"Error getting validation data" Status 400

I'm getting "Error getting validation data" with status 400 for the challenge URL and I have no idea why. I see Nginx returning 200 for it in the access log, and it works if I try it manually. I'm not using IPv6 (no AAAA, not enabled on server, firewall blocks it). It's a fresh install of Debian, Nginx and Certbot as of yesterday. The Nginx config is about as basic as you can get and serves HTML just fine. DNS setup hasn't changed in a long time (CAA 0 issue "letsencrypt.org" record is there)... Anyone have any ideas?

My domain is: escm.ml

I ran this command: certbot certonly --nginx -d "escm.ml" --debug-challenges --dry-run

It produced this output: See below

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Debian 10.9

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

Debug log:

2021-04-10 19:56:34,505:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-04-10 19:56:34,930:DEBUG:certbot._internal.main:certbot version: 1.14.0
2021-04-10 19:56:34,930:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1093/bin/certbot
2021-04-10 19:56:34,930:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'escm.ml', '--debug-challenges', '--dry-run', '--preconfigured-renewal']
2021-04-10 19:56:34,930:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-04-10 19:56:34,948:DEBUG:certbot._internal.log:Root logging level set at 20
2021-04-10 19:56:34,948:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-04-10 19:56:34,949:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2021-04-10 19:56:35,067:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f80bcb85df0>
Prep: True
2021-04-10 19:56:35,068:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f80bcb85df0>
Prep: True
2021-04-10 19:56:35,068:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f80bcb85df0> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f80bcb85df0>
2021-04-10 19:56:35,068:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2021-04-10 19:56:35,078:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/19016084', new_authzr_uri=None, terms_of_service=None), 855b82e654230c82496679cfb0491e1b, Meta(creation_dt=datetime.datetime(2021, 4, 10, 19, 0, 49, tzinfo=<UTC>), creation_host='WebServer.lan', register_to_eff=None))>
2021-04-10 19:56:35,080:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2021-04-10 19:56:35,082:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2021-04-10 19:56:35,775:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2021-04-10 19:56:35,775:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:35 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "k-aG3-bsdmg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-04-10 19:56:35,776:DEBUG:certbot.display.util:Notifying user: Simulating a certificate request for escm.ml
2021-04-10 19:56:35,946:DEBUG:acme.client:Requesting fresh nonce
2021-04-10 19:56:35,946:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2021-04-10 19:56:36,026:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-04-10 19:56:36,027:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:35 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00031DQuZmQJuQpA1ed6phTJQP6MH99nEtcge-kSJYNz_RQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-04-10 19:56:36,027:DEBUG:acme.client:Storing nonce: 00031DQuZmQJuQpA1ed6phTJQP6MH99nEtcge-kSJYNz_RQ
2021-04-10 19:56:36,027:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "escm.ml"\n    }\n  ]\n}'
2021-04-10 19:56:36,029:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzMURRdVptUUp1UXBBMWVkNnBoVEpRUDZNSDk5bkV0Y2dlLWtTSllOel9SUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "JRqiu_qXvwxe7JQqzsUfYSZAniWj9Dy8Ndsb0oAHEehvcB7RiVVOqzs2DaiVzpUYpKxOcHUvL59RYtep3Hd4NjIwvCQOYXd8G5Q1s1-cGV_y2-8fmnV9TSi_foizqJLSo00OP7FVAav3qdSLoBhOQ9aOermWxzvIBA8Te8A9Q7VvY5o_KSTNTYGz5N__0ENC4vb9FVFVT5FU933QSefeOPqX4Lwefd16c_1xt36E8N0B21YlbpIXFRTXHwj1vIU4F19B9LBvTmI8Xs9DKiAMadWnG7lw4buXr6lUr_pU69Zjm-_UOh0Ls9x0S6diJiLpGRvV7vFBvA9yT9ntRMEGQg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImVzY20ubWwiCiAgICB9CiAgXQp9"
}
2021-04-10 19:56:36,146:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
2021-04-10 19:56:36,147:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 10 Apr 2021 23:56:36 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/19016084/29429321
Replay-Nonce: 0004RRcU-TfvYTpQobr7FV1sGTrOi7fcLegAbc7cVPZmIVg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-04-17T23:56:36Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "escm.ml"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/19016084/29429321"
}
2021-04-10 19:56:36,147:DEBUG:acme.client:Storing nonce: 0004RRcU-TfvYTpQobr7FV1sGTrOi7fcLegAbc7cVPZmIVg
2021-04-10 19:56:36,147:DEBUG:acme.client:JWS payload:
b''
2021-04-10 19:56:36,149:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0UlJjVS1UZnZZVHBRb2JyN0ZWMXNHVHJPaTdmY0xlZ0FiYzdjVlBabUlWZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTg3MjIwMCJ9",
  "signature": "TkwjaToxl4l2XIyf1YD92DmtDG7ldNAoO-M21SCh3xq7hTlbNUmJO1YSdQxYLi34Wyt1U3h695fS1Zqp_oD9dYi93kCYb42B2sTC3cmFh1wmt4SqKMn-5i41N7Eq79WWhrQXxMiIwAFbD5P5WXvF0OVjcah3bLZEoAWZCIbsDy88mjT4MY5gx8klAD8lUnGEI_ufPDxb3VddH60TKtbTlXDW7ojnNNhoxn_tWE3tvYTxPxi4z-ryAyURzO3hm5v9R9Fp7jkFN3EGPTqZQpIQbZ1PyzEWJn7UnMws6NskBuFLhheOHwGArWWozGU57RPYcNqPSOmKn2f_FRWqFoEfYQ",
  "payload": ""
}
2021-04-10 19:56:36,238:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25872200 HTTP/1.1" 200 803
2021-04-10 19:56:36,239:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:36 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004LMYfi_TP7wULiZpbM18f1O2ikIxtXuFQwFGxdWAspjw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-17T23:56:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/5LGqnQ",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/XQSO4w",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    }
  ]
}
2021-04-10 19:56:36,239:DEBUG:acme.client:Storing nonce: 0004LMYfi_TP7wULiZpbM18f1O2ikIxtXuFQwFGxdWAspjw
2021-04-10 19:56:36,239:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-04-10 19:56:36,240:INFO:certbot._internal.auth_handler:http-01 challenge for escm.ml
2021-04-10 19:56:36,245:DEBUG:certbot_nginx._internal.http_01:Generated server block:
[]
2021-04-10 19:56:36,246:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2021-04-10 19:56:36,246:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2021-04-10 19:56:36,246:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2021-04-10 19:56:36,247:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

