Certbot failed to authenticate some domains (authenticator: nginx)

My domain is: wiki.endesarrollo.ovh (but 24 others fail. All on a server after more than 3 years using Let's Encrypt)

I ran this command:

certbot --nginx
certbot renew --force-renewal

It produced this output:
First

Error lets

(E)xpand/(C)ancel: E
Renewing an existing certificate for clientes.aicha.es and 16 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.com/.well-known/acme-challenge/bEkocAu2aQeldcJ2Sek3zH5U4h_j71p9X_Dsm1wYm_c: 404

  Domain: castris.es
  Type:   unauthorized
  Detail: 2606:4700:3031::6815:36f6: Invalid response from http://castris.es/.well-known/acme-challenge/538HdHV5_yZ9YIGdbswM4sCmRbaaaA2LAGxdLbZDHR0: 404

  Domain: central.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://central.castris.com/.well-known/acme-challenge/japJXya-ML4zlcAS0qEMUchHU8h8KhkjETYqjxcJfWg: 404

  Domain: centralpostfix.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://centralpostfix.castris.com/.well-known/acme-challenge/LjydobOohzh6yb6WHrPVVj-_sIlb-RSX-TFdKDKSJ5M: 404

  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/2erQS9DQ_6uEosFZRd_9d5QltLUmNiAhkgU912wFRm0: 404

  Domain: intranet.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://intranet.castris.com/.well-known/acme-challenge/gyuG8AiJHpx5pIas1GwVu3z-CNdQ29-IZN6uqVvirIM: 404

  Domain: manuales.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://manuales.castris.com/.well-known/acme-challenge/n4VsLITYI2dh8UZDBDbZ-OMVS1FN5XYzV1yvGTG1J1c: 404

  Domain: multimedia.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:d374: Invalid response from http://multimedia.castris.com/.well-known/acme-challenge/xvgOMpBjMGXeeBq5vNPYwvCK5slQ-34UTc_58UcmnaU: 404

  Domain: sitelight.grupositelec.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://sitelight.grupositelec.es/.well-known/acme-challenge/R-vyh37t61Kvis0v0jEURg6pzlKWvt_1xsoglgMh0w0: 404

  Domain: tabratino.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://tabratino.com/.well-known/acme-challenge/z8Ys-c0X-DNazXa8TIRazaK_KcJIGBHN67yivLN_9mQ: 404

  Domain: time.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://time.castris.com/.well-known/acme-challenge/tMuGug4psZCLy2omwVl_LGEtXEmGrOBZwe-ngPOa01M: 404

  Domain: timetracker.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:d374: Invalid response from http://timetracker.castris.com/.well-known/acme-challenge/aLLikPDXkhFTsgLO-kzVPq_aujwVlakLkvTBOPcpU9E: 404

  Domain: wiki.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://wiki.castris.com/.well-known/acme-challenge/6__Wel38yOA_3Woo4MOvqiF5ZUmYNNZ0hEXDZ1jtGio: 404

  Domain: wiki.endesarrollo.ovh
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://wiki.endesarrollo.ovh/.well-known/acme-challenge/AheNY3qY--LXdFAsji6u9HaUnBcHnl5YYF7OKa7q7L4: 404

  Domain: www.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://www.castris.com/.well-known/acme-challenge/LWknKMnqyrt7u168q8kEV1FkZiWb9Qd_rV8jCtrH-r0: 404

  Domain: www.castris.es
  Type:   unauthorized
  Detail: 2606:4700:3031::6815:36f6: Invalid response from http://www.castris.es/.well-known/acme-challenge/YHqx47NN9uyK4931uR6Ccqflkcu7XGj2rEfvlgymeWw: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Second

❯ certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/aicha.es-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for aicha.es and 5 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://aicha.es/.well-known/acme-challenge/anc0nhdMQoMkQ6W_A2IF8bCOKkSk7jb6hGaKIxcaZkI: 404

  Domain: castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.com/.well-known/acme-challenge/6dTtQ_7LLNn-WvdfeYKG6sykgoAr7QQToOKgKMhIhrM: 404

  Domain: castris.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.es/.well-known/acme-challenge/5fh0eWDGDPh1Jmn9jIuC9W4_LSTzz7cAWK3PyHcGUIo: 404

  Domain: central.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://central.castris.com/.well-known/acme-challenge/d_UmxNRzJApjFP_lRgMRyCaa6dVZTXyo2H0N8Jln7gw: 404

  Domain: centralpostfix.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://centralpostfix.castris.com/.well-known/acme-challenge/auyostwq859zUTmxD-zQxE3MXeNWHSRg9TY30aVM3NU: 404

  Domain: www.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://www.aicha.es/.well-known/acme-challenge/bQiMTN02s159tWM2S8WOI-lCaX9qo32OeUfEHygTogg: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate aicha.es-0001 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/aicha.es-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for aicha.es and 3 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://aicha.es/.well-known/acme-challenge/PDqY_sm3zACfT-hptQFCSt05u2yH1dFqMim7xCUqhtQ: 404

  Domain: arabe.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://arabe.aicha.es/.well-known/acme-challenge/9LGbAtlm-z_CyjdrvH1lRCG4cL__NPPq-0tD6qF7zp0: 404

  Domain: www.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://www.aicha.es/.well-known/acme-challenge/3GpxfH148FagwdUprpW8ZTWejZ3NHwjf3t_ATAKOzwo: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate aicha.es-0002 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/aicha.es.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for aicha.es and 6 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: 228.31.in.tamainut.net
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://228.31.in.tamainut.net/.well-known/acme-challenge/WAoMCUInc3KoIIvxRpbxhoCJm49TndwiNVXzqZAgz80: 404

  Domain: aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://aicha.es/.well-known/acme-challenge/4foU1KgRynCiUFOxcDrv5Av9uHFzXhWTSWWUIPiygg4: 404

  Domain: castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.com/.well-known/acme-challenge/oZW7F0SvnzSBD6I4KwWEGkGrESRXSYSRQp43Bzkb_Eo: 404

  Domain: central.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://central.castris.com/.well-known/acme-challenge/Ksq8L55S2OjtevxnY64r7pour8UlESjoQtvKa-qCX3s: 404

  Domain: centralpostfix.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://centralpostfix.castris.com/.well-known/acme-challenge/q6kBGh3Olt3-K64E29SHO8VRjNvKIqtoM3BGVHNxemY: 404

  Domain: www.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://www.aicha.es/.well-known/acme-challenge/l-kXEYuaAPNmeLBBX7d2kratSG1nsNUJok9-goakIJo: 404

  Domain: www.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://www.castris.com/.well-known/acme-challenge/HrW2PtCrQ-YiXOCn6o1dZm-0bGeW2tOrbHlt_yy_5oo: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate aicha.es with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/castris.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for aicha.es and 19 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://aicha.es/.well-known/acme-challenge/1nCcmWorvBjW3h-RwaZ2gMu4xT_7I0-ickO-Xw5RDms: 404

  Domain: arabe.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://arabe.aicha.es/.well-known/acme-challenge/McaeTxcE60E6T2LqczSAVWtByCUsqWiyo1cTph3Qpek: 404

  Domain: castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.com/.well-known/acme-challenge/aNMqK8sCt7gIYDzLoiQ4YixilYe0-lbwQkMik9Ilzxo: 404

  Domain: castris.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.es/.well-known/acme-challenge/chCP2h43w1n1NH6pH5W7IbzkEiUTXpxBL0nhqzYEeJE: 404

  Domain: central.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://central.castris.com/.well-known/acme-challenge/5Qpfh93b7bVoOV-7VcXFQXSgKFw2P3283lSqALEEx7Y: 404

  Domain: centralpostfix.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://centralpostfix.castris.com/.well-known/acme-challenge/sQ13t2pEcJeLi33IhVsfka9w3vswQTLwuN1ZAbA84bQ: 404

  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/o7tvutucHe2A_Ll896QtJRaoWAmuQNZcDJWVByjWzec: 404

  Domain: intranet.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://intranet.castris.com/.well-known/acme-challenge/F3vXvttYgAB7t-SEWGw3XOKN8WXo_UM8jHYoEJW-pFI: 404

  Domain: manuales.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://manuales.castris.com/.well-known/acme-challenge/EVW64eAb7GMSh5g--AMxgYnoHpv-F2TLP6ee36e_W_4: 404

  Domain: multimedia.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://multimedia.castris.com/.well-known/acme-challenge/EnoHRIa1IJ0NZDlvj1K1X0JGKCiDgWw-8bS3gD85hzs: 404

  Domain: swissknife.ovh
  Type:   unauthorized
  Detail: 2606:4700:3034::6815:4005: Invalid response from http://swissknife.ovh/.well-known/acme-challenge/HUCoU4raqC9Nq0_Lwc0qAguFdKYlOlR4p52y4I12zEY: 404

  Domain: tabratino.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://tabratino.com/.well-known/acme-challenge/byNheOb5c9gSKB_SjnAEQwOFw4dc_cLp2QAS-I3KCXc: 404

  Domain: time.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://time.castris.com/.well-known/acme-challenge/gu7cavMEKfLQ3ixg9FjT2T91RMduABu1Qr6jf0XEN54: 404

  Domain: timetracker.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3037::6815:3d92: Invalid response from http://timetracker.castris.com/.well-known/acme-challenge/njagezlkACnZqL3eOpA5xaj4UzPtyNXtiY0fvfStSG4: 404

  Domain: wiki.castris.com
  Type:   unauthorized
  Detail: 2606:4700:3034::ac43:d374: Invalid response from http://wiki.castris.com/.well-known/acme-challenge/nHahn6pp-zBHWhv_QcjPMz4ttDU8WujtCaKcP_6lRi8: 404

  Domain: wiki.endesarrollo.ovh
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://wiki.endesarrollo.ovh/.well-known/acme-challenge/VvZELHxJQERH7zssXRyjnPzJVQN27I-En81PgM0_0ic: 404

  Domain: www.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://www.aicha.es/.well-known/acme-challenge/_nDvTkwdcWHO7dPKmaqFEOt2BOGwcuOOlnbHamZ6cL4: 404

  Domain: www.castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://www.castris.com/.well-known/acme-challenge/hhUSKjFoYLlG_a_70JNAm5BemlNlpXPC4y0vaFpgu7c: 404

  Domain: www.castris.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://www.castris.es/.well-known/acme-challenge/ZTiJcbkUjHom5iNYBSN_3ORvMuBDw7TvCcDhsHVhjlU: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate castris.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/central.castris.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for aicha.es and 17 more domains
Failed to renew certificate central.castris.com-0001 with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/central.castris.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for aicha.es and 6 more domains
Failed to renew certificate central.castris.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/swissknife.ovh.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for clientes.aicha.es and 17 more domains
Failed to renew certificate swissknife.ovh with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tabratino.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for tabratino.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: tabratino.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://tabratino.com/.well-known/acme-challenge/R8Wc8gK8pvomh6XnxGIv6iflWjyWjXmYYeI2Z5vQA2Y: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate tabratino.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/aicha.es-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/aicha.es-0002/fullchain.pem (failure)
  /etc/letsencrypt/live/aicha.es/fullchain.pem (failure)
  /etc/letsencrypt/live/castris.com/fullchain.pem (failure)
  /etc/letsencrypt/live/central.castris.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/central.castris.com/fullchain.pem (failure)
  /etc/letsencrypt/live/swissknife.ovh/fullchain.pem (failure)
  /etc/letsencrypt/live/tabratino.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
8 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Any panel.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

All sites are already managed by certbot (nginx config file).
Server has no IPv6:

ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 176.31.31.228  netmask 255.255.255.192  broadcast 176.31.31.255
        ether e6:af:6a:76:73:22  txqueuelen 1000  (Ethernet)
        RX packets 12722352  bytes 1280947651 (1.2 GB)
        RX errors 0  dropped 1740  overruns 0  frame 0
        TX packets 2628802  bytes 3698501426 (3.6 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And the nginx config has no IPv6 config.

For the latest test, I deactivated the Cloudflare proxy on all domains.

2023-09-10 05:55:31,086:DEBUG:acme.client:Storing nonce: ScbuMwjjd8huVydoGUFFI9ratiSFx9y8bKgCzET1yRs24VUou_Q
2023-09-10 05:55:31,086:DEBUG:acme.client:JWS payload:
b''
2023-09-10 05:55:31,088:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/263048135456:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzgzNzY1NDkiLCAibm9uY2UiOiAiU2NidU13ampkOGh1Vnlkb0dVRkZJOXJhdGlTRng5eThiS2dDekVUMXlSczI0VlVvdV9RIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNjMwNDgxMzU0NTYifQ",
  "signature": "E8jsBPIXf5v_-OjzgGczntjMUVpeCm9hui4FdTF4j-HzWRgd8Ycp88gtQYmcNjLIqEdOzu5cuTjAkVJYUNQoVX2gqP6_RKvHrjl-T5qJ7NR6banMCemblFGN4rhOc6lpT-0gdUhEjFZwLnHX44VPvtpvX_mun5xxOtXXgtuN3YDEmBQRx5sbKUq7qpVZsI9vd-PjvGkipD_RJV5l7u22THDboyaYvMwI2szdzypGhycVJchD9NU5jcvrfZp4vz1_yTg6GfzgFr8i4Gu8eFyKiM7voYF5cOfO6mpeafJdzjKowUHcNPl3q0Sm8GOQhwb2L3TgptLOvAsaQkgCpy-wgw",
  "payload": ""
}
2023-09-10 05:55:31,249:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/263048135456 HTTP/1.1" 200 1052
2023-09-10 05:55:31,250:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 10 Sep 2023 05:55:31 GMT
Content-Type: application/json
Content-Length: 1052
Connection: keep-alive
Boulder-Requester: 78376549
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: ScbuMwjjcdKUsXe14t1MHDnOqvPBFDNNT801ZmiDXDK6N2_2izA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "wiki.endesarrollo.ovh"
  },
  "status": "invalid",
  "expires": "2023-09-17T05:55:18Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "176.31.31.228: Invalid response from http://wiki.endesarrollo.ovh/.well-known/acme-challenge/p6dFnV_YjZVsgPsuTDdwLMUwo3yPj9EXJ1Smtk_-nzE: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/263048135456/7yQ-1Q",
      "token": "p6dFnV_YjZVsgPsuTDdwLMUwo3yPj9EXJ1Smtk_-nzE",
      "validationRecord": [
        {
          "url": "http://wiki.endesarrollo.ovh/.well-known/acme-challenge/p6dFnV_YjZVsgPsuTDdwLMUwo3yPj9EXJ1Smtk_-nzE",
          "hostname": "wiki.endesarrollo.ovh",
          "port": "80",
          "addressesResolved": [
            "176.31.31.228"
          ],
          "addressUsed": "176.31.31.228"
        }
      ],
      "validated": "2023-09-10T05:55:27Z"
    }
  ]
}

Please forget this option ever existed. It doesn't do what you think it does.

I see several different IP addresses. Are all of those websites actually hosted by nginx on the machine Certbot is running on?

5 Likes

Me too.
The IPv4 addresses are all managed by castris.com
The IPv6 addresses are all managed by Cloudflare.com

Then the AAAA records should be removed from the zone.

3 Likes
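The replies above boil down to one question per failed name: which address did the CA actually connect to, and is that address this nginx host at all? The following script is an added example (not code from the thread or from Certbot) that parses the "Domain / Type / Detail" blocks Certbot prints, pulls out the address the validator used, and sorts each name into "this server", "another server", or "an IPv6 address this host does not have". The sample report, the challenge tokens and the `server_ipv4` set are constructed for the example; the 176.31.31.228 / 5.135.93.116 / 2606:4700:... split mirrors the addresses quoted in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in the shape of Certbot's failure report from this thread;
# the challenge tokens are made up.
SAMPLE_REPORT = """\
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: castris.com
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://castris.com/.well-known/acme-challenge/TOKEN-A: 404

  Domain: castris.es
  Type:   unauthorized
  Detail: 2606:4700:3031::6815:36f6: Invalid response from http://castris.es/.well-known/acme-challenge/TOKEN-B: 404

  Domain: aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://aicha.es/.well-known/acme-challenge/TOKEN-C: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot.
"""

FIELD_RE = re.compile(r"^\s*(Domain|Type|Detail):\s+(.*)$")
# "<address the CA used>: Invalid response from <challenge URL>: <HTTP status>"
DETAIL_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f.:]+): Invalid response from (?P<url>\S+): (?P<status>\d+)$"
)


@dataclass
class Failure:
    domain: str
    kind: str       # ACME error type, e.g. "unauthorized"
    addr: str       # address the CA validator actually connected to
    url: str
    status: int
    verdict: str    # where that address points, see classify_address()


def parse_report(text):
    """Turn Certbot's 'Domain/Type/Detail' blocks into a list of dicts."""
    blocks, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "domain" and current:   # a new block starts at each Domain line
            blocks.append(current)
            current = {}
        current[key] = value
    if current:
        blocks.append(current)
    return blocks


def classify_address(addr, server_ipv4, server_has_ipv6):
    """server_ipv4: set of this host's public IPv4 addresses (assumed input)."""
    ip = ip_address(addr)
    if ip.version == 6:
        # The validator prefers an AAAA record when one exists; a host with no
        # IPv6 can never answer there, so the record points somewhere else.
        return "ipv6-not-on-this-host" if not server_has_ipv6 else "ipv6"
    return "this-server" if str(ip) in server_ipv4 else "other-server"


def triage(text, server_ipv4, server_has_ipv6=False):
    failures = []
    for b in parse_report(text):
        m = DETAIL_RE.match(b.get("detail", ""))
        if not m:
            continue   # a Detail line in a shape this parser does not know
        failures.append(Failure(
            domain=b["domain"], kind=b.get("type", "?"),
            addr=m["addr"], url=m["url"], status=int(m["status"]),
            verdict=classify_address(m["addr"], server_ipv4, server_has_ipv6),
        ))
    return failures


def by_verdict(failures):
    groups = defaultdict(list)
    for f in failures:
        groups[f.verdict].append(f.domain)
    return dict(groups)


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT, {"176.31.31.228"}, server_has_ipv6=False)
    for verdict, domains in sorted(by_verdict(results).items()):
        print(f"{verdict}: {', '.join(domains)}")
```

Only the "this-server" group is an nginx problem to debug with `nginx -T`; the other two groups are DNS problems (an A record pointing at a different machine, or an AAAA record for a host that has no IPv6), and no amount of nginx configuration on this host will make those validations pass.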

Do you require using only one cert for all names?
[that won't scale past 100 names]

This may be easier to troubleshoot one name at a time.

3 Likes

Ok.

Forget --force-renewal.

@9peppe where you see two IPs, it is because of the renewal command; 2 domains are not on this server (they are on another server). Not in nginx, but letsencrypt tries the renewal.

Example below. This domain IS NOT in nginx on this server, but the latest renewal was made on this server.

 certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Domain: www.aicha.es
  Type:   unauthorized
  Detail: 5.135.93.116: Invalid response from http://www.aicha.es/.well-known/acme-challenge/nkarSBju064-Bm8HDrSzbhnxKPy8j0xAHCW9PgK7it4: 404

@rg305 Thanks, I thought that a global SSL cert was needed for all domains on the server,

but the problem is not this.

Trying to get only the first domain:

❯ certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: clientes.aicha.es
2: wiki.aicha.es
3: castris.com
4: castris.es
5: central.castris.com
6: centralpostfix.castris.com
7: intranet.castris.com
8: manuales.castris.com
9: multimedia.castris.com
10: time.castris.com
11: timetracker.castris.com
12: wiki.castris.com
13: www.castris.es
14: www.castris.com
15: wiki.endesarrollo.ovh
16: sitelight.grupositelec.es
17: tabratino.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for clientes.aicha.es

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/WP7KYzHDj2lFaTTccbKXngndTGHt_G7k1bAI333PsxU: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
❯ dig clientes.aicha.es

; <<>> DiG 9.16.1-Ubuntu <<>> clientes.aicha.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39966
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;clientes.aicha.es.		IN	A

;; ANSWER SECTION:
clientes.aicha.es.	300	IN	A	176.31.31.228

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Sep 11 05:07:28 UTC 2023
;; MSG SIZE  rcvd: 62

With a Let's Encrypt certificate:

Nombre común (CN) R3
Organización (O) Let's Encrypt
Unidad organizativa (OU)
Emitido el viernes, 23 de junio de 2023, 12:22:12
Vencimiento el jueves, 21 de septiembre de 2023, 12:22:11

Others with the same problem.

We need to see the entire nginx config to understand why it returns 404.
nginx -T

2 Likes

nginx -T

user  www-data;
worker_processes  auto;
worker_rlimit_nofile    65535;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections  1024;
    use                 epoll;
    multi_accept        on;
}
http {
    sendfile                        on;
    tcp_nopush                      on;
    tcp_nodelay                     on;
    client_header_timeout           60s;
    client_body_timeout             60s;
    client_header_buffer_size       2k;
    client_body_buffer_size         256k;
    client_max_body_size            256m;
    large_client_header_buffers     4 8k;
    send_timeout                    60s;
    keepalive_timeout               30s;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;
    server_names_hash_max_size      512;
    server_names_hash_bucket_size   512;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    gzip                on;
    gzip_static         on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon application/json application/vnd.ms-access video/webm application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";
    proxy_redirect      off;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header   Set-Cookie;
    proxy_busy_buffers_size   512k;
    proxy_buffers       8 512k;
    proxy_buffer_size   256k;
    proxy_connect_timeout   30s;
    proxy_send_timeout  90s;
    proxy_read_timeout  90s;
    set_real_ip_from   103.21.244.0/22;
    set_real_ip_from   103.22.200.0/22;
    set_real_ip_from   103.31.4.0/22;
    set_real_ip_from   104.16.0.0/12;
    set_real_ip_from   108.162.192.0/18;
    set_real_ip_from   131.0.72.0/22;
    set_real_ip_from   141.101.64.0/18;
    set_real_ip_from   162.158.0.0/15;
    set_real_ip_from   172.64.0.0/13;
    set_real_ip_from   173.245.48.0/20;
    set_real_ip_from   188.114.96.0/20;
    set_real_ip_from   190.93.240.0/20;
    set_real_ip_from   197.234.240.0/22;
    set_real_ip_from   198.41.128.0/17;
    real_ip_header     CF-Connecting-IP;
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM";
    ssl_dhparam dh4096.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
    proxy_cache_key "$host$request_uri $cookie_user";
    proxy_temp_path  /var/cache/nginx/temp;
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_valid any 1d;
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }
    open_file_cache          max=10000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   off;
    map $sent_http_content_type $expires {
       default                    off;
       text/html                  epoch;
       text/css                   max;
       application/javascript     max;
       ~image/                    max;
    }
    include /etc/nginx/sites-enabled/*.conf;
    include /etc/nginx/conf.d/*.conf;
}
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;
    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;
    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;
    font/woff                                        woff;
    font/woff2                                       woff2;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;
    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;
    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;
    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}
server {
    server_name central.castris.com;
    location / {
        root   /home/abkrim/web/central.castris.com/cpanel3-skel/public_html;
        index  index.html index.htm;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = central.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name central.castris.com;
    listen 80;
    return 404; # managed by Certbot
}
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
server {
    server_name centralpostfix.castris.com;
    root        /var/www/postfixadmin/public;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/centralpostfix.castris.com.log combined;
    error_log   /var/log/nginx/domains/centralpostfix.castris.com.error.log error;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php;
        if (!-e $request_filename)
        {
            rewrite ^(.+)$ /index.php?q=$1 last;
        }
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }
        location /postfixadmin {
            index index.php;
            try_files $uri $uri/ /postfixadmin/index.php;
        }
        location ~* \.php$ {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {return 404;}
            fastcgi_pass  unix:/run/php/centralpostfix.castris.com.sock;
            fastcgi_index index.php;
            include         /etc/nginx/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = centralpostfix.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name centralpostfix.castris.com;
    listen 80;
    return 404; # managed by Certbot
}
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
fastcgi_param  REDIRECT_STATUS    200;
server {
    server_name castris.com www.castris.com castris.es www.castris.es;
    root        /home/abkrim/web/castris.com/public_html;
    index       index.php index.html;
    access_log  /home/abkrim/logs/nginx/castris.com.log combined;
    error_log   /home/abkrim/logs/nginx/castris.com.error.log error;
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js|avi|mpg)$ {
            expires     max;
            access_log off;
        }
        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }
            fastcgi_pass    unix:/var/run/php/castris.com.sock;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
    error_page  403 /error/404.html;
    error_page  404 /error/404.html;
    error_page  500 502 503 504 /error/50x.html;
    location /error/ {
        alias   /home/abkrim/web/castris.com/document_errors/;
    }
    location ~* "/\.(htaccess|htpasswd|user.ini)$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.castris.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = castris.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = www.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name castris.com www.castris.com castris.es www.castris.es;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name clientes.aicha.es;
    root        /home/laravel/web/clientes.aicha.es/public;
    index       index.php;
    charset utf-8;
    access_log  /home/laravel/logs/nginx/clientes.aicha.es.log combined;
    error_log   /home/laravel/logs/nginx/clientes.aicha.es.error.log error;
    client_max_body_size 20M;
    gzip               on;
    gzip_proxied    no-cache no-store private expired auth;
    gzip_static         on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    gzip_disable        "MSIE [1-6]\.";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location ~* \.pdf$ {
        add_header Cache-Control no-store;
    }
    if (!-e $request_filename) {
        rewrite ^(.+)$ /index.php?q= last;
    }
    location / {
        try_files $uri $uri/ =404;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
            access_log off;
        }
        location ~ [^/]\.php(/|$) {
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_pass    unix:/var/run/php/lientes.aicha.es.sock;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  {
        access_log off;
        log_not_found off;
        allow all;
    }
    location ~* "/\.(htaccess|htpasswd|user.ini|php.ini|env|ht)$" {
        deny    all;
        return  404;
    }
    location ~* "/*.log$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = clientes.aicha.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name clientes.aicha.es;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name intranet.castris.com;
    root        /home/intranet/web/intranet.castris.com/public_html;
    index       index.php index.html;
    access_log  /home/intranet/logs/nginx/intranet.castris.com.log combined;
    error_log   /home/intranet/logs/nginx/intranet.castris.com.error.log error;
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js|avi|mpg)$ {
            expires     max;
            access_log off;
        }
        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }
            fastcgi_pass    unix:/var/run/php/intranet.castris.com.sock;
            fastcgi_index   index.php;
            fastcgi_buffers 16 32k;
            fastcgi_buffer_size 64k;
            fastcgi_busy_buffers_size 64k;
            include         /etc/nginx/fastcgi_params;
        }
    }
    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    include /home/intranet/conf/web/whmcs.conf;
}
server {
    if ($host = intranet.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name intranet.castris.com;
    listen 80;
    return 404; # managed by Certbot
}
    location ~ /announcements/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/announcements/$1;
    }
    location ~ /download/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/download$1;
    }
    location ~ /knowledgebase/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/knowledgebase/$1;
    }
    location ~ /store/ssl-certificates/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/store/ssl-certificates/$1;
    }
    location ~ /store/sitelock/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/store/sitelock/$1;
    }
    location ~ /store/website-builder/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/store/website-builder/$1;
    }
    location ~ /store/order/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/store/order/$1;
    }
    location ~ /domain/renew/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/domain/renew$1;
    }
    location ~ /account/paymentmethods/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/account/paymentmethods$1;
    }
    location ~ /password/reset/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/password/reset/$1;
    }
    location ~ /account/security/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/account/security$1;
    }
    location ~ /subscription?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=/subscription$1;
    }
    location ~ /auth/provider/google_signin/finalize/?(.*)$ {
        rewrite ^/(.*)$ /index.php?rp=auth/provider/google_signin/finalize$1;
    }
    location ~ /dotcom/(addons|apps|search|domains|help\/license|services|setup|utilities\/system\/php-compat)(.*) {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/dotcom/$1$2 last;
    }
    location ~ /dotcom/client/?(.*)/paymethods/?(.*)$ {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/client/?(.*)/paymethods/$1;
    }
    location ~ /dotcom/setup/auth/?(.*)$ {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/setup/auth/$1;
    }
    location ~ /dotcom/client/?(.*)/tickets/?(.*)$ {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/client/?(.*)/tickets/$1;
    }
    location ~ /dotcom/client/?(.*)/invoice/?(.*)/capture/?(.*)$ {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/client/?(.*)/invoice/?(.*)/capture/$1;
    }
    location ~ /dotcom/account/security/two-factor/?(.*)$ {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/dotcom/account/security/two-factor/$1;
    }
    location ~ /dotcom/search/intellisearch?(.*)$ {
        rewrite ^/(.*)$ /dotcom/index.php?rp=/search/intellisearch/$1;
    }
    location ^~ /vendor/ {
        deny all;
        return 403;
    }
server {
    server_name manuales.castris.com;
    root        /home/abkrim/web/manuales.castris.com/public_html;
    index       index.html;
    access_log  /home/abkrim/logs/nginx/manuales.castris.com.log combined;
    error_log   /home/abkrim/logs/nginx/manuales.castris.com.error.log error;
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js|avi|mpg)$ {
            expires     max;
            access_log off;
        }
    }
    location ~* "/\.(htaccess|htpasswd|env)$" {
        deny    all;
        return  404;
    }
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = manuales.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name manuales.castris.com;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name multimedia.castris.com;
    root        /home/abkrim/web/multimedia.castris.com/public_html;
    index       index.html;
    access_log  /home/abkrim/logs/nginx/multimedia.castris.com.log combined;
    error_log   /home/abkrim/logs/nginx/multimedia.castris.com.error.log error;
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi|mov)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js|avi|mpg)$ {
            expires     max;
            access_log off;
        }
        include /home/abkrim/conf/web/autoindex.conf;
    }
    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = multimedia.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name multimedia.castris.com;
    listen 80;
    return 404; # managed by Certbot
}
        location / {
            autoindex off;
            autoindex_exact_size off;
            autoindex_format html;
            autoindex_localtime on;
        }
server {
    server_name sitelight.grupositelec.es;
    root        /home/sitelight/web/sitelight.grupositelec.es/sitelight/dist;
    index       index.html;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    charset utf-8;
    access_log  /home/sitelight/logs/web/sitelight.grupositelec.es.log combined;
    error_log   /home/sitelight/logs/web/sitelight.grupositelec.es.error.log error;
    expires $expires;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        root  /home/sitelight/web/sitelight.grupositelec.es/sitelight/dist/;
        index index.html;
        try_files $uri $uri/ /index.html;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            access_log        off;
            log_not_found     off;
            expires     max;
        }
    }
    location ~* "/\.(htaccess|htpasswd|env)$" {
        deny    all;
        return  404;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = sitelight.grupositelec.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name sitelight.grupositelec.es;
    return 404; # managed by Certbot
}
server {
    server_name tabratino.com;
    root        /home/abkrim/web/tabratino.com/public_html;
    index       index.html;
    access_log  /home/abkrim/logs/nginx/tabratino.com.log combined;
    error_log   /home/abkrim/logs/nginx/tabratino.com.error.log error;
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js|avi|mpg)$ {
            expires     max;
            access_log off;
        }
    }
    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = tabratino.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name tabratino.com;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name time.castris.com;
    root /home/kimai/web/time.castris.com/public;
    index index.php;
    access_log off;
    error_log /home/kimai/logs/nginx/time.castris.com.error.log error;
    log_not_found off;
    location ~ /\.ht {
        deny all;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        deny all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri /index.php$is_args$args;
    }
    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/var/run/php/tt82.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/..:/home/kimai/tmp/";
        internal;
    }
    location ~ \.php$ {
        return 404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = time.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    server_name time.castris.com;
    return 404; # managed by Certbot
}
server {
    server_name timetracker.castris.com;
    root /home/kimai/web/timetracker.castris.com/public;
    index index.php;
    access_log off;
    error_log /home/kimai/logs/nginx/timetracker.castris.com.error.log error;
    log_not_found off;
    location ~ /\.ht {
        deny all;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        deny all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri /index.php$is_args$args;
    }
    location ~ ^/index\.php(/|$) {
        fastcgi_pass unix:/var/run/php/tt.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/..:/home/kimai/tmp/";
        internal;
    }
    location ~ \.php$ {
        return 404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = timetracker.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name timetracker.castris.com;
    return 404; # managed by Certbot
}
server {
    server_name wiki.aicha.es;
    root        /home/aicha/web/wiki.aicha.es/BookStack/public;
    index       index.php;
    access_log  /home/aicha/logs/nginx/wiki.aicha.es.log combined;
    error_log   /home/aicha/logs/nginx/wiki.aicha.es.error.log error;
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
            access_log off;
        }
        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }
            fastcgi_pass    unix:/var/run/php/wikiaicha.es.sock;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
    location ~* "/\.(htaccess|htpasswd|user.ini|php.ini|env)$" {
        deny    all;
        return  404;
    }
    location ~* "/debug.log$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = wiki.aicha.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen      176.31.31.228:80;
    server_name wiki.aicha.es;
    return 404; # managed by Certbot
}
server {
    server_name wiki.castris.com;
    root        /home/laravel/web/BookStack/public;
    index       index.php;
    charset utf-8;
    access_log  /home/laravel/logs/nginx/wiki.castris.com.log combined;
    error_log   /home/laravel/logs/nginx/wiki.castris.com.error.log error;
    gzip                on;
    gzip_static         on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
            access_log off;
        }
        location ~ [^/]\.php(/|$) {
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_pass    unix:/var/run/php/wiki.castris.com.sock;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  {
        access_log off;
        log_not_found off;
        allow all;
    }
    location ~* "/\.(htaccess|htpasswd|user.ini|php.ini|env)$" {
        deny    all;
        return  404;
    }
    location ~* "/*.log$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = wiki.castris.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name wiki.castris.com;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name wiki.endesarrollo.ovh;
    root        /home/laravel/web/wiki.endesarrollo.ovh/public;
    index       index.php;
    charset utf-8;
    access_log  /home/laravel/logs/nginx/wiki.endesarrollo.ovh.log combined;
    error_log   /home/laravel/logs/nginx/wiki.endesarrollo.ovh.error.log error;
    gzip                on;
    gzip_static         on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
            access_log off;
        }
        location ~ [^/]\.php(/|$) {
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_pass    unix:/var/run/php/wiki.endesarrollo.ovh.sock;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  {
	access_log off;
	log_not_found off;
	allow all;
    }
    location ~* "/\.(htaccess|htpasswd|user.ini|php.ini|env)$" {
        deny    all;
        return  404;
    }
    location ~* "/*.log$" {
        deny    all;
        return  404;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = wiki.endesarrollo.ovh) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name wiki.endesarrollo.ovh;
    listen 80;
    return 404; # managed by Certbot
}
server {
}

The only thing out of the ordinary is this line:
listen 176.31.31.228:80;
Which should be:
listen 80;

It seems the --nginx plugin is being confused by your config.
In some places there are location statements within location statements...
Try:

certbot certonly \
--webroot -w /home/laravel/web/clientes.aicha.es/public \
-d clientes.aicha.es
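Why the reply above singles out a listen line with an explicit IP, as an added illustration that is not part of the thread: nginx chooses the server block for a request by listen address and port first, and a block with listen 176.31.31.228:80 takes every port-80 connection arriving on that IP ahead of any block that only says listen 80, whatever its server_name. Only within the chosen group is server_name compared, so a Certbot-managed block for clientes.aicha.es on a wildcard listen is never consulted. The Python model below implements that selection rule on a constructed config (the address is the one the CA reported in the errors; legacy.example.test is a made-up name standing in for whichever vhost carries the explicit-IP listen). It parses only listen and server_name, matches names exactly (no wildcard or regex names), and is a teaching model of the documented rule, not nginx itself; the thread does not confirm here that this was the cause.

```python
"""Model of how nginx picks a server block (added example, not from the thread).

Rule, per nginx's "How nginx processes a request":
  1. narrow to blocks whose listen matches the request's address:port, where a
     listen with an explicit IP beats a wildcard "listen 80;" on that IP;
  2. within that group, pick the block whose server_name matches Host;
  3. otherwise the default_server, otherwise the first block in config order.
Only listen and server_name are parsed; names are matched exactly.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Listen:
    addr: str      # "*" for a wildcard listen such as "listen 80;"
    port: str
    default: bool


@dataclass
class Server:
    listens: list = field(default_factory=list)
    names: list = field(default_factory=list)

    @property
    def label(self) -> str:
        return " ".join(self.names) or "<no server_name>"


def parse_listen(args: list) -> Listen:
    """'80' -> *:80; '176.31.31.228:80' and '[::]:80' keep their address."""
    spec = args[0]
    if spec.isdigit():
        addr, port = "*", spec
    else:
        addr, _, port = spec.rpartition(":")
    return Listen(addr, port, "default_server" in args)


def parse_servers(conf: str) -> list:
    """Collect listen/server_name from each top-level server { } block."""
    servers, cur, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if cur is None:
            if re.match(r"server\s*\{", line):       # also matches "server {rewrite ..."
                cur, depth = Server(), 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                               # block closed
            servers.append(cur)
            cur = None
            continue
        if depth != 1:                               # inside if/location: ignore
            continue
        for stmt in line.split(";"):
            words = stmt.split()
            if words and words[0] == "listen":
                cur.listens.append(parse_listen(words[1:]))
            elif words and words[0] == "server_name":
                cur.names.extend(w.lower() for w in words[1:])
    return servers


def select_server(servers: list, addr: str, port: str, host: str):
    """Return the Server nginx would use for a request to addr:port with Host."""
    def has(s, want_addr):
        return any(l.addr == want_addr and l.port == port for l in s.listens)

    group = [s for s in servers if has(s, addr)]     # explicit-IP listens win
    if not group:
        group = [s for s in servers if has(s, "*")]  # wildcard only if no explicit match
    if not group:
        return None
    host = host.lower()
    for s in group:                                  # server_name decides inside the group
        if host in s.names:
            return s
    for s in group:
        if any(l.port == port and l.default for l in s.listens):
            return s
    return group[0]


def which_block(conf: str, addr: str, port: str, host: str) -> str:
    s = select_server(parse_servers(conf), addr, port, host)
    return s.label if s else "<none>"


# Constructed config: the address is the one the CA reported; the first block
# stands in for whatever vhost carries the explicit-IP listen.
SAMPLE_CONF = """
server {
    listen 176.31.31.228:80;
    server_name legacy.example.test;
}
server {
    if ($host = clientes.aicha.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name clientes.aicha.es;
    listen 80;
    return 404; # managed by Certbot
}
server {
    server_name clientes.aicha.es;
    listen 443 ssl; # managed by Certbot
}
"""

if __name__ == "__main__":
    req = ("176.31.31.228", "80", "clientes.aicha.es")
    print("as posted :", which_block(SAMPLE_CONF, *req))
    print("listen 80 :", which_block(SAMPLE_CONF.replace("176.31.31.228:80", "80"), *req))
```

With the explicit-IP listen present, the port-80 request for clientes.aicha.es lands in the legacy block, which has no Certbot challenge location and answers 404; change that listen to a plain listen 80 and the same request reaches the Certbot-managed block. The same rule is why mixing listen 80 and listen IP:80 across sites-enabled is worth grepping for before anything else.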

Your nginx config is somewhat complex and may need more than the default of 1 second to reload. You could try this:

--nginx-sleep-seconds NGINX_SLEEP_SECONDS
      Number of seconds to wait for nginx configuration
      changes to apply when reloading. (default: 1)

If it has been working, maybe only a few seconds should be enough. Maybe something changed recently to make the reload slightly slower.

certbot --nginx --nginx-sleep-seconds 5

Tried, and same problem.

Only for one domain.

Requesting a certificate for clientes.aicha.es

certbot --nginx --nginx-sleep-seconds 15
... 

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/l2a8tw9EP9KEZNeAQDNB7p-QZmBKBlo_jIWzcZaYs5Q: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

@rg305

certbot certonly --webroot -w /home/laravel/web/clientes.aicha.es/public -d clientes.aicha.es
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for clientes.aicha.es

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/SHwJxcUO_aJtJViHcn3lc6bm7fx7ZRAOfMS_8ciaAVA: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Curious.

This config has been working for the last 2 years... with no problem.

Let's try accessing a test file from the expected challenge location:

  • mkdir -p /home/laravel/web/clientes.aicha.es/public/.well-known/acme-challenge
  • echo "test-file" > /home/laravel/web/clientes.aicha.es/public/.well-known/acme-challenge/Test_File-1234
  • Then test access to file (from Internet) with:
    http://clientes.aicha.es/.well-known/acme-challenge/Test_File-1234

Oh, thank you very much


Are you able to access the file from the Internet?


Unfortunately the file could not be downloaded; the problem with the certificate was solved another way.

Well.

I've created the dir

❯ la /home/laravel/web/clientes.aicha.es/public/.well-known/acme-challenge
ls: cannot access '/home/laravel/web/clientes.aicha.es/public/.well-known/acme-challenge': No such file or directory
❯ mkdir /home/laravel/web/clientes.aicha.es/public/.well-known/acme-challenge
> echo "test-file" > /home/laravel/web/clientes.aicha.es/public/.well-known/acme-challenge/Test_File-1234

And if I try http://clientes.aicha.es/.well-known/acme-challenge/Test_File-1234 the browser downloads a file with the content test-file

After this... exit to root and

certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: clientes.aicha.es
2: wiki.aicha.es
... 
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for clientes.aicha.es

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/S_I0cHYi8X0rVj6DSgJQRFmCOBjU-W_11Qy9-77xPwg: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Fails, and in debug mode:

2023-09-15 09:40:37,526:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/clientes.aicha.es.conf:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    server_name clientes.aicha.es;
    root        /home/laravel/web/clientes.aicha.es/public;
    index       index.php;
    charset utf-8;
    access_log  /home/laravel/logs/nginx/clientes.aicha.es.log combined;
    error_log   /home/laravel/logs/nginx/clientes.aicha.es.error.log error;

    ## Invoiceninja
    client_max_body_size 20M;
    gzip               on;
    # gzip_types      application/javascript application/x-javascript text/javascript text/plain application/xml application/json;
    gzip_proxied    no-cache no-store private expired auth;
    #gzip_min_length 1000;

    # gzip                on;
    gzip_static         on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    # gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";



    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    location ~* \.(js|css|png|jpg|jpeg|gif|mpg|avi)$ {
        expires    +60d;
        log_not_found off;
        access_log off;
    }

    location ~* \.pdf$ {
        add_header Cache-Control no-store;
    }

    if (!-e $request_filename) {
        rewrite ^(.+)$ /index.php?q= last;
    }


    location / {
        # try_files $uri $uri/ /index.php?$query_string;
	try_files $uri $uri/ =404;


        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
            access_log off;
        }

        location ~ [^/]\.php(/|$) {
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_pass    unix:/var/run/php/lientes.aicha.es.sock;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  {
	access_log off;
	log_not_found off;
	allow all;
    }


    location ~* "/\.(htaccess|htpasswd|user.ini|php.ini|env|ht)$" {
        deny    all;
        return  404;
    }

    location ~* "/*.log$" {
        deny    all;
        return  404;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/swissknife.ovh/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/swissknife.ovh/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



location = /.well-known/acme-challenge/_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs{default_type text/plain;return 200 _MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs.Br-BNggJ8_ZwacbnJ5_G__2vCy6biKgn_fMyxpIGMLo;} # managed by Certbot

}
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    if ($host = clientes.aicha.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name clientes.aicha.es;

    listen 80;
    return 404; # managed by Certbot


location = /.well-known/acme-challenge/_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs{default_type text/plain;return 200 _MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs.Br-BNggJ8_ZwacbnJ5_G__2vCy6biKgn_fMyxpIGMLo;} # managed by Certbot

}

2023-09-15 09:40:38,552:DEBUG:acme.client:JWS payload:
b'{}'
2023-09-15 09:40:38,553:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/264624577906/G_ZIXw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzgzNzY1NDkiLCAibm9uY2UiOiAieTVCZUtFUlU4MkloUXI4NTZkMVpYQWFTb0V6dkpvT01fampUQVlfN25fRlhpQXhodUdVIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yNjQ2MjQ1Nzc5MDYvR19aSVh3In0",
  "signature": "d7AppbsGHuTNWDhJ4INufuxQGAA189lyI6uKp_Wtx2PSCp1Bn7IGuJi9E1umwJozmjlFP2Uz5thc1pvB3uG82tKXsGpIynabx328mHyRB4NncPcuRVaWK3L12QqLsw6MspfcAGiIrYQjHwiIJxYzI6He3I4bSIQE6GRf4T1hJibFNT6IZG929yI70s1iNrxppF-jm_QohCcrtJpQITr13rLRu0sg7JIC1dRELux8pZ4Mu0oWL556yIUaK_OsONCnHEC43qgAgq8oYZgtlT-okMlSVc1UTXsDGvuieoWKsecjJ3rZrL3um3-U16QLpL25d6j67uicAAXAJqa5E_QDGg",
  "payload": "e30"
}
2023-09-15 09:40:38,688:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/264624577906/G_ZIXw HTTP/1.1" 200 187
2023-09-15 09:40:38,689:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 15 Sep 2023 09:40:38 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 78376549
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/264624577906>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/264624577906/G_ZIXw
Replay-Nonce: 3kCpO4BeacrMy22s7zML-Cc-mAnFdCLhOqsNU_dus3YsPU-ksq4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/264624577906/G_ZIXw",
  "token": "_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs"
}
2023-09-15 09:40:38,689:DEBUG:acme.client:Storing nonce: 3kCpO4BeacrMy22s7zML-Cc-mAnFdCLhOqsNU_dus3YsPU-ksq4
2023-09-15 09:40:38,689:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-09-15 09:40:39,691:DEBUG:acme.client:JWS payload:
b''
2023-09-15 09:40:39,692:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/264624577906:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzgzNzY1NDkiLCAibm9uY2UiOiAiM2tDcE80QmVhY3JNeTIyczd6TUwtQ2MtbUFuRmRDTGhPcXNOVV9kdXMzWXNQVS1rc3E0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNjQ2MjQ1Nzc5MDYifQ",
  "signature": "SLs4VzpDOaChi5p9uV2GRvt8rn6DGgiiyu8pvXoxIv-E3QYI8KreRQ18m4oRj6tWNWpfFbs_jSKihPfkg4wuwgRv9C12YTlw9mrKkoENSNouYMqb1OfyyK-Y7xeOb6dFf4V6p7PnZEH4NqPHw5HPb-LK8fijdMaVhOIh_FmGT4_It9B-SJXuJKXGbOdPKFXQ4r3dOH2F_hfuNcxdQZp3F3iEp3N_PV3tiAFiLXtx5UXg-q_311dx_X3_AQQ-0YQoE5gubjJiQXHnLD6EmKS4bTxLke1cLYVUYPpRMdpUKUdkp-uEJxEu4TturySF6FzpG7XtPTtvdFwduzMvdi6CqA",
  "payload": ""
}
2023-09-15 09:40:39,825:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/264624577906 HTTP/1.1" 200 1036
2023-09-15 09:40:39,825:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 15 Sep 2023 09:40:39 GMT
Content-Type: application/json
Content-Length: 1036
Connection: keep-alive
Boulder-Requester: 78376549
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: y5BeKERUsLx34X_AL7x7yzW6RY2dPqbJ_z0Wi269nJHrdHWmcy4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "clientes.aicha.es"
  },
  "status": "invalid",
  "expires": "2023-09-22T09:40:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/264624577906/G_ZIXw",
      "token": "_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs",
      "validationRecord": [
        {
          "url": "http://clientes.aicha.es/.well-known/acme-challenge/_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs",
          "hostname": "clientes.aicha.es",
          "port": "80",
          "addressesResolved": [
            "176.31.31.228"
          ],
          "addressUsed": "176.31.31.228"
        }
      ],
      "validated": "2023-09-15T09:40:38Z"
    }
  ]
}
2023-09-15 09:40:39,825:DEBUG:acme.client:Storing nonce: y5BeKERUsLx34X_AL7x7yzW6RY2dPqbJ_z0Wi269nJHrdHWmcy4
2023-09-15 09:40:39,826:INFO:certbot._internal.auth_handler:Challenge failed for domain clientes.aicha.es
2023-09-15 09:40:39,826:INFO:certbot._internal.auth_handler:http-01 challenge for clientes.aicha.es
2023-09-15 09:40:39,826:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: clientes.aicha.es
  Type:   unauthorized
  Detail: 176.31.31.228: Invalid response from http://clientes.aicha.es/.well-known/acme-challenge/_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2023-09-15 09:40:39,826:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-09-15 09:40:39,826:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-09-15 09:40:39,826:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-09-15 09:40:41,320:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/3024/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/main.py", line 1447, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-09-15 09:40:41,321:ERROR:certbot._internal.log:Some challenges have failed.

Is that test file still there? Because I cannot see it:

curl -i http://clientes.aicha.es/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 15 Sep 2023 10:47:52 GMT

https://diwan.tamainut[.]net/index.php/s/DQGJLEWEoexDsYK

When put in the browser, the browser says: Save file.

logs:

❯ cat  /home/laravel/logs/nginx/clientes.aicha.es*log | grep .well-known
81.32.57.118 - - [15/Sep/2023:09:35:01 +0000] "GET /.well-known/acme-challenge/Test_File-1234 HTTP/2.0" 200 10 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
81.32.57.118 - - [15/Sep/2023:09:37:27 +0000] "GET /.well-known/acme-challenge/Test_File-1234 HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
81.32.57.118 - - [15/Sep/2023:14:19:16 +0000] "GET /.well-known/acme-challenge/Test_File-1234 HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"

I did not look at your MP4 but did you use HTTP to get the file? Or HTTPS?

Because it needs to work with HTTP, but it only works with HTTPS:

curl -I http://clientes.aicha.es/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx

curl -I https://clientes.aicha.es/.well-known/acme-challenge/Test_File-1234
HTTP/2 200
server: nginx
content-type: application/octet-stream
content-length: 10
last-modified: Fri, 15 Sep 2023 09:34:50 GMT
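A triage step for the log excerpt the poster showed, added here and not part of the thread: all three lines are HTTP/2.0 requests from a single client address, and this server only negotiates h2 over TLS, so they are the browser's redirected HTTPS fetches, not the CA's plain-HTTP validation, which would appear as HTTP/1.1 from a different address. The Python below parses combined-format lines, keeps only acme-challenge paths, and reports whether any validator request arrived over HTTP in this vhost's log at all; if none did, whatever answered port 80 for this name logged somewhere else. The three real lines are copied from the post above; the fourth is constructed to show what a validator hit would look like (203.0.113.7 is a documentation address, and 87 bytes is the length of the token.thumbprint key authorization Certbot wrote into the temporary location). The user-agent substring it matches on is the one I recall Let's Encrypt's validator sending; treat it as an assumption and loosen it if your logs differ.

```python
"""Triage of acme-challenge hits in an nginx combined log (added example)."""
import re
from collections import Counter

# Combined log format, as produced by the poster's "access_log ... combined".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"
# Assumption: substring of the user agent Let's Encrypt's validator sends.
VALIDATOR_UA = "Let's Encrypt validation server"

# Sample input: the three lines from the thread (browser hits over h2/TLS).
SAMPLE_LOG = [
    '81.32.57.118 - - [15/Sep/2023:09:35:01 +0000] "GET /.well-known/acme-challenge/Test_File-1234 HTTP/2.0" 200 10 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"',
    '81.32.57.118 - - [15/Sep/2023:09:37:27 +0000] "GET /.well-known/acme-challenge/Test_File-1234 HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"',
    '81.32.57.118 - - [15/Sep/2023:14:19:16 +0000] "GET /.well-known/acme-challenge/Test_File-1234 HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"',
]
# Constructed line: what a successful CA fetch of the Certbot-managed token
# would look like (plain HTTP/1.1, 87-byte key authorization, validator UA).
VALIDATOR_LINE = (
    '203.0.113.7 - - [15/Sep/2023:09:40:38 +0000] '
    '"GET /.well-known/acme-challenge/_MXwcsg4HihLPxD7NWb52c-B6WNVSN8YkkYEotUkGOs HTTP/1.1" 200 87 "-" '
    '"Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"'
)


def parse_line(line: str):
    """Return the field dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def transport(entry: dict) -> str:
    # Caveat: this nginx offers h2 only via ALPN on the ssl listener, so an
    # HTTP/2.0 request line implies TLS. http-01 fetches are plain HTTP and
    # show up as HTTP/1.1 (or 1.0). Revisit if h2c is enabled on port 80.
    return "https" if entry["proto"].upper() == "HTTP/2.0" else "http"


def client_kind(entry: dict) -> str:
    return "validator" if VALIDATOR_UA in entry["ua"] else "other"


def acme_hits(lines) -> Counter:
    """Count acme-challenge requests by (transport, client kind, status)."""
    hits = Counter()
    for line in lines:
        e = parse_line(line)
        if e and e["path"].startswith(ACME_PREFIX):
            hits[(transport(e), client_kind(e), e["status"])] += 1
    return hits


def verdict(hits: Counter) -> str:
    if any(t == "http" and c == "validator" for t, c, _ in hits):
        return "validator reached this server block over HTTP"
    return "no validator request over HTTP: port 80 for this name was answered elsewhere"


if __name__ == "__main__":
    for label, lines in (("as posted", SAMPLE_LOG), ("with a CA hit", SAMPLE_LOG + [VALIDATOR_LINE])):
        hits = acme_hits(lines)
        print(label, dict(hits), "->", verdict(hits))
```

Run it against the real file with acme_hits(open(path)) once the log line format is confirmed; the useful signal is the absence of any HTTP/1.1 request from the CA's addresses around the timestamps in letsencrypt.log, which points the search at other server blocks' access logs rather than at this vhost.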

Server is active.

The configuration is already modified by Certbot.
The redirect to HTTPS is configured by Certbot.

server {
    if ($host = clientes.aicha.es) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name clientes.aicha.es;

    listen 80;
    return 404; # managed by Certbot

}

I'm lost.

I don't understand anything.


Oh, sorry, my mistake. The nginx authenticator works differently than webroot and does not use challenge files. A 404 is the expected response with HTTP in this case. A 404 with your server block is wrong. It should have redirected to HTTPS.

Can we check that only one nginx is active? The Certbot log looks correct and should have returned the correct value.

Show results of these:

sudo ps -eF | grep nginx
sudo systemctl status --no-pager -l nginx
curl https://ifconfig.io