Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-22" --agree-tos --authenticator webroot --email "snippetsx@lcsa.ru" --preferred-challenges "dns,http" --domains "privateimmich.lcsa.ru"
It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: privateimmich.lcsa.ru
Type: unauthorized
Detail: 91.77.164.211: Invalid response from http://privateimmich.lcsa.ru/.well-known/acme-challenge/L-yP9MhPHEAFrYNFcPJHLMAQueIhs_KzueTzq_0NsI0: "<!doctype html>\n<html>\n <head>\n <!-- (used for SSR) -->\n <!-- metadata:tags -->\n\n <meta charset=\"utf-8\" />\n <meta n"
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Cleaning up challenges
Some challenges have failed.
My web server is (include version): nginx proxy manager
The operating system my web server runs on is (include version): Debian 12
My hosting provider, if applicable, is: selfhost
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.11.0
Are you sure your DNS is set to the public IP of your self-hosted server?
Because HTTP requests to your domain are replied to by an openresty / express system. Or, maybe you have some kind of firewall software or device seeing the requests first?
Usually with NPM we see it used with an nginx server.
In any case, your system is not replying correctly to the HTTP challenge. This is most likely a configuration problem best handled on the NPM support forum.
Normally the above request should get an HTTP error 404 Not Found. Yours sends a page that begins like below, which is the same as shown in the above error message. The Let's Encrypt server probably got a similar wrong page returned to it.
The two above snippets tell me that Certbot is configured to serve the content via the webroot plugin, but nginx is not properly configured to serve the webroot path for that location. Instead, it seems to be serving the content from the upstream proxy (based on this likely being nginx proxy manager).
Two likely causes:
1- A proper location block is being overwritten by other blocks
2- There is no location block for the acme challenge
If I try to access your domain with a browser, I get redirected to the page below. I guess the HTTP Challenge requests are also getting sent the redirect page. But the challenge token gets lost when redirected like this, so it fails.
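One way to check the diagnosis in this thread on the server itself, as an added example that is not part of any post: it writes a random probe file into the webroot, requests it over plain HTTP without following redirects, and reports whether the webroot, the proxied application, or a redirect answered. The `webroot` and `base_url` arguments and the result labels are assumptions of this example.

```python
import http.client
import os
import secrets
from urllib.parse import urlsplit

ACME_DIR = ".well-known/acme-challenge"


def classify(status, content_type, location, body, expected):
    """Interpret one response to a GET for a challenge-style probe file."""
    if status == 200 and body.strip() == expected:
        return "ok"  # the proxy served the file written into the webroot
    if 300 <= status < 400:
        return "redirect to " + location  # check that the target still serves the file
    looks_html = "html" in content_type.lower() or body.lstrip()[:9].lower() == b"<!doctype"
    if status == 200 and looks_html:
        return "upstream-html"  # request was proxied to the application
    if status == 404:
        return "not-found"  # answered from a directory other than the webroot
    return "unexpected-%d" % status


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a random probe file under webroot, fetch it over HTTP, classify."""
    token = "probe-" + secrets.token_urlsafe(16)
    expected = secrets.token_urlsafe(32).encode()
    challenge_dir = os.path.join(webroot, *ACME_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as fh:
        fh.write(expected)
    try:
        url = urlsplit(base_url)
        # http.client does not follow redirects, so a redirect stays visible.
        conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=timeout)
        try:
            conn.request("GET", "/%s/%s" % (ACME_DIR, token))
            resp = conn.getresponse()
            return classify(resp.status, resp.getheader("Content-Type", ""),
                            resp.getheader("Location", ""), resp.read(4096), expected)
        finally:
            conn.close()
    finally:
        os.remove(path)  # never leave probe files behind
```

Call `probe_webroot` on the proxy host with the webroot path Certbot is configured to use and the site's `http://` URL; a result of `upstream-html` or `not-found` means the challenge path is not being served from that webroot.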