2021-04-10 19:56:36,248:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/conf.d/default.conf:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


   server_name                escm.ml;
   listen                     80;

   location / {
      root    /var/www/html;
      index   index.html;
   }
location = /.well-known/acme-challenge/PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc{default_type text/plain;return 200 PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc.tEWGUSWdPFLTgLNoZthzugaPO54UVO8RVHyaJgMVh_c;} # managed by Certbot

}

2021-04-10 19:56:37,259:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-04-10 19:56:37,260:DEBUG:certbot.display.util:Notifying user: Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
2021-04-10 19:56:37,870:DEBUG:acme.client:JWS payload:
b'{}'
2021-04-10 19:56:37,872:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0TE1ZZmlfVFA3d1VMaVpwYk0xOGYxTzJpa0l4dFh1RlF3Rkd4ZFdBc3BqdyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yNTg3MjIwMC9IeEd6cWcifQ",
  "signature": "rugE-covM9I0T_Yvf1-msSig4ncHkbH9QKyie0HRxqpJfh2sR0Q7vDNF24-lDRSIF08bO0Aft1bxgTRbilNwibOmcWQ0O4cHCkLQxbgOD2sKgDbaTlBTzxvE6yk4JiVkC8tBdmh_MwEP4B0Zs_SfUq_saQK-w5sgXRue3El1yBd5ru6nzYFU2PKV5JEk1H3un5lpu2LlAufTIgdfs4TAxHGqF0kazs4oS4LEKY2vjrGsB7pey4-xGNjtzlouEo9dRI8kCkNlq_20ghr61-EfvO4z_gI6bHog0XBhU5TRblqT8rGJcKGt2p2_5kEp_NI39GwmFpxFa_AcvlbTrwbjpw",
  "payload": "e30"
}
2021-04-10 19:56:37,955:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/25872200/HxGzqg HTTP/1.1" 200 191
2021-04-10 19:56:37,956:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:37 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg
Replay-Nonce: 0004i6k2dAXeyjnc6F9XNCgedHTQD7maLzb583LqhTBm3lc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
  "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
}
2021-04-10 19:56:37,956:DEBUG:acme.client:Storing nonce: 0004i6k2dAXeyjnc6F9XNCgedHTQD7maLzb583LqhTBm3lc
2021-04-10 19:56:38,958:DEBUG:acme.client:JWS payload:
b''
2021-04-10 19:56:38,960:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0aTZrMmRBWGV5am5jNkY5WE5DZ2VkSFRRRDdtYUx6YjU4M0xxaFRCbTNsYyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTg3MjIwMCJ9",
  "signature": "NhAkloM6ApfkYABBskMjgRaoecyVXRzNewSWnkOXJsmZV_2aeqW57RvYGTxg5YsZOMd6le9cixjTTsBb5iurTwAueAo7KuRC5_RaWbfTv1_UzD3DdrJPunn695-ZZaii-WgIy_PrnSxM1GnPHzJ6m2RsbaVv2pS_xBzWe6L0S1EjaQzfoYuXBPj2X549ILlSdzUnC0JABrlq5x7VGtTeyRZj2YLDJ7HIQL2BIyPcAwQRjBCeyd5eD4pFvBd5rPjo8kEtw0l7hUnvk9xsnDRLVJq53mB_-Y14LvntfOk5wl3viG2E05aUtUww-LqsB8I2PDUaaA_zSj58Ec_wOwl_Ww",
  "payload": ""
}
2021-04-10 19:56:39,043:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25872200 HTTP/1.1" 200 803
2021-04-10 19:56:39,044:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:39 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00042wBr5LxKzcZCcwyutte6DZrzs4se6xjV1OWXXv7rOPE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-17T23:56:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/5LGqnQ",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/XQSO4w",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    }
  ]
}
2021-04-10 19:56:39,044:DEBUG:acme.client:Storing nonce: 00042wBr5LxKzcZCcwyutte6DZrzs4se6xjV1OWXXv7rOPE
2021-04-10 19:56:42,048:DEBUG:acme.client:JWS payload:
b''
2021-04-10 19:56:42,050:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0MndCcjVMeEt6Y1pDY3d5dXR0ZTZEWnJ6czRzZTZ4alYxT1dYWHY3ck9QRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTg3MjIwMCJ9",
  "signature": "bnUqYxM5BSiZvv0wd8D-pR68n0WFnlm6hZCZiE9q1C284vns7mnB15Bi_upGObJB9C7kprgwnUPGfIyjSAcKYv7PIRKi3fLHjnmWlA6p7xnwgXIJRLs9Hg_EzUmM_W0Bib_1MwZwSksQQbkMpdYAidmdYNsv3662ZIz3s--BkJWaaw7cemDPWObEoN7IcSA-OcA0sJvDKpaeSFg_HqXywLe3TXf1bYfTTOMAOOCCjYXJMBqwdwYCa28CLG5mEpIb8kLQV9tsJFXoiv_w4qxjz47InnqOs2Y44KEjKMRNkyF64MmXxYVOv9b_VRFWe8ZfpAYzzbtsMxkN8kiS8l_jzA",
  "payload": ""
}
2021-04-10 19:56:42,136:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25872200 HTTP/1.1" 200 803
2021-04-10 19:56:42,136:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:42 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003zEhXOuyqrQ4T7SFgkbFQshu4-Ba3VoPArManrAZP4Co
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-17T23:56:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/5LGqnQ",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/XQSO4w",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    }
  ]
}
2021-04-10 19:56:42,137:DEBUG:acme.client:Storing nonce: 0003zEhXOuyqrQ4T7SFgkbFQshu4-Ba3VoPArManrAZP4Co
2021-04-10 19:56:45,140:DEBUG:acme.client:JWS payload:
b''
2021-04-10 19:56:45,142:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzekVoWE91eXFyUTRUN1NGZ2tiRlFzaHU0LUJhM1ZvUEFyTWFuckFaUDRDbyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTg3MjIwMCJ9",
  "signature": "sXIWspDs0hFqhglaYUvlCtwn-OCbYAWSo5bfFHo5PB6dsqEMHNjCdxZ56DVMMeKQfwbS1uzkeohqtsMXFayBafER2JTADZihpJvYS4tAnZI5-vWuKm8a_ltgoBT-YhhuE2a_dtO8LPwrWVXiRqFPvQVlsat35pHwcL366arCQ03WcmN1iesQugSofoiZ-PY1bmOIDK9laqs0qEWLwtTquA2joi9my76vpk-IWkKkxgCRTjwUrxU_IRDcDzsQVFB7OOFBQKQY3T7DDUHu0R0hJ-vJFtZhAxqfAnEqjKhGtJNIPewBRjeShO18w2pn--ioVbPq-S2ijh6il4PeP9pr-Q",
  "payload": ""
}
2021-04-10 19:56:45,224:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25872200 HTTP/1.1" 200 803
2021-04-10 19:56:45,225:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:45 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00034XGTSB_llJu7enj5dSoJsha0LZDY1HL89t6CCATPKF8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-17T23:56:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/5LGqnQ",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/XQSO4w",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    }
  ]
}
2021-04-10 19:56:45,225:DEBUG:acme.client:Storing nonce: 00034XGTSB_llJu7enj5dSoJsha0LZDY1HL89t6CCATPKF8
2021-04-10 19:56:48,229:DEBUG:acme.client:JWS payload:
b''
2021-04-10 19:56:48,231:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzNFhHVFNCX2xsSnU3ZW5qNWRTb0pzaGEwTFpEWTFITDg5dDZDQ0FUUEtGOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTg3MjIwMCJ9",
  "signature": "GilONK9IU7mFJyWuc3DRhgSsgBGhMBSP9yCYVkriW2YRGDk1KyuZLRrQknfwjoug9N1sxs4Ludj6QkupSALAekfEFmc4iDsykLYJlpNgf6Df0XqSimMgynW5hb9K_wmjbSs3StncHEeEIH_SAI00r2Fs-t-DctFC6CXVYBmBgNkOT38oWxKbz5YbbXVxR-kVy3QyVuKRoCzEe1IhX15AU_2r6hn8r--Ori0AspN1dSumIlylqhGnUVoB8NKWaVy_XqZZyog1Qy5uUTw2VTDb_3qbNz1qpW00RVI65GsEYnz8wzB6ZUo4YMWLpesPuUoF5bKDubNODMpPztJjNjaT4Q",
  "payload": ""
}
2021-04-10 19:56:48,319:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25872200 HTTP/1.1" 200 803
2021-04-10 19:56:48,320:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:48 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00033M9REvJYVJt534_-dk4vJILZsOpdq6rmehoTuQ0Jf6U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-17T23:56:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/5LGqnQ",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/XQSO4w",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc"
    }
  ]
}
2021-04-10 19:56:48,320:DEBUG:acme.client:Storing nonce: 00033M9REvJYVJt534_-dk4vJILZsOpdq6rmehoTuQ0Jf6U
2021-04-10 19:56:51,324:DEBUG:acme.client:JWS payload:
b''
2021-04-10 19:56:51,327:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25872200:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzM005UkV2SllWSnQ1MzRfLWRrNHZKSUxac09wZHE2cm1laG9UdVEwSmY2VSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTg3MjIwMCJ9",
  "signature": "k2nsb11m3ss1FAQTOXVFjRdZQvwj_ceKAvcHoz1HvDFDyfob25oIgniSwIzTdgai9zvNCffQ9UK2323A6zR4czRpCKCGI18BUAvYFOB00gPOb3lpMDJ_WN_1D-7RbTIfqF0lL4Jh9913IfkTZMiL0ujOSOUNTVTlLPbiALrRKgohGG19-ZN4HdRrNrgk-V58JA6ARrI4YdpwpDZ8bF3tOX5LLXrcbS0JXDA2NTxwblg3LyMwp0zbr0Q-8FVsrTtQzBw3XmTXdFSANvHudRUgdkoLt8CGeYC8oBzSOeyKnavl1gQAkh1ESVSn3MlFvmIbGeUzbfpirRp_37Rrn6pvCw",
  "payload": ""
}
2021-04-10 19:56:51,407:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25872200 HTTP/1.1" 200 1000
2021-04-10 19:56:51,408:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 10 Apr 2021 23:56:51 GMT
Content-Type: application/json
Content-Length: 1000
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004_cwCqH0yqlEfXFUbhj8-zaeNg6sb80Us7Cmneu3N03Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "invalid",
  "expires": "2021-04-17T23:56:36Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://escm.ml/.well-known/acme-challenge/PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25872200/HxGzqg",
      "token": "PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc",
      "validationRecord": [
        {
          "url": "http://escm.ml/.well-known/acme-challenge/PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc",
          "hostname": "escm.ml",
          "port": "80",
          "addressesResolved": [
            "174.112.189.216"
          ],
          "addressUsed": "174.112.189.216"
        }
      ],
      "validated": "2021-04-10T23:56:37Z"
    }
  ]
}
2021-04-10 19:56:51,408:DEBUG:acme.client:Storing nonce: 0004_cwCqH0yqlEfXFUbhj8-zaeNg6sb80Us7Cmneu3N03Q
2021-04-10 19:56:51,409:WARNING:certbot._internal.auth_handler:Challenge failed for domain escm.ml
2021-04-10 19:56:51,409:INFO:certbot._internal.auth_handler:http-01 challenge for escm.ml
2021-04-10 19:56:51,410:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: escm.ml
Type:   connection
Detail: Fetching http://escm.ml/.well-known/acme-challenge/PFHzOy5PGlgkQZvFA-Q7Hmr16bOO_0Q_NylvCcw5EVc: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2021-04-10 19:56:51,410:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 179, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-04-10 19:56:51,411:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-04-10 19:56:51,411:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-04-10 19:56:52,522:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1093/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1304, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 140, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/client.py", line 444, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/client.py", line 424, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 179, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-04-10 19:56:52,523:ERROR:certbot._internal.log:Some challenges have failed.
2 Likes

