$path/privkey.pem' \
    -out '$path/fullchain.pem' \
    -subj '/CN=localhost'" certbot
echo


echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo

echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
  rm -Rf /etc/letsencrypt/live/$domains && \
  rm -Rf /etc/letsencrypt/archive/$domains && \
  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo


echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
  domain_args="$domain_args -d $domain"
done

# Select appropriate email arg
case "$email" in
  "") email_arg="--register-unsafely-without-email" ;;
  *) email_arg="--email $email" ;;
esac

# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi

docker-compose run --rm --entrypoint "\
  certbot certonly --webroot -v --debug-challenges -w /var/www/certbot \
    $staging_arg \
    $email_arg \
    $domain_args \
    --rsa-key-size $rsa_key_size \
    --agree-tos \
    --force-renewal" certbot
echo

echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload

docker-compose.yml

version: "3"

services:
  nginx:
    image: nginx:1.17
    container_name: xxx-nginx
    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''

  certbot:
    image: certbot/certbot
    container_name: xxx-certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

  nuxt:
    build: ./app/
    container_name: xxx-app
    restart: always
    ports:
      - "3333:3333"
    command: "npm run start"

nginx/default.conf

server {
    listen 80;
    server_name xxx.lorem.com;

    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }    
    
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name xxx.lorem.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/xxx.lorem.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.lorem.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
    location / {
        proxy_pass http://xxx.lorem.com;
        proxy_set_header    Host                $http_host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
}

And perhaps the most importing file, my error log:

Existing data found for xxx.lorem.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for xxx.lorem.com ...
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/letsencrypt/live/xxx.lorem.com/privkey.pem'
-----

