Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
https://cloud.faass.eu
I ran this command:
certbot renew --dry-run -vvv
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: cloud.faass.eu
Type: connection
Detail: Fetching http://cloud.faass.eu/.well-known/acme-challenge/lGRcvEyPdMBSWjVFkXUCqlmQ7vzmsyp5amZ3YLR8tCU: Connection refused
My web server is (include version):
nginx version: nginx/1.20.2
The operating system my web server runs on is (include version):
freebsd-version
12.3-RELEASE-p2
My hosting provider, if applicable, is:
none
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0
Hi!
I am trying to renew my certificate for some days now and tried a lot of things to get it working.
My nginx normally does not listen on Port 80, so I user the nginx-plugin to create a temporary config for the renewal.
When running certbot renew, this config is created and written to /usr/local/etc/nginx and ./letsencrypt:
(nginx.conf):
user www;
worker_processes auto;
This default error log path is compiled-in to make sure configuration parsing
errors are logged somewhere, especially during unattended boot when stderr
isn't normally logged anywhere. This path will be touched on every nginx
start regardless of error log location configured here. See
https://trac.nginx.org/nginx/ticket/147 for more info.
#error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
events {
worker_connections 1024;
}
http {
include /usr/local/etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;
include mime.types;
(.........)
and the included file:
root@ProxyDMZ:~ # cat le_http_01_cert_challenge.conf
server{listen 80;server_name cloud.faass.eu;root /var/db/letsencrypt/http_01_nonexistent;location = /.well-known/acme-challenge/mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0{default_type text/plain;return 200 mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0.0QTF0O8SjxYNL_GH5X72f2am95dc96J9aE_KZbeEYPU;}}
Problem is: The plugin seems to miss the config reload of nginx, when I look at the open sockets while running the renew only 443 is open.
For testing that I'v copied those two files while the renew was running and failed.
After that point I manually copied both to their directory and did a "service nginx reload", now the Challenge is available and working:
URL="http://cloud.faass.eu"$(cat /usr/local/etc/letsencrypt/le_http_01_cert_challenge.conf | sed -n -e 's/^.location = //p' | sed 's/{.//' )
curl -v $URL
- Trying 176.198.153.26:80...
- Connected to cloud.faass.eu (176.198.153.26) port 80 (#0)
GET /.well-known/acme-challenge/mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0 HTTP/1.1
Host: cloud.faass.eu
User-Agent: curl/7.80.0
Accept: /
- Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.20.2
< Date: Fri, 04 Mar 2022 12:14:35 GMT
< Content-Type: text/plain
< Content-Length: 87
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< - Connection #0 to host cloud.faass.eu left intact
mIq4sCUIZmhKstSl-zANhKytN6z61Q_Hm62-zUOa5r0.0QTF0O8SjxYNL_GH5X72f2am95dc96J9aE_KZbeEYPU#
Is there anything I can do to tell certbot to reload the nginx config and wait fa few seconds after creating the temp config files?
Or am I missing something different? 
Thanks and greetings from Germany,
Philipp