Http-01 challenge always failing

My domain is: app.live.swahilies.com (subdomain to swahilies.com)

I ran this command:

sudo certbot --nginx -d app.live.swahilies.com --verbose

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator nginx and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f44d03ac100>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f44d03ac100> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f44d03ac100>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/100203334', new_authzr_uri=None, terms_of_service=None), 8af9bace0ae7398cf5f5fa0765fce529, Meta(creation_dt=datetime.datetime(2020, 10, 24, 11, 42, 34, tzinfo=<UTC>), creation_host='ubuntu-s-1vcpu-2gb-nyc1-01'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Date: Sun, 25 Oct 2020 13:13:26 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "DAPG1QJJEZk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sun, 25 Oct 2020 13:13:26 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004jNFsmFEPQ-XG42pmQ0nFOblLYrKHAcOEpOcY9AGDhB8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0004jNFsmFEPQ-XG42pmQ0nFOblLYrKHAcOEpOcY9AGDhB8
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "app.live.swahilies.com"\n    }\n  ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAwMjAzMzM0IiwgIm5vbmNlIjogIjAwMDRqTkZzbUZFUFEtWEc0MnBtUTBuRk9ibExZcktIQWNPRXBPY1k5QUdEaEI4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "S9r6QA1Sl5Tlk9yKiv7iQIdMznwwxgciSDlD9TCh5Z3uHAG26IXZadMaH6INFSotICMLv7pBMhdCHusBhumK6Xg0ZGOccvctlDf2vYdc5aGDX6Ef0dnQuB2llWUBy-7vjfNeBFeYoMiNQhS-ErqYL6tKpK91Qrs71enwSwWiPpfGypVIMJ99zCyFNzMzURLGK4-FrBu03rFgp7ckaDzc1LW4TM7EhF5aooHL7sCItKz4lLNbIaThr2r8k_A3cFGt-8e-NOZRq4q9tD_1vnbJIJhe314_2xx11FB5UUDfQTeuv_sew4h80vrvAxNV8l2_s1sqgFNMbW6VK6kMuuwSYw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImFwcC5saXZlLnN3YWhpbGllcy5jb20iCiAgICB9CiAgXQp9"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 353
Received response:
HTTP 201
Server: nginx
Date: Sun, 25 Oct 2020 13:13:26 GMT
Content-Type: application/json
Content-Length: 353
Connection: keep-alive
Boulder-Requester: 100203334
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/100203334/5865917983
Replay-Nonce: 0004SP8stgvzbJJ6747aKjMiVuAvb-yd7m6IktIkXAmc7VY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-11-01T13:13:26.379386633Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "app.live.swahilies.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/8132648710"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/100203334/5865917983"
}
Storing nonce: 0004SP8stgvzbJJ6747aKjMiVuAvb-yd7m6IktIkXAmc7VY
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/8132648710:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAwMjAzMzM0IiwgIm5vbmNlIjogIjAwMDRTUDhzdGd2emJKSjY3NDdhS2pNaVZ1QXZiLXlkN202SWt0SWtYQW1jN1ZZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MTMyNjQ4NzEwIn0",
  "signature": "uSjowjymraOrVS_3eS8zEuh9TuK8MQffyAYntbjhk3XgttCEmvRgEXrVVem1T1C_AR9KkZ2A80fe9YA-Cit2_NR2Kv0cmBBO5CBGWlm1r-HOve89L3YwjA0wqMdBOsYhIRvnJLBI8l6BxTDBxPFtcSELO6q0-niHVgyAAgStY4Np6grbcTF5qAHhtNi3Iu_JW0bSgGukck9-6erZ97KaHx6J8jwuyVKCRkvzODm3BF0QHbOfHz5tTP8YcHDsq2MHbUnpGDkb6E_rb5t7MkNjHjBlmscfQe9GSPoDIn1xZSQcFM1soV5fz1_HYw4tqJlTM61PYgORvnqlD7RbawPtNg",
  "payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8132648710 HTTP/1.1" 200 800
Received response:
HTTP 200
Server: nginx
Date: Sun, 25 Oct 2020 13:13:26 GMT
Content-Type: application/json
Content-Length: 800
Connection: keep-alive
Boulder-Requester: 100203334
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00043nEsiwtKVU-XtG4fmq2VEbsV_YhrQFMF7RMJd0hlB0w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "app.live.swahilies.com"
  },
  "status": "pending",
  "expires": "2020-11-01T13:13:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/_LSXTA",
      "token": "Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/l91kug",
      "token": "Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/2VweZQ",
      "token": "Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo"
    }
  ]
}
Storing nonce: 00043nEsiwtKVU-XtG4fmq2VEbsV_YhrQFMF7RMJd0hlB0w
Performing the following challenges:
http-01 challenge for app.live.swahilies.com
Generated server block:
[]
Creating backup of /etc/nginx/modules-enabled/50-mod-mail.conf
Creating backup of /etc/nginx/mime.types
Creating backup of /etc/nginx/modules-enabled/50-mod-stream.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
Creating backup of /etc/nginx/sites-enabled/app.live.swahilies.com
Creating backup of /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
Creating backup of /etc/nginx/nginx.conf
Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;
server_names_hash_bucket_size 128;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