### Starting nginx ...
Recreating xxx-nginx ... 
Recreating xxx-nginx ... done

### Deleting dummy certificate for xxx.lorem.com ...

### Requesting Let's Encrypt certificate for xxx.lorem.com ...
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f4e79936e10>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f4e79936e10> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/11519950', new_authzr_uri=None, terms_of_service=None), 803e21903d9d8cfa20499d0bb2bd2586, Meta(creation_dt=datetime.datetime(2019, 11, 8, 15, 32, 18, tzinfo=<UTC>), creation_host='13b6b54e68c0'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:48 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "21IRDSaUJLI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Generating key (4096 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:49 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002tUBK5GOg9sYqNGtZVk8sAu5CvI2kCg6CZ2ubFK7OzKU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0002tUBK5GOg9sYqNGtZVk8sAu5CvI2kCg6CZ2ubFK7OzKU
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "xxx.lorem.com"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAydFVCSzVHT2c5c1lxTkd0WlZrOHNBdTVDdkkya0NnNkNaMnViRks3T3pLVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "eUu7ijFJznEuhHIbsGZXEIFMVnVGQ7q3B_afLKLkdEeHreuggZq9GgBycDZrsbMHxojVkwwRdFV59tSL6uJ_PLYnsat9nsRgU9EDnFpCgUlXwvPiek43_yXVczB2VHtgYdx8bL1jxnAWUCwlJVmfMy-Y1Jptjn10-Jvolsemr5-jQrn5P7Be1-ibVqi7iqA8rYY8ZeWw7YJdpaF3lR_i1VBQsaLcnE4-fGIn7CTDMdOKqZGlTY4ac-41dDpHtzZ7yQV3yU6nBaXakenBoubInvctfc5T6jQ_HVchKW1R2Qoysy1Hki-j24t2cJaet7BZwyNV-mF3lN6-BGWfbz7qQzfPdoFFzDaPNmPBsnu1y1sBmtTBgHCJ1YjQQTbYmACwIvcTRzGTUbqLFS0avjCXvZOsK08j6yaDP3uSvpPCB9qaV2v_7_Lqlcir66i0--EiVHEKvXiFVe345EudGg6Q9_sjw93FqpMo3TAKpOuLYRZQIZJxfnpeCCTt8jCREcNUUFp05Q17pCf03pv25F2EK_g61HLdrDUQNva8IvtNMEzm6HQUE23HfNRyFHogYODUlAGMB2ygAdFUhje9SA4YgWXwCvDKSrct-EN4bODp8hfLjfhHbx1Gp5__-8IkKPNNyKAnxvggI9iJYSnazOwsog0gquCrljmjNzDwctZNsPI",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInByb2pvLm9jdXMuY29tIgogICAgfQogIF0KfQ"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 355
Received response:
HTTP 201
Server: nginx
Date: Fri, 08 Nov 2019 16:33:49 GMT
Content-Type: application/json
Content-Length: 355
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/11519950/60509153
Replay-Nonce: 0002d_thn50OPYUbaGIfCqJFbisnxyD1Hy19kLbjXooClNg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2019-11-15T16:33:49.73815071Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "xxx.lorem.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11519950/60509153"
}
Storing nonce: 0002d_thn50OPYUbaGIfCqJFbisnxyD1Hy19kLbjXooClNg
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAyZF90aG41ME9QWVViYUdJZkNxSkZiaXNueHlEMUh5MTlrTGJqWG9vQ2xOZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xOTgxNTg1MCJ9",
  "signature": "KZ7llK_j4mZIYamX7xhVkHSUnavih30MWEY4Kl_mzcYdNHtOd_hGSNG0FFU3ZsVFuu4XIzmfUyIW3esdSIHllOM41DdC_HVe8d0sIxuN75V7cs59ltAPMCZoeiG64XBwxJDsBtDV2WdJ35DVv7UPqCfcX9Ntw0T9LkooCQaRGJCstAPlx2MiVb2uf6gJIPqY8-O4thKUA-_DbzMDeew0PDMtlHYHa_qQZOvaajgY4vTFtF188Q8DsfEyLASpkony3f_Hlw7S6IuDDrZhLUyAbvKgwJDeTkYOOyiizxzf8JnEvEG4JyKNZsfLhMCxst1W4dDYlbESYXAKQSY_bBhbFaDCzVAOQ_T5--Cc3iq8MSVITyB4h0vGq7dJHVJloobTBDg7azuNN3ERnsZLuIKO0_wFQ7HoGyFP_2AQ8VPKgCDP6MXf34Whv9O9InciBuAO8QKkNrpxBmLlrXD8ndcDQ53pD6gtlStvBIADHuee2L9zxoqIu5sOxmbmAWCHIPCQDYDIOTbad3WPYS6N6aiIdjoNwTbtN-bXys5CzYfeSw9nRugyWz9geTg9MhpYqo_HIWqFQfVMW-3ER2g7kwc-IYTb_jZt2MdE5IW_ydJEq7Q7M_vcEvGOLuYfpZjE74deaHl5NSiw2JUW6mYtSylWxXgxRVdChhRZtjh5UlspHWU",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/19815850 HTTP/1.1" 200 810
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:50 GMT
Content-Type: application/json
Content-Length: 810
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002pQ68YQCYousjJoEJZ1sTVmzmaAAtuPCBHN7FLfOiQU4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "xxx.lorem.com"
  },
  "status": "pending",
  "expires": "2019-11-15T16:33:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/xRpPTQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/-6VPpg",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    }
  ]
}
Storing nonce: 0002pQ68YQCYousjJoEJZ1sTVmzmaAAtuPCBHN7FLfOiQU4
Performing the following challenges:
http-01 challenge for xxx.lorem.com
Using the webroot path /var/www/certbot for all unmatched domains.
Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U
Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAycFE2OFlRQ1lvdXNqSm9FSloxc1RWbXptYUFBdHVQQ0JITjdGTGZPaVFVNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xOTgxNTg1MC9QbUtObVEifQ",
  "signature": "FDYkuxb4R5dc1ZBRJfezgMw2D_OSt7y4nAqoplXs4F0D2N8Esvnl9hiVFhd3MlbbYLdsVz-_EQ1vbnc0NPUzVVK1MtFI_w-3aMNuIJnGIAgn1coIffZZKfha8mQD9gRffhuIFUP8xVDMNR8rcpsN9WNiHnDeuz_pUJqOGGDiqGy0-SITfiCff9cTKqYOykbgsPsfBO4taY1KHq1nGP2H6pQvlboEu4_ALKzH7UUP3UaHxejq5FLLrHYLqHMsVqLSegJU4OjxrxCMl3g6_ygrNunrO36ctgiIgN9WNgld4I5mOOEGkfz6UVjvmfGmKwlWl7fcqsGyy-9jBgG_bgvPbBFX7YRsahdBvlb7nJaLNs5lBqFWUCgnGLO0PuMbDgVTqFUwrcGM91UerwV66GK2AItNxvV9DAcXRGorVnYEindt22p7OsbXA8iO50X-Hegp0ficXfLuBKnbc5IxW0R_o5ew8eU3nQ27170DpEE5wh65exlQJgm1-XYItbDL00XdpxkVcGkvE3jhQpuvwSWv1MGgxkuVU2uV3eSPw6wB0iQxHHzk6vl5kD9GbtC7Lqx9TaadkLHWQm1rl7PjHjJS5O5cYvIWqlUaDFVOfyABub-J5Dd_FHIWHjKNZz8hFIW8AyNOsxP50VotU9xN5ypc5m4OkLfJWFuXSuOCBqwRdp0",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/19815850/PmKNmQ HTTP/1.1" 200 191
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:35:08 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ
Replay-Nonce: 0002uVhZwVzdVbFWDpcL52c_gOmusK7spQSTfRTrB1N4I9o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
  "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
}
Storing nonce: 0002uVhZwVzdVbFWDpcL52c_gOmusK7spQSTfRTrB1N4I9o
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAydVZoWndWemRWYkZXRHBjTDUyY19nT211c0s3c3BRU1RmUlRyQjFONEk5byIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xOTgxNTg1MCJ9",
  "signature": "EIKVD-rBIyCXBwsMk-w7Ejs_VgAbcp5ry2oKvSFKnP9T6ze66aq-rk-SAMZAWyrOObarYAB7jMZGNCJzk2-ODIIVQBACY2LXxvwfWj42IItIf77NyFc6dIUgw17r-3fPLMpWCR7meTyzTVDzVjzqJsn5bQw4pGTlXvAPl_6BtH8MB4d9qKokOYWd19qVSRRFpygm6ITLCTaqryl-t-lb5XFRFVrYtkChRetdyhr8WXHgEbO8D59wuoYYLN_W3R2MOlbb_qBKYmTs6ekxH00ofD-nx13HHi-lqskbFT0sjG6Mtqe8yM4ui8KWGipG5Gacwme3_YW_Lf2cJDgHStSyVJacegDQa05fePwYEiZfHCEw6fkChNyxT0iGKDOdTUIf7tYLpMFIBi341zjdN5qEAShqx4hFoqSlYHv0K1OWvKgv5S4DvJXPwH2zMKIVJDIGFI6J69HH-Hjru_XhLp9mN62LLaeRsVyfiiRgT5PKwo7uLm_mRiysa_m9BwciCalZKEhQlMoswiUOkCnSJaeXTEGdJtdE-VWk7uPblNQUTgL-yM7x_tAuftiwNbZCi56jHXjeVkEEx_NKfptihb_hkjAj_C0D6IX3G0d_8alwnl9BtwsJgPAhHx5s349nQ8B3oX808cEIkeSZPixKY3KIYCc1wtYE99kUCq1BDroZqlE",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/19815850 HTTP/1.1" 200 1407
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:35:10 GMT
Content-Type: application/json
Content-Length: 1407
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002m0OY7qa_ElRdf4p40LyJeqReobHWSx3G8FMn4I0ganA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "xxx.lorem.com"
  },
  "status": "invalid",
  "expires": "2019-11-15T16:33:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U: Connection refused",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U",
      "validationRecord": [
        {
          "url": "http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U",
          "hostname": "xxx.lorem.com",
          "port": "80",
          "addressesResolved": [
            "157.230.115.5"
          ],
          "addressUsed": "157.230.115.5"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/xRpPTQ",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/-6VPpg",
      "token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
    }
  ]
}
Storing nonce: 0002m0OY7qa_ElRdf4p40LyJeqReobHWSx3G8FMn4I0ganA
Challenge failed for domain xxx.lorem.com
http-01 challenge for xxx.lorem.com
Reporting to user: The following errors were reported by the server:

