Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): ubuntu server 22.04 (VM)
My hosting provider, if applicable, is: Not Applicable, self hosted.
I can login to a root shell on my machine (yes or no, or I don't know): yes
The --nginx option you chose uses an HTTP Challenge to an existing nginx server. But, Let's Encrypt cannot reach that domain using HTTP.
Your nginx must be available from the public internet but it is not. The Let's Debug test site is helpful as you make changes to your config. Often this is a firewall or wrongly configured router. Especially review any NAT routing in a router.
Thank you @MikeMcQ for the quick response!
Some elemental questions:
Regarding "The --nginx option you chose uses an HTTP Challenge to an existing nginx server. But, Let's Encrypt cannot reach that domain using HTTP."
Must I use a specific option running nginx to be able to have the certificate? If yes which one?
Regarding: "The Let's Debug test site is helpful as you make changes to your config."
I saw that tool in another post and used it (without any knowledge of its black magic), and I passed the DNS test but failed the HTTP and TLS tests. Is it necessary to pass all 3 tests to get the certificate?
Regarding: "Often this is a firewall or wrongly configured router."
In my router I have NAT type configured as "fullcone". In my server I have UFW configured as follows:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
25 ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
25 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
Is there any additional configuration necessary, that I'm missing?
Additional:
I tried port forwarding to the above ports but the output of the certbot command was the same.
The --nginx plugin option is perfectly fine. I was just stating it uses the HTTP Challenge (as opposed to a DNS or TLS-ALPN challenge).
The Let's Debug HTTP test is important to pass when using the HTTP Challenge (as you are). It would be rare for that to fail yet still be able to succeed using an HTTP Challenge to get a cert.
Those firewall settings looked okay so check all the other components. In short, make sure you can reach your nginx server with HTTP from the public internet.
You may need to check with your ISP to ensure they allow requests on port 80 to reach you. Some residential services do not.
You could maybe automate a DNS Challenge and use the certs for HTTPS (TLS) on a port they do allow. DNS Challenges are often more difficult to set up but far from impossible.
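The two replies above (the one explaining that the --nginx plugin uses an HTTP Challenge, and this one saying the Let's Debug HTTP test must pass) both come down to the same fact: the CA has to fetch a file under /.well-known/acme-challenge/ on port 80 of your domain from the public internet. The following is an added example, not code from Certbot, Let's Encrypt or Let's Debug. It simulates that round trip locally: a tiny server answers the challenge path the way certbot's temporary nginx block would, and a validator function plays the CA side and reports the distinct failure modes a self-hoster usually hits (nothing answering on the port, the wrong server answering, or the wrong content). The token and key authorization values are constructed placeholders, and the validator talks to an explicit port so it can run against localhost; a real CA always uses port 80.

```python
"""Local simulation of an ACME HTTP-01 validation round trip (added example)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def make_challenge_server(token, key_authorization, host="127.0.0.1", port=0):
    """Serve the challenge file the way certbot's nginx plugin does with its
    temporary location block. Returns (server, bound_port); port 0 means
    "pick a free one", which is what makes the example runnable offline."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PREFIX + token:
                body = key_authorization.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                # Any other path is not part of the challenge: behave like a
                # vhost that does not know about this token.
                self.send_error(404)

        def log_message(self, *args):  # keep the example quiet
            pass

    server = HTTPServer((host, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def validate_http01(host, port, token, key_authorization, timeout=5.0):
    """Act as the CA-side validator: GET the challenge URL and compare the body
    with the expected key authorization. Returns (ok, reason)."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        # Something answered on the port, but not with the challenge file:
        # typically a different vhost or a server that is not the one certbot
        # configured. (HTTPError must be caught before URLError, its parent.)
        return False, f"http {e.code}"
    except (urllib.error.URLError, OSError) as e:
        # Nothing reachable on the port at all: firewall, NAT rule, or an ISP
        # that blocks inbound port 80. This is the failure the thread is about.
        return False, f"unreachable: {e}"
    if body != key_authorization:
        return False, "key authorization mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed placeholder values; a real token and account thumbprint
    # come from the ACME server and the client's account key.
    token, keyauth = "EXAMPLE_TOKEN", "EXAMPLE_TOKEN.EXAMPLE_THUMBPRINT"
    srv, port = make_challenge_server(token, keyauth)
    print("served on port", port, "->", validate_http01("127.0.0.1", port, token, keyauth))
    srv.shutdown()
    srv.server_close()
    print("after stopping the server ->", validate_http01("127.0.0.1", port, token, keyauth, timeout=2))
```

Running this shows the pattern the helper in this thread is pointing at: the nginx side can be completely correct and the validator still reports "unreachable", because the problem is in front of the server (router NAT, UFW, or the ISP), not in the certbot configuration. To check a real deployment, run only the validator half from a host outside your network against your domain on port 80, which is what the Let's Debug HTTP test does for you.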
I found this and this but I have no idea what to do with this information (it might seem I can't put 2+2 together).
I'm trying to find a step-by-step guide, because unfortunately this is my expertise level on this stuff. I'm a mechanic by trade, not a techninja, but I like to get out of my comfort zone.
If someone could point me in a direction I'd appreciate it!
All the ports may be blocked. My experience says it is much more likely you have a config problem and much less likely an ISP issue. (because that's what we see here more).
But, if you can proceed you have options.
You are already using Cloudflare as your DNS provider. Certbot supports that; see its docs here (link here).
If you will only use standard ports you could "proxy" your domain name at Cloudflare to use their CDN. That handles HTTPS between any client and its CDN Edge. You could then use their Origin CA Cert for HTTPS between its CDN Edge and your origin server.
The Origin CA Cert is a one-time process. It has some limitations, like it won't work for email servers.
I'll do something else now. For this and other issues I'll change ISP, then I'll get back to this project.
I guess I can live a couple of months without my fancy email aliases.
Thank you so much @MikeMcQ !!!