Getting ERR_SSL_PROTOCOL_ERROR when connecting to my website through my router

My domain is: ackis.duckdns.org

It produced this output: ERR_SSL_PROTOCOL_ERROR
Is this a certificate error, configuration error, or something else? I’m able to connect fine to my website when I’m on internal LAN and I haven’t played around with configuration or anything. I did change routers from a Netgear POS to an EdgeRouter.

My web server is (include version): nginx 1.17.9

The operating system my web server runs on is (include version): Ubuntu 18.04.4

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

1 Like

This is the config for the virtual host that I’m dealing with right now.

# HTTP server - redirect to HTTPS
server {
        listen                                  80;
        listen                                  [::]:80;
        server_name                             www.ackis.duckdns.org ackis.duckdns.org;

        location / {
                return                          301 https://ackis.duckdns.org$request_uri;
        }

        # Workaround LE and certbot not working with nginx
        location /.well-known/acme-challenge/ {
                                                root /var/www/letsencrypt;
        }

        access_log                              syslog:server=localhost,tag=nginx_access_internet,severity=info;
        error_log                               syslog:server=localhost,tag=nginx_error_internet;
}

# www domain - redirect to domain without www
server {
        listen                                  443 ssl;
        listen                                  [::]:443 ssl;
        server_name                             www.ackis.duckdns.org;

        location / {
                return                          301 https://ackis.duckdns.org$request_uri;
        }

        access_log                              syslog:server=localhost,tag=nginx_access_internet,severity=info;
        error_log                               syslog:server=localhost,tag=nginx_error_internet;

        ssl_certificate                         /etc/letsencrypt/live/www.ackis.duckdns.org/fullchain.pem;
        ssl_certificate_key                     /etc/letsencrypt/live/www.ackis.duckdns.org/privkey.pem;

        etag                                    off;

        include                                 /etc/nginx/conf.d/headers.conf;
}

server {
        listen                                  443 ssl default_server;
#       listen                                  [::]:443 ssl;
        server_name                             ackis.duckdns.org;

        access_log                              syslog:server=localhost,tag=nginx_access_internet,severity=info;
        error_log                               syslog:server=localhost,tag=nginx_error_internet;

        ssl_certificate                         /etc/letsencrypt/live/ackis.duckdns.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key                     /etc/letsencrypt/live/ackis.duckdns.org/privkey.pem; # managed by Certbot

        etag                                    off;

        include                                 /etc/nginx/conf.d/headers.conf;

        location ~* /\.\./ {
                deny                            all;
                return                          404;
        }

        location ~* "^(?:.+\.(?:htaccess|make|txt|test|markdown|md|engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save))$" {
                return                          404;
        }

        location = /favicon.ico {
                try_files                       /favicon.ico =204;
        }

        location / {
                root                            /var/www/internet;
                index                           index.html;
        }

        location /nginx_status {
                access_log                      syslog:server=localhost,tag=nginx_access_admin,severity=info;
                error_log                       syslog:server=localhost,tag=nginx_error_admin;

                include                         /etc/nginx/conf.d/include.whitelist;

#               auth_basic                      "Restricted access";
#               auth_basic_user_file            /etc/nginx/auth/admin.htpasswd;

                stub_status                     on;
        }
}
1 Like

your server is talking http on both ports 80 and 443:

% curl -i http://ackis.duckdns.org/
HTTP/1.0 401 Authorization Required
Server: alphapd/2.1.8
Date: Sat Mar  7 15:44:44 2020
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html
Content-length: 103
WWW-Authenticate: Digest realm="DCS-5020L_60",qop="auth", nonce="69042a0d9fa83d08a522d299219f9326"

<html><body><h2>Error: Authorization Required</h2>
<p>Authentication was requested</p></body></html>
% curl -i http://ackis.duckdns.org:443/
HTTP/1.0 401 Authorization Required
Server: alphapd/2.1.8
Date: Sat Mar  7 15:44:56 2020
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html
Content-length: 103
WWW-Authenticate: Digest realm="DCS-5020L_DC",qop="auth", nonce="dee11c9c23405e691977e16b282d4614"

<html><body><h2>Error: Authorization Required</h2>
<p>Authentication was requested</p></body></html>

to me, it looks like you have faulty port forwarding (alphapd is some embedded webserver for routers, cameras…)

1 Like
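Added example (not part of the thread): a small Python triage of the raw reply to the same plaintext request `curl -i http://host:port/` sends, deciding whether the expected web server or some other device owns a forwarded port. The function names and verdict strings are made up for this sketch; the alphapd and 301 headers are copied from the curl output in this thread, and the 400 reply is constructed from nginx's standard message for plain HTTP arriving on an `ssl` listener.

```python
import socket

# Text nginx puts in its cleartext 400 reply when plain HTTP reaches an "ssl" listener.
NGINX_PLAIN_ON_TLS = b"plain HTTP request was sent to HTTPS port"

# Sample replies. The first two use headers quoted in the thread; the third is constructed.
ALPHAPD_REPLY = (b"HTTP/1.0 401 Authorization Required\r\nServer: alphapd/2.1.8\r\n"
                 b"Content-type: text/html\r\n\r\n<html><body>...</body></html>")
NGINX_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
                  b"Location: https://ackis.duckdns.org/\r\n\r\n")
NGINX_400_REPLY = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"
                   b"<center>The plain HTTP request was sent to HTTPS port</center>")


def probe(host, port, timeout=5.0):
    """Send a plaintext GET (what `curl -i http://host:port/` does); return the raw reply."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while sum(map(len, chunks)) < 4096:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_head(raw):
    """Return (status, headers) for an HTTP/1.x reply, or None if it is something else."""
    if not raw.startswith(b"HTTP/1."):
        return None
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(raw, tls_port, expected_server="nginx"):
    """Say who answered. tls_port=True means the port is supposed to be an HTTPS listener."""
    if not raw:
        return "no-reply"
    if raw[0] in (0x15, 0x16) and raw[1:2] == b"\x03":
        return "tls-record"                      # TLS alert or handshake record
    parsed = parse_head(raw)
    if parsed is None:
        return "not-http"                        # e.g. what curl reports as HTTP/0.9
    status, headers = parsed
    server = headers.get("server", "")
    if not server.lower().startswith(expected_server):
        # Another device owns the port (camera, router UI, ...), whatever the forward says.
        return "wrong-responder:" + (server or "unknown")
    if tls_port:
        if status == 400 and NGINX_PLAIN_ON_TLS in raw:
            return "expected-server-tls"         # nginx is terminating TLS on this port
        return "expected-server-plaintext-on-tls-port"
    return "expected-server"


if __name__ == "__main__":
    for label, raw, tls in [("port 443, reply from thread", ALPHAPD_REPLY, True),
                            ("port 80, reply from thread", NGINX_REDIRECT, False),
                            ("port 443, constructed nginx reply", NGINX_400_REPLY, True)]:
        print(f"{label}: {classify(raw, tls)}")
```

To check a live host, pass `probe(host, 443)` to `classify(..., tls_port=True)` from outside the LAN, since the symptom in this thread only appeared through the router.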

It is an IP cam, but it’s not port forwarding, it’s faulty uPNP. Even though uPNP is off on the camera, and port 443 is manually forwarded to a different IP address, these cameras want to take it over with this router.

1 Like

Ok… what is handling TLS in your infrastructure, then?

1 Like

nginx with OpenSSL if that’s what you mean. I’ve fixed that problem that you identified - just forced those IP Cams to listen on some random ports, which got it off of 443. It looks like it’s working now. I just can’t renew certs because of another error.

1 Like

you can probably proxy them through nginx.

(firefox complains mixed content on your website. replace <img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!" height="31" width="88" /> with <img src="//www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0!" height="31" width="88" />)

for the renew error, if you need help, write on. :smiley:

1 Like

Hahah, just fixed that. :slight_smile: Switched it to http2 as well. Didn’t want to change things when other things were broken if that makes sense. I even fixed a few html5 issues too. My webpage is so advanced I know. :wink:

As for the Let’s Encrypt issue this is what I’m getting:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://ackis.duckdns.org/.well-known/acme-challenge/yqfXYFMJANsPjcb3-BTcyz5ZTRVDgtGWcVVcOX8R54o
   [68.148.53.117]: 403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

on this url I get 403 forbidden on http. but 404 not found on https.

you should probably remove the “nginx workaround”

1 Like

The workaround is just the webroot method since nginx is broken on some installs.

1 Like

Ok, that’s probably not the problem. Can you recheck where you’re forwarding port 80? (it looks like alphapd answers there, not nginx)

1 Like

I just have three port forwarding rules - here are the http/https ones:

1 Like
% curl -i http://ackis.duckdns.org/
curl: (1) Received HTTP/0.9 when not allowed

your webserver doesn’t sound very friendly

1 Like

And I don’t understand why. :frowning:

1 Like

it’s a lot friendlier now :slight_smile:

% curl -i http://ackis.duckdns.org/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 08 Mar 2020 10:02:34 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://ackis.duckdns.org/

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
1 Like

That’s what it should’ve been doing all along. I didn’t change anything though.

That’s a lie - I removed Apache2 which was listening on port 8008/8009. I had it installed because I wanted to learn Apache configs eventually.

The 403 error has changed into a 404 error at least… not sure if that’s progress now (The error received when trying to renew a cert):

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for plexpy.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. plexpy.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://plexpy.ackis.duckdns.org/.well-known/acme-challenge/7CjvErE5WnekV3lPr5EsOSwcv739imPnn6TqK7_BcB8 [68.148.53.117]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: plexpy.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://plexpy.ackis.duckdns.org/.well-known/acme-challenge/7CjvErE5WnekV3lPr5EsOSwcv739imPnn6TqK7_BcB8
   [68.148.53.117]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

(The domain for that one is different from what we had above, but the same error occurs across all my domains.)

1 Like
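Added example (not part of the thread): a Python parser for certbot "Failed authorization procedure" lines like the one above, grouping failed names by the scheme of the URL that produced the final response and by HTTP status. An http-01 validation always starts on port 80, so an `https://` URL in the error means a redirect was followed before the failing response. The sample lines, `example.org` names, tokens and the 203.0.113.7 address are constructed; the function names are this sketch's own.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Failure(NamedTuple):
    domain: str
    error: str             # ACME error type, e.g. "unauthorized"
    scheme: str            # scheme of the URL that returned the final response
    token: str
    ip: str
    status: Optional[int]  # HTTP status recovered from the detail, None if absent


# Output pasted from a terminal can carry long runs of padding where lines wrapped,
# even in the middle of a word or URL; strip those runs before matching.
WRAP_PAD = re.compile(r" {8,}")

FAILURE = re.compile(
    r"Failed authorization procedure\.\s*(?P<domain>\S+)\s*\([\w-]+\):\s*"
    r"urn:ietf:params:acme:error:(?P<error>\w+)\s*::.*?::\s*Invalid\s*response\s*from\s*"
    r"(?P<scheme>https?)://[^/\s]+/\.well-known/acme-challenge/(?P<token>[\w-]+)\s*"
    r"\[(?P<ip>[^\]]+)\]:\s*(?P<detail>\"(?:[^\"\\]|\\.)*\"|\d{3})"
)


def http_status(detail: str) -> Optional[int]:
    """The detail is either a bare status code or a quoted body excerpt."""
    if detail.isdigit():
        return int(detail)
    m = re.search(r"<title>\s*([1-5]\d\d)(?!\d)", detail)
    return int(m.group(1)) if m else None  # None: some application served its own page


def parse_failures(text: str) -> list:
    flat = WRAP_PAD.sub("", text)
    return [
        Failure(m["domain"], m["error"], m["scheme"], m["token"], m["ip"],
                http_status(m["detail"]))
        for m in FAILURE.finditer(flat)
    ]


def group_by_outcome(failures) -> dict:
    groups = defaultdict(list)
    for f in failures:
        groups[(f.scheme, f.status)].append(f.domain)
    return dict(groups)


# --- constructed sample input -------------------------------------------------
def _line(domain, scheme, token, detail, pad=""):
    return (
        f"Failed authorization procedure. {domain} (http-01): "
        f"urn:ietf:params:acme:error:unauthorized :: The client lacks suffic{pad}ient "
        f"authorization ::{pad} Invalid response from {scheme}://{domain}"
        f"/.well-known/acme-challenge/{token} [203.0.113.7]: {detail}. Skipping.\n"
    )


NGINX_404 = r'"<html>\r\n<head><title>404 Not Found</title></head>\r\n"'
NGINX_403 = r'"<html>\r\n<head><title>403 Forbidden</title></head>\r\n"'
APP_PAGE = r'"<!DOCTYPE html>\n<html>\n<head>\n    <!--"'

SAMPLE = (
    _line("books.example.org", "http", "CONSTRUCTED-token_1", NGINX_404, pad=" " * 40)
    + _line("media.example.org", "https", "CONSTRUCTED-token_2", NGINX_403)
    + _line("app.example.org", "https", "CONSTRUCTED-token_3", APP_PAGE)
    + _line("cam.example.org", "http", "CONSTRUCTED-token_4", "403")
)

if __name__ == "__main__":
    for (scheme, status), domains in group_by_outcome(parse_failures(SAMPLE)).items():
        print(f"{scheme:5} {status!s:5} {', '.join(domains)}")
```

Names that land in the same group were answered the same way, so each group usually points at one server block or one redirect rule to inspect.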

that’s helpful. I suppose --webroot is not properly configured.

you should try and use certbot renew -a nginx

1 Like

This tries to renew everything up for renewal. There are three main errors that popped up - 403, 404 and an invalid configuration file. I think I can file the config file error. I snipped out a bunch of “Not due for renewal” messages because of length.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/ackis.duckdns.org.conf does not specify an authenticator. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/asf.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/calibre.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for calibre.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (calibre.ackis.duckdns.org) from /etc/letsencrypt/renewal/calibre.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. calibre.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://calibre.ackis.duckdns.org/.well-known/acme-challenge/nAx5fsg7_JZFfPMg6r5svxcXQiS6JxxsqVkTwHMtiNI [68.148.53.117]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/denon.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for denon.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (denon.ackis.duckdns.org) from /etc/letsencrypt/renewal/denon.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. denon.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://denon.ackis.duckdns.org/.well-known/acme-challenge/mM4SjrIhP1Hse4FrvRaUOZ5wrk3r17M6sWW8LXVthqw [68.148.53.117]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.ackis.duckdns.org) from /etc/letsencrypt/renewal/nextcloud.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. nextcloud.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://nextcloud.ackis.duckdns.org/.well-known/acme-challenge/TAvHc3lQmQRswguEJUUWCXyQgZs9KlR9MzQdpUOV3PE [68.148.53.117]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/obi200.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ombi.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ombi.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (ombi.ackis.duckdns.org) from /etc/letsencrypt/renewal/ombi.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. ombi.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ombi.ackis.duckdns.org/.well-known/acme-challenge/CdTrddZiEPSuJzCb46S2PRJDWT96DCoFDwcXXbzzp3s [68.148.53.117]: "<!DOCTYPE html>\n<html>\n<head>\n    <!--\n\n\n\n\n\n                                              bbbbbbbb\n         OOOOOOOOO           ". Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/plexwebtools.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for plexwebtools.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (plexwebtools.ackis.duckdns.org) from /etc/letsencrypt/renewal/plexwebtools.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. plexwebtools.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://plexwebtools.ackis.duckdns.org/.well-known/acme-challenge/qsDO4xSRDjRSQNACglzMwqz-8NEBx00uL9-FJ2Y-mkA [68.148.53.117]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/radarr.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for radarr.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (radarr.ackis.duckdns.org) from /etc/letsencrypt/renewal/radarr.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. radarr.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://radarr.ackis.duckdns.org/.well-known/acme-challenge/eZqfYLDr7iM4arjnO5IzXhAmi2IajsIeBOMW6J82I8o [68.148.53.117]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sabnzbd.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sabnzbd.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (sabnzbd.ackis.duckdns.org) from /etc/letsencrypt/renewal/sabnzbd.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. sabnzbd.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://sabnzbd.ackis.duckdns.org/.well-known/acme-challenge/ImN-y-33bga-jybYuro_xl0EWW5FK-N-G-cJ5APHsCo [68.148.53.117]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sonarr.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sonarr.ackis.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (sonarr.ackis.duckdns.org) from /etc/letsencrypt/renewal/sonarr.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. sonarr.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://sonarr.ackis.duckdns.org/.well-known/acme-challenge/WwvVyEycB-XqrFbql4QANe9QDP5OLJdg-cP9n-iwB-I [68.148.53.117]: "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ubooquityadmin.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ubooquityadmin.ackis.duckdns.org
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (ubooquityadmin.ackis.duckdns.org) from /etc/letsencrypt/renewal/ubooquityadmin.ackis.duckdns.org.conf produced an unexpected error: Failed authorization procedure. ubooquityadmin.ackis.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ubooquityadmin.ackis.duckdns.org/.well-known/acme-challenge/SPWmOaPJSk62h_6mRg0E7WD868okUu7OgW5IF7NSKPE [68.148.53.117]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/usbserver.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/webmin.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wiki.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.channydraws.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/znc.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zoneminder.ackis.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/calibre.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/denon.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/nextcloud.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/ombi.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/plexwebtools.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/radarr.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/sabnzbd.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/sonarr.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/ubooquityadmin.ackis.duckdns.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/asf.ackis.duckdns.org/fullchain.pem expires on 2020-05-03 (skipped)
  /etc/letsencrypt/live/canon.ackis.duckdns.org/fullchain.pem expires on 2020-05-08 (skipped)
  /etc/letsencrypt/live/channydraws-dev.ackis.duckdns.org/fullchain.pem expires on 2020-05-14 (skipped)
  /etc/letsencrypt/live/channydraws.com/fullchain.pem expires on 2020-05-03 (skipped)
  /etc/letsencrypt/live/chantelle.ackis.duckdns.org/fullchain.pem expires on 2020-05-14 (skipped)
  /etc/letsencrypt/live/datacrow.ackis.duckdns.org/fullchain.pem expires on 2020-04-17 (skipped)
  /etc/letsencrypt/live/glances.ackis.duckdns.org/fullchain.pem expires on 2020-04-14 (skipped)
  /etc/letsencrypt/live/grafana.ackis.duckdns.org/fullchain.pem expires on 2020-04-27 (skipped)
  /etc/letsencrypt/live/hdhrextend.ackis.duckdns.org/fullchain.pem expires on 2020-05-03 (skipped)
  /etc/letsencrypt/live/lidarr.ackis.duckdns.org/fullchain.pem expires on 2020-05-08 (skipped)
  /etc/letsencrypt/live/mf4890.ackis.duckdns.org/fullchain.pem expires on 2020-05-08 (skipped)
  /etc/letsencrypt/live/monit.ackis.duckdns.org/fullchain.pem expires on 2020-05-08 (skipped)
  /etc/letsencrypt/live/mylar.ackis.duckdns.org/fullchain.pem expires on 2020-04-14 (skipped)
  /etc/letsencrypt/live/obi200.ackis.duckdns.org/fullchain.pem expires on 2020-04-28 (skipped)
  /etc/letsencrypt/live/plexpy.ackis.duckdns.org/fullchain.pem expires on 2020-05-03 (skipped)
  /etc/letsencrypt/live/transmission.ackis.duckdns.org/fullchain.pem expires on 2020-04-14 (skipped)
  /etc/letsencrypt/live/ubooquity.ackis.duckdns.org/fullchain.pem expires on 2020-04-14 (skipped)
  /etc/letsencrypt/live/usbserver.ackis.duckdns.org/fullchain.pem expires on 2020-05-02 (skipped)
  /etc/letsencrypt/live/webmin.ackis.duckdns.org/fullchain.pem expires on 2020-05-14 (skipped)
  /etc/letsencrypt/live/wiki.ackis.duckdns.org/fullchain.pem expires on 2020-04-14 (skipped)
  /etc/letsencrypt/live/www.ackis.duckdns.org/fullchain.pem expires on 2020-05-14 (skipped)
  /etc/letsencrypt/live/www.channydraws.com/fullchain.pem expires on 2020-04-19 (skipped)
  /etc/letsencrypt/live/znc.ackis.duckdns.org/fullchain.pem expires on 2020-04-14 (skipped)
  /etc/letsencrypt/live/zoneminder.ackis.duckdns.org/fullchain.pem expires on 2020-05-14 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/calibre.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/denon.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/nextcloud.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/ombi.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/plexwebtools.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/radarr.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/sabnzbd.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/sonarr.ackis.duckdns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/ubooquityadmin.ackis.duckdns.org/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/ackis.duckdns.org.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9 renew failure(s), 1 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: calibre.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://calibre.ackis.duckdns.org/.well-known/acme-challenge/nAx5fsg7_JZFfPMg6r5svxcXQiS6JxxsqVkTwHMtiNI
   [68.148.53.117]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: denon.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://denon.ackis.duckdns.org/.well-known/acme-challenge/mM4SjrIhP1Hse4FrvRaUOZ5wrk3r17M6sWW8LXVthqw
   [68.148.53.117]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: nextcloud.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   https://nextcloud.ackis.duckdns.org/.well-known/acme-challenge/TAvHc3lQmQRswguEJUUWCXyQgZs9KlR9MzQdpUOV3PE
   [68.148.53.117]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: ombi.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   https://ombi.ackis.duckdns.org/.well-known/acme-challenge/CdTrddZiEPSuJzCb46S2PRJDWT96DCoFDwcXXbzzp3s
   [68.148.53.117]: "<!DOCTYPE html>\n<html>\n<head>\n
   <!--\n\n\n\n\n\n
   bbbbbbbb\n         OOOOOOOOO           "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: plexwebtools.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   https://plexwebtools.ackis.duckdns.org/.well-known/acme-challenge/qsDO4xSRDjRSQNACglzMwqz-8NEBx00uL9-FJ2Y-mkA
   [68.148.53.117]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: radarr.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   https://radarr.ackis.duckdns.org/.well-known/acme-challenge/eZqfYLDr7iM4arjnO5IzXhAmi2IajsIeBOMW6J82I8o
   [68.148.53.117]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: sabnzbd.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   https://sabnzbd.ackis.duckdns.org/.well-known/acme-challenge/ImN-y-33bga-jybYuro_xl0EWW5FK-N-G-cJ5APHsCo
   [68.148.53.117]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: sonarr.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   https://sonarr.ackis.duckdns.org/.well-known/acme-challenge/WwvVyEycB-XqrFbql4QANe9QDP5OLJdg-cP9n-iwB-I
   [68.148.53.117]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: ubooquityadmin.ackis.duckdns.org
   Type:   unauthorized
   Detail: Invalid response from
   http://ubooquityadmin.ackis.duckdns.org/.well-known/acme-challenge/SPWmOaPJSk62h_6mRg0E7WD868okUu7OgW5IF7NSKPE
   [68.148.53.117]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like
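
A triage helper for certbot failure notes like those in the post above, added here as an example and not part of the original post: it parses the per-domain error blocks, rejoins a challenge token that terminal wrapping has split, and groups the failed domains by the scheme of the URL that answered and the HTTP status returned. The sample input, hostnames, IP address and tokens are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of certbot's failure notes; hosts, IP and
# tokens are placeholders. Tokens are split by padding, as a wrapped paste leaves them.
SAMPLE = r'''
 - The following errors were reported by the server:
   Domain: app1.example.org
   Type:   unauthorized
   Detail: Invalid response from
   http://app1.example.org/.well-known/acme-challenge/CONSTRUCTED_TOK            EN_A
   [203.0.113.10]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

 - The following errors were reported by the server:
   Domain: app2.example.org
   Type:   unauthorized
   Detail: Invalid response from
   https://app2.example.org/.well-known/acme-challenge/CONSTRUCTED_TOK           EN_B
   [203.0.113.10]: "<html>\r\n<head><title>403
   Forbidden</title></head>\r\n<body>\r\n<center><h1>403
   Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"
'''

BLOCK = re.compile(r"Domain:\s*(\S+)\s+Type:\s*(\S+)\s+Detail:(.*?)(?=\n\s*-\s|\Z)", re.S)
URL = re.compile(r"(https?)://\S+?/\.well-known/acme-challenge/(.*?)\[([0-9A-Fa-f.:]+)\]:", re.S)

def parse_failures(text):
    """Return one dict per failed domain found in certbot's error notes."""
    out = []
    for domain, err_type, detail in BLOCK.findall(text):
        m = URL.search(detail)
        status = re.search(r"<title>(\d{3})", detail)  # None if the body has no status title
        if m:
            out.append({"domain": domain, "type": err_type, "scheme": m.group(1),
                        "token": re.sub(r"\s+", "", m.group(2)),  # undo terminal wrapping
                        "ip": m.group(3), "status": int(status.group(1)) if status else None})
    return out

def group_failures(failures):
    """Group failed domains by (scheme of the URL that answered, HTTP status)."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["scheme"], f["status"])].append(f["domain"])
    return dict(groups)

if __name__ == "__main__":
    print(group_failures(parse_failures(SAMPLE)))
```

HTTP-01 validation always starts over plain HTTP on port 80, so a domain grouped under `https` is one where the validator followed a redirect before receiving the error response.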

Wait, what’s the command you issued with --webroot?

Did it look like certbot renew -d somedomain -a webroot -w /var/www/letsencrypt -i nginx?

Yeah, your workaround is probably interfering with that. I still have no idea why you use it.

1 Like