Certbot failed to authenticate some domains (authenticator: nginx)


In the README (GitHub - certbot/certbot), I see:

  • Configuration changes are logged and can be reverted.

However, there are no instructions on how to see the changes log. I expect some of my nginx config to have been modified, but I do not see any changes. I'd like to inspect those in order to troubleshoot my issue.

Thank you!



It's a rare occasion when somebody asks about this! This functionality is usually only used directly by Certbot itself.

The backup files are stored in /var/lib/letsencrypt/backups/ and the changes are described in a file named CHANGES_SINCE.

Unfortunately the backups are only saved to disk for permanent changes, like installing a certificate. Temporary changes, like the ones done by the authenticator, are only kept in memory, and never saved to disk.

So unfortunately it will probably not help you in this instance.

If you really want to see the changes that Certbot makes, you can ask it to pause execution after making the nginx changes, with the --debug-challenges flag:

certbot certonly -d example.com --nginx --debug-challenges --dry-run

This will provide you an opportunity to open the nginx config files and look at them with your eyes.

Finally, for the nginx authenticator specifically, the changes are logged directly to /var/log/letsencrypt/letsencrypt.log.
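A small script for reading the saved backups described in the reply above. It is an added example, not part of the original reply and not Certbot's own code. The directory path and the CHANGES_SINCE file name come from the reply; that each checkpoint is a directory holding one such file is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise the configuration checkpoints Certbot saved to disk.
# From the reply above: the backups directory and the CHANGES_SINCE file name.
# Assumption: each checkpoint is a directory containing one CHANGES_SINCE file.

BACKUP_DIR="${BACKUP_DIR:-/var/lib/letsencrypt/backups}"

# list_checkpoints DIR: print, sorted, every directory under DIR that
# contains a CHANGES_SINCE file.
list_checkpoints() {
    find "$1" -type f -name CHANGES_SINCE 2>/dev/null |
        while IFS= read -r f; do dirname "$f"; done | sort
}

# show_changes [DIR]: for each checkpoint, print its description and the
# names of the files saved next to it.
show_changes() {
    dir="${1:-$BACKUP_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no backup directory at $dir"
        return 0
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "cannot read $dir; re-run as root if it is root-only" >&2
        return 1
    fi
    found=$(list_checkpoints "$dir")
    if [ -z "$found" ]; then
        # Expected when only temporary (authenticator) changes were made.
        echo "no saved checkpoints in $dir"
        return 0
    fi
    printf '%s\n' "$found" | while IFS= read -r ckpt; do
        echo "== checkpoint: $ckpt"
        sed 's/^/   note: /' "$ckpt/CHANGES_SINCE"
        ls -1 "$ckpt" | grep -v '^CHANGES_SINCE$' | sed 's/^/   file: /'
    done
}

# With no argument this inspects BACKUP_DIR; pass another directory to override.
show_changes "$@"
```

An empty result is consistent with the reply: changes made only for the challenge are never written to this directory.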


Have you tried the "rollback" option?:


Thank you for the great response! If I need to debug certbot in the future, I'll look at this reply.

However, I simply did sudo ufw disable and things worked. Ufw often does not help me. Or, maybe I misunderstand how it works.



[It is supposed to be there to protect you]

