Configuring NGINX to redirect www to apex

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crenergycoaching.org

I ran this command: sudo certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: crenergycoaching.org
2: www.crenergycoaching.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/crenergycoaching.org.conf)

It contains these names: crenergycoaching.org

You requested these names for the new certificate: crenergycoaching.org,
www.crenergycoaching.org.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for crenergycoaching.org and www.crenergycoaching.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Identifier: www.crenergycoaching.org
  Type:   connection
  Detail: 178.156.224.38: Fetching http://www.crenergycoaching.org/.well-known/acme-challenge/Kpul3scyH69ygjs2B6FslejLxj-sBGdX0qqmeDRZtYE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): NGINX 1.28.1

The operating system my web server runs on is (include version): Ubuntu 24.04.4

My hosting provider, if applicable, is: Hetzner Cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 5.3.1

I'm trying to configure NGINX to recognize requests for www.crenergycoaching.org and redirect them to https://crenergycoaching.org. It seems to be working when I test in various browsers (including in incognito mode) but when I test from remote locations (using for example https://geopeeker.com) I can't get www.crenergycoaching.org to work.

Figured this might be an SSL issue with the www.crenergycoaching.org name so I tried running Certbot to add a certificate for that domain (I already have one on the server for crenergycoaching.org). But Certbot keeps failing, as if there's a firewall blocking it. I triple checked my firewall and both port 80 and 443 are wide open.

I checked the letsencrypt log but I'm not seeing anything there, or maybe I'm just not reading it correctly. Why is Certbot failing to obtain a cert for www.crenergycoaching.org?

Here's the end of the log file:

2026-03-02 16:58:31,691:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2026-03-02 16:58:31,691:DEBUG:certbot._internal.error_handler:Calling registered functions
2026-03-02 16:58:31,691:INFO:certbot._internal.auth_handler:Cleaning up challenges
2026-03-02 16:58:32,784:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/5370/bin/certbot", line 7, in <module>
    sys.exit(main())
             ^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/main.py", line 1886, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/main.py", line 1446, in run
    new_lineage = _get_and_save_cert(le_client, config, sans,
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, sans, le_client, lineage)
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/renewal.py", line 565, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(sans, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/client.py", line 434, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/client.py", line 512, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/5370/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2026-03-02 16:58:32,786:ERROR:certbot._internal.log:Some challenges have failed.

FYI here's what I added to the NGINX config file before trying to obtain the cert. I simply added a new server block for www.crenergycoaching.org after the block that was inserted by Certbot when I originally got the cert for crenergycoaching.org:

server {
    if ($host = crenergycoaching.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name crenergycoaching.org;
    return 404; # managed by Certbot
}

server {
    server_name www.crenergycoaching.org;
    return 301 https://crenergycoaching.org$request_uri;
}

Thanks for any clues you can provide.

Edit: I did not see the post title.

www.sunnypower.org appears to be serving current certificates for barredislands.com, and redirecting to barredislands.com.

1 Like

The Certbot default redirects work just like they are. That is, HTTP to each domain just redirects to that domain as HTTPS.

You have to modify your nginx config manually to change that. Once you do that the Certbot renew will not change it again. But, if you reissue the cert be sure to set the Certbot option to not configure redirects.

You should review your IPv6 AAAA address. Connections to that are failing. Your IPv4 is working fine. See: Let's Debug

3 Likes

I apologize, I was finishing the post and didn't realize it had already published before completed. Please see correct post now. Thank you.

@MaxHearnden @MikeMcQ sorry about that guys, I was still drafting my post above and didn't realize it had published before I was finished. It's ready now...any tips or advice would be most welcome. Thank you!

2 Likes

First, you are missing listen statements. While nginx has a default for port 80 it only covers IPv4. You have an AAAA record in your DNS so be sure to add both listen statements like you do with the other server block.

And, your IPv6 AAAA address is not working correctly. So, before worrying about certs you need to get that sorted out. Either fix your AAAA record and IPv6 config or remove it. Please see: Let's Debug

2 Likes
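The two replies above make two separate points: the www server block needs its own `listen` directives for both address families, and Certbot's default per-host redirects have to be replaced by hand if every name is to land on the apex. The following is an added example of how those blocks could be written to cover both points; it is not the poster's config and not something Certbot generates. It assumes the Certbot lineage is named `crenergycoaching.org` (the renewal conf path shown in the error output), so the expanded certificate covering both names lives under `/etc/letsencrypt/live/crenergycoaching.org/`, and that `options-ssl-nginx.conf` and `ssl-dhparams.pem` are the files Certbot's nginx plugin installs. The apex HTTPS block that actually serves the site is left out because it is unchanged.

```nginx
# Added example, not the poster's config. Assumes the Certbot lineage is
# "crenergycoaching.org" (the renewal conf referenced in the error output),
# so the certificate that covers both names lives at
# /etc/letsencrypt/live/crenergycoaching.org/.

# HTTP for both names, on both address families. The [::]:80 listener is
# needed because an AAAA record exists: the CA fetches the HTTP-01 challenge
# over port 80 and will use IPv6 when it is published, so a block that only
# listens on IPv4 is never reached for that connection.
server {
    listen 80;
    listen [::]:80;
    server_name crenergycoaching.org www.crenergycoaching.org;

    # The redirect lives in "location /" rather than at server level so that
    # any more specific challenge location (Certbot's nginx authenticator
    # inserts an exact-match one for the token while it runs) still wins.
    location / {
        return 301 https://crenergycoaching.org$request_uri;
    }
}

# HTTPS for the www name. The TLS handshake has to succeed with a certificate
# valid for www.crenergycoaching.org before a redirect can be sent; without
# this block, https://www... hits whichever 443 server is the default and
# presents a certificate for the wrong name, which is what a remote checker
# reports as "not working" even though the HTTP redirect is fine.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name www.crenergycoaching.org;

    ssl_certificate     /etc/letsencrypt/live/crenergycoaching.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/crenergycoaching.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # installed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;     # installed by Certbot

    return 301 https://crenergycoaching.org$request_uri;
}

# The apex HTTPS block (server_name crenergycoaching.org on 443) is unchanged
# and omitted here; Certbot manages its ssl_* lines.
```

After `sudo nginx -t && sudo systemctl reload nginx`, check port 80 from outside on each address family separately, for example `curl -4 -I http://www.crenergycoaching.org/` and `curl -6 -I http://www.crenergycoaching.org/`. If only the IPv6 request times out, the AAAA record or the host's IPv6 configuration is the problem, exactly the condition the replies describe, and no amount of nginx editing will make the challenge pass until it is fixed or the AAAA record is removed. If Certbot is run again with `--nginx`, add `--no-redirect` so it does not re-insert its own per-host redirects on top of these.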

Thanks for replying.

The debug was helpful, thanks. If I'm reading it correctly it's timing out. Which is odd because I can pull it up in a browser and tested from other international locations. I removed the firewall for a few moments and retested, no change. Hmmm...I'm scratching my head here.

This is a cloud server in Hetzner's Virginia datacenter. Can't think of why the LetsEncrypt server can't connect. Could it be blacklisted somewhere? I'm grasping...

If you have any ideas I'm all ears. I was able to perform all of this successfully on a different Hetzner server earlier today, and as far as I can see everything is configured the same way, so I'm at a loss as to what the issue is. I must be missing something here...

The IPv6 address in my AAAA record matches what Hetzner lists for the server. But I just removed it and will retest in an hour (TTL was set to 3600).

UPDATE: successfully obtained certs after removing the IPv6 address. Thank you for your help. I will look into why the IPv6 isn't working...must be something going on at Hetzner. I can see I had the correct IP listed by Hetzner for the server but maybe there's some extra tweak I need to do somewhere (just moved to Hetzner from AWS so still getting acquainted).

PPS have confirmed from various international locations that www.crenergycoaching.org is now working correctly. Case closed! Thanks again.

1 Like