Hi @g4rb4g3_ju1c3,

Welcome to this forum.

First of all, thank you for providing such detailed information, honestly!

I think this line might cause some issues here.
Can you check if your nginx configuration now contains this line?
It should be at the top of your escm.ml config file.

Another way of doing this would be to use webroot plugin. Based on your nginx configuration (thank you again for providing such detailed information!), the command you want to use maybe
sudo certbot certonly --webroot -d "escm.ml" -w /var/www/html --debug-challenges --dry-run (The -w path is pulled from your configuration, where you mentioned the root for that config is /var/www/html. If you change it in the future, you also need to modify the webroot path when you renew the certificate)

The difference between webroot and nginx is, webroot will place a file to the actual folder whereas nginx will put a return statement in your nginx configuration.

Thank you
Steven Z

4 Likes

Hey @stevenzhu,

No problem and thanks for the reply!

No, the rewrite line and location for the token are removed when Certbot is done and the config returns to normal:

server {
   server_name                escm.ml;
   listen                     80;

   location / {
      root    /var/www/html;
      index   index.html;
   }
}

Using --webroot, it fails with 404. I see that .well-know/acme-challenge gets created and owned by nginx which is correct, but the file itself is owned by root so I don't think Nginx is serving it:

drwxr-xr-x 3 nginx nginx 4096 2021-04-10 21:54:18 .well-known
drwxr-xr-x 2 nginx nginx 4096 2021-04-10 21:54:18 acme-challenge
-rw-r--r-- 1 root root 87 2021-04-10 21:54:18 GQuPQcUPJbe67hzCA7TBZB67oREdmudD_Sv_A6rgjLE

I tried using --standalone previously, but that also failed with 400 like my original problem above. That makes me wonder if it's something outside Certbot and web server config. I'm not sure, and I've been trying to figure this out for two days...

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Well... your port 80 appears to currently be unreachable, so no amount of parameter changes or configuration analysis will help until that's resolved...

2 Likes

So it is. That's interesting, it was fine just a little while ago...

