Challenge failed for domain

sjelfs · June 19, 2023, 7:25am

My domain is: bestfostering.com; www.bestfostering.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Processing /etc/letsencrypt/renewal/bestfostering.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bestfostering.com
http-01 challenge for www.bestfostering.com
Waiting for verification...
Challenge failed for domain bestfostering.com
Challenge failed for domain www.bestfostering.com
http-01 challenge for bestfostering.com
http-01 challenge for www.bestfostering.com
Cleaning up challenges
Attempting to renew cert (bestfostering.com) from /etc/letsencrypt/renewal/bestfostering.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bestfostering.com/fullchain.pem (failure)

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Linux proxy 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

rg305 · June 19, 2023, 7:34am

Hi @sjelfs, and welcome to the LE community forum

There is not enough detail shown about why the test fails.
Please redo the test with added detail:
sudo certbot renew -v --dry-run
or if that's still unclear:
sudo certbot renew -vv --dry-run

Also, this could do with an update:

Latest is 2.6.0

We might also want to review this file for any abnormalities:
/etc/letsencrypt/renewal/bestfostering.com.conf

sjelfs · June 19, 2023, 7:42am

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bestfostering.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot.cli._Default object at 0x7fdb2be682e0> and installer <certbot.cli._Default object at 0x7fdb2be682e0>
Var dry_run=True (set by user).
Var server={'staging', 'dry_run'} (set by user).
Var dry_run=True (set by user).
Var server={'staging', 'dry_run'} (set by user).
Var account={'server'} (set by user).
Should renew, less than 30 days before certificate expiry 2023-06-18 14:00:06 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator nginx and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fdb2be6ccd0>
Prep: True
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fdb2be6ccd0>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fdb2be6ccd0> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fdb2be6ccd0>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/107432474', new_authzr_uri=None, terms_of_service=None), e499ae84e6b086b2caa90cef35dba58b, Meta(creation_dt=datetime.datetime(2023, 6, 19, 7, 12, 22, tzinfo=<UTC>), creation_host='proxy'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 826
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:06 GMT
Content-Type: application/json
Content-Length: 826
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Tb-iQF1xG3A": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:06 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: riQvc_enJXYGSg8fIJ4rH8gvNOHrZ_v8khZglUYkZsFDOXC0uX0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: riQvc_enJXYGSg8fIJ4rH8gvNOHrZ_v8khZglUYkZsFDOXC0uX0
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "bestfostering.com"\n    },\n    {\n      "type": "dns",\n      "value": "www.bestfostering.com"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAicmlRdmNfZW5KWFlHU2c4ZklKNHJIOGd2Tk9IclpfdjhraFpnbFVZa1pzRkRPWEMwdVgwIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "ki5R_kL16-3rvEAjriwkfGkiQgVBtOhk_zwqGTk5nC4k302mYbVFTkg2LOffcWMC9R8a2IhLBjAWLOt2DePuMbhHXpqbUtoQvNg52-IJAlt5HoeUwyWMnhTEsBKVAngUB1gDueDq_Z03nBggodoZOMKF8RADN2ECLQl9irxPrDiRl0y8yaJ49ItcSxtSrSMImZcvqeSw1tlpXf680FB6LMRXZ6CGThHnd-ivPqSPy6km96-iDjugUvNfvXQimXGu1zwXADdPvINKCC8KLB48fz1c_YiwyzOMbU_qPRUFIkH_bX4ewbtXnBz4oxCh3Cc1ArX_vfLzuP7603nAiOD1iw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImJlc3Rmb3N0ZXJpbmcuY29tIgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5iZXN0Zm9zdGVyaW5nLmNvbSIKICAgIH0KICBdCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 504
Received response:
HTTP 201
Server: nginx
Date: Mon, 19 Jun 2023 07:37:06 GMT
Content-Type: application/json
Content-Length: 504
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/107432474/9326397584
