I'm having trouble generating the Let's Encrypt certificate

Hello,

I'm having trouble generating the Let's Encrypt certificate for my website. Can you please help me resolve the issue?

My domain is: openedx.univ-bejaia.dz

I ran this command: certbot certonly --webroot -w /var/www/test -d openedx.univ-bejaia.dz

It produced this output:
Account registered.
Requesting a certificate for openedx.univ-bejaia.dz

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Identifier: openedx.univ-bejaia.dz
Type: connection
Detail: 41.111.207.114: Fetching http://openedx.univ-bejaia.dz/.well-known/acme-challenge/tFjKdWuSCH-L2YvsuBtKHy_Fc_bxtCQx-uC6GTF1clQ: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed identifiers serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): debian 13

My hosting provider, if applicable, is: I manage my own server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.5.0

This pretty much says it. You need your site to be accessible to the Internet first before you worry about trying to get a certificate.

First, thank you for the quick answer
But it is accessible, you can try it yourself?

It's not accessible from where I am, nor from anywhere that this testing site tries from:

Thank you very much for the link.
The site is accessible from where I am, but not in other countries. In my opinion, if it was a firewall issue, the site wouldn't be accessible at all. I think it's a DNS problem, but how can I be sure?

It might be a firewall (or router, or other network device maybe even before getting to your ISP) that blocks traffic selectively. In order for Let's Encrypt to be sure that you control the name as seen from everywhere on the Internet, they need to check from multiple places on the Internet.

Well, are the responses that your authoritative DNS server gives to requests from around the world the correct IP, which is routed to the server that you're trying to use?

Sorry, I didn't understand your question. I've tried several websites, and they all display my site's public IP address. I don't know if I should assume there's no problem with the DNS. Do you have any suggestions for troubleshooting, because I'm completely stuck.

Your opinion is incorrect, or at least incomplete. Yes, a firewall could completely block access to your site. But it's also quite common to configure firewalls to block access based on geography--e.g., block any traffic from India. And that would line up pretty well with the test results.

If every place trying to resolve your name has the correct IP address, then there isn't a problem with DNS.

Are you intending for the site to only be available from your location, or are you intending for it to be accessible worldwide?

If it should only be available from where you are, then you need to use a different method of proving that you control the name. If your DNS is globally accessible, even though your web server isn't, then you might be able to use the DNS-01 challenge or hopefully soon, the DNS-PERSIST-01 challenge.

If it should be accessible worldwide, then you need to troubleshoot that first. If doing some kind of geographic blocking isn't something you've specifically configured, you need to figure out what system upstream of you is. Whoever you're paying for hosting your site is probably a good place to start.

I already asked the firewall administrator, and she told me that she hasn't implemented any geographical restrictions.

The site should be accessible worldwide. I am trying to install Open edX; we host and manage our own server. As I said, I already asked the firewall administrator, and she told me that she hasn't implemented any geographical restrictions.
Could the operating system (Debian 13) or Open edX itself be the cause?

Can she help explain why connections are timing out? We often use this tool and it also shows timeouts: Let's Debug

Interestingly, from my own test systems I can reach your site using HTTP. But requests fail with an HTTP 403 Forbidden for your home page or sample HTTP challenge requests. The 403 is reported by a "Web Application Firewall". I used two different AWS-based systems located in the US. Perhaps that firewall is blocking things more strictly for other inbound IP addresses?

Sample HTTP challenge but "home" page requests fail the same way

curl -i http://openedx.univ-bejaia.dz/.well-known/acme-challenge/Test404
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 35602

(... lots of html omitted for brevity ...)

   <h1>Web Application Firewall</h1>
    <p>This transfer is blocked by a Web Application Firewall.</p>
    <table><tbody>
        <tr>
            <td colspan="2">This transfer is blocked.</td>
        </tr>
        <tr>
            <td>URL</td>
            <td>http://openedx.univ-bejaia.dz/.well-known/acme-challenge/Test404</td>
        </tr>
        <tr>
            <td>Event ID</td>
            <td>110000003</td>
        </tr>
        <tr>
            <td>Event Type</td>
            <td>signature</td>

I couldn't tell her because she left. I'll tell her later. Indeed, we have a WAF (FortiWeb). I'll check with her whether the problem is caused by the firewall or by FortiWeb. In the meantime, I changed the VM's public IP address to another one. Now my site is accessible everywhere, and I was able to generate the Let's Encrypt certificate for a test page I created on Apache. However, I still can't generate a certificate for the Open edX platform installed on this VM, knowing that Open edX is installed in Docker and the web server used is Caddy. Could you please tell me what the problem might be now? Since I was able to generate the certificate for the test page, I no longer have DNS or firewall problems. I think the problem comes from the Caddy web server not handling HTTPS?


http://openedx.univ-bejaia.dz/.well-known/acme-challenge/abc (from 41.111.207.110) is currently showing as blocked by the web application firewall.

I've just checked in firefox and it appears that only some User-Agents are blocked (such as curl), I don't know if this is causing the issue.
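The replies above reproduced the CA's view by hand: a curl from an outside host against /.well-known/acme-challenge/ came back as a FortiWeb 403 page, and Firefox got through where curl did not. The script below is an added example, not part of this thread and not certbot's code. It does the same pre-flight check in one step: write a token file under the webroot, fetch it over plain HTTP with a curl-like and a browser-like User-Agent (following redirects, as Let's Encrypt does), and classify the answer so that a WAF block page, a timeout and a genuinely missing file are reported differently. The WAF_MARKERS are the phrases from the block page quoted earlier; serve_webroot() is a local stand-in for Apache so the script runs offline, and the token is constructed here. To test the real deployment, run preflight("http://<your domain>", "/var/www/test") from a host outside the university network.

```python
"""Pre-flight check for an HTTP-01 webroot, modelled on what the CA does.

Added example, not certbot's code: drop a token under
<webroot>/.well-known/acme-challenge/, fetch it over plain HTTP and classify
the response so a WAF block page is not mistaken for a missing file.
serve_webroot() is a local stand-in for Apache so this runs offline.
"""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
# Phrases from the FortiWeb block page quoted earlier in the thread.
WAF_MARKERS = ("Web Application Firewall", "This transfer is blocked")
USER_AGENTS = (
    "curl/8.5.0",  # the kind of client the thread saw blocked
    "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
)


def write_token(webroot, token=None):
    """Create <webroot>/.well-known/acme-challenge/<token> containing the token."""
    token = token or secrets.token_urlsafe(32)  # constructed test token
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)  # a real key authorization is "<token>.<account thumbprint>"
    return token, path


def fetch(url, user_agent, timeout=10):
    """GET url with the given User-Agent, following redirects; status 0 = no HTTP answer."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth reading
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:  # refused, timeout, DNS failure
        return 0, str(err)


def classify(status, body, expected=None):
    """Diagnosis: ok, wrong_content, waf_block, not_found, unreachable or http_<code>."""
    if status == 0:
        return "unreachable"  # what Let's Encrypt reported as "Timeout during connect"
    if status == 200:
        return "ok" if expected is None or body.strip() == expected else "wrong_content"
    if status == 403 and any(marker in body for marker in WAF_MARKERS):
        return "waf_block"  # the 403 page the AWS test hosts received
    if status == 404:
        return "not_found"  # reachable, but the wrong webroot or vhost answered
    return f"http_{status}"


def preflight(base_url, webroot, token=None):
    """Return {user_agent: diagnosis}; anything other than 'ok' fails the real challenge."""
    token, path = write_token(webroot, token)
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        return {ua: classify(*fetch(url, ua), expected=token) for ua in USER_AGENTS}
    finally:
        os.remove(path)  # clean up like certbot's webroot plugin does


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def serve_webroot(webroot):
    """Serve webroot on an ephemeral 127.0.0.1 port; returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Run the check against the local stand-in server; returns the per-UA diagnoses."""
    with tempfile.TemporaryDirectory() as webroot:
        srv, base_url = serve_webroot(webroot)
        try:
            return preflight(base_url, webroot)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for ua, verdict in demo().items():
        print(f"{verdict:14s} {ua}")
```

Two User-Agents are deliberate: a challenge path that is "ok" for a browser string but "waf_block" for a curl string is exactly the selective filtering described in the post above, and the CA's validator is not a browser. A "not_found" from the real server means the request reached Apache but a different vhost or DocumentRoot answered, which is a different fix (the -w path) from a WAF or firewall rule.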

My site is now secure (https://openedx.univ-bejaia.dz/). As I told you, I could generate a certificate for a test page on this VM running on Apache, but if I disable Apache and run the Open edX platform I can't generate a certificate for the Open edX platform.
You told me that the challenge is blocked by the WAF, but how do you explain that I was able to generate the certificate for the test page that runs on Apache?

I apologize for the length of the message. You can find below the logs generated by Caddy. In the Open edX documentation (Requirements — Tutor documentation) they ask to configure the following DNS records:
learn 1800 IN A 1.1.1.1
*.learn 1800 IN CNAME learn.mydomain.com.

But the log generated by Caddy says that there are no DNS records for each of the subdomains below; it looks like a contradiction?

NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz
NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz
NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz

The logs generated by Caddy:
caddy-1 | {"level":"error","ts":1778640507.8918252,"logger":"tls.obtain","msg":"will retry","error":"[openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":11,"retrying_in":10800,"elapsed":10883.181810648,"max_duration":2592000}
caddy-1 | {"level":"info","ts":1778651287.714723,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"apps.openedx.univ-bejaia.dz"}
caddy-1 | {"level":"info","ts":1778651288.3726501,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"studio.openedx.univ-bejaia.dz"}
caddy-1 | {"level":"info","ts":1778651288.6574647,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"meilisearch.openedx.univ-bejaia.dz"}
caddy-1 | {"level":"info","ts":1778651288.8288674,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"apps.openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"info","ts":1778651289.0077379,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"studio.openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"info","ts":1778651289.2879806,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"meilisearch.openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"error","ts":1778651290.1371324,"logger":"http.acme_client","msg":"challenge failed","identifier":"studio.openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651290.1372104,"logger":"http.acme_client","msg":"validating authorization","identifier":"studio.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868872303","attempt":1,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778651290.41684,"logger":"http.acme_client","msg":"challenge failed","identifier":"meilisearch.openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651290.4168806,"logger":"http.acme_client","msg":"validating authorization","identifier":"meilisearch.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868872683","attempt":1,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778651290.8761277,"logger":"http.acme_client","msg":"challenge failed","identifier":"apps.openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651290.8761756,"logger":"http.acme_client","msg":"validating authorization","identifier":"apps.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868872033","attempt":1,"max_attempts":3}
caddy-1 | {"level":"info","ts":1778651291.5609913,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"studio.openedx.univ-bejaia.dz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"info","ts":1778651291.8408573,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"meilisearch.openedx.univ-bejaia.dz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"info","ts":1778651292.298875,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"apps.openedx.univ-bejaia.dz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"error","ts":1778651292.6899235,"logger":"http.acme_client","msg":"challenge failed","identifier":"studio.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651292.6899676,"logger":"http.acme_client","msg":"validating authorization","identifier":"studio.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868875543","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778651292.689999,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"studio.openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for studio.openedx.univ-bejaia.dz - check that a DNS record exists for this domain"}
caddy-1 | {"level":"warn","ts":1778651292.6900811,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778651292.96985,"logger":"http.acme_client","msg":"challenge failed","identifier":"apps.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651292.96989,"logger":"http.acme_client","msg":"validating authorization","identifier":"apps.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868876193","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778651292.9699042,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"apps.openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for apps.openedx.univ-bejaia.dz - check that a DNS record exists for this domain"}
caddy-1 | {"level":"error","ts":1778651293.3146174,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"studio.openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778651293.3146498,"logger":"tls.obtain","msg":"will retry","error":"[studio.openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":12,"retrying_in":21600,"elapsed":21668.601484919,"max_duration":2592000}
caddy-1 | {"level":"warn","ts":1778651293.3147295,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778651293.4280741,"logger":"http.acme_client","msg":"challenge failed","identifier":"meilisearch.openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651293.4281154,"logger":"http.acme_client","msg":"validating authorization","identifier":"meilisearch.openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868875833","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778651293.4281337,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"meilisearch.openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for meilisearch.openedx.univ-bejaia.dz - check that a DNS record exists for this domain"}
caddy-1 | {"level":"error","ts":1778651293.483627,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"apps.openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778651293.4836543,"logger":"tls.obtain","msg":"will retry","error":"[apps.openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":12,"retrying_in":21600,"elapsed":21668.768647286,"max_duration":2592000}
caddy-1 | {"level":"warn","ts":1778651293.483722,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778651293.658858,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"meilisearch.openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778651293.6588902,"logger":"tls.obtain","msg":"will retry","error":"[meilisearch.openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":12,"retrying_in":21600,"elapsed":21668.945084775,"max_duration":2592000}
caddy-1 | {"level":"info","ts":1778651307.8937814,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"openedx.univ-bejaia.dz"}
caddy-1 | {"level":"info","ts":1778651308.6002471,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"error","ts":1778651310.7655184,"logger":"http.acme_client","msg":"challenge failed","identifier":"openedx.univ-bejaia.dz","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651310.7655838,"logger":"http.acme_client","msg":"validating authorization","identifier":"openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:unauthorized","title":"","detail":"Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868893163","attempt":1,"max_attempts":3}
caddy-1 | {"level":"info","ts":1778651312.1890745,"logger":"http.acme_client","msg":"trying to solve challenge","identifier":"openedx.univ-bejaia.dz","challenge_type":"http-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy-1 | {"level":"error","ts":1778651315.8902805,"logger":"http.acme_client","msg":"challenge failed","identifier":"openedx.univ-bejaia.dz","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.110: Fetching https://openedx.univ-bejaia.dz:443/.well-known/acme-challenge/OMs3TWzzPI8-6oNBQbleUT6BxAERWCtR6IcbDPEf6Do: Error getting validation data","instance":"","subproblems":}}
caddy-1 | {"level":"error","ts":1778651315.8903267,"logger":"http.acme_client","msg":"validating authorization","identifier":"openedx.univ-bejaia.dz","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"41.111.207.110: Fetching https://openedx.univ-bejaia.dz:443/.well-known/acme-challenge/OMs3TWzzPI8-6oNBQbleUT6BxAERWCtR6IcbDPEf6Do: Error getting validation data","instance":"","subproblems":},"order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/291669473/37868898033","attempt":2,"max_attempts":3}
caddy-1 | {"level":"error","ts":1778651315.8903453,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"openedx.univ-bejaia.dz","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 41.111.207.110: Fetching https://openedx.univ-bejaia.dz:443/.well-known/acme-challenge/OMs3TWzzPI8-6oNBQbleUT6BxAERWCtR6IcbDPEf6Do: Error getting validation data"}
caddy-1 | {"level":"warn","ts":1778651315.890449,"logger":"http","msg":"missing email address for ZeroSSL; it is strongly recommended to set one for next time"}
caddy-1 | {"level":"error","ts":1778651316.059699,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"openedx.univ-bejaia.dz","issuer":"acme.zerossl.com-v2-DV90","error":"account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)"}
caddy-1 | {"level":"error","ts":1778651316.0597308,"logger":"tls.obtain","msg":"will retry","error":"[openedx.univ-bejaia.dz] Obtain: account pre-registration callback: failed getting EAB credentials: HTTP 422: caddy_legacy_user_removed (code 2977)","attempt":12,"retrying_in":21600,"elapsed":21691.349716117,"max_duration":2592000}

No, that was only an example of DNS records for someone operating their service at learn.mydomain.com. That example should be adjusted for your domain name.

And, it looks like you fixed that already as those domain names now have an A record. Are you still having problems getting a cert?

First, i want to tell you that the firewall manager solved the problem, now the public IP address is accessible from everywhere.

But we're still having trouble generating the certificate. Maybe the problem is because Caddy is in the Docker container.

I knew from the beginning that it was just an example, and we configured the DNS records according to our domain.

I don't understand why in the Open edX documentation they ask to configure the following DNS records (adapted to our domain):
learn 1800 IN A 1.1.1.1
*.learn 1800 IN CNAME learn.mydomain.com

and when Let's Encrypt tries to generate the certificate it says that there are no DNS records for the subdomains below:
NXDOMAIN looking up A for studio.openedx.univ-bejaia.dz
NXDOMAIN looking up A for apps.openedx.univ-bejaia.dz
NXDOMAIN looking up A for meilisearch.openedx.univ-bejaia.dz

ns1-cloud.cerist.dz (one of the two DNS servers for your domain) is returning an error in response to queries to your domains. See https://dnsviz.net/d/studio.openedx.univ-bejaia.dz/dnssec/ for more information.