Certbot failing to authenticate domain during http-01 challenge on nginx + Flask app

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: citizenphage.com

I ran this command:

sudo certbot certonly --webroot -w /etc/nginx/ssl/bot -d citizenphage.com -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for citizenphage.com
Performing the following challenges:
http-01 challenge for citizenphage.com
Using the webroot path /etc/nginx/ssl/bot for all unmatched domains.
Waiting for verification...
Challenge failed for domain citizenphage.com
http-01 challenge for citizenphage.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: citizenphage.com
  Type:   unauthorized
  Detail: Invalid response from http://citizenphage.com/.well-known/acme-challenge/mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM [2001:8d8:100f:f000::2c3]: 204

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Running on nginx v.1.18.0

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.19.0

My website is running in Flask + nginx + gunicorn.

I think the issue is my nginx config file, which looks like this:

server {
        listen 80;
        server_name citizenphage.com;

        location /static {
                alias /home/ubuntu/CPL/static;
        }
		
		location / {
                proxy_pass http://localhost:8000;
                include /etc/nginx/proxy_params;
                proxy_redirect off;
        }
		
        location ^~ /.well-known {
            root /etc/nginx/ssl/bot;
        }
}

but I confess I'm not really sure what it needs to contain for the certbot to work with a flask app. I've tried lots of different variations from different websites suggesting fixes, but they all appear to result in the same error.

Most grateful for any guidance!

output from from letsencrypt.log (if useful)