Replay-Nonce: FHK448youSQRf3o8vYbl293TL12SMo6UpBq7OzTk_lLb6zbAgxA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-06-26T07:37:06Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "bestfostering.com"
    },
    {
      "type": "dns",
      "value": "www.bestfostering.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565884",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565894"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/107432474/9326397584"
}
Storing nonce: FHK448youSQRf3o8vYbl293TL12SMo6UpBq7OzTk_lLb6zbAgxA
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565884:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAiRkhLNDQ4eW91U1FSZjNvOHZZYmwyOTNUTDEyU01vNlVwQnE3T3pUa19sTGI2emJBZ3hBIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzY5NTY1NjU4ODQifQ",
  "signature": "e0vTZG2CVQLNBbl_PGL3wvIIaRv5DB2t4mtcEifBXX0NqzmdaeSIzSsopW0o3wTUn3Nt8o_SCQ6whenH7JXj4ziTyzfySDrNqaHEo3VbpnOP49wnzT7W_oOI65NQmLLxuadGzdzGcRE4i9flHl6o1NujbEXXPYVLcRnQQ_cFM5E1Cp8PBHl1-Q-y1yNTIxgwTrBMmfA_3VyKIn20SPN1LUzPpaobQFEd7JxyrCdwnLFMCLl_wZ-fIuVKeJZixAq6Bk3XSepfmS53pyY8HiVelMtoIF-8lrbLrPK3T_RW88T57yyBQh4qzNOJ-mwiGsGbA-8vDOn7cp3N7hXvXbiTDg",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6956565884 HTTP/1.1" 200 819
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:06 GMT
Content-Type: application/json
Content-Length: 819
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: FHK448yoFbyTiCh_ApP1Vfow7DDvpCqMl0dacDjIbd67YikcsMU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bestfostering.com"
  },
  "status": "pending",
  "expires": "2023-06-26T07:37:06Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/FP1ARQ",
      "token": "CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/7UkLyg",
      "token": "CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/G5kNpA",
      "token": "CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0"
    }
  ]
}
Storing nonce: FHK448yoFbyTiCh_ApP1Vfow7DDvpCqMl0dacDjIbd67YikcsMU
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565894:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAiRkhLNDQ4eW9GYnlUaUNoX0FwUDFWZm93N0REdnBDcU1sMGRhY0RqSWJkNjdZaWtjc01VIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzY5NTY1NjU4OTQifQ",
  "signature": "Nekri1WPJfi-ebkdsWD9We4BIJ8wZDGpnR0kx6W2NfER2IKOrPwzeLXHyeqH1E8o8Q4y_miQ-UOc3Lr2D43xoUTSghPclS_lQpbKasUju195YgVPGMwPC8ZyFsdebzC-dpwPiHIqM7PO_mUmJYbiOhuWHxU0XbXvRsnRlBPrIoH-U5sPYGdl1Uzb7ohhdQmVDzbkDpS2a2_0MvO9pf8Ouo4Do5ChQuObYc-V3LlNoweOv1Hyro7K-5twXuIMfFmhqJ8j7_YqTeX7ptB6ocZru0F8UHu3ckJKIL5ZzsxFrmwIHkn30BBVF_NivWcsBycMpANIxuqWa2Zwt46JMXBO-w",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6956565894 HTTP/1.1" 200 823
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:07 GMT
Content-Type: application/json
Content-Length: 823
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: riQvc_en7ro6QCFnH1CSRmSoP-BA0dkpkBNilu10IKpQF4Wbfmc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.bestfostering.com"
  },
  "status": "pending",
  "expires": "2023-06-26T07:37:06Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/gD1nww",
      "token": "xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/3_yXfA",
      "token": "xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/AMUsNQ",
      "token": "xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs"
    }
  ]
}
Storing nonce: riQvc_en7ro6QCFnH1CSRmSoP-BA0dkpkBNilu10IKpQF4Wbfmc
Performing the following challenges:
http-01 challenge for bestfostering.com
http-01 challenge for www.bestfostering.com
Generated server block:
[]
Creating backup of /etc/nginx/nginx.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-stream.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
Creating backup of /etc/nginx/mime.types
Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
Creating backup of /etc/nginx/conf.d/bestfostering.conf
Creating backup of /etc/nginx/conf.d/trolltec.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-mail.conf
Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        client_max_body_size 20M;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Writing nginx conf tree to /etc/nginx/conf.d/bestfostering.conf:
server {
         server_name .bestfostering.com www.bestfostering.com;

