Error when receiving the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hlebushek.bit-live.tech

I ran this command: sudo certbot --nginx -d hlebushek.bit-live.tech -d www.hlebushek.bit-live.tech

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for hlebushek.bit-live.tech and www.hlebushek.bit-live.tech

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.hlebushek.bit-live.tech
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.hlebushek.bit-live.tech - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.hlebushek.bit-live.tech - check that a DNS record exists for this domain

Domain: hlebushek.bit-live.tech
Type: unauthorized
Detail: 62.213.122.223: Invalid response from http://hlebushek.bit-live.tech/.well-known/acme-challenge/oL1HTADpCUHHm3PJjUTRu5VGiSyKSDRQ3zT4p5rLPlE: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Ubuntu 24.04 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

My nginx cfg:

server {
    listen 443 ssl;
    server_name 192.168.130.14;
    ssl_certificate /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/certs/nginx.key;

    access_log /var/log/nginx/site-access.log;
    error_log /var/log/nginx/site-error.log;

    location / {
        proxy_pass_request_headers on;
        proxy_pass http://$server_name;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Connection keep-alive;
        proxy_redirect off;
    }
}

server {
    listen 80;
    server_name 1web.arbue.local;

    access_log /var/log/nginx/site-access.log;
    error_log /var/log/nginx/site-error.log;

    location / {
        proxy_pass http://192.168.130.14:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Connection keep-alive;
    }
}

Welcome @Kakapuka228

This should be easy enough to fix. You do not have an A and/or AAAA record for your www subdomain. You only have one for your apex (root) domain name. You should create an A record like you have for that.

The "404" is the key part. It is an HTTP Not Found error. Certbot did not know where to put the HTTP Challenge response in your server because you requested a cert for the domain for hlebushek.bit-live.tech but you do not have a server block that has that in the server_name.

You should make a server block for these two domain names (apex and www) for port 80. Or, add these names to your existing server block if appropriate.

3 Likes

the fact is that I have configured proxying to a Windows-based IIS server in this block, will the new entries interfere with the work of the current block?

You can have many server blocks in the same nginx system. nginx will choose which to use based on the port and the domain name in the URL. Perhaps you should review the nginx docs for how that works.

https://nginx.org/en/docs/http/request_processing.html

2 Likes
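As an added example (not the original poster's configuration and not code from the certbot or nginx projects), this is the kind of port-80 server block the two answers above describe: its server_name lists both names that were requested, so nginx can select it by Host header and certbot's nginx authenticator can find where to place the challenge, and the ACME path is answered locally instead of being proxied to IIS, where it would get a 404. The existing blocks for 192.168.130.14 and 1web.arbue.local can stay as they are. The webroot directory /var/www/letsencrypt is an assumption; the IIS backend address 192.168.130.14:80 is taken from the thread.

```nginx
# Added example, not the poster's own config.
# Port-80 block that matches both requested names so nginx routes
# requests for them here (selection is by listen port + server_name).
server {
    listen 80;
    listen [::]:80;
    server_name hlebushek.bit-live.tech www.hlebushek.bit-live.tech;

    access_log /var/log/nginx/site-access.log;
    error_log  /var/log/nginx/site-error.log;

    # ACME HTTP-01: the CA fetches
    # http://<name>/.well-known/acme-challenge/<token> and expects 200 with
    # the key authorization. Serve that path from a local directory rather
    # than proxying it to IIS, which does not know the token and answers 404.
    # /var/www/letsencrypt is an assumed webroot; certbot would write the
    # token file under /var/www/letsencrypt/.well-known/acme-challenge/.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    # Everything else goes to the IIS host behind nginx (address from the thread).
    location / {
        proxy_pass http://192.168.130.14:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # $scheme reports the real scheme (http here) instead of a hard-coded value
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After adding the block, run `nginx -t` and reload nginx, then either rerun `sudo certbot --nginx -d hlebushek.bit-live.tech -d www.hlebushek.bit-live.tech` (the authenticator now finds a block whose server_name matches) or use the webroot authenticator with `certbot certonly --webroot -w /var/www/letsencrypt -d ...`. The block only helps once the www name has an A record and pfSense forwards port 80 to this nginx host; the earlier `curl -I` showing a 200 from nginx indicates the forward for the apex name already works.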

I understand. In my case I have a connection to pfSense, which in turn forwards to nginx, and nginx in turn forwards to the IIS server where the site is located.
My entire infrastructure is connected to the external internet only through pfSense, which has the address 62.213.122.223.
I bought a domain for 62.213.122.223, and I need to create not a self-signed certificate but a domain name certificate. Essentially, I need to create a link: https://hlebushek.bit-live.tech:5932 / to get access to your IIS, which works, but unfortunately without a secure connection.
1web.arbue.local is the IIS server, which is already in another domain inside the infrastructure beyond nginx.

You showed that domain name in your nginx server block for port 80.

Connections to this domain name go to this IP:

hlebushek.bit-live.tech. 133    IN      A       62.213.122.223

An HTTP request to that domain gets a reply from an nginx system. Is that the nginx config you showed earlier, or is it a different nginx system?

curl -I http://hlebushek.bit-live.tech
HTTP/1.1 200 OK
Server: nginx
Set-Cookie: PHPSESSID=09b87dc8abc8e378aa19ba9bb3540301; path=/
2 Likes

It's the same configuration.

Before trying anything else you should fix that. You still do not have an A record for your www subdomain like you do for your apex domain name.

3 Likes