I rebooted the router and port 80 is back.

I'm noticing that I can connect to the web server from my phone from outside the LAN (Wifi turned off) and it works, but Let's Debug reports no route to host.

...yet when I run Certbot with Nginx, I see successful connections in the access log:

52.58.118.98 - - [10/Apr/2021:22:44:01 -0400] "GET /.well-known/acme-challenge/5J3qNrFJt5-D2Ggme8s8LBlQc1hWpZflpz9OlPsw20E HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"                     │
34.211.60.134 - - [10/Apr/2021:22:44:01 -0400] "GET /.well-known/acme-challenge/5J3qNrFJt5-D2Ggme8s8LBlQc1hWpZflpz9OlPsw20E HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

...Let's Debug no longer reporting no route https://letsdebug.net/escm.ml/507219 but still have the Certbot 400 problem.

...and now Let's Debug says no route. I'm not understanding it though, because it's requesting things that aren't there (sometimes letsdebug-test and sometimes tokens), I see the server returning 404, but Let's Debug says it can't connect - which it just did. Port 80 is open and serving web pages.

2 Likes

I'm not able to consistently connect to port 80 with my tests. Do you have an adaptive firewall of some kind?

https://www.redirect-checker.org/index.php

3 Likes

It's pfSense and I've been going over all kinds of settings, but no, I never set anything like that up.

2 Likes

The key to successfully using an http-01 challenge (nginx, webroot, or standalone) is that you need to first be able to get a 404 from your browser when requesting this (which I currently do :confused:):

http://escm.ml/.well-known/acme-challenge/test

Perhaps, try this...

sudo nginx -s stop

sudo certbot certonly --standalone -d "escm.ml" --dry-run

That will definitively rule-out your nginx configuration as causing the issue.

2 Likes

Same 400 Error getting validation data result after shutting down Nginx and using --standalone.