#         set $upstream 192.168.1.75;
          proxy_headers_hash_max_size 512;
          proxy_headers_hash_bucket_size 128;
#          ssl on;
#    ssl_certificate /etc/letsencrypt/live/bestfostering.com-0001/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/bestfostering.com-0001/privkey.pem; # managed by Certbot

#         ssl_stapling on;
#         ssl_stapling_verify on;
#         ssl_prefer_server_ciphers On;
#         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#         ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#         ssl_dhparam /etc/nginx/sites-available/dhparams.pem;
     #    add_header Strict-Transport-Security "max-age=31536000";
#proxy_set_header X-Forwarded-Proto https;
#proxy_set_header X-Forwarded-Port 443;
#         access_log /var/log/nginx/fostering.log combined;

         location /.well-known {
                     alias /var/www/bestfostering.com/.well-known;
         }
#         location /codebase {
#                    proxy_pass http://192.168.1.17;
#                    }
         location /ords {
                     proxy_set_header Origin "";
                     proxy_pass http://10.0.0.122;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     }
         location ~ /(apx|assets)  {
                     proxy_set_header Origin "";
                     proxy_set_header X-Forwarded-Proto https;
                     proxy_set_header X-Forwarded-Port 443;
                     proxy_pass http://10.0.0.151;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     proxy_connect_timeout 600;
                     }
         location /wsapp/  {
                           proxy_pass http://10.0.0.38:8010;
                           proxy_http_version 1.1;
                           proxy_set_header Upgrade $http_upgrade;
                           proxy_set_header Connection "Upgrade";
                           proxy_set_header Host $host;
                          }
         location /i  {
                     proxy_set_header Origin "";
                     proxy_pass http://10.0.0.151;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Proto https;
                     proxy_set_header X-Forwarded-Port 443;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     }

         location  /Web {
                     proxy_set_header Origin "";
                     proxy_pass http://10.0.0.123;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     }

         location / {
                     # proxy_pass_header Authorization;
                      proxy_pass http://10.0.0.151;
                      proxy_set_header X-Real-IP $remote_addr;
                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                      proxy_http_version 1.1;
                      proxy_set_header X-Forwarded-Host $host; #new
                      proxy_set_header X-Forwarded-Server $host; #new
                      proxy_set_header X-Forwarded-Proto $scheme; #new
                      proxy_set_header Host $host; #new
                     # proxy_set_header Connection "";
                     # proxy_buffering off;
                     # client_max_body_size 0;
                     # proxy_read_timeout 36000s;
                     # proxy_redirect off;
                    }



    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bestfostering.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bestfostering.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    if ($host = www.bestfostering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = bestfostering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


         listen 80;
         server_name .bestfostering.com www.bestfostering.com;
   # return 404; # managed by Certbot
     return 301 https://$host$request_uri;



location = /.well-known/acme-challenge/CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0{default_type text/plain;return 200 CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0.VrHUH9PdfxrIbuwDW8oiOvIzFZlTmgyP7yGR_R25lfQ;} # managed by Certbot

location = /.well-known/acme-challenge/xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs{default_type text/plain;return 200 xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs.VrHUH9PdfxrIbuwDW8oiOvIzFZlTmgyP7yGR_R25lfQ;} # managed by Certbot

