Certbot --nginx renew fails - Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
whatbank.ca
www.whatbank.ca

I ran this command:
sudo certbot --nginx -d whatbank.ca -d www.whatbank.ca

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for whatbank.ca
http-01 challenge for www.whatbank.ca
Waiting for verification...
Challenge failed for domain whatbank.ca
Challenge failed for domain www.whatbank.ca
http-01 challenge for whatbank.ca
http-01 challenge for www.whatbank.ca
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: whatbank.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://whatbank.ca/.well-known/acme-challenge/qln2LHOVpkBLW1IyncvvsPZ-ztKOnO7BtRaItcuH-pg
   [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n
   <meta charset=\"utf-8\">\n<meta name=\"viewport\"
   content=\"width=device-width, initial"

   Domain: www.whatbank.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://whatbank.ca/.well-known/acme-challenge/OnhfsGooTL8nXqopJZuBh3hMXZg3IlrTQLudYQmRhYk
   [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n
   <meta charset=\"utf-8\">\n<meta name=\"viewport\"
   content=\"width=device-width, initial"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

The file /etc/nginx/sites-available/whatbank.ca is:

server {
    if ($host = www.whatbank.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    
    if ($host = whatbank.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

   
   listen 80;
   server_name whatbank.ca www.whatbank.ca;
   return 301 https://$server_name$request_uri;
}
server {
   listen 443 ssl;
   server_name whatbank.ca www.whatbank.ca;
    ssl_certificate /etc/letsencrypt/live/whatbank.ca-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/whatbank.ca-0001/privkey.pem; # managed by Certbot
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

   location / {
#       proxy_pass https://infallible-hypatia-9e85e7.netlify.app;
#       proxy_redirect http://178.128.239.248:3838/ https://$host/;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection $connection_upgrade;
       proxy_read_timeout 20d;
   }
}

Does this have something to do with NGINX thinking that the challenge request is a 404 error and redirecting the page to Page Not Found?

If so, how do I edit /etc/nginx/sites-available/whatbank.ca so that Certbot challenge requests are treated properly?

Is the domain name a typo? In all other spots it is .ca, but in that command it is .com.

2 Likes

Sorry. My error. I updated the renew command and output with the correct .ca domains. Same error.

1 Like

No problem. Well, it is still an error but it definitely is not the same error :slight_smile:

I am a little puzzled why the message says "certificate is due for renewal". You most recently got a cert just a few weeks ago which expires late Feb. Normally renewals are started 30 days before expiry. Have you changed that? What does this command show:

sudo certbot certificates

And, why is that location / for the proxy only partially commented out? If you are not using it just remove it or comment out all those lines. Perhaps certbot is confused by a partial configuration. I did not test that but something to check. We can review logs and other details if that does not resolve it.

2 Likes

Here is the result of
sudo certbot certificates:

law@ubuntu-1vcpu-1gb:~$ sudo certbot certificates
[sudo] password for law: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ex.whatbank.ca
    Domains: ex.whatbank.ca
    Expiry Date: 2022-01-19 05:48:49+00:00 (VALID: 45 days)
    Certificate Path: /etc/letsencrypt/live/ex.whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ex.whatbank.ca/privkey.pem
  Certificate Name: iframe.whatbank.ca
    Domains: iframe.whatbank.ca
    Expiry Date: 2022-01-06 05:49:00+00:00 (VALID: 32 days)
    Certificate Path: /etc/letsencrypt/live/iframe.whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/iframe.whatbank.ca/privkey.pem
  Certificate Name: img.whatbank.ca
    Domains: img.whatbank.ca
    Expiry Date: 2022-01-25 09:49:06+00:00 (VALID: 51 days)
    Certificate Path: /etc/letsencrypt/live/img.whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/img.whatbank.ca/privkey.pem
  Certificate Name: lawrencepilch.com-0001
    Domains: lawrencepilch.com
    Expiry Date: 2022-02-18 06:45:39+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/lawrencepilch.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lawrencepilch.com-0001/privkey.pem
  Certificate Name: lawrencepilch.com
    Domains: lawrencepilch.com www.lawrencepilch.com
    Expiry Date: 2022-01-30 09:50:06+00:00 (VALID: 56 days)
    Certificate Path: /etc/letsencrypt/live/lawrencepilch.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lawrencepilch.com/privkey.pem
  Certificate Name: whatbank.ca-0001
    Domains: whatbank.ca
    Expiry Date: 2021-12-13 23:08:15+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/whatbank.ca-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/whatbank.ca-0001/privkey.pem
  Certificate Name: whatbank.ca
    Domains: whatbank.ca www.whatbank.ca
    Expiry Date: 2021-12-13 22:59:12+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/whatbank.ca/privkey.pem
  Certificate Name: www.lawrencepilch.com
    Domains: www.lawrencepilch.com
    Expiry Date: 2022-02-18 06:45:45+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/www.lawrencepilch.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.lawrencepilch.com/privkey.pem

I commented out the entire location paragraph and restarted nginx.
The result of sudo certbot --nginx -d whatbank.ca -d www.whatbank.ca is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for whatbank.ca
http-01 challenge for www.whatbank.ca
Waiting for verification...
Challenge failed for domain whatbank.ca
Challenge failed for domain www.whatbank.ca
http-01 challenge for whatbank.ca
http-01 challenge for www.whatbank.ca
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: whatbank.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://whatbank.ca/.well-known/acme-challenge/Hwa68Qkbwf2veesTEetkMazxjjg_9jnp8KdRoNB19DI
   [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n
   <meta charset=\"utf-8\">\n<meta name=\"viewport\"
   content=\"width=device-width, initial"

   Domain: www.whatbank.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://whatbank.ca/.well-known/acme-challenge/us_5ncIFqnKVcH_OBAkv_lvol3YDkKVkHy14A-ndZ6k
   [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n
   <meta charset=\"utf-8\">\n<meta name=\"viewport\"
   content=\"width=device-width, initial"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Don't you think that it has something to do with URLs like this https://whatbank.ca/.well-known/acme-challenge/... redirecting to the 404 error page?

Yes, it does. But I also saw other issues so wanted to address them one at a time.

Note these two certificates:

  Certificate Name: whatbank.ca-0001
    Domains: whatbank.ca
    Expiry Date: 2021-12-13 23:08:15+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/whatbank.ca-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/whatbank.ca-0001/privkey.pem
  Certificate Name: whatbank.ca
    Domains: whatbank.ca www.whatbank.ca
    Expiry Date: 2021-12-13 22:59:12+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/whatbank.ca/privkey.pem

First you should get rid of the overlap of these two certificates. The second one is the one you want since it covers both whatbank.ca and www.whatbank.ca. This needs two steps.

  1. Change the name in the nginx conf to use the cert and private key path as shown in this cert. That is, remove the -0001 from the file names. Reload nginx.
  2. Run sudo certbot delete whatbank.ca-0001

Then, let's try a test renew like this

sudo certbot renew --cert-name whatbank.ca --dry-run
2 Likes
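The overlap described above (a `-0001` lineage whose only name is already covered by the lineage that also holds `www`) is easy to miss in a long `certbot certificates` listing. The following is an added example for this thread, not Certbot's or nginx's own code: it parses the listing Certbot prints (the three lineages below are copied from the output posted above), reads which lineage the vhost's `ssl_certificate` line points at, and produces the two steps MikeMcQ gave: repoint nginx at the covering lineage, then `certbot delete --cert-name` the redundant one.

```python
"""Find Certbot lineages made redundant by another lineage and plan the cleanup.

Added example for this thread; not Certbot's or nginx's code. A lineage is
"redundant" when every name on it is also on some other lineage (Certbot
names such duplicates with a -0001 suffix). The vhost snippet is the relevant
part of the config posted above, before the -0001 paths were changed.
"""
import re

# Copied from the `sudo certbot certificates` output posted above (trimmed).
CERTBOT_CERTIFICATES_OUTPUT = """\
Found the following certs:
  Certificate Name: img.whatbank.ca
    Domains: img.whatbank.ca
    Expiry Date: 2022-01-25 09:49:06+00:00 (VALID: 51 days)
    Certificate Path: /etc/letsencrypt/live/img.whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/img.whatbank.ca/privkey.pem
  Certificate Name: whatbank.ca-0001
    Domains: whatbank.ca
    Expiry Date: 2021-12-13 23:08:15+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/whatbank.ca-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/whatbank.ca-0001/privkey.pem
  Certificate Name: whatbank.ca
    Domains: whatbank.ca www.whatbank.ca
    Expiry Date: 2021-12-13 22:59:12+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/whatbank.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/whatbank.ca/privkey.pem
"""

# The ssl_* lines of the 443 server block as originally posted above.
NGINX_VHOST = """\
server {
   listen 443 ssl;
   server_name whatbank.ca www.whatbank.ca;
    ssl_certificate /etc/letsencrypt/live/whatbank.ca-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/whatbank.ca-0001/privkey.pem; # managed by Certbot
}
"""


def parse_certificates(text):
    """Return {lineage_name: {"domains": set(...), "path": str}} from certbot's listing."""
    lineages = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = {"domains": set(), "path": None}
        elif current and line.startswith("Domains:"):
            lineages[current]["domains"] = set(line.split(":", 1)[1].split())
        elif current and line.startswith("Certificate Path:"):
            lineages[current]["path"] = line.split(":", 1)[1].strip()
    return lineages


def find_redundant_lineages(lineages):
    """Return {redundant_lineage: covering_lineage}.

    A lineage is covered when its domain set is a strict subset of another's,
    or equal to another's whose name is shorter (the original, not the -0001 copy).
    """
    redundant = {}
    for name, info in lineages.items():
        for other, other_info in lineages.items():
            if other == name or not info["domains"] <= other_info["domains"]:
                continue
            strictly_smaller = info["domains"] < other_info["domains"]
            if strictly_smaller or len(other) < len(name):
                redundant[name] = other
                break
    return redundant


def lineage_used_by_vhost(vhost_text):
    """Name of the /etc/letsencrypt/live/<name>/ directory the ssl_certificate line uses."""
    m = re.search(r"ssl_certificate\s+/etc/letsencrypt/live/([^/]+)/fullchain\.pem", vhost_text)
    return m.group(1) if m else None


def cleanup_plan(cert_output, vhost_text):
    """Ordered list of actions: repoint nginx first, then delete the redundant lineage(s)."""
    lineages = parse_certificates(cert_output)
    redundant = find_redundant_lineages(lineages)
    used = lineage_used_by_vhost(vhost_text)
    steps = []
    if used in redundant:
        keep = redundant[used]
        steps.append(f"edit vhost: ssl_certificate{{,_key}} -> /etc/letsencrypt/live/{keep}/ ; then reload nginx")
    for name, keep in sorted(redundant.items()):
        steps.append(f"sudo certbot delete --cert-name {name}   # all its names are on {keep}")
    return steps


if __name__ == "__main__":
    for step in cleanup_plan(CERTBOT_CERTIFICATES_OUTPUT, NGINX_VHOST):
        print(step)
```

The plan deliberately puts the nginx edit before the delete: `certbot delete` removes the `live/whatbank.ca-0001/` directory, and a vhost still pointing at it would make `nginx -t` fail on the next reload.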

Running sudo certbot certificates, the -0001 domain is now gone.

Running
sudo certbot renew --cert-name whatbank.ca --dry-run

Has errors:


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/whatbank.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for whatbank.ca
http-01 challenge for www.whatbank.ca
Waiting for verification...
Challenge failed for domain whatbank.ca
Challenge failed for domain www.whatbank.ca
http-01 challenge for whatbank.ca
http-01 challenge for www.whatbank.ca
Cleaning up challenges
Attempting to renew cert (whatbank.ca) from /etc/letsencrypt/renewal/whatbank.ca.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/whatbank.ca/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/whatbank.ca/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: whatbank.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://whatbank.ca/.well-known/acme-challenge/53gdtlVIFHlsVXXRnKvS82PZMjmxEwLhv0xooXOQ5tk
   [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n
   <meta charset=\"utf-8\">\n<meta name=\"viewport\"
   content=\"width=device-width, initial"

   Domain: www.whatbank.ca
   Type:   unauthorized
   Detail: Invalid response from
   https://whatbank.ca/.well-known/acme-challenge/0YgqNozeliSPT0eve46-7BVIvsw6g5C6e1ZqIZQFbVA
   [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n
   <meta charset=\"utf-8\">\n<meta name=\"viewport\"
   content=\"width=device-width, initial"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Ok, good progress. I know you may not see it but I do. But I need to step away for a while so maybe someone else will pick up from here.

The next thing I would want to see is to have you upload the log file. Better to upload than copy/paste as it will be large:

/var/log/letsencrypt/letsencrypt.log
2 Likes

OK. Thanks for the help so far.

As @MikeMcQ suggested here is this file: /var/log/letsencrypt/letsencrypt.log
letsencrypt.log.txt (1.9 MB)

This line looks especially ominous:
WARNING:certbot.auth_handler:Challenge failed for domain whatbank.ca

Again, this goes back to the issue of the challenge redirecting to a 404 Page not found page rather than to where it is supposed to go.

1 Like

Yes, it is ominous but the trick is finding out why. The way you run certbot has it making temporary changes to your nginx conf to ensure the response is correct. Yet it is not. The log makes clear why you get that result. But, I am not clear on what needs to be done to correct it. Certbot is getting confused making the temporary changes.

Note these changes to your nginx conf are removed after the renew so it is not always easy to see what happened.

I will not have more time until later to look at this more in depth. Again, perhaps another volunteer will spot something. Here is the changed nginx conf from the log. The problem is the initial challenge is redirected from http to https (seen in error message) but yet the location statements with the well-known response are in the http server and not processed.

Update: You should consider updating your version of certbot; 0.40 is fairly old. Your version of Ubuntu supports the snap install, which would be version 1.21. I do not know that it would fix this problem but worth a try.

2021-12-04 19:42:17,305:DEBUG:certbot_nginx.parser:Writing nginx conf tree to /etc/nginx/sites-enabled/whatbank.ca:

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    if ($host = www.whatbank.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = whatbank.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


   listen 80;
   server_name whatbank.ca www.whatbank.ca;
   return 301 https://$server_name$request_uri;
location = /.well-known/acme-challenge/53gdtlVIFHlsVXXRnKvS82PZMjmxEwLhv0xooXOQ5tk{default_type text/plain;return 200 53gdtlVIFHlsVXXRnKvS82PZMjmxEwLhv0xooXOQ5tk.mFOFkyiUHa0wIsskh_DYJ3lRVJ0xETsJDXxpSD2g-2o;} # managed by Certbot

location = /.well-known/acme-challenge/0YgqNozeliSPT0eve46-7BVIvsw6g5C6e1ZqIZQFbVA{default_type text/plain;return 200 0YgqNozeliSPT0eve46-7BVIvsw6g5C6e1ZqIZQFbVA.mFOFkyiUHa0wIsskh_DYJ3lRVJ0xETsJDXxpSD2g-2o;} # managed by Certbot

}
server {
   listen 443 ssl;
   server_name whatbank.ca www.whatbank.ca;
    ssl_certificate /etc/letsencrypt/live/whatbank.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/whatbank.ca/privkey.pem; # managed by Certbot
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

#  location / {
#       proxy_pass https://infallible-hypatia-9e85e7.netlify.app;
#       proxy_redirect http://178.128.239.248:3838/ https://$host/;
#      proxy_http_version 1.1;
#      proxy_set_header Upgrade $http_upgrade;
#      proxy_set_header Connection $connection_upgrade;
#      proxy_read_timeout 20d;
#  }
}
2 Likes

I've updated Certbot.

certbot --version
certbot 1.21.0

And uploaded the latest logfile,
letsencrypt.log.txt (1.9 MB)

sudo certbot renew --cert-name whatbank.ca --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/whatbank.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for whatbank.ca and www.whatbank.ca

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: whatbank.ca
  Type:   unauthorized
  Detail: Invalid response from https://whatbank.ca/.well-known/acme-challenge/XgX5V_UrRUPTCfukHMAkK6tEuoz73o0Hj7DtgoIxC74 [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n    <meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial"

  Domain: www.whatbank.ca
  Type:   unauthorized
  Detail: Invalid response from https://whatbank.ca/.well-known/acme-challenge/gmyY4GOFWKlj0YHnLXex4kqcANrC0Y_rZ2FmVYNaIfc [75.2.60.5]: "<!DOCTYPE html>\n<html lang=\"en-us\">\n<head>\n    <meta charset=\"utf-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate whatbank.ca with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/whatbank.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
1 Like

Sorry, but I need to point out the obvious:

Name:    img.whatbank.ca
Address: 178.128.239.248

Name:    iframe.whatbank.ca
Address: 178.128.239.248

Name:    ex.whatbank.ca
Address: 178.128.239.248

And:

Name:    www.whatbank.ca
Address: 75.2.60.5

Name:    whatbank.ca
Address: 75.2.60.5

That's 75.2.60.5, not 178.128.239.248.

curl -Ii whatbank.ca
HTTP/1.1 301 Moved Permanently
location: https://whatbank.ca/
server: Netlify

curl -Ii 178.128.239.248
Server: nginx/1.18.0 (Ubuntu)

That's Netlify, not nginx.

2 Likes

Oh gosh - totally missed that. Thanks

Still, not sure of the implication. Looking quickly, it seems like Netlify is a CDN that can manage Let's Encrypt certs on your behalf but can also bring your own. I am not sure why you would want to but you can. And, that 75.2... IP points back at AWS Global Accelerator. Definitely adds to the mystery, so it looks like we need to re-check some basics.

@ixodid198 On the server that you are running Certbot and nginx, could you show results of this command:

curl -4 ifconfig.co

That will show the public IP for that server so we can be sure it matches the DNS.

And, can you explain the configuration? As @rg305 noted, Netlify shows in the Server header responses to whatbank.ca (and www). Are you sure these requests are passing through to the nginx server you are showing in this thread? For example, make the below request and see if it shows up in your nginx access log at /var/log/nginx/access.log.

curl -I http://whatbank.ca

Update: @ixodid198 Is it possible you used Netlify to issue Let's Encrypt certs for the whatbank.ca and www.whatbank.ca domain names? And maybe used certbot and nginx for the other domains?

2 Likes
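The checks rg305 and MikeMcQ ask for above (where DNS points, which IP the CA reported in the error, who answers `curl -I http://whatbank.ca`, and whether any challenge request ever shows in nginx's access log) can be collected into one pre-flight diagnosis. The following is an added example for this thread, not Certbot's, nginx's or Netlify's code. Every input is copied from the posts above except the `DNS` map, which is typed in from rg305's lookup output; the `diagnose` function is a general version of those checks and works for any set of names, not only the two in this thread.

```python
"""Pre-flight diagnosis for an http-01 "unauthorized: Invalid response from" failure.

Added example for this thread (not Certbot's, nginx's or Netlify's code). It
answers four questions a failed nginx-plugin renewal raises: does DNS for each
name point at the host running nginx, does the IP the CA says it talked to
match that host, what answers port 80 for the name, and did a
/.well-known/acme-challenge/ request ever reach nginx's access log.
"""
import re

ACME_PATH = "/.well-known/acme-challenge/"

PUBLIC_IP = "178.128.239.248"  # from `curl -4 ifconfig.co` posted above

# Typed in from the nslookup results posted above (name -> A record).
DNS = {
    "whatbank.ca": "75.2.60.5",
    "www.whatbank.ca": "75.2.60.5",
    "img.whatbank.ca": "178.128.239.248",
}

# The CA error block from the certbot 1.21.0 dry run posted above (detail trimmed).
CERTBOT_ERROR = """\
  Domain: whatbank.ca
  Type:   unauthorized
  Detail: Invalid response from https://whatbank.ca/.well-known/acme-challenge/XgX5V_UrRUPTCfukHMAkK6tEuoz73o0Hj7DtgoIxC74 [75.2.60.5]: "<!DOCTYPE html>"

  Domain: www.whatbank.ca
  Type:   unauthorized
  Detail: Invalid response from https://whatbank.ca/.well-known/acme-challenge/gmyY4GOFWKlj0YHnLXex4kqcANrC0Y_rZ2FmVYNaIfc [75.2.60.5]: "<!DOCTYPE html>"
"""

# `curl -I http://whatbank.ca` as posted above (trimmed to the relevant headers).
CURL_HEADERS = """\
HTTP/1.1 301 Moved Permanently
content-type: text/plain
location: https://whatbank.ca/
server: Netlify
"""

# Lines from /var/log/nginx/access.log as posted above.
ACCESS_LOG = [
    '192.0.91.177 - - [04/Dec/2021:23:12:58 -0500] "HEAD /wp HTTP/1.1" 301 0 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"',
    '104.156.229.24 - - [04/Dec/2021:23:13:55 -0500] "GET / HTTP/1.1" 403 196 "-" "Mozilla/5.0 (StatusCake)"',
]


def parse_acme_errors(text):
    """Return [(domain, url, ip_the_ca_connected_to)] for every 'Invalid response from' block."""
    pattern = re.compile(
        r"Domain:\s*(\S+).*?Invalid response from\s+(\S+)\s+\[([0-9A-Fa-f.:]+)\]", re.S)
    return pattern.findall(text)


def parse_headers(raw):
    """Split a `curl -I` dump into (status_line, {lowercase-header: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        key, _, value = ln.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def diagnose(public_ip, dns, certbot_error, curl_headers, access_log):
    """Return a list of findings; an empty list means nothing contradicts http-01 via this host."""
    findings = []
    for name, addr in dns.items():
        if addr != public_ip:
            findings.append(f"dns: {name} -> {addr}, not this host ({public_ip}); "
                            "http-01 for it cannot be answered by this nginx")
    for domain, url, ip in parse_acme_errors(certbot_error):
        if ip != public_ip:
            origin = url.split(ACME_PATH)[0]
            findings.append(f"ca: validation of {domain} was answered by {ip} at {origin}, not {public_ip}")
    status, headers = parse_headers(curl_headers)
    server = headers.get("server", "")
    if server and "nginx" not in server.lower():
        findings.append(f"http: port 80 for the name is answered by '{server}', not nginx")
    if status.split()[1].startswith("3") and headers.get("location", "").startswith("https://"):
        findings.append("http: port 80 redirects to https; the CA follows it, "
                        "so whatever serves https must return the token")
    if not any(ACME_PATH in line for line in access_log):
        findings.append("log: no /.well-known/acme-challenge/ request reached nginx's access log")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PUBLIC_IP, DNS, CERTBOT_ERROR, CURL_HEADERS, ACCESS_LOG):
        print(finding)
```

On this thread's inputs the function reports a DNS mismatch for both apex and `www`, a CA validation IP of 75.2.60.5 rather than 178.128.239.248, a non-nginx `server` header, an http-to-https redirect and no challenge hits in the log, which together say the same thing as the replies above: those two names are terminated by Netlify, so the nginx plugin's temporary `location` blocks are never consulted. The `img.whatbank.ca` entry produces no finding, which is why that lineage renews fine on the same host.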

A few pages on my site are composed of two elements.

  1. Static content served by Netlify
  2. Dynamic content served on the same page in an iframe by an R Shiny server I run on Digital Ocean (178.128.239.248)

curl -4 ifconfig.co
178.128.239.248
curl -I http://whatbank.ca
HTTP/1.1 301 Moved Permanently
cache-control: public, max-age=0, must-revalidate
content-length: 35
content-type: text/plain
date: Sat, 04 Dec 2021 14:03:11 GMT
x-nf-request-id: 01FP4CXAD9RJJWH5P79YS5Z142
location: https://whatbank.ca/
server: Netlify
age: 51193

sudo vi /var/log/nginx/access.log

192.0.91.177 - - [04/Dec/2021:23:12:58 -0500] "HEAD /wp HTTP/1.1" 301 0 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
192.0.91.177 - - [04/Dec/2021:23:12:58 -0500] "HEAD /wp HTTP/1.1" 404 0 "-" "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"
104.156.229.24 - - [04/Dec/2021:23:13:55 -0500] "GET / HTTP/1.1" 403 196 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)"
45.63.121.159 - - [04/Dec/2021:23:14:19 -0500] "GET / HTTP/1.1" 403 196 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/98 Safari/537.4 (StatusCake)"

Regarding Netlify > whatbank.ca > Domain Management
See screenshot below:

1 Like

That last Netlify screen looks like it is managing your Let's Encrypt cert.

Generally, a CDN needs a cert to manage an https connection between its "edge" and the client (browser). There is another connection from the edge to your server. I do not know Netlify specifics, but other CDNs allow different options for the connection between the edge and your origin server (http, https, dynamic choice, ...). You would need a different cert if doing https between your server and the CDN.

The cert seen by visitors to whatbank.ca is the one shown in that Netlify screen. See this site which checks cert chains: SSL Checker

So, the reason nginx is not renewing cert requests for those 2 domain names is that Netlify is intercepting those requests.

Does this make sense? Why do you think you need certs in nginx for those 2 domains?

2 Likes

I'm pretty confident having both Netlify and nginx handle whatbank certificates was done in error. So I'm thinking I will stop nginx from renewing the certificates for www.whatbank.ca and whatbank.ca. Which probably means modifying /etc/nginx/sites-available/whatbank.ca, reloading nginx, and running

sudo certbot delete whatbank.ca
sudo certbot delete www.whatbank.ca

How does that sound?

Here's the current sites-available/whatbank.ca. How should it be modified?

server {
    if ($host = www.whatbank.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = whatbank.ca) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


   listen 80;
   server_name whatbank.ca www.whatbank.ca;
   return 301 https://$server_name$request_uri;
}
server {
   listen 443 ssl;
   server_name whatbank.ca www.whatbank.ca;
    ssl_certificate /etc/letsencrypt/live/whatbank.ca/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/whatbank.ca/privkey.pem; # managed by Certbot
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

#  location / {
#       proxy_pass https://infallible-hypatia-9e85e7.netlify.app;
#       proxy_redirect http://178.128.239.248:3838/ https://$host/;
#      proxy_http_version 1.1;
#      proxy_set_header Upgrade $http_upgrade;
#      proxy_set_header Connection $connection_upgrade;
#      proxy_read_timeout 20d;
#  }
}
1 Like

Because you have some names on multiple certs, I would delete the certs via explicitly using their cert names:

replacing:

with:
sudo certbot delete --cert-name whatbank.ca-0001
sudo certbot delete --cert-name whatbank.ca

2 Likes

Would the revised file, /etc/nginx/sites-available/whatbank.ca, look like this?

server {
#    if ($host = www.whatbank.ca) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot


#    if ($host = whatbank.ca) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot


   listen 80;
   server_name whatbank.ca www.whatbank.ca;
   return 301 https://$server_name$request_uri;
}

server {
   listen 443 ssl;
   server_name whatbank.ca www.whatbank.ca;
#    ssl_certificate /etc/letsencrypt/live/whatbank.ca/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/whatbank.ca/privkey.pem; # managed by Certbot
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

#  location / {
#       proxy_pass https://infallible-hypatia-9e85e7.netlify.app;
#       proxy_redirect http://178.128.239.248:3838/ https://$host/;
#      proxy_http_version 1.1;
#      proxy_set_header Upgrade $http_upgrade;
#      proxy_set_header Connection $connection_upgrade;
#      proxy_read_timeout 20d;
#  }
}

It wouldn't look like anything.
The IP for those names don't point to your server.
They will never be used there.

2 Likes