2021-09-15 19:35:11,706:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-09-15 19:35:12,085:DEBUG:certbot._internal.main:certbot version: 1.19.0
2021-09-15 19:35:12,086:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1434/bin/certbot
2021-09-15 19:35:12,086:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/etc/nginx/ssl/bot', '-d', 'citizenphage.com', '-v', '--preconfigured-renewal']
2021-09-15 19:35:12,086:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-09-15 19:35:12,100:DEBUG:certbot._internal.log:Root logging level set at 20
2021-09-15 19:35:12,101:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-09-15 19:35:12,106:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f451494bbb0>
Prep: True
2021-09-15 19:35:12,107:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f451494bbb0> and installer None
2021-09-15 19:35:12,107:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-09-15 19:35:12,114:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/200974670', new_authzr_uri=None, terms_of_service=None), 99b792c4c0a315132bbe2bf9f7ca2c8c, Meta(creation_dt=datetime.datetime(2021, 9, 14, 22, 17, 7, tzinfo=<UTC>), creation_host='ip-172-31-31-101.eu-west-1.compute.internal', register_to_eff=None))>
2021-09-15 19:35:12,115:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-09-15 19:35:12,117:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-09-15 19:35:12,710:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-09-15 19:35:12,711:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 19:35:12 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "GzvAdZqUnLE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-09-15 19:35:12,712:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for citizenphage.com
2021-09-15 19:35:12,856:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
2021-09-15 19:35:12,860:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
2021-09-15 19:35:12,860:DEBUG:acme.client:Requesting fresh nonce
2021-09-15 19:35:12,861:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-09-15 19:35:13,009:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-09-15 19:35:13,010:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 19:35:12 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001v-iq0B6wABx3_IC5ODLYR3hUZgiZLb_Vy4byskAwGVA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-09-15 19:35:13,010:DEBUG:acme.client:Storing nonce: 0001v-iq0B6wABx3_IC5ODLYR3hUZgiZLb_Vy4byskAwGVA
2021-09-15 19:35:13,010:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "citizenphage.com"\n    }\n  ]\n}'
2021-09-15 19:35:13,012:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAwOTc0NjcwIiwgIm5vbmNlIjogIjAwMDF2LWlxMEI2d0FCeDNfSUM1T0RMWVIzaFVaZ2laTGJfVnk0Ynlza0F3R1ZBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "QXPzczfhYcdeYUFUrXdXFHnwgskrlpuJ08JxH7ZsXeyOXRfskKFQNXTiq07ZI8p-YA00zGnQvl2cYz00uI-3XB8U-E-EqrqIuWqWo7s-DUL7PiPy2OR3w5H96CMS2eI33zGu6pcA2rhtbOH46xZg3hU_XHxfdvjoUyVrBTk5JaqzjJLhSznY_nHoA5smL88YmU4z00i4_hG7oCEpzplCsgCQ92L0MEJmA_0fTfX-fbQeP-DLwxb2YC8A-ka3XrsGN4fBsHIMIUBhRz1par_T8j9Ow_SjKSn8pBiF4OX5ty-IOSNeGJwzm3PkQgbehUkjxnitRGNjzAeJwwJYIEFz9w",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNpdGl6ZW5waGFnZS5jb20iCiAgICB9CiAgXQp9"
}
2021-09-15 19:35:13,909:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
2021-09-15 19:35:13,910:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 15 Sep 2021 19:35:13 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 200974670
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/200974670/24717008660
Replay-Nonce: 000251TPyuwcG4CIuGq11XcO-k-VVh--T5GorYjT1CV2xec
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-09-22T19:35:13Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "citizenphage.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/31315688040"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/200974670/24717008660"
}
2021-09-15 19:35:13,910:DEBUG:acme.client:Storing nonce: 000251TPyuwcG4CIuGq11XcO-k-VVh--T5GorYjT1CV2xec
2021-09-15 19:35:13,910:DEBUG:acme.client:JWS payload:
b''
2021-09-15 19:35:13,912:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31315688040:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAwOTc0NjcwIiwgIm5vbmNlIjogIjAwMDI1MVRQeXV3Y0c0Q0l1R3ExMVhjTy1rLVZWaC0tVDVHb3JZalQxQ1YyeGVjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTMxNTY4ODA0MCJ9",
  "signature": "lFXx_eBBj8kC4q4a_tEMM50iPnO04Ko4QRi6_iCMa2gLBvSaZCYwX8-35Nz2FGgvPIG_oEMtRHge6tcGjXQcV13iUkcn9y1m5he9DnUknh55KeyYP4aIYOO2y7dwN99I0YIb3NAptppmm0e30d9q-eyVq7aJaxvB0ZRuImOnHVcFjX2H0eXk03d8ElHGwATuCXoLUiDYHv98dYO4mqj39cq7aISyex39bwVp2Lf0GrgYSbia1UQlaqFXkR7HgENNGmrJDz8l_8EpFphZsgakOvvqb4MbzpLaKb0fp-W0swM4_cW5IOhEvHTWVJKSh2b_5ifLQ9cuaTSxb6xf7myVCw",
  "payload": ""
}
2021-09-15 19:35:14,075:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31315688040 HTTP/1.1" 200 797
2021-09-15 19:35:14,076:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 19:35:13 GMT
Content-Type: application/json
Content-Length: 797
Connection: keep-alive
Boulder-Requester: 200974670
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001wV4B4Yuykdl76XYkVH7vSXTYiS0Rjmu3AUZDsMiJY2o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "citizenphage.com"
  },
  "status": "pending",
  "expires": "2021-09-22T19:35:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/pz-Nsw",
      "token": "mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/vq3mKg",
      "token": "mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/g3Kung",
      "token": "mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM"
    }
  ]
}
2021-09-15 19:35:14,076:DEBUG:acme.client:Storing nonce: 0001wV4B4Yuykdl76XYkVH7vSXTYiS0Rjmu3AUZDsMiJY2o
2021-09-15 19:35:14,077:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-09-15 19:35:14,077:INFO:certbot._internal.auth_handler:http-01 challenge for citizenphage.com
2021-09-15 19:35:14,077:INFO:certbot._internal.plugins.webroot:Using the webroot path /etc/nginx/ssl/bot for all unmatched domains.
2021-09-15 19:35:14,077:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /etc/nginx/ssl/bot/.well-known/acme-challenge
