My domain is: BRUISEDSKY.COM
I ran this command: sudo certbot renew --dry-run
It produced this output:
`Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/bruisedsky.com.conf
Simulating renewal of an existing certificate for bruisedsky.com and 6 more domains
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: bruisedsky.com
Type: unauthorized
Detail: During secondary validation: 2606:4700:3030::6815:1001: Invalid response from http://bruisedsky.com/.well-known/acme-challenge/RLpsgq5R5KPKPEazGTIrkvQsNKDCPuc-mzopCgVjhEU: 403
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Failed to renew certificate bruisedsky.com with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/bruisedsky.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.`
My web server is (include version): nginx version: nginx/1.22.1
The operating system my web server runs on is (include version): Debian 12.8
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): certbot 3.1.0
The 403 had me curious and I verified my http server's configuration is correct. Did some more digging, and it appears that Cloudflare's security is blocking Let's Encrypt's access to my site. Is there a way around this without disabling Cloudflare's protection? I prefer HTTP-01 validation as it's more simple and straightforward than the DNS challenge.