}

Waiting for verification...
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/FP1ARQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAicmlRdmNfZW43cm82UUNGbkgxQ1NSbVNvUC1CQTBka3BrQk5pbHUxMElLcFFGNFdiZm1jIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzY5NTY1NjU4ODQvRlAxQVJRIn0",
  "signature": "pb-liWXOlpVJB7oh8umcBnOwq-QnVE0Spp0r9HHDs7i6qvJx8ZsTX9m5GhhhM_JwJjXs3ztPw4bJ575qWLioeOvzwK-zDlNwoeX33JvZTMJqbD1nX4YUREZsIwwtky1ye6HW6q6Or2WDEePlA4Nu9WmIQ1aaVIrIfD74dHrXmRwsbSSbLsQyT-kQKDPG7uGw6EUefQxUA5flB5UzNd_bnXO4s1jEvSdmf1Kjo1QvON4zhQRO_ruSbQf8vMgXsphgsgNAt5p5Kdo3UPHS87aI5bEq4i7_dNclJbDlUd-3CHfQheBb2oBHxHV77mCAXdOzUIZ4d546wLubhg5-KPmZBA",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6956565884/FP1ARQ HTTP/1.1" 200 193
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:08 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565884>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/FP1ARQ
Replay-Nonce: FHK448yo8SC7z4z-aA8fLpSg9a8ynw1wIwKtU8YxZcMFrGs3EhA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/FP1ARQ",
  "token": "CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0"
}
Storing nonce: FHK448yo8SC7z4z-aA8fLpSg9a8ynw1wIwKtU8YxZcMFrGs3EhA
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/gD1nww:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAiRkhLNDQ4eW84U0M3ejR6LWFBOGZMcFNnOWE4eW53MXdJd0t0VThZeFpjTUZyR3MzRWhBIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzY5NTY1NjU4OTQvZ0Qxbnd3In0",
  "signature": "T-crTGW8CXIr2hlEvFg4zLzz1umufQzMuQJZjN0IIi3HNA-ESEg_ty5Jjd6Z2HPekiwsj3oTfsxZqb1vwK9D33XUofuAksYd9y8wee7QWBsWFKZ4cANcenvKlzeJmScLkeBzPp2UxGKtRY9UXrd5nFdQIv36NUfz7W7-tzRIk0wn7kqKNQRyL9jDnoT_UHfsgP5LKNu6oV6eCPezxQ7Bmb7BhVwtm8VOuY8jV047EGPH10LWAwGh2XGGWNVFc6raoXEXN7MIUqroHlB99wewbimYg3W63h-jTGuD9oBpEwjA3kHofauFJJywnFotBtRJk7hZ_gQ-7cFzfYo4r3wAtA",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/6956565894/gD1nww HTTP/1.1" 200 193
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:08 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565894>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/gD1nww
Replay-Nonce: riQvc_enYFaRLk4wlUbCLOCXUtMRpNV4o436YTKfs2f3tXe-hsQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/gD1nww",
  "token": "xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs"
}
Storing nonce: riQvc_enYFaRLk4wlUbCLOCXUtMRpNV4o436YTKfs2f3tXe-hsQ
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565884:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAicmlRdmNfZW5ZRmFSTGs0d2xVYkNMT0NYVXRNUnBOVjRvNDM2WVRLZnMyZjN0WGUtaHNRIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzY5NTY1NjU4ODQifQ",
  "signature": "D7S2UbljAByLX2kzQ-T5wTAhWVY7IBnlY5tbT_SoTZIIf__6ZcJ3ftsTDjwKmIp8N2lye0CE2Iz7y4ck1zFjExdrRgfnrKx62TzDZ6X3sVHPJeJA4N1VkWdufg-66Q_HJY5L3Axn1Be2Zo-YkksJwUIePWgTLeQdQq-RPcKes_Nz9OESTYzEBvYB0NtI1wToygQPpF07IvOwNCDTTlCPdvyq1RdDMusWEir_T-IYt04k3tgyhf5eaP-h-yQp6SWD86TIBEWW_TlYowPGsl6tv4ZhHJ5fxK-0MJNoW-7fAyoppYhtZ8mpD6WBKsr_LGKfK3Ono9u4eHMVKmeBw0Ds2Q",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6956565884 HTTP/1.1" 200 1033
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:09 GMT
Content-Type: application/json
Content-Length: 1033
