Certbot failed to authenticate some domains (authenticator: nginx)

Hi everyone,

Thanks so much for all your responses! I finally resolved the issue by temporarily disabling the automatic redirect to HTTPS.

For those facing similar problems, here's how I managed to fix it.

Original Certbot-Managed Server Block:

Certbot was automatically redirecting all traffic to HTTPS using the following server block:

server {
    if ($host = mentoring.cehrd.gov.np) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mentoring.cehrd.gov.np;
    return 404; # managed by Certbot
}

Since Certbot needs HTTP for the ACME challenge, I had to temporarily disable the HTTPS redirect. Here's the modified server block:

Temporary Server Block:

server {
    # Temporarily disable HTTPS redirection
    # if ($host = yourwebsite.com) {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

    listen 80;
    server_name yourwebsite.com;

    # Allow HTTP for the ACME challenge
    location /.well-known/acme-challenge/ {
        root /your-web-root-path;  # Adjust to your webroot path
    }

    # Comment out the 404 return for Certbot to work
    # return 404; # managed by Certbot
}

Step-by-Step Process:

  1. Save the changes to your NGINX configuration file.

  2. Restart NGINX:

    sudo systemctl restart nginx
    
  3. Run the renewal command:

    sudo certbot renew
    
  4. If you see the error "Another instance of Certbot is already running," kill the running process and try again:

    sudo pkill certbot
    
  5. If the issue persists, remove any Certbot lock files:

    sudo rm /var/log/letsencrypt/.certbot.lock
    sudo rm /var/lib/letsencrypt/lock
    sudo rm /var/lib/letsencrypt/.certbot.lock
    
  6. Ensure the ACME challenge directory exists:

    sudo mkdir -p /your-web-root-path/.well-known/acme-challenge/
    
  7. Set correct permissions for the directory:

    sudo chown -R www-data:www-data /your-web-root-path/.well-known/
    sudo chmod -R 755 /your-web-root-path/.well-known/
    
  8. Reload NGINX:

    sudo systemctl reload nginx
    
  9. Create a test file to verify the ACME challenge directory:

    echo "test" | sudo tee /your-web-root-path/.well-known/acme-challenge/test-file > /dev/null
    # ("sudo echo ... > file" would fail: the shell opens the file as your user, not root)
    
  10. Check if you can access the test file via your browser or curl:

    curl http://yourwebsite.com/.well-known/acme-challenge/test-file

      If it returns "test," your configuration is correct.

  11. Finally, renew the certificate:

    sudo certbot renew
    
  12. Once the renewal is successful, don't forget to revert your server block back to redirect traffic to HTTPS:

    server {
        if ($host = yourwebsite.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
        listen 80;
        server_name yourwebsite.com;
        return 404; # managed by Certbot
    }
    

That’s it! After following these steps, your certificate should be renewed, and HTTPS redirection will be back in place. I hope this helps anyone facing similar issues!
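As an added example (not the original poster's commands), the check in steps 6 to 10 as a reusable Python pre-flight: it plants a random token in the webroot, fetches it over plain HTTP with redirects disabled (so the Certbot-managed 301 shows up as a failure instead of being silently followed), and reports why it failed. The function names and the local-server wrapper are my own; probe_against_local_server runs the check against a throwaway loopback server so it can be tried offline, while on a real host you would call probe_challenge_path("http://yourwebsite.com", "/your-web-root-path") before running certbot renew.

```python
import os
import secrets
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301 to HTTPS here is exactly the failure mode."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_challenge_path(base_url, webroot):
    """Write a random token into webroot's challenge dir and fetch it back over
    plain HTTP without following redirects. Returns (ok, detail)."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token = "preflight-" + secrets.token_hex(8)  # unique per run, like an ACME token
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + CHALLENGE_PATH + token, timeout=5) as resp:
            body = resp.read().decode()
        if body == token:
            return True, "token served over plain HTTP"
        return False, "unexpected body %r (does nginx 'root' point at this webroot?)" % body
    except urllib.error.HTTPError as e:  # 301 -> redirect still active, 404 -> location missing
        return False, "HTTP %d from the port-80 server block" % e.code
    except urllib.error.URLError as e:
        return False, "connection failed: %s" % e.reason
    finally:
        os.remove(token_file)  # never leave probe files in the challenge dir


def probe_against_local_server(served_root, webroot):
    """Serve served_root on a loopback port and probe it; a webroot that differs
    from served_root simulates an nginx 'root' pointing at the wrong directory."""
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=served_root))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        return probe_challenge_path("http://127.0.0.1:%d" % httpd.server_address[1], webroot)[0]
    finally:
        httpd.shutdown()
        httpd.server_close()
```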
