I cannot get a certification

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://familjenisback.duckdns.org/

I ran this command: sudo certbot --nginx -d familjenisback.duckdns.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for familjenisback.duckdns.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: familjenisback.duckdns.org
Type: unauthorized
Detail: 155.4.61.251: Invalid response from http://familjenisback.duckdns.org/.well-known/acme-challenge/2Y5FQhWpoA1_LYf7e_pctfKF8e918LqSWH-nRmGkaXI: "\n\n \n \n \n\n <meta charset="utf-8" />\n <meta n"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Nginx version: $(nginx -v 2>&1 | grep -o '[0-9.]*')

The operating system my web server runs on is (include version): Debian 12 (Bookworm) (Raspberry Pi)

My hosting provider, if applicable, is: I am hosting it myself on a Raspberry Pi, although DNS is through DuckDNS

I can login to a root shell on my machine (yes or no, or I don't know): y

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

But if I look at the headers returned by familjenisback.duckdns.org, I see:

X-Powered-By: Express

(without any Server header by the way; NB: the answer you've provided about the version is not the actual version obviously, but a command that should have been run to provide the version.)

What is it that you're actually running? I'm getting some kind of login screen of some kind of "Immich" webapp.

1 Like

My bad, I know very little of this so I pasted some commands only. Immich is an image hosting site. It's what's running on my Pi.
When I used server in the nginx.conf file it gave me an error message. Currently I can at least access the site, but over HTTP, which is the problem. HTTPS is the way. I ran a test that someone with similar problems had and it gave me this:
https://dnsviz.net/d/familjenisback.duckdns.org/dnssec/

What does this mean?

If you're expecting the Immich application on your hostname and the IP address from the Let's Encrypt validation error is correct, then DNS is not the issue.

How does nginx relate to the "Express" header exactly? What kind of (custom) nginx setup do you have?

I don't know what the Express header is, nor do I think I have a custom setup. I'm very thankful if you can help me; what can I show you to get you to understand my problem?

You're not running "Nginx Proxy Manager" or something like that by any chance?

If not, let's start with the entire nginx configuration by providing the output of the command nginx -T (with sudo if necessary).

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type application/octet-stream;

    # Other configurations...

    server {
        listen 80;
        server_name familjenisback.duckdns.org;

        # Location directives, etc...
    }
}


# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/avif                            avif;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;

    font/woff                             woff;
    font/woff2                            woff2;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics        odg;
    application/vnd.oasis.opendocument.presentation    odp;
    application/vnd.oasis.opendocument.spreadsheet     ods;
    application/vnd.oasis.opendocument.text            odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation    pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.wap.wmlc              wmlc;
    application/wasm                      wasm;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}


Well, that's not much configuration at all. Frankly, I don't see how that nginx configuration could load your Express/Immich app?

Can you provide the output of:

sudo netstat -nap | grep -E ':80|:443'

2 Likes

I've blindly followed AI for the instructions... this is what you end up with, lmao

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      170219/nginx: maste 

Did you run the command before or after I edited the :443 into the command?

Also, are you sure your nginx is running on the same machine as Immich?

After, and yes

The Immich website recommends installing Immich in a container system, like Docker.

Which method did you use? Requirements | Immich

What does this show:

sudo ps -eF | grep -Ei 'immi|nginx'
2 Likes

docker.

root        2301    2185  0 2426919 281128 1 Oct26 ?       00:05:44 immich
root        2817    2301  0 1287733 195152 3 Oct26 ?       00:03:06 immich-api
caddy       2922    2109  0 160625 19308  2 Oct26 ?        00:00:00 postgres: postgres immich 172.18.0.5(59446) idle
caddy       2923    2109  0 160626 19436  1 Oct26 ?        00:00:00 postgres: postgres immich 172.18.0.5(59450) idle
root      160589       1  0  2619  3840   3 13:57 ?        00:00:00 sudo systemctl status nginx
root      160590  160589  0  2619  1688   2 13:57 ?        00:00:00 sudo systemctl status nginx
root      160591  160590  0  4048  5576   1 13:57 ?        00:00:00 systemctl status nginx
root      169332  168827  0  2619  3968   2 14:43 pts/2    00:00:00 sudo systemctl status nginx.service
root      169333  169332  0  2619  1560   2 14:43 pts/0    00:00:00 sudo systemctl status nginx.service
root      169334  169333  0  4048  5484   1 14:43 pts/0    00:00:00 systemctl status nginx.service
root      170219       1  0  2524  3740   3 14:49 ?        00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
nobody    170866  170219  0  2633  2592   0 14:53 ?        00:00:00 nginx: worker process
nobody    170867  170219  0  2633  2592   2 14:53 ?        00:00:00 nginx: worker process
nobody    170868  170219  0  2633  2592   0 14:53 ?        00:00:00 nginx: worker process
nobody    170869  170219  0  2633  2592   3 14:53 ?        00:00:00 nginx: worker process
harryko+  182165  169582  0  1522  2048   0 16:19 pts/1    00:00:00 grep --color=auto -Ei immi|nginx

You might have wanted to mention that earlier..............

Also, what's Caddy doing there?

3 Likes

mb, didn't know that containers affected this. I tried Caddy first, it looked easier with no manual setup for SSL, but it didn't work so I used nginx instead.

But your nginx configuration is almost completely empty with regard to actual relevant directives. There's no reverse proxy to Immich anywhere in the output you've just posted?

Also, why is there an HTTP server listening on port 443? If I go to https://familjenisback.duckdns.org I'll get a TLS error, but if I go to http://familjenisback.duckdns.org:443, I'm seeing the Immich page. Which is incorrect obviously, as port 443 should be HTTPS and not HTTP.

Is there a NAT router in play perhaps?

You need to provide as much information as possible, otherwise we need to really drag out the info which can be quite tiresome. Caddy, Docker, Immich, everything could be relevant and should be mentioned.

Please provide the Docker configuration.

Even the complete "AI instructions" might be helpful here, because I have no clue what's going on on that RPi.

1 Like

I don't know what to show with the containers, I wrote "container info":

Client: Docker Engine - Community
 Version:    27.3.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.17.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.7
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 8
  Running: 4
  Paused: 0
  Stopped: 4
 Images: 10
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.6.28+rpt-rpi-v8
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 3.703GiB
 Name: pi
 ID: 4ac76b03-79aa-481c-a333-cb594022448a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No memory limit support
WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

The chats with ChatGPT are spread out over 2 or 3 chats; I could not share one of them because it contained an attachment, and why would I be able to share that...
Saving debug log to /var/log/letsencrypt/letsencrypt.logError while running ng - Pastebin.com: here is a pasted version of my chats.
https://chatgpt.com/share/671e6015-ab40-800d-91ae-6ae965c93b0a and there is one chat log.

Well, you've already noticed that large language models like ChatGPT are quite terrible at helping with these kinds of problems, especially when not asked the exact right question. It tried many, many times to provide you with an nginx configuration linking to files that did not exist yet (certificate).

Anyway, in the end it also provided you with some complex nginx reverse proxy configurations. But your nginx -T was almost empty. What are the current nginx configuration files contents?

Also, please answer the question about whether there is a NAT device with port mappings present, and also provide the output of:

sudo netstat -nap | grep docker

1 Like

Perhaps Osiris, or someone else, will be able to help you get this to work.

But, have you tried asking for advice on one of the immich support forums? Help Me! | Immich

Your problems are all related to your system configuration. Without a stable system getting a cert will be difficult.

4 Likes

I'm quite at a loss. I don't understand why nginx would respond with the Immich webapp, while it has an almost empty configuration with nginx -T. Some things don't add up, including something listening on port 443 (and being an HTTP port), without showing up in the netstat output.
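A small diagnostic for the two symptoms this thread circles around: which process actually owns ports 80 and 443 on the host, and whether the URL certbot fetched returned a key authorization or some other application's HTML page. This is an added example, not code from the thread or from Certbot, nginx, Docker or Immich; the docker-proxy netstat line, the thumbprint and the PID 2310 are constructed placeholders, while the nginx line and the token mirror what was posted above.

```python
import re
from typing import Dict, List

# Constructed `sudo netstat -nap | grep -E ':80|:443'` sample: the nginx line mirrors the one in
# the thread; the docker-proxy line is hypothetical (a container publishing 443 ahead of nginx).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      170219/nginx: maste
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2310/docker-proxy
"""
# Constructed HTTP-01 bodies: the HTML fragment is the shape of the thread's error; the key
# authorization thumbprint is a made-up placeholder.
TOKEN = "2Y5FQhWpoA1_LYf7e_pctfKF8e918LqSWH-nRmGkaXI"
GOOD_BODY = TOKEN + ".EXAMPLE-THUMBPRINT_0123456789abcdefABCDEF-_"
BAD_BODY = '\n\n \n \n \n\n <meta charset="utf-8" />\n <meta n'

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+"
                       r"(?P<pid>\d+)/(?P<proc>\S+)")
KEYAUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")  # token.thumbprint, base64url

def parse_listeners(text: str) -> Dict[int, List[dict]]:
    """Map each LISTEN port in netstat output to the processes bound to it."""
    by_port: Dict[int, List[dict]] = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            by_port.setdefault(int(m["port"]), []).append(
                {"addr": m["addr"], "pid": int(m["pid"]), "proc": m["proc"]})
    return by_port

def check_acme_ports(text: str) -> List[str]:
    """Report who owns 80 and 443; `certbot --nginx` needs nginx itself answering on both."""
    findings, by_port = [], parse_listeners(text)
    for port in (80, 443):
        owners = by_port.get(port, [])
        if not owners:
            findings.append(f"port {port}: nothing listening on this host")
        for o in owners:
            who = "nginx" if o["proc"].startswith("nginx") else f"{o['proc']} (not nginx)"
            findings.append(f"port {port}: {who}, pid {o['pid']}")
    return findings

def classify_challenge_body(body: str, token: str) -> str:
    """Tell a real key authorization for `token` apart from some other app's page."""
    text = body.strip()
    if KEYAUTHZ_RE.match(text) and text.startswith(token + "."):
        return "key authorization"
    if "<" in text:
        return "HTML page (another application answered, not the ACME challenge)"
    return "unexpected content"
```

Feed check_acme_ports the live netstat output: a port that shows nothing listening locally while the hostname still answers on it points at a NAT port forward or a different host, which is exactly the open question in the thread.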