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: riQvc_enGdU4PDb61okygZeVAMDhKzmvyKplPv-hiehiFnQ6dng
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bestfostering.com"
  },
  "status": "invalid",
  "expires": "2023-06-26T07:37:06Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "92.27.83.0: Invalid response from http://bestfostering.com/.well-known/acme-challenge/CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565884/FP1ARQ",
      "token": "CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0",
      "validationRecord": [
        {
          "url": "http://bestfostering.com/.well-known/acme-challenge/CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0",
          "hostname": "bestfostering.com",
          "port": "80",
          "addressesResolved": [
            "92.27.83.0"
          ],
          "addressUsed": "92.27.83.0"
        }
      ],
      "validated": "2023-06-19T07:37:08Z"
    }
  ]
}
Storing nonce: riQvc_enGdU4PDb61okygZeVAMDhKzmvyKplPv-hiehiFnQ6dng
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/6956565894:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDc0MzI0NzQiLCAibm9uY2UiOiAicmlRdmNfZW5HZFU0UERiNjFva3lnWmVWQU1EaEt6bXZ5S3BsUHYtaGllaGlGblE2ZG5nIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzY5NTY1NjU4OTQifQ",
  "signature": "BdpDWK9SwhDFxsBKu9krWYeOARcDTyQ60bghZjfa6wlPtmp66PhYNU1K6w_Kd2Hc-wgquOK15eSQUAqIneSYRURmtLIGOoYrh65OtVI7G1zdsu_EToRWwwqzov7a5ctPdrWYnr54_JwfjY_6ajDLXvH9ncNDM2W_u2tbzhxTuIL1gJZ0NSjMDphq3Q93XSLcWZZlJI1BofRXwLyGlBvfA2tB38e0zM6NX71h3rTMYqUh8aTV3-AvbmbJ51tA2B2T4V8-WjP2Mc_ezIt4scV_Qna9gttuFC-cCjkKSotdg-gIa5UjUOkcVKOTxNSaKDOi_yJl4k3h3h2sUne9sc4wZw",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/6956565894 HTTP/1.1" 200 1049
Received response:
HTTP 200
Server: nginx
Date: Mon, 19 Jun 2023 07:37:09 GMT
Content-Type: application/json
Content-Length: 1049
Connection: keep-alive
Boulder-Requester: 107432474
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: riQvc_en3SAyzl9i8HQ-psYCi_9ONFFcWB772Rehextgrfwk69c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.bestfostering.com"
  },
  "status": "invalid",
  "expires": "2023-06-26T07:37:06Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "92.27.83.0: Invalid response from http://www.bestfostering.com/.well-known/acme-challenge/xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6956565894/gD1nww",
      "token": "xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs",
      "validationRecord": [
        {
          "url": "http://www.bestfostering.com/.well-known/acme-challenge/xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs",
          "hostname": "www.bestfostering.com",
          "port": "80",
          "addressesResolved": [
            "92.27.83.0"
          ],
          "addressUsed": "92.27.83.0"
        }
      ],
      "validated": "2023-06-19T07:37:08Z"
    }
  ]
}
Storing nonce: riQvc_en3SAyzl9i8HQ-psYCi_9ONFFcWB772Rehextgrfwk69c
Challenge failed for domain bestfostering.com
Challenge failed for domain www.bestfostering.com
http-01 challenge for bestfostering.com
http-01 challenge for www.bestfostering.com
Reporting to user: The following errors were reported by the server:

