Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
johchat.online

I ran this command:
certbot certonly --nginx -d johchat.online -n --agree-tos --email darkjake007@gmail.com

It produced this output:


fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["certbot", "certonly", "--nginx", "-d", "johchat.online", "-n", "--agree-tos", "--email", "darkjake007@gmail.com"], "delta": "0:00:07.774077", "end": "2024-02-09 05:02:37.707289", "msg": "non-zero return code", "rc": 1, "start": "2024-02-09 05:02:29.933212", "stderr": "Saving debug log to /var/log/letsencrypt/letsencrypt.log\nSome challenges have failed.\nAsk for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.", "stderr_lines": ["Saving debug log to /var/log/letsencrypt/letsencrypt.log", "Some challenges have failed.", "Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details."], "stdout": "Requesting a certificate for johchat.online\n\nCertbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:\n  Domain: johchat.online\n  Type:   connection\n  Detail: 2407:e400:9016:4a01:223:18ff:fed8:f540: Fetching http://johchat.online/.well-known/acme-challenge/rPC7321nHSzKwdx__vjnZ2SfnoUEemfHZ6JWA8QBgJw: Connection refused\n\nHint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.", "stdout_lines": ["Requesting a certificate for johchat.online", "", "Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:", "  Domain: johchat.online", "  Type:   connection", "  Detail: 2407:e400:9016:4a01:223:18ff:fed8:f540: Fetching http://johchat.online/.well-known/acme-challenge/rPC7321nHSzKwdx__vjnZ2SfnoUEemfHZ6JWA8QBgJw: Connection refused", "", "Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet."]}

My web server is (include version):
Ubuntu Server 23.10

The operating system my web server runs on is (include version):
Ubuntu Server 23.10

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

I have ensured the server is in the DMZ while running this, prior to port forwarding; I have also done port forwarding just in case. The domain is certainly pointing to the right place, and I have no idea why this is erroring out. I have also switched off ufw temporarily, with no luck. I am not running an external firewall either just yet (I need to hook it up; another task for later).

Are you able to reach your domain using HTTP from the public Internet? Because that error says Let's Encrypt could not. And the Let's Debug test site cannot reach your domain either. Both IPv4 and IPv6 fail.

If you can reach it from the public Internet from your region, could you have some sort of geographically based firewall in effect?

2 Likes

Sorry, I am pretty new to nginx in general; I haven't really ever self-hosted via Linux before.
Since I am able to ping it, I would assume yes? Like, the domain is pointing to the correct IP and all, and 127.0.0.1 in nginx is working fine.

Connecting from the public Internet is different from you making a local connection to your own server. You could try a mobile phone with Wi-Fi disabled so you are using the carrier network. If you try that, are you able to connect to your domain name? I am pretty sure you won't be able to.

You should make sure your router is allowing these ports and forwarding them or using NAT correctly. You may also have to make sure that your ISP allows these as inbound requests to you. Some residential ISPs block them. Still, it would be a little unusual for them to block the IPv6 connection.

The Let's Debug website is very helpful for testing connections for new systems. You should use that rather than making cert requests, because too many failing cert requests will end up getting you temporarily blocked.

2 Likes
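The two replies above make the same point from two sides: the CA's validator must reach port 80 on every address the name resolves to, and repeated live requests to find that out burn rate limits. The script below is an added example (not Certbot's or Let's Encrypt's own code) that does the local half of that diagnosis: it parses the failure report Certbot prints (the sample text is the stdout from the original post) into the validating address, the challenge URL and the reason, and, when given a domain on the command line, resolves its A and AAAA records and probes port 80 on each address, classifying the outcome the way the CA's error text does. The domain argument and the `preflight` function name are assumptions for the example.

```python
"""Parse a Certbot HTTP-01 failure report and probe port 80 locally.

Added example, not part of Certbot or Let's Encrypt. A local probe can succeed
where the public Internet cannot (LAN routing, NAT hairpinning), so a failure
here is conclusive while a pass is not; Let's Debug or a phone on the carrier
network remains the external check.
"""
import re
import socket
import sys

# Certbot's "Detail:" line for a connection failure has the shape
# "<address the CA resolved>: Fetching <challenge URL>: <reason>".
DETAIL_RE = re.compile(r"^(?P<ip>\S+): Fetching (?P<url>\S+): (?P<reason>.+)$")

# Sample input: the stdout text of the failed run quoted in the original post.
SAMPLE_STDOUT = """Requesting a certificate for johchat.online

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: johchat.online
  Type:   connection
  Detail: 2407:e400:9016:4a01:223:18ff:fed8:f540: Fetching http://johchat.online/.well-known/acme-challenge/rPC7321nHSzKwdx__vjnZ2SfnoUEemfHZ6JWA8QBgJw: Connection refused

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet."""


def parse_certbot_failures(stdout):
    """Return one dict per failed domain with domain, type, ip, url and reason."""
    failures = []
    current = None
    for line in stdout.splitlines():
        stripped = line.strip()
        if stripped.startswith("Domain:"):
            current = {"domain": stripped.split(":", 1)[1].strip()}
            failures.append(current)
        elif current is not None and stripped.startswith("Type:"):
            current["type"] = stripped.split(":", 1)[1].strip()
        elif current is not None and stripped.startswith("Detail:"):
            detail = stripped.split(":", 1)[1].strip()
            m = DETAIL_RE.match(detail)
            if m:
                current.update(m.groupdict())   # ip, url, reason
            else:
                current["reason"] = detail      # non-connection failures (e.g. DNS)
    return failures


def resolve(domain):
    """Every A/AAAA address the name resolves to, as (family, address) pairs.
    The CA may validate over any of them; an IPv6 address in the report means
    the name has an AAAA record and that address must also answer on :80."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        if (label, sockaddr[0]) not in seen:
            seen.append((label, sockaddr[0]))
    return seen


def tcp_check(address, port=80, timeout=5.0):
    """Classify a TCP connect attempt the way the CA's error text does."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return "open"
    except ConnectionRefusedError:
        return "Connection refused"   # host reached, but nothing listening on the port
    except socket.timeout:
        return "Timeout"              # packets dropped: router NAT, ISP or firewall
    except OSError as e:
        return f"{type(e).__name__}: {e}"


def preflight(domain):
    """Map each (family, address) of the domain to its port-80 probe result."""
    return {(family, addr): tcp_check(addr) for family, addr in resolve(domain)}


if __name__ == "__main__":
    for f in parse_certbot_failures(SAMPLE_STDOUT):
        print(f"{f['domain']}: CA tried {f.get('ip')} -> {f.get('reason')}")
    if len(sys.argv) > 1:   # e.g. python3 preflight.py johchat.online
        for (family, addr), status in preflight(sys.argv[1]).items():
            print(f"{family} {addr}:80 -> {status}")
```

Run it with the domain as the argument before touching Certbot again; once every address reports `open` locally and Let's Debug agrees from outside, rehearse with `certbot --dry-run`, which validates against the staging environment instead of consuming production failed-validation allowance.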