Domain: xxx.lorem.com
Type:   connection
Detail: Fetching http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /var/www/certbot/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.lorem.com
   Type:   connection
   Detail: Fetching
   http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

### Reloading nginx ...
2019/11/08 16:35:12 [notice] 10#10: signal process started

Before Press Enter to Continue I discovered that a file is written:

data/certbot/www/.well-known/acme-challenge/dvDDPLEGxXGzDcOMIp2mF-U6bH1u82te3wjysJebbU4

Is anyone has an idea/advice/suggestion?
At this stage, any help is more than welcome!

1 Like

Hi @Vivian

please share your domain name so it’s possible to check your domain.

My domain name is:
projo.ocus.com

Your domain doesn’t answer - https://check-your-website.server-daten.de/?q=projo.ocus.com

Domainname Http-Status redirect Sec. G
http://projo.ocus.com/
157.230.115.5 -2 1.076 V
ConnectFailure - Unable to connect to the remote server
https://projo.ocus.com/
157.230.115.5 -2 1.077 V
ConnectFailure - Unable to connect to the remote server
http://projo.ocus.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
157.230.115.5 -2 1.094 V
ConnectFailure - Unable to connect to the remote server

Creating a Letsencrypt certificate via http validation: A working port 80 webserver is required.

Works it internal? If yes, there may be a firewall or another blocking instance.

There

is another user, same tutorial, the same problem.

Perhaps the tutorial is incomplete.

1 Like

Really interesting!
Thanks for your investigation!
I created an issue on the Github repository.
As soon as I get an answer, I’ll keep you updated.

1 Like

I already solved my issue.
The tutorial was fine. I just accidentally erased a word in the configuration file. :slightly_smiling_face:

2 Likes

Ah, thanks for reporting back, good to know. Happens :wink:

I’m wondering if the problem comes from nginx.

Just before to launch the challenge:

I double check if I have my key:
2
:white_check_mark:

My images are running:


:white_check_mark:

But I only have my tcp6 opened:

Is it ok for the challenge?

Checked your domain - you don’t have an ipv6 - address - https://check-your-website.server-daten.de/?q=projo.ocus.com

Host T IP-Address is auth. ∑ Queries ∑ Timeout
projo.ocus.com A 157.230.115.5 Frankfurt am Main/Hesse/Germany (DE) - DigitalOcean, LLC No Hostname found yes 1 0
AAAA yes

There is only one ipv4. If your nginx handles only ipv6 -> that can’t work.

Sorry, I’m currently working on it :confused:

Thank you for your time and your patience @jurgenhaas