Domain: bestfostering.com
Type:   unauthorized
Detail: 92.27.83.0: Invalid response from http://bestfostering.com/.well-known/acme-challenge/CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0: 404

Domain: www.bestfostering.com
Type:   unauthorized
Detail: 92.27.83.0: Invalid response from http://www.bestfostering.com/.well-known/acme-challenge/xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Attempting to renew cert (bestfostering.com) from /etc/letsencrypt/renewal/bestfostering.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/bestfostering.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/bestfostering.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1287, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 486, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bestfostering.com
   Type:   unauthorized
   Detail: 92.27.83.0: Invalid response from
   http://bestfostering.com/.well-known/acme-challenge/CNLVHVePD2vnFfvkg0yVKQJlHU9NFIsmnHfOpgzApY0:
   404

   Domain: www.bestfostering.com
   Type:   unauthorized
   Detail: 92.27.83.0: Invalid response from
   http://www.bestfostering.com/.well-known/acme-challenge/xcxx3sx3eMW3UmYJJIXTdq1-w1HZlBrYkSgkmm5DtBs:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

AND:

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/bestfostering.com
cert = /etc/letsencrypt/live/bestfostering.com/cert.pem
privkey = /etc/letsencrypt/live/bestfostering.com/privkey.pem
chain = /etc/letsencrypt/live/bestfostering.com/chain.pem
fullchain = /etc/letsencrypt/live/bestfostering.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 1b67cb1e7ddee2e20f3f5d9ce5847a3e
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

rg305 · June 19, 2023, 7:49am

I think this may be conflicting with certbot code logic:

         location /.well-known {
                     alias /var/www/bestfostering.com/.well-known;
         }

Please create a test txt file at:
/var/www/bestfostering.com/.well-known/acme-challenge/test-file

rg305 · June 19, 2023, 7:51am

This also seems incorrect:

I'd use:
server_name bestfostering.com www.bestfostering.com;

sjelfs · June 19, 2023, 8:07am

I've upgraded certbot to 2.6.0, removed the . in front of bestfostering.com and commented out the .well_known line.

Got this:
touch: cannot touch '/var/www/bestfostering.com/.well-known/acme-challenge/test-file': No such file or directory

And tried the dry run again - same result.

rg305 · June 19, 2023, 8:34am

First:
mkdir /var/www/bestfostering.com/.well-known/acme-challenge/

sjelfs · June 19, 2023, 8:39am

test-file created.

rg305 · June 19, 2023, 8:44am

Is it empty?
I get 404:

curl -Ii bestfostering.com/.well-known/acme-challenge/test-file
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 19 Jun 2023 08:44:06 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Language: en

sjelfs · June 19, 2023, 8:52am

It was - but isn't now - but I think you'll still get a 404

rg305 · June 19, 2023, 8:55am

Yes, still 404.
You need to "fix" that problem before you continue with certbot.

rg305 · June 19, 2023, 9:05am

We should review the entire nginx config.
nginx -T

sjelfs · June 19, 2023, 9:07am

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        client_max_body_size 20M;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/bestfostering.conf:
server {
         server_name bestfostering.com www.bestfostering.com;

#         set $upstream 192.168.1.75;
          proxy_headers_hash_max_size 512;
          proxy_headers_hash_bucket_size 128;
#          ssl on;
#    ssl_certificate /etc/letsencrypt/live/bestfostering.com-0001/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/bestfostering.com-0001/privkey.pem; # managed by Certbot

#         ssl_stapling on;
#         ssl_stapling_verify on;
#         ssl_prefer_server_ciphers On;
#         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#         ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#         ssl_dhparam /etc/nginx/sites-available/dhparams.pem;
     #    add_header Strict-Transport-Security "max-age=31536000";
#proxy_set_header X-Forwarded-Proto https;
#proxy_set_header X-Forwarded-Port 443;
#         access_log /var/log/nginx/fostering.log combined;

#         location /.well-known {
#                     alias /var/www/bestfostering.com/.well-known;
#         }
#         location /codebase {
#                    proxy_pass http://192.168.1.17;
#                    }
         location /ords {
                     proxy_set_header Origin "";
                     proxy_pass http://10.0.0.122;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     }
         location ~ /(apx|assets)  {
                     proxy_set_header Origin "";
                     proxy_set_header X-Forwarded-Proto https;
                     proxy_set_header X-Forwarded-Port 443;
                     proxy_pass http://10.0.0.151;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     proxy_connect_timeout 600;
                     }
         location /wsapp/  {
                           proxy_pass http://10.0.0.38:8010;
                           proxy_http_version 1.1;
                           proxy_set_header Upgrade $http_upgrade;
                           proxy_set_header Connection "Upgrade";
                           proxy_set_header Host $host;
                          }
         location /i  {
                     proxy_set_header Origin "";
                     proxy_pass http://10.0.0.151;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Proto https;
                     proxy_set_header X-Forwarded-Port 443;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     }

         location  /Web {
                     proxy_set_header Origin "";
                     proxy_pass http://10.0.0.123;
                     proxy_set_header X-Real_IP $remote_addr;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_http_version 1.1;
                     proxy_set_header X-Forwarded-Host $host;
                     proxy_set_header X-Forwarded-Server $host;
                     proxy_set_header X-Forwarded-Proto $scheme;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     proxy_set_header Host $http_host;
                     }

