Http challenge failing for cname

I hate to ask such a simple question. I have reviewed many of the posts here, but nothing is helping. So I apologize for a somewhat repetitive question.

My domain is:

I ran this command:
certbot --nginx --cert-name -d -d

It produced this output:
You are updating certificate to include new domain(s):

You are also removing previously included domain(s):

Did you intend to make this change?

(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Linux Mint 20.1 Cinnamon (ubuntu)

My hosting provider, if applicable, is: I am hosting on my own home server. has a certificate. Just want to add but I can't figure out why it is failing http challenge.

I can login to a root shell on my machine (yes or no, or I don't know): absolutely

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): nope.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

my nginx server config:
server {
listen 80;
listen 443;
listen [::]:443;

    root /home/detrix42/www/novasector/public;
    index index.html;

error_log /home/detrix42/www/ error;
access_log /home/detrix42/www/;

    add_header 'Access-Control-Allow-Origin' '';


client_max_body_size 10M;

    location ~* \.(png|jpg)$ {
             expires 365d;

location ~* ^/images/ {
    root /home/detrix42/www/;
    gzip_static on;
    expires max;
    add_header Cache-Control public;

location / {
proxy_pass http://novasector;
#proxy_pass http://localhost:3000;

  proxy_read_timeout 20;
  include proxy_params;

ssl_certificate /etc/letsencrypt/live/;                                                                              
ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot                                                      
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot                                                                           
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot                                                                              


upstream novasector {
server unix:/home/detrix42/www/socks/novasector;

Right now if you go to all you will see is a Vue start up splash screen. The basic "Welcome to Vue" start page.

output of certbot certificates:
Certificate Name:
Expiry Date: 2023-03-09 01:23:31+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

domain registrar is godaddy
output of 'dig':
; <<>> DiG 9.16.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28811
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 65494
; IN A


;; Query time: 23 msec
;; WHEN: Thu Dec 08 22:56:18 EST 2022
;; MSG SIZE rcvd: 77

Check these results


Welcome to the community @detrix42

First, the formatting for your nginx server config could be better. Please update the post so you have 3 backticks before and after the entire nginx config.

I can read it anyway and that nginx config is not the whole picture. The posted config has both domain names in the same server block. But, requests to the two domains have different results.

And, the Let's Debug site (which Bruce linked to) gives different results for each.

Can you show the active nginx config by running:

sudo nginx -T >upload.txt

Then use the upload button on the forum post to upload the upload.txt file (it will be very long).

Example of different results

curl -Ik
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)

curl -Ik
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)

Note: it's possible your proxy statement is not working right for the www subdomain and that is causing the different results.

Also, it is best to not combine port 80 and port 443 in the same server block. Much harder to configure properly.
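An added example (not from this thread, nginx or Certbot) of one way to read an `nginx -T` dump for the two points in the reply above: which server blocks mix ports 80 and 443, and which hostnames have no port-80 server block of their own and so are answered by the default server. The dump, the `example.com` names and the function names are constructed placeholders; only exact `server_name` entries are considered, not wildcard or regex names.

```python
import re

# Constructed sample in the style of `nginx -T` output; all names are placeholders.
SAMPLE_DUMP = """
# configuration file /etc/nginx/sites-enabled/example:
upstream app { server unix:/run/app.sock; }
server {
    listen 80;
    listen [::]:443 ssl;
    server_name example.com;
    location / { proxy_pass http://app; }
}
server {
    listen 80 default_server;
    server_name _;
    location / { return 404; }
}
"""

# Port from `listen 80`, `listen [::]:443 ssl`, `listen 127.0.0.1:8080`.
LISTEN = re.compile(r"\blisten\s+(?:\[[^\]]*\]:|[\d.]+:)?(\d+)")

def server_blocks(dump):
    """Yield (ports, names) for each `server { ... }` block, found by brace depth."""
    text = re.sub(r"#[^\n]*", "", dump)        # drop comments (naive: ignores quoting)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        ports = {int(p) for p in LISTEN.findall(body)}
        names = set(" ".join(re.findall(r"\bserver_name\s+([^;]+);", body)).split())
        yield ports, names

def audit(dump, wanted):
    """Return (names in blocks mixing 80 and 443, wanted hosts with no port-80 block)."""
    blocks = list(server_blocks(dump))
    mixed = sorted(n for p, names in blocks if {80, 443} <= p for n in names)
    unmatched = [h for h in wanted
                 if not any(80 in p and h in names for p, names in blocks)]
    return mixed, unmatched

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, ["example.com", "www.example.com"]))
```

A hostname in the second list is served on port 80 by whichever block nginx treats as the default, which is where an http-01 request for that name would land.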


Thanks. That gives me something to think about. At a quick glance I cannot see where it is redirecting. I used to have a server clause that would redirect port 80 to 443, but removed it before posting this question. My app is just a Vue landing page. I don't think there are any redirects there. But thanks again. I will dig into it.


Thank you very much. Looking at the output of the nginx -T is shedding some light on the redirects. Yeah, it's a bit ugly. Too embarrassed to post it here. Sheesh. Thanks again.


Well, after cleaning up my nginx server files (somewhat) I got the Let's Debug to pass for both and I may have a misunderstanding here. Since I have certified, and is just a CNAME, and the DNS automatically redirects to, I don't think I need to have in the certification.

Well I just tried and I get a 404 not found. ugh. Almost there. Thanks to those that responded rather quickly....@Bruce5051 and @MikeMcQ


A CNAME doesn't "redirect" you, it just replies that it's the same IP address as DNS name X. You do need a certificate for the www version (as the latest browsers try the https version as default when given without a protocol header).


There is nothing embarrassing about making mistakes.
Embarrassing is not admitting to having made any :wink: [no one is perfect]
As long as you are willing to learn, we are willing to teach :slight_smile:


CNAMEs are on the DNS level. Browsers don't have any knowledge of that and will keep using the "first" hostname. So you do want to include all hostnames in the certificate.
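An added example (not from the thread) of the point made in the two replies above: DNS may follow a CNAME to another name, but the client still verifies the certificate against the hostname it was given. The `example.com` names, the sample data and the function names are constructed; the wildcard rule is a simplified form of the usual client behaviour.

```python
# Constructed sample data: placeholder names, not the poster's domains.
CNAMES = {"www.example.com": "example.com"}   # DNS-level alias only

def san_matches(pattern, host):
    """Match one certificate name against a hostname. '*' is accepted only as
    the whole leftmost label and stands for exactly one label (simplified)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check(host, cnames, sans):
    """Return (name DNS ends up at, whether the cert covers the typed name).
    Following the CNAME changes where the connection goes, not the name
    that is compared against the certificate."""
    target, seen = host, set()
    while target in cnames and target not in seen:   # guard against alias loops
        seen.add(target)
        target = cnames[target]
    return target, any(san_matches(s, host) for s in sans)

if __name__ == "__main__":
    for sans in (["example.com"],
                 ["example.com", "www.example.com"],
                 ["*.example.com"]):
        for host in ("example.com", "www.example.com"):
            print(sans, host, check(host, CNAMES, sans))
```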


Update: got up this morning and with a refreshed brain, ran the following command:

certbot certonly --standalone --cert-name -d -d

Had a conflict binding to port 80 (nginx still running, doh); shut down nginx, tried again and it worked. Woohoo!!!

If I still try going to I still get a Not Found error.

Thanks for all the help.


Looks like a certificate has been issued recently | 8160466099

Still seeing what @MikeMcQ previously found.

$ curl -Ik
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Dec 2022 14:50:07 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

$ curl -Ik
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Dec 2022 14:50:16 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

$ curl -Ik
HTTP/1.1 502 Bad Gateway
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Dec 2022 14:50:28 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive

@detrix42, @MikeMcQ's requested information may still be the most useful to supply.


That won't install the certificate.


Thanks for checking up on this. It is all working. I just did the test above:

curl -Ik

and got the following response:

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 10 Dec 2022 12:37:18 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

For the moment, this server is not active all the time. I had more content here, but revamping it. So my rails/vue app is not up all the time. Which would be why it failed earlier. I will leave it running for a few days for those that want to try it.

Again thanks for the great help. I am very impressed with the quick responses. You all did save me a lot of time finding out that I was getting recursive redirects.

P.S. now realizing that even though my rails/vue app was down, nginx would still have redirected with the 301 moved permanently. hmmm. So those who want to, please try again. should be working.
