Certbot failed to authenticate some domains (nginx)

My domain is:
slayer.events
I ran this command:

sudo certbot certonly --nginx -d slayer.events
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for slayer.events

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: slayer.events
  Type:   connection
  Detail: 3.147.126.58: Fetching http://slayer.events/.well-known/acme-challenge/pmKEEHIBc2nr0F_24fdaZdruSYjRi5WsMJ8G9xi_9b0: Connection refused

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (ipv4):

The operating system my web server runs on is (include version): AWS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is certbot

Also, my nginx temp file looks like this:

server {
    listen 80;
    server_name slayer.events www.slayer.events;
    location / {
        proxy_pass http://localhost:4000;
    }
}

Hello @bkhebert, welcome to the Let's Encrypt community. 🙂

Ports 80 & 443 seem to be closed (i.e. not accessible).

$ nmap -Pn -p80,443 slayer.events
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-04 15:20 PST
Nmap scan report for slayer.events (3.147.126.58)
Host is up (0.083s latency).
rDNS record for 3.147.126.58: ec2-3-147-126-58.us-east-2.compute.amazonaws.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

The HTTP-01 challenge states "The HTTP-01 challenge can only be done on port 80."

Best Practice - Keep Port 80 Open

Looks like you got your cert for slayer.events

Your nginx server_name also shows the www.slayer.events domain name. You need to re-do your Certbot command with two -d options one for each domain if you want to have a cert good for both.

Also, HTTPS (port 443) is still not working. Have you setup your EC2 Security Group to allow it inbound? Or any other firewall you might have?

Since you used certonly you also have to make a server block for port 443. The Mozilla Configurator is what Certbot uses in --nginx if you don't use certonly. See: Mozilla SSL Configuration Generator
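As an added illustration of that last point (example configuration written for this thread, not the poster's file or Certbot's output): the pair of server blocks that `certonly` leaves you to write yourself. It assumes Certbot's default certificate location under `/etc/letsencrypt/live/`, the backend on port 4000 from the original post, and a re-run with both `-d slayer.events -d www.slayer.events`; the EC2 Security Group must still allow inbound 80 and 443 or none of this is reachable.

```nginx
# Added example, not from the thread. Assumes certificates issued by
# `certbot certonly --nginx -d slayer.events -d www.slayer.events`.

# Port 80 stays open: HTTP-01 renewals need it. Certbot's nginx plugin
# inserts its own temporary challenge location into this block.
server {
    listen 80;
    listen [::]:80;
    server_name slayer.events www.slayer.events;

    # Send ordinary traffic to HTTPS; keep the redirect inside a location
    # so it cannot pre-empt the challenge location Certbot adds.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the block `certonly` does not create for you.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name slayer.events www.slayer.events;

    # Paths written by Certbot; the "live" symlinks follow each renewal.
    ssl_certificate     /etc/letsencrypt/live/slayer.events/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/slayer.events/privkey.pem;

    # Protocol and session settings; take the full set (ciphers, HSTS,
    # OCSP) from the Mozilla SSL Configuration Generator for your nginx
    # and OpenSSL versions rather than hand-picking them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;

    location / {
        proxy_pass http://localhost:4000;
        # Let the app on :4000 see the real client and that TLS was used.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` before reloading, and confirm from outside the instance that both ports answer (for example with the nmap command shown above) before expecting HTTPS to work.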
