Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: xignall.com

I ran this command: sudo certbot --nginx -d xignall.com -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for xignall.com
Performing the following challenges:
http-01 challenge for xignall.com
Waiting for verification...
Challenge failed for domain xignall.com
http-01 challenge for xignall.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: xignall.com
Type: unauthorized
Detail: 186.15.236.236: Invalid response from http://xignall.com/.well-known/acme-challenge/NK9qDPRGnMMtaWWyMOmut-UKfnetfLSI3_-2MP2HAY0: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: HostBig/HostFast, but my web server is a private site on 186.15.236.236

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Partially (NOT FOR WEBSITE) Version=110.0.39

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

You're trying to use the nginx plugin:

But the HTTP listener doesn't seem to be nginx:

curl -Ii http://xignall.com/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: frontend_lang=es_419; Expires=Tue, 09 Sep 2025 11:40:00 GMT; Path=/
Set-Cookie: session_id=db3a6848d7b0f9e45fc5bda6e20354bf0598aea9; Expires=Tue, 09 Sep 2025 11:40:00 GMT; Max-Age=604800; HttpOnly; Path=/
X-Content-Type-Options: nosniff
Server: Werkzeug/2.0.2 Python/3.10.12       <<<<<<<<<<<<<<<<<<<<<<<<<<<<
Date: Mon, 09 Sep 2024 11:40:00 GMT

I have checked, but I don't see any Apache server running.

The server is behind a NAT; the public IP address is on a MikroTik router/firewall, and port 80 is directed to my web server under a private IP. Do you think that can be the issue? Should I set a public IP address on my Ubuntu VMware server?

Please advise, and thanks for your reply.

It is fine to use NAT to send incoming requests to a server on your private network.

I think your NAT was not working correctly before but it looks like it is now. An nginx server is replying to HTTP requests arriving on port 80.

What does this show? It is only a test

sudo certbot certonly --dry-run --nginx -d xignall.com

I've double-checked the NAT and there was a wrong port redirection. I have set up port 80 to port 80 on TCP and UDP, and I was able to process the certificate.

I’ll do the rest of the configuration and let you know if there is any issue.
Thanks


UDP port 80 is not required, just TCP.


I was able to run certbot and it successfully created the certificate. Everything is supposed to be working just fine, but I still can't access my website.

I have the confirmation email and I've restarted nginx. Any ideas why this wouldn't be working?

When I created the certificate request, the NS were still propagating. I have disabled Cloudflare, uninstalled my domain from Cloudflare, and left my domain with the default NS from my hosting provider.

What confirmation email? As far as I know, Let's Encrypt does not send any of those.

Your HTTPS port 443 is not working properly. It's not doing proper HTTPS (SSL/TLS), but it's also not doing HTTP on port 443 (which is a configuration error we see often, but is not the case here). So, no idea. What process is listening on port 443? You can check using e.g. netstat -nap | grep 443.


Have you done the same kind of TCP routing for port 443?

Inbound requests on port 443 should go to your nginx on port 443.

You should also follow Osiris's suggestion to run netstat to see what is running on port 443.

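The two checks the replies above do by hand (curl to see which server really answers on port 80, and netstat or a probe to see whether port 443 speaks TLS at all) can be combined into one probe. The following is an added example in Python; it is not code from this thread, from Certbot or from nginx. It connects to a host and port, tries a TLS handshake first (what a browser does on 443), then sends a plain HTTP request for the http-01 challenge path (what Let's Encrypt does on 80), and reports whether the port is closed, speaks TLS, speaks HTTP (with status code and Server header), or neither. The token in the challenge path is arbitrary, and the two fake local listeners and their replies are constructed stand-ins so the example runs offline; the host names used are placeholders.

```python
"""Added example (not from the thread or Certbot): probe what really answers on host:port."""
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PATH = "/.well-known/acme-challenge/probe-token"  # token is arbitrary; only the route matters


def classify_listener(host, port, timeout=3.0):
    """Return a dict whose 'state' is 'closed', 'tls', 'http' or 'unknown'."""
    result = {"host": host, "port": port, "state": "unknown", "status": None, "server": None}
    try:  # 1. Does anything accept TCP here at all? (the NAT / port-forward check)
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(state="closed", error=str(exc))
        return result
    # 2. Does it speak TLS? Verification is off on purpose: the question is "is this
    #    TLS at all", not "is the certificate valid".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result.update(state="tls", tls_version=tls.version())
            return result
    except (ssl.SSLError, OSError) as exc:  # HTTP 400, EOF, reset or timeout: not TLS
        result["tls_error"] = type(exc).__name__
    finally:
        sock.close()
    try:  # 3. Not TLS. Does it speak plain HTTP, and what does the http-01 path return?
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall((f"GET {ACME_PATH} HTTP/1.0\r\nHost: {host}\r\n"
                          "Connection: close\r\n\r\n").encode())
            raw = b""
            for chunk in iter(lambda: sock.recv(4096), b""):
                raw += chunk
                if b"\r\n\r\n" in raw or len(raw) > 65536:
                    break
    except OSError as exc:
        result["error"] = str(exc)
        return result
    status_line, *headers = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace").split("\r\n")
    if not status_line.startswith("HTTP/"):
        return result  # neither TLS nor HTTP: what Osiris describes for port 443 above
    parts = status_line.split(" ", 2)
    result.update(state="http", status=int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None)
    for line in headers:
        if line.lower().startswith("server:"):
            result["server"] = line.split(":", 1)[1].strip()
    return result


class _FakeHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for a web server; start_fake_http sets these two per instance.
    server_header, challenge_status = "nginx", 200
    def version_string(self):
        return self.server_header
    def do_GET(self):
        code = self.challenge_status if self.path.startswith("/.well-known/acme-challenge/") else 200
        self.send_response(code)  # also emits the Server: and Date: headers
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass


def start_fake_http(server_header, challenge_status):
    """Local HTTP listener that identifies as server_header. Returns (port, stop)."""
    handler = type("Handler", (_FakeHandler,),
                   {"server_header": server_header, "challenge_status": challenge_status})
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1], httpd.shutdown


def start_fake_raw(reply=b"not http\r\n"):
    """Local TCP listener that is neither TLS nor HTTP. Returns (port, stop)."""
    srv = socket.create_server(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stop = threading.Event()
    def serve():
        while not stop.is_set():
            try:
                with srv.accept()[0] as conn:
                    conn.settimeout(1.0)
                    conn.recv(4096)
                    conn.sendall(reply)
            except OSError:  # accept timed out, or the client went away
                pass
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def free_port():
    """A port with nothing behind it, to produce the 'closed' verdict."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":  # real use, with the file saved as probe.py: python probe.py example.com
    import sys
    print(*(classify_listener(sys.argv[1], p) for p in (80, 443)), sep="\n")
```

Run it from outside your network against your own domain on ports 80 and 443. A 'closed' verdict points at the NAT rule (the situation fixed earlier in the thread), an 'http' verdict whose Server header is not nginx means another process owns the port (the Werkzeug case above, which is why the challenge path returned 404), and 'unknown' is the state Osiris observed on 443: something accepts the connection but speaks neither TLS nor HTTP.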