# Default server configuration
#
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


	listen 10.116.0.2:80;
	listen [2604:a880:400:d0::1c86:c001]:80;

	# SSL configuration
	#listen 443 ssl;

	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	server_name app.live.swahilies.com;

	root /var/www/app.live.swahilies.com/html/public;

	location ~ /.well-known {
                allow all;
        }

	# Add index.php to the list if you are using PHP
	index index.php index.html index.htm;

	location / {
		allow 10.116.0.6; # Private IP of load balancer 01
       	        allow 10.116.0.7; # Private IP of load balancer 02
		deny all;

		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ /index.php?$query_string;
                # CORS headers
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Headers' '*';
                add_header 'Access-Control-Allow-Methods' 'PATCH, PUT, GET, POST, DELETE, OPTIONS';
	}

	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one

	location ~ /\.ht {
		deny all;
	}
location = /.well-known/acme-challenge/Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo{default_type text/plain;return 200 Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo.QtCHl42r9JSxfXuLPt_Gi2Al1HfmKW3WnhXNj2_SGtw;} # managed by Certbot

}

Waiting for verification...
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/_LSXTA:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAwMjAzMzM0IiwgIm5vbmNlIjogIjAwMDQzbkVzaXd0S1ZVLVh0RzRmbXEyVkVic1ZfWWhyUUZNRjdSTUpkMGhsQjB3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My84MTMyNjQ4NzEwL19MU1hUQSJ9",
  "signature": "jtesf5LGcWg25RymoTiTflckOUCyU73ogux5B3Ixgwu1bGRlsDZaFdQ4NaY3O1TKf7YPlL3OMhjFEA0xfH7sbRb9HbhBFxANpw7FH2FoXHI3zA82_tuWtuhp5Ua2leLxsHCrTc0d-8fk4F7e3T7zXhMAoH0ZzNNlDeZokj09mNPsPJ1t0uSZ6IP4Nm-9EHkWXBmCAp9hBicqeQEhylbN553-xSQjmn2DqOktYqS3ZWNj1KlHqFYrvmDP85zf3aQCxomrJASKcsTWlVyTllC9TeI7B8JVyCxfLTY1pcCnxtTKPjDuVUr1-lpaiB8VcH747LAbYxLrSbS5rrgD67JnQg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/8132648710/_LSXTA HTTP/1.1" 200 185
Received response:
HTTP 200
Server: nginx
Date: Sun, 25 Oct 2020 13:13:27 GMT
Content-Type: application/json
Content-Length: 185
Connection: keep-alive
Boulder-Requester: 100203334
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/8132648710>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/_LSXTA
Replay-Nonce: 0004HRdD2aR5Ae6zS9jCf-qRZGy9Uy1zH0CQc76AB-nxroQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/_LSXTA",
  "token": "Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo"
}
Storing nonce: 0004HRdD2aR5Ae6zS9jCf-qRZGy9Uy1zH0CQc76AB-nxroQ
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/8132648710:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAwMjAzMzM0IiwgIm5vbmNlIjogIjAwMDRIUmREMmFSNUFlNnpTOWpDZi1xUlpHeTlVeTF6SDBDUWM3NkFCLW54cm9RIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My84MTMyNjQ4NzEwIn0",
  "signature": "oH6YZoDC69lzs0_be2clm5F2eVLMQkkbl542bmRwcicIpE7C0bo3RM1ute9qRaVSzGRz1ykXbtEBcTmljvlviotxdf29BO5DZjsV-jSK7bRukr1kDGxopI3mvaQTt_KsefuEtv5i22UKYGazjUaLHuZlyx5fu_-Qk52w_Y8S9R6P057iIsXGtUGpOV_mE09QOeg4faLLVpHB7smbnFTUotnzPl3AdBzEGR6mZOosenyB2c-osn2cat6PFSZEwU2PJGdmehAXHHPFR7z-eehba7yZFy9sVOcGBG2CdiAuijp7Nbti-t1ZzYppw4BFmKOg3qT8yCAVAeA0IAYaWkcr4A",
  "payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8132648710 HTTP/1.1" 200 1309
Received response:
HTTP 200
Server: nginx
Date: Sun, 25 Oct 2020 13:13:28 GMT
Content-Type: application/json
Content-Length: 1309
Connection: keep-alive
