Certbot --version fails with 'utf-8' codec can't decode byte 0x99 in position 0

Hello mates,
I installed certbot on my VPN server which runs on Ubuntu (20 LTS) with an Nginx web server. I made an API and now I just want to get an SSL certificate for the apibch.site domain name.
I already had an SSL certificate for this domain name, but I uninstalled / reinstalled certbot because I needed another certificate for another domain name, and I already had this error. Except that uninstalling certbot deleted my SSL certificates.

I run the command sudo certbot certonly --nginx -d apibch.site -v
And I keep getting the following error:
An unexpected error occurred:

UnicodeDecodeError: 'utf-8' codec can't decode byte 0x99 in position 0: invalid start byte

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-n2rlugps/log or re-run Certbot with -v for more details.

I'm not sure how it works, but from what I understand certbot uses the nginx configuration file from the website in question? In my case, the configuration file for this domain name is in /etc/nginx/sites-available.
Here are the contents of this file (basic configuration):

server {
    listen 80;
    server_name apibch.site;
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name apibch.site;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

I tried a bunch of solutions to fix this blocking error but nothing worked.

That's usually not the case; how did you uninstall Certbot?

Certbot reads all the nginx configurations, so the problematic character might be in any of the nginx configuration files.

Please check the Certbot log to see if you can find more information (but I think there might not be any).

You might identify the culprit by e.g. running:

grep -obUaPR "\x99" /etc/nginx/

Thank you for this proposal; I only have one configuration file, and the grep -obUaPR "\x99" /etc/nginx/ command returns nothing.


What does this show?

sudo nginx -t

Because you have a server block for ssl but no certificates defined. nginx normally fails to start in that case.

It doesn't directly explain the 0x99 error but it might explain why I get a "connection refused" error trying to reach your system.

To view your entire nginx config use a capital T

sudo nginx -T

And, you only have IPv4 in your DNS now but you should fix your listen statements in your two server blocks so they are the same. Either both just IPv4 or both also with IPv6


I had to remove these lines:

    ssl_certificate /etc/letsencrypt/archive/apibch.site/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/archive/apibch.site/privkey1.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

since the SSL files (fullchain1.pem and privkey1.pem) no longer exist (it deleted them when I uninstalled / reinstalled certbot)

Yes, I understand, but that left an invalid server block. You should comment out that entire block. Still ...


Unrelated to your current problem...
But why don't these seem to be equal?:

[one explicitly includes IPv6 and the other does not]


Excellent point :slight_smile:


TLDR; LOL


Here is what I did but I still get the same error :frowning:
1 - I removed all the special characters from my .env file (the idea is to put anything there before obtaining the SSL certificate, then put the correct values of these variables back).
2 - In sites-available I have only one configuration file (the one for apibch.site). MikeMcQ and rg305, thanks for your observation; I corrected the block:

server {
    listen 80;
    server_name apibch.site;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    listen [::]:443 ipv6only=on;
    server_name apibch.site;

     location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

3 - In sites-enabled I simply have a symbolic link that points to /etc/nginx/sites-available/apibch.site
4 - When I do an nginx -t I get no error:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


Can you upload the upload.txt file result from this command?

sudo nginx -T >upload.txt

It will be fairly large

And, what happens if you:

sudo systemctl stop nginx
sudo systemctl start nginx

Do you get any problems starting nginx after a stop?


Here's the file upload.txt:

# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/QuickTime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.html index.htm index.php;

    server_name _;

    location /phpmyadmin {
        alias /var/www/html/phpmyadmin;
        index index.php;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }
}

# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

# configuration file /etc/nginx/fastcgi.conf:

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/conf.d/phpmyadmin.conf:
server {
  listen 80;
  listen [::]:80;
  server_name *****myVPSipadress***;
  root /usr/share/phpmyadmin/;
  index index.php index.html index.htm index.nginx-debian.html;

  access_log /var/log/nginx/phpmyadmin_access.log;
  error_log /var/log/nginx/phpmyadmin_error.log;

  location / {
    try_files $uri $uri/ /index.php;
  }

  location ~ ^/(doc|sql|setup)/ {
    deny all;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
  }

  location ~ /\.ht {
    deny all;
  }
}

# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  REMOTE_USER        $remote_user;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# configuration file /etc/nginx/sites-enabled/apibch.site:
server {
    listen 80;
    server_name apibch.site;
    return 301 https://$host$request_uri;
}

server {
    listen 443;
    listen [::]:443 ipv6only=on;
    server_name apibch.site;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

That doesn't seem corrected.


You might try this with that output.txt file

perl -ne 'print "$. $_" if m/[\x00-\x08\x0E-\x1F\x80-\xFF]/' output.txt

I think the command Osiris showed should have worked and this may not be better. It almost looks like some wrong BOM (Byte Order Mark) as first byte of one of the files but for some reason nginx doesn't care. Note it has offset 0 in your error message.

If you can't locate the problem character we could just adjust your http server block for the --webroot method to avoid whatever is causing trouble with the --nginx plug-in. Let us know if you want advice.

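An added example, not from this thread and not certbot's or nginx's code: the grep one-liner earlier in the thread and the perl one-liner just above both look for bytes outside ASCII in a set of files. The script below does the same job with Python's own strict UTF-8 codec, the codec that produced the UnicodeDecodeError, so it flags exactly the bytes certbot would choke on, reports file, offset and byte value the way grep -ob does, and names a byte-order mark when the failing byte is at offset 0 (a UTF-16 or UTF-32 BOM is one kind of first byte that fails UTF-8 decoding at position 0). Which paths to scan is an assumption left to the command line; /etc/nginx and certbot's own configuration file /etc/letsencrypt/cli.ini are reasonable candidates, but the thread does not establish where the 0x99 byte lives. The two files written by demo() are constructed sample data.

```python
"""Find bytes that are not valid UTF-8 in configuration files.

Added example for this thread, not part of certbot or nginx. Usage:
    sudo python3 find_bad_bytes.py /etc/nginx /etc/letsencrypt/cli.ini
Prints file:offset:0xNN for every offending byte, like `grep -ob` would.
"""
import os
import sys
from typing import Iterator, List, Optional, Tuple

# Byte-order marks. The UTF-16/UTF-32 ones fail UTF-8 decoding at position 0;
# the UTF-8 BOM decodes fine (as U+FEFF) but is still worth reporting.
BOMS = [
    (b"\xff\xfe\x00\x00", "UTF-32 LE BOM"),
    (b"\x00\x00\xfe\xff", "UTF-32 BE BOM"),
    (b"\xff\xfe", "UTF-16 LE BOM"),
    (b"\xfe\xff", "UTF-16 BE BOM"),
    (b"\xef\xbb\xbf", "UTF-8 BOM (valid UTF-8, decodes as U+FEFF)"),
]


def leading_bom(data: bytes) -> Optional[str]:
    """Name the byte-order mark a file starts with, if any."""
    for sig, name in BOMS:
        if data.startswith(sig):
            return name
    return None


def find_invalid_utf8(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, byte) for every position where the strict UTF-8 codec
    fails, resuming after each bad byte so that all offenders are listed.
    This is the same codec and the same failure certbot reports."""
    hits: List[Tuple[int, int]] = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as exc:
            off = pos + exc.start       # exc.start is relative to the slice
            hits.append((off, data[off]))
            pos = off + 1
    return hits


def scan_paths(paths: List[str]) -> Iterator[Tuple[str, int, int]]:
    """Yield (path, offset, byte) for every file under the given files/directories."""
    for p in paths:
        if os.path.isdir(p):
            for root, _dirs, files in os.walk(p):
                for name in sorted(files):
                    yield from _scan_file(os.path.join(root, name))
        elif os.path.isfile(p):
            yield from _scan_file(p)


def _scan_file(path: str) -> Iterator[Tuple[str, int, int]]:
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as err:
        print(f"skipping {path}: {err}", file=sys.stderr)
        return
    for off, byte in find_invalid_utf8(data):
        yield (path, off, byte)


def demo() -> List[Tuple[str, int, int]]:
    """Constructed sample: a clean nginx.conf and a vhost file whose first byte
    is 0x99, mirroring 'position 0' in the error. Returns what scan_paths
    finds, with paths reduced to basenames."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "sites-enabled"))
        with open(os.path.join(d, "nginx.conf"), "wb") as fh:
            fh.write("# accents are fine when UTF-8 encoded: café\n".encode("utf-8"))
        with open(os.path.join(d, "sites-enabled", "apibch.site"), "wb") as fh:
            fh.write(b"\x99server {\n    listen 80;\n}\n")
        return [(os.path.basename(p), off, b) for p, off, b in scan_paths([d])]


if __name__ == "__main__":
    targets = sys.argv[1:] or ["/etc/nginx"]
    found = False
    for path, off, byte in scan_paths(targets):
        found = True
        print(f"{path}:{off}:0x{byte:02x}")
        if off == 0:
            with open(path, "rb") as fh:
                bom = leading_bom(fh.read(4))
            if bom:
                print(f"  first bytes look like a {bom}")
    if not found:
        print("no invalid UTF-8 bytes found in", ", ".join(targets))
```

Run it as root so unreadable files under /etc are not silently skipped; a file that is skipped is printed on stderr rather than counted as clean.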

Thanks MikeMcQ for your response. I tried your suggestion (I won't be able to sleep until the problem is solved); if I understand correctly, we use Perl to find non-printable and ASCII-like characters in the file upload.txt. It gives nothing.
I also corrected the server configuration:

server {
        listen 80;
        listen [::]:80 ipv6only=on;
        server_name apibch.site;
        return 301 https://$host$request_uri;
}

server {
        listen 443;
        listen [::]:443 ipv6only=on;
        server_name apibch.site;
        location / {
                proxy_pass http://localhost:3000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

I did not understand everything in your message (I am new to the back-end, sorry) but I will gladly accept your advice! :slight_smile:


Try replacing your entire port 80 server block with this:

server {
    listen 80;
    listen [::]:80;  
    server_name apibch.site;

    location /.well-known/acme-challenge/ {
        root /var/certbot;      # make this folder or some other folder
    }
    location / {
       return 301 https://$host$request_uri;
    }
}

Reload nginx and then this to test:

sudo certbot certonly --dry-run --webroot -w /var/certbot -d apibch.site

The -w folder in this command should match the root folder above.

If that works use this for a production cert

sudo certbot certonly --webroot -w /var/certbot -d apibch.site --deploy-hook 'systemctl reload nginx'

You then have to reconfigure the port 443 server block for the certs and ssl (don't forget to change the listen statements to include ssl). The --nginx plug-in would have done that but certonly --webroot means you just get a cert and no auto-configure of nginx.

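An added example that is not part of this thread or of certbot: the webroot method only works if the file certbot drops into /var/certbot/.well-known/acme-challenge/ is the file nginx serves for http://apibch.site/.well-known/acme-challenge/<token>. The script below, assuming the /var/certbot folder and the location block above, places a probe token there, checks that a worker running as www-data (the `user www-data;` line in the nginx.conf posted earlier) can traverse the directories and read the file, shows how nginx maps the URI under `root` versus `alias` (a classic cause of a 404 on the challenge path), and fetches the URL without following redirects, so a 301 to https from the `location /` block shows up as a failure instead of being hidden. The file names, the `webroot_preflight.py` name and demo()'s temporary directory standing in for /var/certbot are assumptions for the example.

```python
"""Pre-flight for `certbot certonly --webroot -w /var/certbot`.

Added example for this thread, not certbot's or nginx's own code.
Usage (as root, on the server, after `nginx -s reload`):
    python3 webroot_preflight.py /var/certbot apibch.site
"""
import os
import secrets
import stat
import sys
import urllib.error
import urllib.request
from typing import Dict, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


def fs_path(directive: str, value: str, location: str, uri: str) -> str:
    """Map a request URI to a file the way nginx does inside
    `location <location> { <directive> <value>; }`.
    root  -> value + the full URI
    alias -> value + the URI with the location prefix stripped (literal
             concatenation, so a missing trailing slash on the alias bites)"""
    if directive == "root":
        return os.path.normpath(value + uri)
    if directive == "alias":
        if not uri.startswith(location):
            raise ValueError(f"{uri} is not under location {location}")
        return os.path.normpath(value + uri[len(location):])
    raise ValueError("directive must be 'root' or 'alias'")


def place_probe(webroot: str) -> Tuple[str, str]:
    """Create the challenge directory (0755) and write a random token file
    (0644) into it. Returns (token, path)."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    for d in (webroot, os.path.dirname(chal_dir), chal_dir):
        os.chmod(d, 0o755)          # explicit, so a strict umask cannot interfere
    token = secrets.token_urlsafe(32)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    os.chmod(path, 0o644)
    return token, path


def world_readable(path: str, top: str) -> bool:
    """True if the file is o+r and every directory from it up to `top` is o+x,
    which is what a worker running as www-data needs for files created by root."""
    if not (os.stat(path).st_mode & stat.S_IROTH):
        return False
    d = os.path.dirname(os.path.abspath(path))
    top = os.path.abspath(top)
    while True:
        if not (os.stat(d).st_mode & stat.S_IXOTH):
            return False
        if d == top:
            return True
        parent = os.path.dirname(d)
        if parent == d:             # reached '/' without meeting `top`
            return True
        d = parent


def probe_url(host: str, token: str) -> str:
    return f"http://{host}{ACME_PREFIX}{token}"


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """HTTP GET that does not follow redirects: a 301 to https on the challenge
    path means the acme-challenge location is not the one answering."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def demo() -> Dict[str, object]:
    """Offline check using a temporary directory in place of /var/certbot."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "certbot")
        token, path = place_probe(webroot)
        with open(path, encoding="ascii") as fh:
            served = fh.read()
        return {
            "token_matches": served == token,
            "readable": world_readable(path, webroot),
            "root_path": fs_path("root", "/var/certbot", ACME_PREFIX, ACME_PREFIX + "abc"),
            "alias_path": fs_path("alias", "/var/certbot/", ACME_PREFIX, ACME_PREFIX + "abc"),
            "url": probe_url("apibch.site", token),
        }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: webroot_preflight.py <webroot> <hostname>")
    webroot, host = sys.argv[1], sys.argv[2]
    token, path = place_probe(webroot)
    readable = "readable by others" if world_readable(path, webroot) else "NOT readable by others"
    print(f"probe file: {path} ({readable})")
    url = probe_url(host, token)
    status, body = fetch(url)
    ok = status == 200 and body == token.encode("ascii")
    print(f"GET {url} -> {status}: {'token served, webroot is usable' if ok else 'unexpected response'}")
    os.remove(path)
```

If the GET returns 301 the request fell through to the `return 301` location; if it returns 404 with the probe file present, compare the path nginx would build (fs_path) with where the file actually is. Only run `certbot --dry-run` once the probe comes back with status 200 and the token as the body.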

I created the "certbot" folder in /var, then I changed my server block:

server {
    listen 80;
    listen [::]:80;
    server_name apibch.site;

    location /.well-known/acme-challenge/ {
        root /var/certbot;      # make this folder or some other folder
    }
    location / {
       return 301 https://$host$request_uri;
    }
}
server {
        listen 443;
        listen [::]:443 ipv6only=on;
        server_name apibch.site;
        location / {
                proxy_pass http://localhost:3000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
        }
}

then I ran the command (after a systemctl restart nginx): still the same error:

root@ubuntu-s-1vcpu-2gb-intel-fra1-01:/var# sudo certbot certonly --dry-run --webroot -w /var/certbot -d apibch.site
An unexpected error occurred:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x99 in position 0: invalid start byte

Huh. Well, the error isn't coming from nginx config then :slight_smile:

What does this do

sudo certbot --version

root@ubuntu-s-1vcpu-2gb-intel-fra1-01:/var# sudo certbot --version
An unexpected error occurred:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x99 in position 0: invalid start byte
:astonished:

What about

whereis certbot