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f2dccd1d040>
Prep: True
Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f2dccd1d040> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/19016084', new_authzr_uri=None, terms_of_service=None), 855b82e654230c82496679cfb0491e1b, Meta(creation_dt=datetime.datetime(2021, 4, 10, 19, 0, 49, tzinfo=<UTC>), creation_host='WebServer.lan', register_to_eff=None))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:29:53 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "W1-8DkzB9Pw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Notifying user: Simulating a certificate request for escm.ml
Simulating a certificate request for escm.ml
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:29:53 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003VKleFX6vTcTWycJjZ762UpHF0q9TbqfJs7oMCeC5tNI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0003VKleFX6vTcTWycJjZ762UpHF0q9TbqfJs7oMCeC5tNI
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "escm.ml"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzVktsZUZYNnZUY1RXeWNKalo3NjJVcEhGMHE5VGJxZkpzN29NQ2VDNXROSSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "mkOr_0IQ5QVhQbePujRPf5ESzjqfJKjJFEE59AoFRVVSTTU7BHQRbyLcHOi5KT6QVuQ9X907rNQnEbqLU98IHcK_NRG_eJ5CGbLQwKgDN52rNSJ_vDtaM60ADld1oWnMWLWLf3yBe9XJSEtpKHf3c01bfjUh4nfGC0aSial_BUDppU-j2TTaFRSzGMoIaMiLIB3B78OerPIzTa-J0MfxN_Vt8FmTDYHy7NL9LUgNWo3wsGGWQ3MlrJqmPqp6XRGFxLa15G1vwknpXK5Q19PZmLrQZHf5zFEG69OaLILctlQ5B5LmPkbZmBQWcAZaPtIE6AP5dhnfHa1lkWI2gCDY4Q",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImVzY20ubWwiCiAgICB9CiAgXQp9"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 339
Received response:
HTTP 201
Server: nginx
Date: Sun, 11 Apr 2021 03:29:53 GMT
Content-Type: application/json
Content-Length: 339
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/19016084/29514925
Replay-Nonce: 0004ZclL54EQAyc1hnQCCwOJLkaDQNNb0T9vncmG-t8TAj0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-04-18T03:29:53Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "escm.ml"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/19016084/29514925"
}
Storing nonce: 0004ZclL54EQAyc1hnQCCwOJLkaDQNNb0T9vncmG-t8TAj0
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0WmNsTDU0RVFBeWMxaG5RQ0N3T0pMa2FEUU5OYjBUOXZuY21HLXQ4VEFqMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTk1MTA5MiJ9",
  "signature": "NA8Yd2u4jjlQBa79mJE2ju-2TpqUxFqNEvAfd-YEON2G_z7LhVyKrDgRAo8vF9h_KDEkL0ImUN2gunrCjClRmucv9OcFG2KUAcjqlvbXtxB2w3mX8d_ky3_i4UVrNKMR30EyQ_pacsaV1OJ7A2RnmUS46eufOW4zJtHKBw91EC0-vNsGbgBk-vr67AljWeXpXCEhDHl56NgUpbsbTvtd0HZJxpzbipdOjWT7FTAoUao5C2USeaAcMLweu7r9EKAKQBwbKLOBWPog0r07034c5t8g_t0_yvSm7dY0neOeq8c76I_lv1UDX5ps3AoeNCgLVBw_mgdrnQEn9prdk3oOag",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25951092 HTTP/1.1" 200 803
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:29:53 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003nDMGIKKGwLPM40leyfoHd0JwaHFp_QzIXxCPM0P6vr4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-18T03:29:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/JvVx-g",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/ca6iaw",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    }
  ]
}
Storing nonce: 0003nDMGIKKGwLPM40leyfoHd0JwaHFp_QzIXxCPM0P6vr4
Performing the following challenges:
http-01 challenge for escm.ml
Successfully bound to :80 using IPv6
Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification...
JWS payload:
b'{}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzbkRNR0lLS0d3TFBNNDBsZXlmb0hkMEp3YUhGcF9ReklYeENQTTBQNnZyNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yNTk1MTA5Mi9XdktRdVEifQ",
  "signature": "l3Qz7FDJlT4p8qpAAAH_jCsuBVMIBuDbwbqS0-4DxMX1oEgFBPJ_KSxx5TSJf7cLePV92rcT3Oet2VpEIAbLUILVZIJOQ41dgl5_fr_4a8-kwFO6PF-H6jWu32bmLCgGfpiBytSM9_9WKMEkWKci2py2aS4S-G15J3D8jYZV7oOq48VV2tu_NuFsaqC8LpfFDKe2AoDPDJkHbJ-XQK0YBur8o-9PCjOZTYfOJn4H5ZfWhKn0Iolgyai0Zj8X7FwQIyHTqjmHDUj2vVovmjSx5Ag82mSSLhJIF7bnVOHMrCoKAQZgCHHfnhNRiaLvIJvX_fhGWv-3ToXuqo24zdX0Eg",
  "payload": "e30"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/25951092/WvKQuQ HTTP/1.1" 200 191
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:29:53 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ
Replay-Nonce: 0004ySVNquJw6YwXAIX34y4xdXJ1HYRJxgXp8X2HHxvZ1js
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ",
  "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
}
Storing nonce: 0004ySVNquJw6YwXAIX34y4xdXJ1HYRJxgXp8X2HHxvZ1js
::ffff:18.224.20.83 - - Incoming request
::ffff:18.224.20.83 - - Serving HTTP01 with token 'skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s'
::ffff:18.224.20.83 - - "GET /.well-known/acme-challenge/skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s HTTP/1.1" 200 -
::ffff:52.58.118.98 - - Incoming request
::ffff:52.58.118.98 - - Serving HTTP01 with token 'skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s'
::ffff:52.58.118.98 - - "GET /.well-known/acme-challenge/skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s HTTP/1.1" 200 -
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0eVNWTnF1Snc2WXdYQUlYMzR5NHhkWEoxSFlSSnhnWHA4WDJISHh2WjFqcyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTk1MTA5MiJ9",
