I cannot get a certification

Account registered.
Requesting a certificate for familjenisback.duckdns.org
Performing the following challenges:
http-01 challenge for familjenisback.duckdns.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain familjenisback.duckdns.org
http-01 challenge for familjenisback.duckdns.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: familjenisback.duckdns.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for familjenisback.duckdns.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for familjenisback.duckdns.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

so its the dns server that is struggling now? is everything on my side good enough to get a certificate

Currently, yes.

Hard to tell, but I'm leaning to "no". Because your /etc/nginx/sites-enabled/default, which is still present I presume, should contain the reverse proxy directives from nginx to Immich. But when I go to your hostname, I only see the nginx default welcome page, not Immich. So for some reason, your nginx is still not correctly configured. That's why I asked for the sudo nginx -T output again.

right, that one is still empty, or atleast identical to how it looked before.

But the default file was far from empty when you showed it in I cannot get a certification - #21 by harrykotten? Why isn't it being picked up by nginx and its nginx -T command?

Also, I see now that the default configuration file from earlier contained the port 443 HTTPS server section that wouldn't work, so I guess the default file requires/required some modification too.

Can you please show me all the active nginx configuration files?

so I guess my only active conf file whould be,
default

server {
    listen 80;
    server_name familjenisback.duckdns.org;

    # Allow Certbot to access the challenge directory
    location /.well-known/acme-challenge/ {
        root /var/www/html;  # Ensure this path exists
        try_files $uri =404; # This ensures a proper response for missing files
    }

    # Redirect all other traffic to the Immich application
    location / {
        proxy_pass http://192.168.1.55:2283;  # Direct to Immich app
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name familjenisback.duckdns.org;

    ssl_certificate /etc/letsencrypt/live/familjenisback.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/familjenisback.duckdns.org/privkey.pem;

    # Immich application
    location / {
        proxy_pass http://192.168.1.55:2283;  # Direct to Immich app
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

and ngnix.conf

worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type application/octet-stream;

    # Other configurations...

    server {
        listen 80;
        server_name familjenisback.duckdns.org;

        # Location directives, etc...
    }
}

It is best not to guess. The below command will show the actual nginx config. Please post output of this. Upper case T is essential

sudo nginx -T

Or upload the config.txt resulting from this. Run from your home directory or some other temp directory so this txt file not placed in any active nginx directory

sudo nginx -T >config.txt

That file can't be actually active as it's referring to the not-yet existing certificates which gave you trouble to begin with.

You should make sure the first half of that default file (with the listen 80; part) needs to be active. It's probably a good idea to replace the server block from nginx.conf with the port 80 server block from default, because it seems the default file isn't being loaded at all.

Maybe none are active because there is no include statement in the base nginx.conf to bring them in?

The one shown in post #7 did not have that but it also looked like parts were redacted so not sure ...

Probably. But OP had some issues with non-existing certs attempted to be loaded in their chat with ChatGPT, so somehow there was some kind of include in the past.. Not sure what's going on now.

sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type application/octet-stream;

    # Other configurations...

    server {
        listen 80;
        server_name familjenisback.duckdns.org;

        # Location directives, etc...
    }
}


# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/avif                            avif;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;

    font/woff                             woff;
    font/woff2                            woff2;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics        odg;
    application/vnd.oasis.opendocument.presentation    odp;
    application/vnd.oasis.opendocument.spreadsheet     ods;
    application/vnd.oasis.opendocument.text            odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation    pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.wap.wmlc              wmlc;
    application/wasm                      wasm;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

I replaced the first part, now it looks like this

sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type application/octet-stream;

    # Other configurations...

server {
    listen 80;
    server_name familjenisback.duckdns.org;

    # Allow Certbot to access the challenge directory
    location /.well-known/acme-challenge/ {
        root /var/www/html;  # Ensure this path exists
        try_files $uri =404; # This ensures a proper response for missing files
    }

    # Redirect all other traffic to the Immich application
    location / {
        proxy_pass http://192.168.1.55:2283;  # Direct to Immich app
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
}


# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/avif                            avif;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;

    font/woff                             woff;
    font/woff2                            woff2;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics        odg;
    application/vnd.oasis.opendocument.presentation    odp;
    application/vnd.oasis.opendocument.spreadsheet     ods;
    application/vnd.oasis.opendocument.text            odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation    pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.wap.wmlc              wmlc;
    application/wasm                      wasm;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

That's probably NOT the best root path for the challenges.

Why not? The rest is being served through the reverse proxy to Immich..

@harrykotten I think it should be good to go.

Would you try this? It is just a test. It won't issue a production cert

sudo certbot certonly --dry-run --webroot -w /var/www/html -d familjenisback.duckdns.org

Just show the result of this

sudo certbot certonly --dry-run --webroot -w /var/www/html -d familjenisback.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for familjenisback.duckdns.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: familjenisback.duckdns.org
  Type:   dns
  Detail: DNS problem: server failure at resolver looking up A for familjenisback.duckdns.org; no valid AAAA records found for familjenisback.duckdns.org

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
harrykotten@pi:~ $ 

That's still the DNS problem with DuckDNS. Please try again until you either get a success or something else than "DNS problem". Note that with the staging environment (by using --dry-run), you can test very often due to way less strict rate limits (for most testing practically non-existent).

Also note that this certonly --dry-run test is probably not the best command for a production cert by simply removing the --dry-run. I'd recommend for a production cert the command from earlier with -a webroot -i nginx.

I had a hard time getting that last part, I should test the cert, and i can do that often, but not with that command.

Well, you can test that latter command too with --staging, but it behaves differently than the certonly subcommand with --dry-run. With --dry-run, Certbot really gets into testing mode, not storing the test cert anywhere for example. However, with -i nginx and --staging, Certbot will run just as with the production environment, including with the installation of the issued cert, but then simply uses the staging environment. So you'd end up with a staging cert installed into nginx, which would need to be replaced by valid a production cert.

Both have their benefit and drawbacks.

It seems like duckdns sucks... If you were in my place, what would you do?

Does using just --staging invalidate cached authorizations? I have always assumed it did not but I never tested that.

Given their somewhat unusual nginx config, using the --nginx installer isn't what I'd recommend. Certainly opinions can vary on this That isn't why I suggested that certonly --dry-run though. I really wanted to see just that test.

@harrykotten Don't let these comments detract from the main problem which is the duckdns DNS system.