Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
music.jordanpicton.xyz
I ran this command: sudo certbot -v --nginx -d jordanpicton.xyz
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for jordanpicton.xyz
Performing the following challenges:
http-01 challenge for jordanpicton.xyz
Waiting for verification...
Challenge failed for domain jordanpicton.xyz
http-01 challenge for jordanpicton.xyz
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: jordanpicton.xyz
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "C0eBdELqUFvSskRWK9LN9uU5uL1UW05iXnocGjYHWxI.1p5yWDAxv8N_XD8Ic93lZEnYnYbWFwVdeJ5aZh5T9uI" (got "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode")
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Yeah, sorry, I meant music.jordanpicton.xyz.
This was all working before I updated and now I've got multiple issues across a bunch of domains.
But fun to see that I've caused another issue haha.
I'm not fully sure what you're asking me to do here, in all honesty.
The only domain I got certbot to work with would have been my forums one when I set up Discourse, which is currently broken as well because of my updates.
Though I most likely have broken the NGINX side of things more than anything really, as some work and then others don't. I was honestly just trying to secure things up a little more, but I don't know much about this stuff, so I've messed up haha.
Your Content Security Policy header shouldn't contain any newlines (RFC 9110: HTTP Semantics), and have you tried running certbot with the correct subdomain?
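An added example, not code from this thread or from Certbot or nginx, that illustrates the reply above: an `add_header` value spanning lines is emitted verbatim into the response, a client then takes the first empty line it meets as the end of the header block, and the remaining header lines become the body the ACME validator compares against the key authorization, which is the shape of the "got" text in the error. The token, thumbprint and nginx snippets are constructed, and the directive parser is a deliberately simplified one for double-quoted values only.

```python
"""Constructed demonstration: a multi-line add_header value corrupts the
http-01 challenge response, and a check that finds such values in a config."""
import re

# Hypothetical key authorization; the real one is token.thumbprint (RFC 8555).
KEY_AUTHZ = "example-token.example-thumbprint"

# Constructed nginx snippets: in BROKEN_CONF the CSP value spans lines.
BROKEN_CONF = '''
add_header Content-Security-Policy "default-src 'self';
    frame-ancestors 'none';
";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
'''
FIXED_CONF = '''
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
'''

# Simplified parser: add_header NAME "VALUE"; with the value double-quoted.
ADD_HEADER = re.compile(r'add_header\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s*;', re.S)


def add_headers(conf):
    """Collect (name, value) pairs from the add_header directives in conf."""
    return [(m.group(1), m.group(2)) for m in ADD_HEADER.finditer(conf)]


def bad_header_values(conf):
    """Names of headers whose value contains CR or LF, which RFC 9110
    does not allow inside a field value."""
    return [name for name, value in add_headers(conf)
            if "\r" in value or "\n" in value]


def render_response(headers, body):
    """Serialise a 200 response the way a server that does not sanitise
    values would: each value is written verbatim between CRLF line ends."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/plain"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def split_response(raw):
    """Parse like a tolerant HTTP client: a bare LF ends a line and the
    first empty line ends the header block, whatever produced it."""
    m = re.search(rb"\r?\n\r?\n", raw)
    head, body = raw[:m.start()], raw[m.end():]
    status, *field_lines = re.split(rb"\r?\n", head)
    fields = {}
    for line in field_lines:
        name, sep, value = line.partition(b":")
        if sep:  # a line without a colon is malformed here; skip it
            fields[name.strip().decode()] = value.strip().decode()
    return status.decode(), fields, body


def key_authz_matches(raw, expected=KEY_AUTHZ):
    """What the CA checks: the response body must equal the key authorization
    (trailing whitespace ignored)."""
    _, _, body = split_response(raw)
    return body.decode("latin-1").rstrip() == expected


def simulate(conf):
    """Serve the challenge file under the headers from conf and return
    (validation passes?, body as the validator saw it)."""
    raw = render_response(add_headers(conf), KEY_AUTHZ)
    _, _, body = split_response(raw)
    return key_authz_matches(raw), body


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        ok, body = simulate(conf)
        print(f"{label}: newline in {bad_header_values(conf) or 'none'}, "
              f"validation {'passes' if ok else 'fails'}, body starts {body[:40]!r}")
```

Running `bad_header_values` over a real nginx config (after `nginx -T` to expand includes) is a quick way to find the directive at fault; the fix is the one the reply gives, keep each header value on one line.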
Yeah, I'm kind of rethinking everything at the moment, since I've got certbot applying a certificate for my forums, which did work until the updates. But the rest of my domains were going through Cloudflare and manually assigning the certs.
So I'm going to sit back, view my options, and set up something better hopefully. I'd like to use certbot I think because of Discourse using it, but if I could I'd probably use Cloudflare for it. I've just got to see what I can do really.
Have you considered using a Cloudflare Origin CA certificate for your server? Those are very easy to set up and do not require using Certbot (or any other standalone ACME client) to get or renew a cert.
You get this cert from Cloudflare and can set its expiration far in the future. This Origin CA cert is only good for domains proxied at Cloudflare.
I was using these originally for my websites, though the forums certbot one was mostly broken. Plus I wouldn't say my network is the best when it comes to security, so I removed it all and started to redo most of it a few hours ago.
Though I'd be looking for sysadmin help honestly, as I'd want to make sure I'm doing what I can, though I'm not sure where I'd start or where to find the help. But safe to say I'm not using certbot anymore currently.