Error Type: connection Detail: Fetching

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: openbooksocial.com

I ran this command: certbot --dry-run certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): openbooksocial.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openbooksocial.com
Waiting for verification…
Challenge failed for domain openbooksocial.com
http-01 challenge for openbooksocial.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: openbooksocial.com
    Type: connection
    Detail: Fetching
    http://openbooksocial.com/.well-known/acme-challenge/eI2sMNZH0hZ-XJwpw625SzdbauGMG5cex5uvVO2hWaI:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx version: nginx/1.17.10 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

Additionally, I can confirm that the firewall is inactive:
root@localhost:~# ufw status
Status: inactive
root@localhost:~# certbot --dry-run certonly

Any Pointers would be helpful. Thanks

If it helps : I am trying to install Mastodon https://docs.joinmastodon.org/admin/install/

Server IP 172.104.239.204

Port 80 is not responding at that IP.

The HTTP site must work before the HTTPS site can work.

I think you transcribed the IP address incorrectly:

$ dig +noall +answer openbooksocial.com
openbooksocial.com.     351     IN      A       172.109.239.204

172.104 is correct, 172.109 isn't.


Hi @vivmajor

your webserver doesn't answer - see https://check-your-website.server-daten.de/?q=openbooksocial.com#url-checks

Domainname Http-Status redirect Sec. G
• http://openbooksocial.com/ 172.109.239.204 -14 10.013 T
Timeout - The operation has timed out
• https://openbooksocial.com/ 172.109.239.204 -14 10.020 T
Timeout - The operation has timed out
• http://openbooksocial.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 172.109.239.204 -14 10.026 T
Timeout - The operation has timed out
Visible Content:
• https://172.109.239.204/ 172.109.239.204 -14 10.023 T
Timeout - The operation has timed out

If an online tool can't connect to your webserver, Let's Encrypt can't connect to your webserver either.

172.109.239.204
Brooklyn/New York/United States (US) - Frontier Communications Corporation
No Hostname found

Is that a home server? Does your ISP allow port 80?

Does http work internally? What does

curl http://openbooksocial.com/

return from that machine?

Hi,
The IP I have given is correct: 172.104.239.204. And if you just look up 172.104.239.204 in the browser, it gives the Nginx default page.
Looks like there is some mixup somewhere.

Running command:
root@localhost:~# curl http://openbooksocial.com

301 Moved Permanently
301 Moved Permanently
nginx/1.17.10 (Ubuntu)

Check your DNS records in Softlayer. You will see that you have 172.109 in your DNS A record (some random FCC IP) rather than 172.104 (your Linode).

Your local curl test notwithstanding (which is probably affected by /etc/hosts on that machine), your A record is incorrect.

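The diagnosis in the replies above (public A record pointing at the wrong address, local curl masked by /etc/hosts, port 80 unreachable from outside) can be turned into a pre-flight script to run before certbot. This is an added example, not a script from the thread or from Certbot; it assumes dig and curl are installed, takes the domain and the IP the server really has as arguments, and the choices of resolver (1.1.1.1) and probe path name (preflight-test) are mine.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check before running certbot.
# Usage: sh acme_preflight.sh openbooksocial.com 172.104.239.204
# Assumes dig and curl are installed. The resolver 1.1.1.1 and the probe path
# name "preflight-test" are arbitrary choices.

# Pull the A-record targets out of "dig +noall +answer <name> A" output (stdin).
# CNAME lines in the answer section are skipped because $4 is the record type.
extract_a_records() {
    awk '$4 == "A" { print $5 }'
}

# Read resolved IPs from stdin and compare each with the IP the server really has.
# Returns 0 only when every record matches; a mismatch like the thread's
# 172.109 vs 172.104 shows up as a FAIL line.
judge_records() {
    expected="$1"
    rc=0
    seen=0
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        seen=1
        if [ "$ip" = "$expected" ]; then
            echo "OK   A record $ip matches the server IP"
        else
            echo "FAIL A record $ip does not match server IP $expected (fix it at your DNS host)"
            rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "FAIL no A record found"; rc=1; }
    return "$rc"
}

# Live check. A public resolver is queried on purpose: it ignores /etc/hosts on
# this machine, which is what can make a local curl look fine while the world
# (and Let's Encrypt) is sent to the wrong address.
preflight() {
    domain="$1"
    expected="$2"
    dig +noall +answer @1.1.1.1 "$domain" A | extract_a_records | judge_records "$expected" || return 1
    # Port 80 must answer before http-01 can succeed. A 404 here is fine: it proves
    # the connection reached a web server; a timeout is the "likely firewall" error.
    curl -sS -m 10 -o /dev/null \
        -w '%{url_effective} -> HTTP %{http_code}\n' \
        "http://$domain/.well-known/acme-challenge/preflight-test"
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it from any machine, not only the server: the point is to see what the public internet sees. If the A record check passes but the curl step times out, the problem is between the internet and port 80 (provider firewall, security group, nothing listening), not DNS.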

Hi,
Ok there was some goofup in IP. Now the IP is 172.104.239.204
I did get the certificate.
But now I have problem starting my nginx.

● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-06-26 05:15:57 UTC; 1min 4s ago
Docs: man:nginx(8)
Process: 16051 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Jun 26 05:15:57 localhost systemd[1]: Starting A high performance web server and a reverse proxy server...
Jun 26 05:15:57 localhost nginx[16051]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error>
Jun 26 05:15:57 localhost nginx[16051]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 26 05:15:57 localhost systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jun 26 05:15:57 localhost systemd[1]: nginx.service: Failed with result 'exit-code'.
Jun 26 05:15:57 localhost systemd[1]: Failed to start A high performance web server and a reverse proxy server.

certbot response:

root@localhost# certbot --nginx -d openbooksocial.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openbooksocial.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mastodon
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mastodon
Congratulations! You have successfully enabled https://openbooksocial.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=openbooksocial.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/openbooksocial.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/openbooksocial.com/privkey.pem
    Your cert will expire on 2020-09-24. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Does that REALLY say "example.com" ?
If so, there is your problem.
There is no such cert nor path.
If not, and you just changed it before posting... You missed the real domain in a whole lot of other places.
[So I don't really think this was an intentional "coverup" fail]


Hi @rg305. No, there is no cover up. It's actually example.com in the output.

In my files I have :

dir /etc/letsencrypt/live/openbooksocial.com/

cert.pem chain.pem fullchain.pem privkey.pem README

Sorry, my bad. Had missed updating site name for letsencrypt setting.

So did you get it working?

My Nginx server is working http://172.104.239.204/
But the server block at https://openbooksocial.com/ with the Mastodon install is not redirecting properly.
Any clue would be great. Thanks!

The redirection seems to be looping:

curl -Iki http://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:17 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

curl -Iki https://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:20 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

HTTP > HTTPS [this is good]
HTTPS > ITSELF [this is bad - endless loop]

Can we see the vhost configs for HTTP and HTTPS?
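The hop-by-hop curl check in the reply above, generalised into a small chain follower that stops as soon as a URL repeats (the HTTPS -> HTTPS loop seen here, or a longer cycle). This is an added example, not from the thread; it assumes curl is installed and relies on curl's %{http_code} and %{redirect_url} output variables. The fetcher is pluggable through a FETCH variable, so saved curl -I headers like the ones pasted above can be analysed offline through parse_headers instead of live requests.

```sh
#!/bin/sh
# Added example (not from the thread): follow HTTP redirects hop by hop and stop
# as soon as a URL repeats, which is the HTTPS -> HTTPS loop seen above.
# Usage: sh redirect_chain.sh http://openbooksocial.com/   (assumes curl is installed)

# Fetcher for live checks: prints "<status> <redirect target>" for one URL.
# %{redirect_url} is empty when the response carries no Location header.
live_fetch() {
    curl -sS -I -m 10 -o /dev/null -w '%{http_code} %{redirect_url}' "$1"
}

# Fetcher for captured output: turn saved "curl -I" headers (stdin) into the same
# "<status> <location>" line, so a pasted transcript can be analysed offline.
parse_headers() {
    awk 'NR == 1 { status = $2 }
         tolower($1) == "location:" { loc = $2; sub(/\r$/, "", loc) }
         END { print status, loc }'
}

# Walk the chain starting at $1, at most $2 hops (default 5). Any function that
# prints "<status> <location>" can be plugged in through FETCH.
# Exit codes: 0 final page reached, 1 hop limit hit, 2 loop detected.
follow_chain() {
    url="$1"
    max="${2:-5}"
    visited=""
    hop=0
    while [ "$hop" -lt "$max" ]; do
        visited="$visited $url "
        set -- $(${FETCH:-live_fetch} "$url")
        code="${1:-000}"
        loc="${2:-}"
        echo "$url -> $code ${loc:-(no Location)}"
        [ -n "$loc" ] || return 0
        case "$visited" in
            *" $loc "*)
                echo "LOOP: $loc redirects back to a URL already visited"
                return 2 ;;
        esac
        url="$loc"
        hop=$((hop + 1))
    done
    echo "gave up after $max hops"
    return 1
}

if [ "$#" -ge 1 ]; then
    follow_chain "$@"
fi
```

The exit code makes this usable from a deployment check: 0 means the chain ends on a real page, 2 means a server block is redirecting to itself, which in the nginx case usually points at a redirect rule that also fires inside the 443 block rather than only in the port 80 block.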

Thanks.
Can we see the vhost configs for HTTP and HTTPS?

Do you know your way around NGINX?
If not, show the output of:
grep -Eri 'server_name|SSL|listen' /etc/nginx/

Are you using anything like WordPress?

Not WordPress. It's Mastodon.

root@localhost:/var/www/html# grep -Eri 'server_name|SSL|listen' /etc/nginx/
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/nginx.conf: # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf: # server_name_in_redirect off;
/etc/nginx/nginx.conf: # SSL Settings
/etc/nginx/nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
/etc/nginx/nginx.conf: ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf:# listen localhost:110;
/etc/nginx/nginx.conf:# listen localhost:143;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon: listen [::]:443 ssl ipv6only=on; # managed by Certbot
/etc/nginx/sites-available/mastodon: listen 443 ssl; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon:#listen 443;
/etc/nginx/sites-available/mastodon:# listen 443 ssl http2;
/etc/nginx/sites-available/mastodon: # listen [::]:443 ssl http2;
/etc/nginx/sites-available/mastodon:# server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon:# ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/sites-available/mastodon: # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
/etc/nginx/sites-available/mastodon: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-available/mastodon: #ssl_session_cache shared:SSL:10m;
/etc/nginx/sites-available/mastodon:# ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
/etc/nginx/sites-available/mastodon: # ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;
/etc/nginx/sites-available/mastodon: listen 80;
/etc/nginx/sites-available/mastodon: listen [::]:80;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/default: listen 80 default_server;
/etc/nginx/sites-available/default: listen [::]:80 default_server;
/etc/nginx/sites-available/default: # server_name openbooksocial.com;
/etc/nginx/sites-available/default: # SSL configuration
/etc/nginx/sites-available/default: # listen 443 ssl default_server;
/etc/nginx/sites-available/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default: # Note: You should disable gzip for SSL traffic.
/etc/nginx/sites-available/default: # Read up on ssl_ciphers to ensure a secure configuration.
/etc/nginx/sites-available/default: # Self signed certs generated by the ssl-cert package
/etc/nginx/sites-available/default: server_name _;
/etc/nginx/sites-available/default:# listen 80;
/etc/nginx/sites-available/default:# listen [::]:80;
/etc/nginx/sites-available/default:# server_name example.com;
/etc/nginx/snippets/snakeoil.conf:# Self signed certificates generated by the ssl-cert package
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;