Boulder-Requester: 100203334
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0003oeayfAxIdIb2CpShbIrKB3nJHa3FPTFEMaUJnH6wr6o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "app.live.swahilies.com"
  },
  "status": "invalid",
  "expires": "2020-11-01T13:13:26Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "During secondary validation: Invalid response from http://app.live.swahilies.com/.well-known/acme-challenge/Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo [161.35.253.136]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.18.0 (Ub\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8132648710/_LSXTA",
      "token": "Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo",
      "validationRecord": [
        {
          "url": "http://app.live.swahilies.com/.well-known/acme-challenge/Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo",
          "hostname": "app.live.swahilies.com",
          "port": "80",
          "addressesResolved": [
            "161.35.253.136"
          ],
          "addressUsed": "161.35.253.136"
        }
      ]
    }
  ]
}
Storing nonce: 0003oeayfAxIdIb2CpShbIrKB3nJHa3FPTFEMaUJnH6wr6o
Challenge failed for domain app.live.swahilies.com
http-01 challenge for app.live.swahilies.com
Reporting to user: The following errors were reported by the server:

Domain: app.live.swahilies.com
Type:   unauthorized
Detail: During secondary validation: Invalid response from http://app.live.swahilies.com/.well-known/acme-challenge/Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo [161.35.253.136]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1132, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: app.live.swahilies.com
   Type:   unauthorized
   Detail: During secondary validation: Invalid response from
   http://app.live.swahilies.com/.well-known/acme-challenge/Nrnxt6f5tOpRFYdavSC6Hgo5AN3l79r-gosaG-RWEPo
   [161.35.253.136]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu - 20.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is: certbot 0.40.0

2 Likes

Welcome to the Let's Encrypt Community, Bryce :slightly_smiling_face:

Since there is a 404 being received by Let's Encrypt during secondary validation, this makes me wonder... :thinking:

Are you using a DigitalOcean load balancer?

If so, you will want to use a different process:

2 Likes

Thank you @griffin

Yes I use DigitalOcean load balancers which use Haproxy.

My first solution was to try SSL termination with Haproxy where SSL would be handled with the load balancer, but this attempt was an SSL pass-through using Haproxy where the SSL is handled in the web server.

Will SSL termination on the load balancer work with letsencrypt?

3 Likes

Absolutely. I would highly recommend taking advantage of the Use Let’s Encrypt tab to manage everything for you rather than complicating your life with certbot. :slightly_smiling_face:

SSL passthrough is bad juju because:

SSL passthrough distributes the decryption load across the backend servers, but every server must have the certificate information. You also can't add or modify HTTP headers, so you may lose the client's IP address, port, and other information contained in the X-forwarded-* headers.

Unless you want to do something like shut down all but one worker, run certbot on the active worker, mirror the certificate and private key to the remaining workers, then bring everything back up again, I would highly recommend using SSL termination.

3 Likes