Certbot ssl unable to cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: erptest.tjomtek.co.za

I ran this command: sudo certbot --nginx

It produced this output:
```
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: erptest.tjomtek.co.za
Type: connection
Detail: 129.151.169.37: Fetching http://erptest.tjomtek.co.za/.well-known/acme-challenge/bgi60tMmTqv3t_9kipxk55K-BlcUvyFh6WAuVhvR-Dw: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version):

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: Oracle free tier

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.30.0

Welcome to the community @salimm485

The error you show has changed a little. But, there is still a problem. It looks like your port 443 (https) is blocked by a firewall or perhaps faulty router settings.

Using the Let's Debug test site, it shows your http:// challenge request redirected to httpS:// and that request fails. See those results here.

There is another problem though. The --nginx plug-in should be configuring your nginx to respond to the first http:// challenge without redirecting to https://. It is very unusual to see that. You might try rebooting your server. Still, you need to have port 443 open for anyone to use https:// for any connection (not just this cert).

Let us know what happens. We have steps to take to resolve the nginx plug-in issue if that is not fixed by a reboot.

EDIT: Oh, I saw you got two certs already today and still had 3 valid certs from August. Plus the cert you got from cPanel. Is there a reason you need to create so many?


Hi MikeMcQ
thanks will do a reboot and report back.
So busy testing our ERP system with Oracle, and on the final leg we need to issue the SSL cert, so after some troubleshooting we run the command again to check if it works. So you will see a few, if not many, attempts ...


You should use the Let's Encrypt staging system if you are still testing.

You will soon run into Rate Limits and be blocked if you keep issuing more production certs


thanks MikeMcQ will do


Hi MikeMcQ
So after the reboot I ran the Let's Encrypt test and was still being blocked on port 80.
I then opened the firewalls on ports 80 and 443 on Oracle and rebooted. Still the same issue...

Maybe a fresh start will help, not sure where else to look ...

I see port 80 open but 443 closed. Port 80 should be all we need open for --nginx plug-in to work. Port 443 will be needed for https to work once the cert installed.

Can you upload the /var/log/letsencrypt/letsencrypt.log file? You may need to copy it to a .txt file for upload.

Or, just copy/paste the entire (long) contents here. In that case please put 3 backticks before and after the output like:
```
pasted log data
```

I was not clear on one point earlier. Right now I see http requests being redirected to https. But, with nginx plug-in it will make temp changes to nginx config to avoid the redirect for the ACME challenge. The log will help explain why this is not working.

Port test result:

```
nmap -p22,80,443 erptest.tjomtek.co.za
Nmap scan report for erptest.tjomtek.co.za (129.151.169.37)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https
```
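The two checks in the reply above (is the port reachable, and is the plain-HTTP challenge request answered by nginx or bounced to https:// first) can be scripted so they are re-run after every firewall change. The script below is an added example written for this thread; it is not Certbot's code and not something the poster ran. It assumes curl and nc are installed, defaults to the domain from the thread, and uses a made-up token name (`preflight-check`) for the challenge path; outside a live challenge nginx is expected to answer that with a 404, which is fine. Note that Let's Encrypt does follow redirects during HTTP-01 validation, so a redirect to https:// is only fatal when 443 is blocked, which is exactly the combination seen in the nmap output.

```shell
#!/bin/sh
# Added example for this thread (not Certbot's or the poster's code): pre-flight
# checks for an HTTP-01 challenge served by the nginx plugin.
#   1. TCP reachability of 80 and 443 (the thread's nmap showed 443 filtered).
#   2. Whether a plain-HTTP GET of /.well-known/acme-challenge/<token> is answered
#      by nginx directly or redirected to https:// before the CA can read it.
# Assumptions: curl and nc are installed; domain defaults to the one in the thread.

DEFAULT_DOMAIN="erptest.tjomtek.co.za"

# classify_headers RAW_HEADERS
#   -> served | redirect-to-https | redirect:<url> | no-response | other:<code>
# Works on the first response only (curl is run without -L below).
classify_headers() {
    clean=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$clean" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$clean" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        '')   echo no-response ;;
        200)  echo served ;;
        301|302|303|307|308)
            case "$location" in
                https://*) echo redirect-to-https ;;
                *)         echo "redirect:$location" ;;
            esac ;;
        *)    echo "other:$status" ;;
    esac
}

# probe_port HOST PORT -> open | unreachable
# nc cannot tell "closed" (RST) from "filtered" (silently dropped); use nmap,
# as in the thread, when that distinction matters.
probe_port() {
    if nc -z -w 5 "$1" "$2" 2>/dev/null; then echo open; else echo unreachable; fi
}

# probe_challenge DOMAIN [TOKEN] -> classification of the first HTTP response.
# No -L: the first hop is what matters, because the nginx plugin is supposed to
# serve the token there without redirecting. A 404 for a made-up token is the
# normal answer when no challenge is in flight.
probe_challenge() {
    token="${2:-preflight-check}"   # hypothetical token, not a real ACME challenge
    hdrs=$(curl -sS -o /dev/null -D - --max-time 10 \
        "http://$1/.well-known/acme-challenge/$token" 2>/dev/null || true)
    classify_headers "$hdrs"
}

# verdict PORT80 PORT443 CHALLENGE -> one-line diagnosis, mirroring the thread.
verdict() {
    case "$1:$2:$3" in
        unreachable:*:*)                 echo "FAIL: port 80 unreachable; HTTP-01 cannot start" ;;
        *:*:no-response)                 echo "FAIL: port 80 open but nothing answered the challenge request" ;;
        *:unreachable:redirect-to-https) echo "FAIL: challenge redirected to https but 443 is blocked (the thread's case)" ;;
        *:unreachable:*)                 echo "WARN: challenge reachable over http, but 443 must be opened before the site works" ;;
        *:*:redirect-to-https)           echo "WARN: redirected to https before the plugin's location block; works only while 443 is open" ;;
        *)                               echo "OK: challenge path answered over plain http ($3)" ;;
    esac
}

run_checks() {
    domain="${1:-$DEFAULT_DOMAIN}"
    p80=$(probe_port "$domain" 80)
    p443=$(probe_port "$domain" 443)
    chal=$(probe_challenge "$domain")
    printf '%s: 80=%s 443=%s challenge=%s\n' "$domain" "$p80" "$p443" "$chal"
    verdict "$p80" "$p443" "$chal"
}

# Only touch the network when invoked as: sh acme_preflight.sh check [domain]
if [ "${1:-}" = "check" ]; then
    run_checks "${2:-}"
fi
```

Run it as `sh acme_preflight.sh check erptest.tjomtek.co.za` from a machine outside the hosting network, since a check from the server itself will not see the cloud security list. While the firewall is still being sorted out, re-run Certbot as `sudo certbot --nginx --dry-run` rather than for real: `--dry-run` talks to the staging environment, so the repeated attempts mentioned earlier in the thread do not count against production rate limits.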

Thanks MikeMcQ , will upload file shortly


letsencryptlog.txt (2.7 KB)

@MikeMcQ let me know if the file is okay , thanks for all your help, appreciated


Sorry but that is not a log that shows the error. It just shows a renew attempt which did not do anything because the cert was not yet due. Can you look in that log folder for an older log that shows the error? You should have older logs with names ending in .1, .2 and so on. Or, reproduce the error again for a new log?

```
2022-09-26 17:37:03,309:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-09-26 17:37:03,310:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
```

letslogfilev2.txt (12.1 KB)
@MikeMcQ, according to the log file, it shows that the cert was applied successfully, yet when I try to access it from a browser I get "This site can't be reached".
Is there another file that needs to get the encryption key, that I need to manually populate maybe?

Your port 443 is not open to the public internet. That must be open to allow HTTPS connection. I can reach your site fine with HTTP (no S). But, it redirects me to HTTPS which fails.

The nginx config in the log looks good. Once you open port 443 it should work fine. I don't know how you do that on your system. Sometimes it is a firewall in your server and sometimes it is your network config in your hosting service.

EDIT:
I only saw ports 22 and 80 open. You should look where you opened those and also open 443

```
nmap erptest.tjomtek.co.za
Nmap scan report for erptest.tjomtek.co.za (129.151.169.37)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

Okay @MikeMcQ, will troubleshoot and open that port, thank you for all your assistance, really appreciated.


http Check website performance and response: Check host - online website monitoring
https Check website performance and response: Check host - online website monitoring