  "signature": "fgsDaeVHW6VI7xqaADNSRq5BL8qCK3zjfxk4yx0e9_da8SRGbGUpmDTzg5UGGrxEpWrxTDRGckVdPlUnkvpbAqOlHa-aZC37XRZ-x-jiRa3ZofAlxmTKFzr-4mRL2iBC6snmTX1nXh30aESUQnRggP6fM_rZBQylviVxEIiYyuZSAQGevAh_3NO3Kh5QtzZbta0KkUhmKT733LgDfXdr0tt5hLbdMgGAxq-8cKdXg1Tb9Yu40IAvIXkv9rd55oeI6UnPWI7jYYsU4ytvX6PQzZxN_jx9NBDhEugDQU-zlKI34JmvOrvN2TOEPEgWukJJTSVNW_Ya9Gs2vD2-6aSUtw",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25951092 HTTP/1.1" 200 803
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:29:54 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004Uwt-wFv4KgTwTcs9csK572n8BOX1i0KmPTGgBAw80NM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-18T03:29:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/JvVx-g",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/ca6iaw",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    }
  ]
}
Storing nonce: 0004Uwt-wFv4KgTwTcs9csK572n8BOX1i0KmPTGgBAw80NM
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0VXd0LXdGdjRLZ1R3VGNzOWNzSzU3Mm44Qk9YMWkwS21QVEdnQkF3ODBOTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTk1MTA5MiJ9",
  "signature": "OKsRO_6RuF_-H_eOvAukfdjXKvCACl5KDs7h6GPKFEcZjuE0uB0vxYspZIE4BxBG6WsR8gXDIQPB98etpJPqP8OvCajzhLKfFHSmLMyGTNgkTPnIPM_i-3X3jR3k6QOf8J5Bwddw1Tx9dZBjGAfoTce07ogfMFQAhyzSostdNcnzzQIj2osbyWA9vkFicBh8Pgx36zD7XlJdo8JB_QDsV8UrVoq6QcmbmJ5g-YQVgzsiPx9rKmqaJBlxWvh2me-qH-V1Y93G-qdwwe-OYMQSdQva5mDWiuYhvGD07aOVRPyndTMwGGH80BgcqSKNTfW6vTTbnIPG6O0V7ygMMjqaLA",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25951092 HTTP/1.1" 200 803
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:29:57 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003EbjKDXArb3mYUuPDsnRxTHiy9KuiHHJn7aVeD1yRxGk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-18T03:29:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/JvVx-g",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/ca6iaw",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    }
  ]
}
Storing nonce: 0003EbjKDXArb3mYUuPDsnRxTHiy9KuiHHJn7aVeD1yRxGk
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDAzRWJqS0RYQXJiM21ZVXVQRHNuUnhUSGl5OUt1aUhISm43YVZlRDF5UnhHayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTk1MTA5MiJ9",
  "signature": "abJ-cVsvOiRnG1oogdGCTxdK7HUJdwnf9lJc7a-KBFYbAKIDmzGAvuM0GLoWSRl8zJoYqBmK-jGoS6nNdAG_df9HIS0kWt48EvM62JpZcgScEM9v3neFdrMBGC2JmvsCbFpsmgkcrtzFLDIRbYUZ2XldXJ8SOO7JJzJVlng1YUJo6EsAWxWiG2pbyMpIcu9GYtUh9TvEX54S2afo_ORxMZ7CUdKD9BClfjkOY2HDcOIvMkl3Itk5LM3Sc4TOtB5Dr8xNgDO2E7c3V4HcqO-h5G-IJi0Vs3UZ4xFAX9lQe9450bGLPhTwnQ_YhlF5KuErPY-CcBqCe3x7eI9XdmCK1A",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25951092 HTTP/1.1" 200 803
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:30:01 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00046Z1--IsL8Oe2RK727YPfDOdsYb22PoCXhjQLzGJtNow
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "pending",
  "expires": "2021-04-18T03:29:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/JvVx-g",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/ca6iaw",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s"
    }
  ]
}
Storing nonce: 00046Z1--IsL8Oe2RK727YPfDOdsYb22PoCXhjQLzGJtNow
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/25951092:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xOTAxNjA4NCIsICJub25jZSI6ICIwMDA0NloxLS1Jc0w4T2UyUks3MjdZUGZET2RzWWIyMlBvQ1hoalFMekdKdE5vdyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yNTk1MTA5MiJ9",
  "signature": "V9bR_MIBQfnHV0vrnmLHGalYtZumvXtuORwqsZTa9qO1EzMBsdgAh-vysLMATodP221sZCp4HcAJcoh7sKpaSy_AQR8zieA8DdvngJaHGqn7zRMHov1wAsdOILeiGvsNsbpuuewBODYwXwz7JYS2KTrOkN5oHyU6waLpMGkvUp62XDRBlxQlmKIszgklqlRAzNhRG19o1yl0NEMgr2euGiY9iX9FGYxStOBCIMmrxTf3-iog8CbwVh6yVupe-cZgD1w5hJUf_VABv4xZRxj6vAPqfg2DgTqdXlNLUChKlX26wahaa83CH6OD0j07LgPa6FycvD-3-neuHAvczaELKg",
  "payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/25951092 HTTP/1.1" 200 1000
Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Apr 2021 03:30:04 GMT
Content-Type: application/json
Content-Length: 1000
Connection: keep-alive
Boulder-Requester: 19016084
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004-1uNMzaVewcaPaUciN7M19sRgytLZGnjhH9GHoRZwXY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ml"
  },
  "status": "invalid",
  "expires": "2021-04-18T03:29:53Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://escm.ml/.well-known/acme-challenge/skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s: Error getting validation data",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/25951092/WvKQuQ",
      "token": "skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s",
      "validationRecord": [
        {
          "url": "http://escm.ml/.well-known/acme-challenge/skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s",
          "hostname": "escm.ml",
          "port": "80",
          "addressesResolved": [
            "174.112.189.216"
          ],
          "addressUsed": "174.112.189.216"
        }
      ],
      "validated": "2021-04-11T03:29:53Z"
    }
  ]
}
Storing nonce: 0004-1uNMzaVewcaPaUciN7M19sRgytLZGnjhH9GHoRZwXY
Challenge failed for domain escm.ml
http-01 challenge for escm.ml
Reporting to user: The following errors were reported by the server:

Domain: escm.ml
Type:   connection
Detail: Fetching http://escm.ml/.well-known/acme-challenge/skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 179, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Stopping server at :::80...
Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1093/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 1304, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/main.py", line 140, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/client.py", line 444, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/client.py", line 424, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1093/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 179, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: escm.ml
   Type:   connection
   Detail: Fetching
   http://escm.ml/.well-known/acme-challenge/skgGZYmesyAW9I6fcP8Ccb0CRts_SnzBSUBeEqNci2s:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
2 Likes

Definitely a networking issue then.

2 Likes

Pretty strange networking issue at that.

The domain name is fine, port scans show 80 is open, the server is serving up HTML, and we've determined it's not server config. When I run Certbot with
certbot certonly --nginx -d "escm.ml" --debug-challenges --dry-run
I see the server returning 200 for ACME challenge tokens like
http://escm.ml/.well-known/acme-challenge/88rz9vQ-NKN7_ncKFzj4nM9KEAFbpsNP_jGjnljXwns
but then the debug log reports
POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/26217981
returns an error:
During secondary validation: Fetching http://escm.ml/.well-known/acme-challenge/88rz9vQ-NKN7_ncKFzj4nM9KEAFbpsNP_jGjnljXwns: Error getting validation data

Let's Debug also fails: https://letsdebug.net/escm.ml/507589?debug=y
The HTTPCheck section reports "no route to host", and the LetsEncryptStaging section reports 403 because it got 404 from my server (which is correct because I didn't run Certbot and the token doesn't exist). I don't understand how it can report "no route to host" when it simultaneously gets 404 from my server. I noticed it was looking for
http://escm.ml/.well-known/acme-challenge/letsdebug-test
so I created it and verified it works, but same problem.

