Encountered with a problem `Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.`

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.jionlp.com

I ran this command: certbot --nginx -d www.jionlp.com -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.8 support will be dropped in the next planned release of Certbot - please upgrade your Python version.
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for www.jionlp.com
Performing the following challenges:
http-01 challenge for www.jionlp.com
Waiting for verification...
Challenge failed for domain www.jionlp.com
http-01 challenge for www.jionlp.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.jionlp.com
  Type:   unauthorized
  Detail: 182.92.160.94: Invalid response from http://www.jionlp.com/.well-known/acme-challenge/hhORNhTzBV0xE49MADGou9aylCT3eMNP4YIahX-SfcA: "<!doctype html><html lang=\"\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta name=\"viewpo"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS \n \l

My hosting provider, if applicable, is: aliyun

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1

Appendix:

Im hosting my website on aliyun(cloud server provided by alibaba), the public IP is 182.92.160.94. I wrapped my nginx server in a docker container, which is started like this:

b5f3aacf1839   jionlp_online:v1.0   "/bin/bash"   2 years ago   Up 6 weeks   16666/tcp, 17777/tcp, 18888/tcp, 0.0.0.0:80->80/tcp, :::80->80/tcp, 19999/tcp   frontend_server

And my nginx configure file is like this :

worker_processes  1;

error_log  /root/jionlp_online/JioNLP_frontend/nginx/nginx_error.log warn;

# Change pid to allow no super user to run
# pid        /tmp/nginx.pid;
user root;

worker_rlimit_nofile 65535;
events {
    worker_connections  1024;
}

http {
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /root/jionlp_online/JioNLP_frontend/nginx/access.log  main;

    sendfile        on;
    keepalive_timeout  60;

  server {
    listen 80;  #监听端口
    server_name 0.0.0.0;  #域名
    root /root/jionlp_online/JioNLP_frontend/dist;  #站点目录

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 9;
    gzip_types text/plain application/javascript application/x-javascript text/css text/javascript application/xml image/jpeg image/gif image/png;
    gzip_vary on;

    index index.html;

    location / {
        root /root/jionlp_online/JioNLP_frontend/dist;
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    location ~ .*\.(txt)$ {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$
    {
      expires 30d;
      # access_log off;
    }
    location ~ .*\.(js|css)?$
    {
      expires 15d;
      # access_log off;
    }
    access_log on;
  }

  # include /etc/nginx/conf.d/*.conf;

}

I am curious about the possibility of changing the open port 443 to this server, maybe??

and the nginx -T shows the below:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
worker_processes  1;

error_log  /root/jionlp_online/JioNLP_frontend/nginx/nginx_error.log warn;

# Change pid to allow no super user to run
# pid        /tmp/nginx.pid;
user root;

worker_rlimit_nofile 65535;
events {
    worker_connections  1024;
}

http {
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /root/jionlp_online/JioNLP_frontend/nginx/access.log  main;

    sendfile        on;
    keepalive_timeout  60;

  server {
    listen 80;  #监听端口
    server_name 0.0.0.0;  #域名
    root /root/jionlp_online/JioNLP_frontend/dist;  #站点目录

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 9;
    gzip_types text/plain application/javascript application/x-javascript text/css text/javascript application/xml image/jpeg image/gif image/png;
    gzip_vary on;

    index index.html;

    location / {
        root /root/jionlp_online/JioNLP_frontend/dist;
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    location ~ .*\.(txt)$ {
        add_header Access-Control-Allow-Origin *;

    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

This really confused me for about 2 days and have no trace of clues.
Really appreciated your help. Thx.

by the way, you can browse the website through http://www.jionlp.com

Is Certbot inside the same container as nginx?

Because the --nginx option changes the nginx config file and then reloads nginx.

If Certbot is not in the container you should use the --webroot option instead and make sure the container's volume for nginx root is shared with where Certbot runs so it can place the challenge token (see --webroot-path Certbot option)

Hello @dongrixinyu and welcome.

Presently the server is returning HTTP/1.1 200 OK for a (presumably) nonexistent token (file)

$ curl -Ii http://www.jionlp.com/.well-known/acme-challenge/sometestfile-2024_1228
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 28 Dec 2024 16:55:37 GMT
Content-Type: text/html
Content-Length: 1551
Last-Modified: Sat, 28 Dec 2024 10:48:58 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "676fd79a-60f"
Accept-Ranges: bytes

Edit - Supplemental

Also "Warning: SOA records are not consistent across nameservers." is shown here Hardenize Report: jionlp.com for the DNS Zone.

And Port 443 (i.e. HTTPS) is filtered (i.e. not accessibly)/

$ nmap -Pn -p80,443 www.jionlp.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-28 08:59 PST
Nmap scan report for www.jionlp.com (182.92.160.94)
Host is up (0.19s latency).

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 5.51 seconds

Yes，I installed my nginx, certbox, python3, and my fronend code all in the same container.

By the way, I started my nginx with nginx -c /root/JioNLP_frontend/nginx/nginx.conf, where the nginx.conf is not in the default directory. Does this have an impact on the result??

Yes that matters. Review these

nginx:
Nginx Web Server plugin

--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx)

--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and retrieving nginx version number. (default: nginx)

https://eff-certbot.readthedocs.io/en/latest/using.html#certbot-command-line-options

@dongrixinyu Were you able to get the --nginx option working?

I forgot to mention you could try the --webroot option instead. It does not need to parse your nginx or control it. Is something like

certbot certonly --webroot -w /root/jionlp_online/JioNLP_frontend/dist -d www.jionlp.com --deploy-hook nginx-reload

Replace nginx-reload with the command to reload nginx so that it refreshes its config to use a new cert

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.