2021-09-15 19:35:14,079:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /etc/nginx/ssl/bot/.well-known/acme-challenge/mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM
2021-09-15 19:35:14,079:DEBUG:acme.client:JWS payload:
b'{}'
2021-09-15 19:35:14,081:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/pz-Nsw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAwOTc0NjcwIiwgIm5vbmNlIjogIjAwMDF3VjRCNFl1eWtkbDc2WFlrVkg3dlNYVFlpUzBSam11M0FVWkRzTWlKWTJvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8zMTMxNTY4ODA0MC9wei1Oc3cifQ",
  "signature": "Qbgo3f4OdsgyoLegh2um2JmgmMPrf78oQHhRdjS087MFxvH2Yd9HQ8K4Fz71E3iE7k-XaAqxVJFTsyKD_Z6-mmqHgkIO371ZZxqa_B5Q1iDgosZEd_qNjcNe-Ni044bFPDTVaGLRYpW5ulRwgBXn9d8-956NxnpojLyMf5D-sc7wPjtyCDISfNRvDWVddNWpE_Z2m6UcJgCkWpJIGzFLYxFLV-6Iu2K1wMihPQEksn07BPpZu70HZqZsMfrFAkHKPxcl25VKWi1KL7b23If90mUDumTLfXQpeQneYO2ILyY8DcBg8V8HNKoBA8jSaM5PZe0SN80E0W5FOGeQzLZfHQ",
  "payload": "e30"
}
2021-09-15 19:35:14,340:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/31315688040/pz-Nsw HTTP/1.1" 200 186
2021-09-15 19:35:14,340:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 19:35:14 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 200974670
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/31315688040>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/pz-Nsw
Replay-Nonce: 0002WtasUozanb1r_OPetDE7nvEN7Lb9tt3Ha51mCF6AWmE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/pz-Nsw",
  "token": "mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM"
}
2021-09-15 19:35:14,341:DEBUG:acme.client:Storing nonce: 0002WtasUozanb1r_OPetDE7nvEN7Lb9tt3Ha51mCF6AWmE
2021-09-15 19:35:14,341:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-09-15 19:35:15,342:DEBUG:acme.client:JWS payload:
b''
2021-09-15 19:35:15,344:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31315688040:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAwOTc0NjcwIiwgIm5vbmNlIjogIjAwMDJXdGFzVW96YW5iMXJfT1BldERFN252RU43TGI5dHQzSGE1MW1DRjZBV21FIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTMxNTY4ODA0MCJ9",
  "signature": "K05OJbpguiJEODHHtwyxqWarI0G6htv7dX59Tn8Zf3A9mlXVcMjIAA_PChvAgmm5Y3j0YVlB8ayfyUjnleOh89jl8OVlXGBfLNEGTiKGEfyKCEr30QX-579ULuBKiZtJKIQ27RG_2r6vRCHS5GUwBKiuZSF-cbKWdZ1ZE_GqvKQug6oNh5ksSom8tNGZhcg5l9eznzkkaOqlDQqXj_nfIkN-7taa85i1YK3t28l5wQumv19cPkLxroXuxXW2xUQtEBIXvXBSn864LNbYExhIYDki1HiTwhO93IjWyQg7kNeVbfp7bqeTT9afJCEzRSnAewJcLU6MbSsfXXxF70Q1bA",
  "payload": ""
}
2021-09-15 19:35:15,689:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31315688040 HTTP/1.1" 200 1090
2021-09-15 19:35:15,690:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 19:35:15 GMT
Content-Type: application/json
Content-Length: 1090
Connection: keep-alive
Boulder-Requester: 200974670
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00024sdMMd2rboeWzLbxDjlfcbEAdfbGtEYkerVfn6cInOc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "citizenphage.com"
  },
  "status": "invalid",
  "expires": "2021-09-22T19:35:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://citizenphage.com/.well-known/acme-challenge/mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM [2001:8d8:100f:f000::2c3]: 204",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31315688040/pz-Nsw",
      "token": "mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM",
      "validationRecord": [
        {
          "url": "http://citizenphage.com/.well-known/acme-challenge/mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM",
          "hostname": "citizenphage.com",
          "port": "80",
          "addressesResolved": [
            "217.160.0.29",
            "2001:8d8:100f:f000::2c3"
          ],
          "addressUsed": "2001:8d8:100f:f000::2c3"
        }
      ],
      "validated": "2021-09-15T19:35:14Z"
    }
  ]
}
2021-09-15 19:35:15,690:DEBUG:acme.client:Storing nonce: 00024sdMMd2rboeWzLbxDjlfcbEAdfbGtEYkerVfn6cInOc
2021-09-15 19:35:15,691:INFO:certbot._internal.auth_handler:Challenge failed for domain citizenphage.com
2021-09-15 19:35:15,691:INFO:certbot._internal.auth_handler:http-01 challenge for citizenphage.com
2021-09-15 19:35:15,691:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: citizenphage.com
  Type:   unauthorized
  Detail: Invalid response from http://citizenphage.com/.well-known/acme-challenge/mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM [2001:8d8:100f:f000::2c3]: 204

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-09-15 19:35:15,692:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-09-15 19:35:15,692:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-09-15 19:35:15,692:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-09-15 19:35:15,692:DEBUG:certbot._internal.plugins.webroot:Removing /etc/nginx/ssl/bot/.well-known/acme-challenge/mEes54HEw7N0rkan-dztMWxzYO_FXrChPmOunTvNfwM
2021-09-15 19:35:15,692:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-09-15 19:35:15,692:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1434/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/main.py", line 1572, in main
    return config.func(config, plugins)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/main.py", line 1432, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/client.py", line 454, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/client.py", line 384, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/client.py", line 434, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1434/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-09-15 19:35:15,693:ERROR:certbot._internal.log:Some challenges have failed.

Your websites responds differently between IPv4 and IPv6.

For some reason your IPv6 site redirects to http://54.195.224.28/. This by the way is probably not something you actually want for two reasons: a redirect to an IP address would show just the IP address in the clients address bar instead of your domain name. Also, Let's Encrypt doesn't issue certificates for IP addresses currently. A second thing would be that the IPv4 address returned by your IPv6 host isn't the same as the IPv4 address of your hostname.

1 Like