Getting urn:ietf:params:acme:error:unauthorized error while creating new certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://loving-petals---by-rose-110525.floristtouch.com

I ran this command: certbot certonly --nginx -v -d loving-petals---by-rose-110525.floristtouch.com --redirect --expand --force-renewal

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for loving-petals---by-rose-110525.floristtouch.com
Performing the following challenges:
http-01 challenge for loving-petals---by-rose-110525.floristtouch.com
Waiting for verification...
Challenge failed for domain loving-petals---by-rose-110525.floristtouch.com
http-01 challenge for loving-petals---by-rose-110525.floristtouch.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: loving-petals---by-rose-110525.floristtouch.com
  Type:   unauthorized
  Detail: 178.79.159.104: Invalid response from http://loving-petals---by-rose-110525.floristtouch.com/: "\n<!DOCTYPE html>\n<html lang=\"en\">\n\n\n\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initia"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.22.1

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.0.0

Also here is the log captured using the -v flag...

2025-05-13 16:54:50,325:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for loving-petals---by-rose-110525.floristtouch.com
2025-05-13 16:54:50,328:DEBUG:acme.client:Requesting fresh nonce
2025-05-13 16:54:50,328:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2025-05-13 16:54:50,452:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-05-13 16:54:50,452:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 13 May 2025 16:54:50 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: QmouDpB2mAV35oGWdwUMcrSHXMXEn_JLn0FEQUXTzdjAh2fiKGA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2025-05-13 16:54:50,453:DEBUG:acme.client:Storing nonce: QmouDpB2mAV35oGWdwUMcrSHXMXEn_JLn0FEQUXTzdjAh2fiKGA
2025-05-13 16:54:50,453:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "loving-petals---by-rose-110525.floristtouch.com"\n    }\n  ]\n}'
2025-05-13 16:54:50,455:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2025-05-13 16:54:50,642:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 377
2025-05-13 16:54:50,643:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 13 May 2025 16:54:50 GMT
Content-Type: application/json
Content-Length: 377
Connection: keep-alive
Boulder-Requester: 80300455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/80300455/383705176077
Replay-Nonce: ww5-sb6N-l-gWaiwFHGwOM12AYq6Xv1EmcKADGtspohYVFcUw8I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2025-05-20T16:54:50Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "loving-petals---by-rose-110525.floristtouch.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/80300455/519817046657"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/80300455/383705176077"
}
2025-05-13 16:54:50,643:DEBUG:acme.client:Storing nonce: ww5-sb6N-l-gWaiwFHGwOM12AYq6Xv1EmcKADGtspohYVFcUw8I
2025-05-13 16:54:50,643:DEBUG:acme.client:JWS payload:
b''
2025-05-13 16:54:50,645:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/80300455/519817046657:
2025-05-13 16:54:50,786:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/80300455/519817046657 HTTP/1.1" 200 849
2025-05-13 16:54:50,786:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 13 May 2025 16:54:50 GMT
Content-Type: application/json
Content-Length: 849
Connection: keep-alive
Boulder-Requester: 80300455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: ww5-sb6NWjLL4ret2hDivhzRfsJYJXtVJjQI9XLjw6GXLJmN_Os
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "loving-petals---by-rose-110525.floristtouch.com"
  },
  "status": "pending",
  "expires": "2025-05-20T16:54:50Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/ZCXelQ",
      "status": "pending",
      "token": "rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/5noDdA",
      "status": "pending",
      "token": "rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/pPgtjw",
      "status": "pending",
      "token": "rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc"
    }
  ]
}
user www-data www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        server_names_hash_bucket_size 256;
        server_names_hash_max_size 1024;
        client_max_body_size  512M;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##
        log_format  main
              '[$time_local] $remote_addr "$request_method $scheme://$host$request_uri" '
              '"$status $body_bytes_sent $upstream_response_time $request_time" '
              '<$http_user_agent> $http_referer';

        access_log off;

        # upstreams
        upstream php83_backend {
                server unix:/run/php/php8.3-fpm.sock;
        }


        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/include.d/*.conf;
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/vhost.d/*.conf;
        include /etc/nginx/sites.d/*.conf;
        include /etc/nginx/sites-enabled/*;


        # cookie setting
        fastcgi_temp_file_write_size 10m;
        fastcgi_busy_buffers_size 16k;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 16 16k;

        # optimisation
        #fastcgi_read_timeout 360;
        fastcgi_connect_timeout 60;
        fastcgi_read_timeout 60;
        keepalive_requests 500;

}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

2025-05-13 16:54:53,233:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/sites.d/site600.conf:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


    listen  80;

    server_name "loving-petals---by-rose-110525.floristtouch.com" "www.loving-petals---by-rose-110525.floristtouch.com"  ;

    access_log  /var/www/sites/site600/log/access.log main;
    error_log   /var/www/sites/site600/log/error.log error;

    root  "/var/www/sites/site600/public";

    include  includes/php-fpm.conf;
    index  index.php;

    # --- Sitemap rule starts 11Jan21
    location = /sitemap.xml {
     try_files $uri /sitemap.php;
    }
    location = /sitemap {
      rewrite ^(.*)$ /sitemap.php;
    }
    # --- Sitemap rule ends 11Jan21

    # system
    location ~* \.(?:ico|txt|map)$ {
        log_not_found  off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 1d;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 1d;
    }

location = /.well-known/acme-challenge/rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc{default_type text/plain;return 200 rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc.Pvr8TddtwflJW87rNHfR-NEqq5FWpTi2QcE5k2AbqwI;} # managed by Certbot

}

2025-05-13 16:54:55,225:DEBUG:acme.client:JWS payload:
b'{}'
2025-05-13 16:54:55,227:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/ZCXelQ:
2025-05-13 16:54:55,360:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/80300455/519817046657/ZCXelQ HTTP/1.1" 200 193
2025-05-13 16:54:55,361:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 13 May 2025 16:54:55 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 80300455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/80300455/519817046657>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/ZCXelQ
Replay-Nonce: QmouDpB2JZ3wA-4-AZRATn-DdIB62QmvgY0lvwP1NxM55woT7og
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/ZCXelQ",
  "status": "pending",
  "token": "rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc"
}
2025-05-13 16:54:55,361:DEBUG:acme.client:Storing nonce: QmouDpB2JZ3wA-4-AZRATn-DdIB62QmvgY0lvwP1NxM55woT7og
2025-05-13 16:54:55,361:INFO:certbot._internal.auth_handler:Waiting for verification...
2025-05-13 16:54:56,361:DEBUG:acme.client:JWS payload:
b''
2025-05-13 16:54:56,363:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/80300455/519817046657:
2025-05-13 16:54:56,495:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/80300455/519817046657 HTTP/1.1" 200 1617
2025-05-13 16:54:56,495:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 13 May 2025 16:54:56 GMT
Content-Type: application/json
Content-Length: 1617
Connection: keep-alive
Boulder-Requester: 80300455
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: QmouDpB2hQl0zpydXzLfMyW-H9cK5y9uR0DSWy_9jpMx36HkqnQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "loving-petals---by-rose-110525.floristtouch.com"
  },
  "status": "invalid",
  "expires": "2025-05-20T16:54:50Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/80300455/519817046657/ZCXelQ",
      "status": "invalid",
      "validated": "2025-05-13T16:54:55Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "178.79.159.104: Invalid response from http://loving-petals---by-rose-110525.floristtouch.com/: \"\\n\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\n\\n\\n\u003chead\u003e\\n  \u003cmeta charset=\\\"utf-8\\\"\u003e\\n  \u003cmeta name=\\\"viewport\\\" content=\\\"width=device-width, initia\"",
        "status": 403
      },
      "token": "rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc",
      "validationRecord": [
        {
          "url": "http://loving-petals---by-rose-110525.floristtouch.com/.well-known/acme-challenge/rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc",
          "hostname": "loving-petals---by-rose-110525.floristtouch.com",
          "port": "80",
          "addressesResolved": [
            "178.79.159.104"
          ],
          "addressUsed": "178.79.159.104"
        },
        {
          "url": "http://loving-petals---by-rose-110525.floristtouch.com/",
          "hostname": "loving-petals---by-rose-110525.floristtouch.com",
          "port": "80",
          "addressesResolved": [
            "178.79.159.104"
          ],
          "addressUsed": "178.79.159.104"
        }
      ]
    }
  ]
}
2025-05-13 16:54:56,495:DEBUG:acme.client:Storing nonce: QmouDpB2hQl0zpydXzLfMyW-H9cK5y9uR0DSWy_9jpMx36HkqnQ
2025-05-13 16:54:56,496:INFO:certbot._internal.auth_handler:Challenge failed for domain loving-petals---by-rose-110525.floristtouch.com
2025-05-13 16:54:56,496:INFO:certbot._internal.auth_handler:http-01 challenge for loving-petals---by-rose-110525.floristtouch.com
2025-05-13 16:54:56,496:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: loving-petals---by-rose-110525.floristtouch.com
  Type:   unauthorized
  Detail: 178.79.159.104: Invalid response from http://loving-petals---by-rose-110525.floristtouch.com/: "\n<!DOCTYPE html>\n<html lang=\"en\">\n\n\n\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initia"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2025-05-13 16:54:56,497:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-05-13 16:54:56,497:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-05-13 16:54:56,497:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-05-13 16:55:11,861:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/4557/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/main.py", line 1872, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/main.py", line 1578, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/client.py", line 523, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/client.py", line 424, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/client.py", line 502, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/4557/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-05-13 16:55:11,863:ERROR:certbot._internal.log:Some challenges have failed.

Hello @nishantsworld, welcome. 🙂

The nginx server is configured to redirect /.well-known/acme-challenge/ to /.
Also, the HTTP response code is HTTP/1.1 302 Found (302 Found - HTTP | MDN).
Typically one would expect an HTTP response code of 404 Not Found (404 Not Found - HTTP | MDN) when there is no file.

$ curl -Ii http://loving-petals---by-rose-110525.floristtouch.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Server: nginx/1.22.1
Date: Tue, 13 May 2025 17:37:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: /

Please show the output of each of the following commands

  • sudo certbot certificates
  • sudo nginx -T that is a capital T

Hmm. That is an interesting result. The --nginx option you use inserts temp code into the server block so that your nginx replies directly to the Let's Encrypt server.

And, we can even see the correct update to the server block in the log (snips below).

Does your nginx take a long time to reload? Like even more than 1 second? Because Certbot only waits one second after updating and reloading your nginx before proceeding to submit the cert request to the LE server.

For large or slow nginx that is not enough time and we need to add an option to sleep longer.

Does adding this to your command help?

--nginx-sleep-seconds 4

Snips from the log for the --nginx updates are below. You can see the initial rewrite/break should mean the location block at the bottom is what nginx uses to reply (the location = /.well-known/... one).

server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

    listen  80;

    server_name "loving-petals---by-rose-110525.floristtouch.com" "www.loving-petals---by-rose-110525.floristtouch.com"  ;

    access_log  /var/www/sites/site600/log/access.log main;
    error_log   /var/www/sites/site600/log/error.log error;

    root  "/var/www/sites/site600/public";

   ... other items omitted for brevity ...

location = /.well-known/acme-challenge/rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc{default_type text/plain;return 200 rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc.Pvr8TddtwflJW87rNHfR-NEqq5FWpTi2QcE5k2AbqwI;} # managed by Certbot
}
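As an added example (not code from this thread, from Certbot or from Let's Encrypt), here is a Python pre-flight that does what the CA's validator did in the log above: fetch the challenge URL, follow redirects hop by hop (each hop is one validationRecord entry, which is how the record ends up listing the challenge URL and then "/"), and compare the final body with the key authorization. The domain, token and key authorization are taken from the log; the stand-in servers, the verdict names and the redirect bound are assumptions made for the example.

```python
"""Pre-flight for an ACME http-01 challenge path, mirroring what the CA's
validator does and records: fetch the challenge URL, follow redirects (each
hop becomes a validationRecord entry, as in the log: the challenge URL, then
"/"), and compare the final body with the expected key authorization.
Network access is injected so the check runs offline against stand-in servers.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # assumption: a bound for this tool, not the CA's exact limit
# Taken from the thread's log: the token and the key authorization that
# certbot wrote into its temporary location block.
DEMO_DOMAIN = "loving-petals---by-rose-110525.floristtouch.com"
DEMO_TOKEN = "rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc"
DEMO_KEY_AUTHZ = DEMO_TOKEN + ".Pvr8TddtwflJW87rNHfR-NEqq5FWpTi2QcE5k2AbqwI"


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str


@dataclass
class Result:
    verdict: str      # "ok", "redirected-away", "not-found", "wrong-body", ...
    chain: List[str]  # every URL visited, like the CA's validationRecord
    detail: str


def challenge_url(domain: str, token: str) -> str:
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def check_http01(domain, token, key_authz, fetch, max_redirects=MAX_REDIRECTS):
    url = challenge_url(domain, token)
    chain = [url]
    for _ in range(max_redirects + 1):
        resp = fetch(url)
        if resp.status not in (301, 302, 303, 307, 308):
            break
        location = resp.headers.get("location")
        if not location:
            return Result("bad-redirect", chain, f"{resp.status} without Location")
        url = urljoin(url, location)  # a relative "Location: /" resolves to the site root
        chain.append(url)
    else:
        return Result("redirect-loop", chain, "too many redirects")
    snippet = repr(resp.body.strip()[:40])
    # A redirect that keeps the challenge path (http -> https) is fine; one that
    # lands elsewhere is what produced the HTML "Invalid response" in the log.
    if urlparse(url).path != CHALLENGE_PREFIX + token:
        return Result("redirected-away", chain,
                      f"landed on {url}: HTTP {resp.status} {snippet}")
    if resp.status == 404:
        return Result("not-found", chain, "nothing serves the token at the challenge path")
    if resp.status != 200:
        return Result("unexpected-status", chain, f"HTTP {resp.status} at the challenge path")
    if resp.body.strip() != key_authz:
        return Result("wrong-body", chain, f"body {snippet} is not the key authorization")
    return Result("ok", chain, "key authorization served at the challenge path")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from following redirects, so every hop shows up in the chain."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetcher for a real host; 3xx/4xx/5xx surface as HTTPError and are kept."""
    def pack(r):
        return Response(r.code, {k.lower(): v for k, v in r.headers.items()},
                        r.read(4096).decode("utf-8", "replace"))
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return pack(r)
    except urllib.error.HTTPError as e:
        return pack(e)


def broken_site_fetch(url: str) -> Response:
    """Constructed stand-in for the behaviour the curl test above showed:
    the challenge path answers 302 -> "/" and "/" serves the site's HTML."""
    if urlparse(url).path.startswith(CHALLENGE_PREFIX):
        return Response(302, {"location": "/"}, "")
    return Response(200, {"content-type": "text/html; charset=UTF-8"},
                    '\n<!DOCTYPE html>\n<html lang="en">\n<head>\n  <meta charset="utf-8">')


def fixed_site_fetch(url: str) -> Response:
    """Constructed stand-in for a server where certbot's location block answers."""
    if urlparse(url).path == CHALLENGE_PREFIX + DEMO_TOKEN:
        return Response(200, {"content-type": "text/plain"}, DEMO_KEY_AUTHZ)
    return Response(404, {}, "Not Found")


if __name__ == "__main__":
    for label, fetch in (("thread", broken_site_fetch), ("fixed", fixed_site_fetch)):
        r = check_http01(DEMO_DOMAIN, DEMO_TOKEN, DEMO_KEY_AUTHZ, fetch)
        print(f"{label}: {r.verdict} ({r.detail}); visited: {' -> '.join(r.chain)}")
```

Against a real host, pass `live_fetch` instead of a stand-in; the printed chain should match the validationRecord URLs the CA reports.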

The server is hosting more than 600 nginx conf files with more than 2500 server blocks.

certbot certificates has plenty of server blocks resulting in errors like...

2025-05-14 01:54:26,096:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/wreaths-flowers-by-danielle-120324.floristtouch.com/cert.pem is signed by the certificate's issuer.
2025-05-14 01:54:26,097:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/wreaths-flowers-by-danielle-120324.floristtouch.com/cert.pem is: OCSPCertStatus.GOOD
2025-05-14 01:54:26,099:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r10.o.lencr.org:80
2025-05-14 01:54:26,240:DEBUG:urllib3.connectionpool:http://r10.o.lencr.org:80 "POST / HTTP/1.1" 200 504

nginx -T output (apart from some 2500-odd server blocks) shows the below output...

# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        # pass PHP scripts to FastCGI server
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass 127.0.0.1:9000;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

root@localhost:~#

Note
The server, along with all the certificates, was actually migrated from an old server. Here are the steps I had used for migration...

  1. scp everything from /etc/letsencrypt from the old server to the new one
  2. Install certbot on new one, which ended up installing certbot 2.1
  3. Uninstall certbot apt package and instead installing certbot from snap package, finally getting certbot 4.0.0
  4. Installing the nginx module for certbot

I now tried your suggestion of running certbot certonly --nginx --nginx-sleep-seconds 30 -d loving-petals---by-rose-110525.floristtouch.com , however still the same issue.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for loving-petals---by-rose-110525.floristtouch.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: loving-petals---by-rose-110525.floristtouch.com
  Type:   unauthorized
  Detail: 178.79.159.104: Invalid response from http://loving-petals---by-rose-110525.floristtouch.com/: "\n<!DOCTYPE html>\n<html lang=\"en\">\n\n\n\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initia"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Also, to note, I tried creating the file named rFKc0xdaZSZpHcp9xC46GfGpawND0xrQupzxX9QBZhc at docroot/.well-known/acme-challenge and tried to access it from the browser (link: A Florist in | Florabella | Same-Day Flower Delivery) and it was perfectly accessible.

I now tried to remove all our virtual hosts (server blocks) and generate SSL with just this one server block. The result is that the certs did get generated; however, the nginx vhost file didn't get altered. I had to do it manually.

root@localhost:/etc/nginx# certbot certonly --nginx --nginx-sleep-seconds 30 -d loving-petals---by-rose-110525.floristtouch.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for loving-petals---by-rose-110525.floristtouch.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/loving-petals---by-rose-110525.floristtouch.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/loving-petals---by-rose-110525.floristtouch.com/privkey.pem
This certificate expires on 2025-08-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@localhost:/etc/nginx# certbot certonly --nginx -d www.loving-petals---by-rose-110525.floristtouch.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for www.loving-petals---by-rose-110525.floristtouch.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.loving-petals---by-rose-110525.floristtouch.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.loving-petals---by-rose-110525.floristtouch.com/privkey.pem
This certificate expires on 2025-08-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So now that leads to two possibilities...

  1. Is there some issue in some of the other vhost that is preventing this SSL to get generated?
  2. Why did certbot fail to edit nginx automatically in this case?

That's a lot of server blocks. Have you used the --nginx option to get certs for other domains on that server?

Usually --nginx works very well. But, sometimes there are unusual things in an nginx config that can cause it problems. With such a large nginx config it would be difficult to view it all to debug.

Would you run this as a test? The --webroot option does not parse or update the nginx config. It just places a file. This is a good option when --nginx doesn't work.

sudo certbot certonly --dry-run --webroot -w /var/www/sites/site600/public -d loving-petals---by-rose-110525.floristtouch.com

If that works I have some further questions before suggesting a final solution. For example, why are you "expanding" the cert and how many domains are already in the cert you are expanding? And, why did you not include a second -d option with the www domain in your original command? You have two domain names in the server block. Why not both in the cert?

3 Likes

Here is the output of the command you asked to run...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for loving-petals---by-rose-110525.floristtouch.com
The dry run was successful.

To answer your other questions...

  • Each cert (belonging to each server block) has a max of 4 domains/subdomains.
  • Not including -d for a second domain was just to avoid hitting the rate limit while debugging. So I was trying to generate SSL for one domain of the server block and, when I hit the rate limit, was ending up trying with the second domain.
  • Eventually, in my previous reply, when I isolated all other virtual hosts (server blocks) and ran the command, I did in fact run the command with both the domains (with and without www) in a single certbot command.

Missed a response to one of your questions in my previous reply...

As I had mentioned in my first post, this scenario/issue is applicable since the time the server was migrated. Earlier certbot was working perfectly even with the 2500-odd domains (approximately a quarter of that number of server blocks, as approximately 4 domains/subdomains become part of each server block). And yes, on the old server, I was using the --nginx option to generate the certs.

Has the --nginx option worked for any other domain since you migrated the server? Not just as a single server block but when all 2500 are active?

1 Like

No, it hasn't. I am unable to even renew any of them now.

1 Like

Before we get to your overall problem I'll just note this for your understanding ...

ITEM 1

The certonly option does just what it says. It gets the cert (only) and makes no permanent changes to your nginx config. So the "vhost file" not getting altered is expected.

ITEM 2

Yes, please use the --dry-run or another way to use the Let's Encrypt Staging system when testing or debugging. The rate limits are much higher in that system and it has no risk of affecting your production certs. With the --nginx option you need to add certonly to allow use of --dry-run.

5 Likes

Ouch. I was hoping the domain in your first post was using it for the first time and I was going to suggest using --webroot instead. The --webroot test worked earlier and is much more efficient with very large server configs. The main drawback is it can only be used with certonly which means you need to create server blocks for port 443 for new domains manually. You also need to know the specific root directory for the -w option. (or use location block in each of your port 80 server blocks for the acme-challenge to be somewhere else).

Converting roughly 600 (you said) certificate configs for your 2500 server blocks might take a fair amount of effort. It depends on your skills and on whether you have any automation for your server config. I think this would be the most reliable way forward. I don't think any volunteer here would have suggested using --nginx for such a large system. Let me know if you want to proceed with this and we can walk through the best way.

That said, you had it working on your old server so something is obviously different. Your --nginx test of a single server block worked so it is probably not something in the general nginx config or your environment. Either the large number is now too much for the current snap / Certbot 4.0, or something in some other server blocks is confusing it.

I'd be curious to know if this works on one of your other certificate names

sudo certbot renew --dry-run --cert-name X

Where X is the certificate name from the sudo certbot certificates list. That is just a formatted display of the files named in the /etc/letsencrypt/renewal directory so you could just see the name from there (probably much faster). Just leave off the .conf part of the file name for --cert-name X value.

3 Likes

Thanks for clarifying on the certonly param. Will try tomorrow early morning UTC again without certonly and see if things work (since it is a production server, I can experiment only during off-peak hours).

Thanks for the --dry-run suggestion.

Basically it's a SaaS-based platform, so ideally I would have preferred to use certbot the --nginx way and not the --webroot way (as it has been over all the 600+ server blocks). It's a few steps less to program.

Nonetheless the bigger problem is renewals. I am guessing if the root cause gets detected and fixed, renewals and --nginx option both would start working again!

It failed :frowning:

root@localhost:~# sudo certbot renew --dry-run --cert-name www.testssl.floristtouch.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.testssl.floristtouch.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.testssl.floristtouch.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.testssl.floristtouch.com
  Type:   unauthorized
  Detail: 178.79.159.104: Invalid response from http://www.testssl.floristtouch.com/.well-known/acme-challenge/T7Y98tWxJ9D58CJDt6mTCzilZ7ZimZvyV8lEJriGRaA: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate www.testssl.floristtouch.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.testssl.floristtouch.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Let's try a very long sleep seconds. If that fails please upload the full /var/log/letsencrypt/letsencrypt.log file for that run

Also, the access_log for the port 80 server block for this www.testssl domain would be helpful. At least the records related to the 404 we are seeing.

sudo certbot renew --dry-run --cert-name www.testssl.floristtouch.com --nginx-sleep-seconds 300

Frankly, if 300s is needed I don't think it is a viable long-term solution (I will explain later). It is just to eliminate this as the cause.

2 Likes

I have tried for a different domain hosted on the same server this time as it is a fully setup one. Yet failed with 300s sleep time as well :frowning:

root@localhost:~# certbot renew --dry-run --cert-name www.theflowershop.ie --nginx-sleep-seconds 300
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.theflowershop.ie.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.theflowershop.ie

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.theflowershop.ie
  Type:   unauthorized
  Detail: 178.79.159.104: Invalid response from https://theflowershop.ie/: "\n<!DOCTYPE html>\n<html lang=\"en\">\n\n\n\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initia"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate www.theflowershop.ie with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.theflowershop.ie/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Here are the related access logs...

[14/May/2025:15:49:56 +0000] 66.133.109.36 "GET https://www.theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8" "301 5 0.040 0.040" <Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)> http://www.theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8
[14/May/2025:15:49:57 +0000] 66.133.109.36 "GET https://theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8" "302 5 0.039 0.039" <Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)> https://www.theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8
[14/May/2025:15:49:58 +0000] 66.133.109.36 "GET https://theflowershop.ie/" "200 30422 0.106 0.106" <Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)> https://theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8

As far as sharing /var/log/letsencrypt/letsencrypt.log is concerned, is there any way I can share it privately? It has too much data that I would not want to expose.

Sorry, whatever information I thought would get exposed was actually from some other command that I ran.

I have uploaded the entire letsencrypt.log file for the above command with this reply.

le_logs.txt (66.2 KB)
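The three access log lines above tell the whole story of the failed validation: the CA requests the challenge token, gets a 301, follows it, gets a 302, and finally receives a 200 for the site's home page rather than for the challenge path, which is exactly the "Invalid response from https://theflowershop.ie/" the CA reports. The script below is an added example (not part of this thread and not Certbot's or nginx's own code) that walks such a chain from log lines. It embeds the three lines posted above as constructed test data and assumes their log format is `[time] client "METHOD url" "status bytes t1 t2" <user-agent> extra`, where the trailing `extra` field is taken to be the Location header on 3xx responses and the Referer otherwise; both the regex and that interpretation are assumptions about this particular log format.

```python
"""Walk ACME http-01 validation attempts through nginx access log lines
and say where each challenge request ended up. Added example; the log
format regex and the meaning of the trailing field are assumptions."""
import re
from collections import OrderedDict

# Constructed test data: the three lines from the post above.
ACCESS_LOG = """\
[14/May/2025:15:49:56 +0000] 66.133.109.36 "GET https://www.theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8" "301 5 0.040 0.040" <Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)> http://www.theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8
[14/May/2025:15:49:57 +0000] 66.133.109.36 "GET https://theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8" "302 5 0.039 0.039" <Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)> https://www.theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8
[14/May/2025:15:49:58 +0000] 66.133.109.36 "GET https://theflowershop.ie/" "200 30422 0.106 0.106" <Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)> https://theflowershop.ie/.well-known/acme-challenge/YleihPhXUuYG6seYAdEMWgsiUA601EpqNApLQ8xIiN8
"""

# Assumed line layout (see lead-in); the user agent may contain spaces.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<client>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<url>\S+)"\s+'
    r'"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+[\d.]+\s+[\d.]+"\s+'
    r'<(?P<agent>[^>]*)>\s+(?P<extra>\S+)\s*$'
)
# http-01 tokens are base64url; this is the path the CA must reach.
TOKEN_RE = re.compile(r'/\.well-known/acme-challenge/([A-Za-z0-9_-]+)')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def challenge_token(url):
    """Extract the http-01 token from a URL, or None if it is not a challenge URL."""
    m = TOKEN_RE.search(url)
    return m.group(1) if m else None


def group_by_token(lines):
    """Group log records into per-token chains, in log order.

    A record belongs to a token if the token appears in the requested URL
    or in the trailing field (a Location on 3xx, a Referer otherwise), so
    the final hop that landed off the challenge path is still captured."""
    chains = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        token = challenge_token(rec["url"]) or challenge_token(rec["extra"])
        if token is None:
            continue  # unrelated traffic
        chains.setdefault(token, []).append(rec)
    return chains


def verdict(hops):
    """Classify one validation attempt from its ordered hops."""
    last = hops[-1]
    on_path = challenge_token(last["url"]) is not None
    if 300 <= last["status"] < 400:
        return "incomplete: last hop is a redirect to %s" % last["extra"]
    if last["status"] == 200 and on_path:
        return "ok: key authorization served from the challenge path"
    if last["status"] == 200:
        return ("redirected away: final 200 came from %s, not the challenge path, "
                "so the CA saw the site's HTML instead of the key authorization"
                % last["url"])
    if last["status"] == 404:
        return "not found: nothing served the token at %s" % last["url"]
    return "unexpected status %d at %s" % (last["status"], last["url"])


def analyze(lines):
    """Map each token to a one-line verdict."""
    return {token: verdict(hops) for token, hops in group_by_token(lines).items()}


def describe(lines):
    """Human-readable trace of every chain, one hop per line."""
    out = []
    for token, hops in group_by_token(lines).items():
        out.append("token %s..." % token[:8])
        for i, h in enumerate(hops, 1):
            arrow = " -> " + h["extra"] if 300 <= h["status"] < 400 else ""
            out.append("  %d. %s %s%s" % (i, h["status"], h["url"], arrow))
        out.append("  verdict: " + verdict(hops))
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(ACCESS_LOG.splitlines()))
```

Run against a real access log by replacing `ACCESS_LOG` with the file's lines (after adjusting `LINE_RE` to the server's `log_format`). A verdict of "redirected away" means a redirect in the port 80 or 443 server block is catching `/.well-known/acme-challenge/` before the challenge can be served; a verdict of "not found" is the 404 seen earlier in the thread for www.testssl.floristtouch.com, where no redirect fired but nothing answered for the token either.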