Hello, I have this problem with certbot. I have set up the same machine many times and every time the certbot setup worked flawlessly. In fact I'm following my own setup documentation that I have used many times. However, this time certbot surprises me with an odd error message, or no error message at all...
Please fill out the fields below so we can help you better.
My domain is: pool.swtrse.eu
I ran this command: certbot certonly --webroot --rsa-key-size 4096 -w /usr/share/nginx/html/ -d pool.swtrse.eu
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pool.swtrse.eu
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. pool.swtrse.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pool.swtrse.eu/.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: "<html lang="en" xml"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): nginx/1.12.1
The operating system my web server runs on is (include version): CentOS 7 (3.10.0-514.26.2.el7.x86_64 GNU/Linux)
My hosting provider, if applicable, is: nextlayer
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
I don’t think CAA would be related because there’s a quite specific error about a mismatch.
You could try running with --debug-challenges, which will pause after it thinks the challenge is ready to be satisfied. Then you can see if you can access the challenge file in a browser, whether it’s been created in apparently the right place, and if you can see any other reason why the CA would not be able to reach the challenge file in the expected location.
Press Enter to Continue
Cleaning up challenges
Unable to clean up challenge directory /usr/share/nginx/html/.well-known/acme-challenge
Failed authorization procedure. pool.swtrse.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pool.swtrse.eu/.well-known/acme-challenge/FA21PQgjMyrKvcT6oMmK5K3S2Fe45Nnm1l-eljX8LZg: "<html lang="en" xml"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
So, Certbot set up the challenge properly. But that <!DOCTYPE html PUBLIC response that the CA got from your system is not the 404 error from your nginx, which simply begins <html><head><title>404 Not Found</title></head>, so it must be something else!
Can you look in your nginx logs and see if you can see the CA attempting to download the file from you? (For the ones where you posted the link, you might also see me attempting to download it with a browser, or yourself attempting to download it with a browser, so hopefully you won’t get confused between these.) It looks like there’s either some nginx configuration or some firewall or other device that is returning a totally different error message in response to the CA’s attempts to download the challenge file, since it’s not just the nginx 404 page.
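The two checks suggested above (is the public challenge URL really serving the token file, and does the nginx access log show the CA's fetches?) as an added shell example; this is not code from the thread or from certbot. WEBROOT and DOMAIN are taken from the certbot command in the question, the access-log path and the validator User-Agent string in the constructed sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the helper's two suggestions by hand.
# 1) serve a throwaway token from the webroot and classify what the public URL returns;
# 2) pull the CA's fetch attempts out of the nginx access log.
# WEBROOT and DOMAIN come from the certbot command in the thread; the log path is assumed.
WEBROOT="/usr/share/nginx/html"
DOMAIN="pool.swtrse.eu"
ACCESS_LOG="/var/log/nginx/access.log"

# Label a response body fetched from the challenge URL. A real nginx 404 starts with the
# plain <html><head><title>404 Not Found page; the CA in the thread instead got a full
# HTML document (<html lang="en" ... / <!DOCTYPE html), i.e. something else answered.
classify_response() {
    body="$1"; expected="$2"
    if [ "$body" = "$expected" ]; then
        echo "token-served"; return
    fi
    case "$body" in
        "<html><head><title>404 Not Found</title>"*) echo "nginx-404" ;;
        "<!DOCTYPE html"*|"<html lang="*)          echo "other-html-page" ;;
        *)                                          echo "unexpected" ;;
    esac
}

# Count access-log lines (read from stdin) that request the acme-challenge path.
# Run as: count_challenge_requests < "$ACCESS_LOG"; source IP and User-Agent on the
# matching lines tell the CA's attempts apart from your own browser tests.
count_challenge_requests() {
    grep -cF '/.well-known/acme-challenge/'
}

# Constructed sample log lines (nginx combined format; the validator UA is assumed):
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [25/Aug/2017:10:15:02 +0000] "GET /.well-known/acme-challenge/TOKEN-placeholder HTTP/1.1" 200 43 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.4 - - [25/Aug/2017:10:15:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF
)

# Live check: write a token under the webroot, fetch it by the public name, classify, clean up.
# Not run automatically; call live_check on the server itself.
live_check() {
    token="probe-$$"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
    body=$(curl -sS "http://$DOMAIN/.well-known/acme-challenge/$token")
    classify_response "$body" "$token"
    rm -f "$dir/$token"
}
```

If live_check prints anything other than token-served, whatever answered the request (an nginx server block, a proxy, or a device in front of the host) is what the CA saw, and the matching log lines, or their absence, show whether the request reached nginx at all.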