Could there be a DNS setup problem? As I mentioned before, I have a CAA 0 issue "letsencrypt.org" record. Do I need anything else? Does Let's Encrypt have a problem with the .ml TLD because it's free and scammers love it?

I'm otherwise not sure I can debug this any further since I'm not a Let's Encrypt ACME dev. If it's a problem at my end, I have no idea what it could be. I don't have anything fancy set up on the router and it simply forwards port 80 to the server. The ISP is Rogers in Canada and I've never had a problem running any of this stuff before. Of course that doesn't rule out the problem is with them, but I tend to doubt it since port 80 is open and fulfilling requests.

I appreciate all the help so far, and any ideas anyone has about this now...

2 Likes

Hi @g4rb4g3_ju1c3

looks like you have a wrong configured firewall or something else (failban, htaccess etc.).

D:\temp>download http://174.112.189.216/ -h
SystemDefault
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 320
Content-Type: text/html
Date: Sun, 11 Apr 2021 16:42:02 GMT
ETag: "6073148c-140"
Last-Modified: Sun, 11 Apr 2021 15:23:56 GMT
Server: nginx/1.18.0

Status: 200 OK

1337,00 milliseconds
1,34 seconds

D:\temp>download http://174.112.189.216/.well-known/acme-challenge/1234 -h
SystemDefault
Error (1): Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.
ConnectFailure
3
Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat 174.112.189.216:80

21112,00 milliseconds
21,11 seconds

D:\temp>download http://174.112.189.216/ -h
SystemDefault
Error (1): Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.
ConnectFailure
3
Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat 174.112.189.216:80

21069,00 milliseconds
21,07 seconds

D:\temp>download http://174.112.189.216/.well-known/acme-challenge/1234 -h
SystemDefault
Error (1): Die Verbindung mit dem Remoteserver kann nicht hergestellt werden.
ConnectFailure
3
Ein Verbindungsversuch ist fehlgeschlagen, da die Gegenstelle nach einer bestimmten Zeitspanne nicht richtig reagiert hat, oder die hergestellte Verbindung war fehlerhaft, da der verbundene Host nicht reagiert hat 174.112.189.216:80

21108,00 milliseconds
21,11 seconds

First try with the ip address works. Second try /.well-known/... is blocked. Some seconds later nothing answers.

PS: Ah, pfsense. Check that.

No, I use your ip address.

A CAA is checked, but that's not your error message.

No, there are a lot of domains with ml and a Letsencrypt certificate.

And "secondary validation" means: The primary Letsencrypt servers are able to check your system. The secondary are blocked -> it's your job to find that blocking instance and to remove it.

2 Likes

My primary concern has been the inconsistency of responses. @JuergenAuer's testing confirms my earlier suspicions. Since the outcome seems to be the same when using the standalone authenticator, we can be sure that it's not something in your nginx configuration.

I've had consistently positive results on my last several tests with Let's Debug and Redirect Checker | Check your Statuscode 301 vs 302, so you might just try this again:

sudo certbot --nginx -d "escm.ml"

2 Likes

omfg it needs to be able to ping me?!

The dry run finally started working once I allowed ping requests on the WAN interface in the firewall, which apparently you've noticed as well. I'm in the process of copying my previous setup over to the new web server, but I think it will be fine now.

Thanks a lot everyone for all the help and staying on it too. Really appreciate it. I'll let you know how it goes actually renewing all my certificates...

2 Likes

No, ping answers aren't required.

But now your server sends a 418 - Teapot.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/418

2 Likes

I didn't think ping should be required either, but it seems to matter. I noticed that requests were really slow sometimes on my phone, and you had one success but then a few timeouts. As soon as I enabled ping requests it all got back to normal speeds.

Yes, that's the original config from the old server. I have multiple virtual hosts and the default returns 418.

I copied over all my certificates but it's only renewing escm.ml for some reason. And then it doesn't seem to work loading the page: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING. I'm probably forgetting something somewhere...

2 Likes

No, that's not a problem.

See

That happens if you use must staple and if nothing is cached.

F5 - problem solved.

2 Likes

Finally, success. Yeah, the Firefox error is about OCSP stapling and other browsers are working fine. F5 and clearing the cache didn't work, but I'll figure it out in a bit (Edit: Nginx config had the wrong local DNS address - works now). All I care about at the moment is email is working again.

Still strange that ICMP ping would fix the connection problems. I could possibly see ACME wanting to see ping replies for some reason, but not how it would affect direct connections.

2 Likes

Could it be that however you "enabled" ping might have had a side effect (like restarting your firewall)?

2 Likes

It's not your browser cache. It's the empty webserver cache with the OCSP results.

Restarting your webserver -> you have always one time that error message.

2 Likes