         location / {
                     # proxy_pass_header Authorization;
                      proxy_pass http://10.0.0.151;
                      proxy_set_header X-Real-IP $remote_addr;
                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                      proxy_http_version 1.1;
                      proxy_set_header X-Forwarded-Host $host; #new
                      proxy_set_header X-Forwarded-Server $host; #new
                      proxy_set_header X-Forwarded-Proto $scheme; #new
                      proxy_set_header Host $host; #new
                     # proxy_set_header Connection "";
                     # proxy_buffering off;
                     # client_max_body_size 0;
                     # proxy_read_timeout 36000s;
                     # proxy_redirect off;
                    }



    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bestfostering.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bestfostering.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

server {
    if ($host = www.bestfostering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = bestfostering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


         listen 80;
         server_name .bestfostering.com www.bestfostering.com;
   # return 404; # managed by Certbot
     return 301 https://$host$request_uri;



}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/conf.d/trolltec.conf:
server {
         listen 10.0.0.120:80;
         server_name trolltec.co.uk;
         set $upstream 10.0.0.151;

        location / {
                      add_header 'Access-Control-Allow-Origin' 'http://trolltec.co.uk';
                      add_header 'Access-Control-Allow-Credentials' 'true';
                      add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
                      add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
                      proxy_pass_header Authorization;
                      proxy_pass http://$upstream;
                      proxy_set_header Host $host;
                      proxy_set_header X-Real-IP $remote_addr;
                      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                      proxy_http_version 1.1;
                      proxy_set_header Connection "";
                      proxy_buffering off;
                      client_max_body_size 0;
                      proxy_read_timeout 36000s;
                      proxy_redirect off;

                     }
        }

rg305 · June 19, 2023, 9:43am

This section also has an extra "."

sjelfs:

server {
    if ($host = www.bestfostering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = bestfostering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

         listen 80;
         server_name .bestfostering.com www.bestfostering.com;
   # return 404; # managed by Certbot
     return 301 https://$host$request_uri;
}

You can actually reduce it all to just:

server {
     listen 80;
     server_name bestfostering.com www.bestfostering.com;
     return 301 https://$host$request_uri;
}

sjelfs · June 19, 2023, 9:50am

Of course, yes. Thanks - I've changed that now. Still looking to correct access to .well-known.

rg305 · June 19, 2023, 9:51am

That should correct it.
The fail was the unmatched name [me thinks].

rg305 · June 19, 2023, 9:55am

We should at least get the 301 redirection.
But I don't see that [yet].
Still just 404.

rg305 · June 19, 2023, 10:08am

Try doing this:

server {
     listen 80;
     server_name bestfostering.com www.bestfostering.com;
     location ^~ /.well-known/acme-challenge/ {
        root /some-unique-path/; #change to a real path [create one for this sole purpose]
     }
     return 301 https://$host$request_uri;
}

sjelfs · June 19, 2023, 10:34am

Ok, created sudo mkdir /var/www/certbot-test
Altered location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot-test;
}

Created test file:
adminuser@proxy:/etc/nginx/conf.d$ cat /var/www/certbot-test/test
Just a test file

Still got:
curl -Ii bestfostering.com/.well-known/acme-challenge/test
HTTP/1.1 404
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 19 Jun 2023 10:30:47 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Language: en

sjelfs · June 19, 2023, 10:48am

This is a reverse proxy which redirects traffic for bestfostering.com to a tomcat server. Now if I create the .well-known/acme-challenge on the tomcat server with a test file, I am able to access it. So, the issue seems to be that nginx isn't recognising that .well-known isn't to be redirected. Does that make sense/help?

Topic		Replies	Views
Cert Renewal Failure Help	4	312	March 12, 2024
Some challenges have failed when i run sudo certbot --nginx -d www.example.com Help	7	208	July 29, 2024
Certbot renew suddenly failing (Challenge failed for domain) Help	29	108	May 9, 2025
Certbot renew failed most of the time Help	15	572	November 23, 2023
Certbot --nginx renew fails - Challenge failed for domain Help	23	10222	January 5, 2022

Challenge failed for domain

Related topics