Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
tube.vat.ru.net
I ran this command:
sudo certbot --nginx -v
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): www.tube.vat.ru.net
Requesting a certificate for www.tube.vat.ru.net
Performing the following challenges:
http-01 challenge for www.tube.vat.ru.net
Waiting for verification...
Challenge failed for domain www.tube.vat.ru.net
http-01 challenge for www.tube.vat.ru.net
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.tube.vat.ru.net
Type: unauthorized
Detail: Invalid response from http://www.tube.vat.ru.net/.well-known/acme-challenge/1JZQLcnYhrLoJl46gayH9MmgwppJKvriXfwCHgQVsEg [178.72.89.118]: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx 1.18.0
The operating system my web server runs on is (include version):
Raspberry Pi OS (clean installation)
sudo apt update && sudo apt upgrade -y
sudo apt install -y nginx-full certbot python3-certbot-nginx
I can see the server from the internet; the NGINX welcome page works.
netstat -peanut
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          16192      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          13688      -
tcp        0      0 192.168.10.13:22        192.168.10.6:53735      ESTABLISHED 0          13830      -
tcp6       0      0 :::80                   :::*                    LISTEN      0          16193      -
tcp6       0      0 :::22                   :::*                    LISTEN      0          13690      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          13733      -
udp        0      0 0.0.0.0:51310           0.0.0.0:*                           108        9744       -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           108        9742       -
udp6       0      0 :::546                  :::*                                0          13771      -
udp6       0      0 :::53860                :::*                                108        9745       -
udp6       0      0 :::5353                 :::*                                108        9743       -
Also, my network config looks like:
Internet
-> Router (port 80 forwarded)
-> Reverse Proxy (Synology NAS)
-> Router (back call)
-> Raspberry Pi 3
Could you tell me how? I can post any logs here, but I am not sure that I understand them correctly. I am somewhere in the middle of understanding what is going on in my system.
I think the Synology is intercepting the /.well-known/acme-challenge/ requests.
Compare:
$ curl -i www.tube.vat.ru.net/.well-known/acme-challenge/xyz
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 02 Apr 2022 04:52:07 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Keep-Alive: timeout=20
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
against:
$ curl -i www.tube.vat.ru.net/.well-knownx/acme-challenge/xyz
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 02 Apr 2022 04:52:11 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
Keep-Alive: timeout=20
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
Notice that the server version shows up in the HTML body only for the .well-knownx request, which would be from the Raspberry Pi.
As such, I don't think changing to --webroot would achieve anything.
If you can, reconfiguring Synology's reverse proxy server to use try_files so that it doesn't unconditionally intercept the acme-challenge requests could do the trick. But it's a bit of an advanced endeavor.
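A script version of the comparison above, added here as an example and not code from the thread: it isolates the nginx signature in each 404 body and reports whether the challenge path is answered by a different server than a control path. The hostname argument, the function names and the probe path suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the diagnostic as a script.
# Request the real challenge path and a non-matching sibling path, then compare
# the server signature in each 404 body. Both responses carry "Server: nginx",
# so the body signature is the useful signal: if the two signatures differ,
# something in front of the origin (here, the reverse proxy) is answering
# /.well-known/acme-challenge/ instead of the origin nginx.

# Extract the nginx signature from an HTTP response body, e.g.
# "<hr><center>nginx/1.18.0</center>" -> "nginx/1.18.0".
server_signature() {
    printf '%s\n' "$1" | sed -n 's/.*<center>\(nginx[^<]*\)<\/center>.*/\1/p' | head -n 1
}

# Compare two response bodies: prints "intercepted" when the signatures differ
# and "same-origin" when they match. Returns 1 if a signature is missing
# (e.g. the 404 page is not nginx's default one).
classify_challenge_path() {
    real_sig=$(server_signature "$1")
    ctrl_sig=$(server_signature "$2")
    [ -n "$real_sig" ] && [ -n "$ctrl_sig" ] || return 1
    if [ "$real_sig" != "$ctrl_sig" ]; then
        echo intercepted
    else
        echo same-origin
    fi
}

# Live probe (assumed usage): fetch both paths for a hostname and classify.
probe_host() {
    host=$1
    real=$(curl -s "http://$host/.well-known/acme-challenge/probe-$$")
    ctrl=$(curl -s "http://$host/.well-knownx/acme-challenge/probe-$$")
    classify_challenge_path "$real" "$ctrl"
}

# Constructed sample bodies, copied from the two curl responses in the thread.
REAL_BODY='<html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>'
CTRL_BODY='<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>'

if [ -n "${1:-}" ]; then
    probe_host "$1"
else
    classify_challenge_path "$REAL_BODY" "$CTRL_BODY"   # prints: intercepted
fi
```

Run it with the hostname as the first argument to probe a live host; with no argument it classifies the two responses quoted above.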
root@raspberrypi:/etc/nginx# certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): tube.vat.ru.net
Requesting a certificate for tube.vat.ru.net
Input the webroot for tube.vat.ru.net: (Enter 'c' to cancel): /
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: tube.vat.ru.net
Type: unauthorized
Detail: Invalid response from http://tube.vat.ru.net/.well-known/acme-challenge/GF5SMaKp-vFEpWp02t0EP-DS7zOZJmOqdRerU6lrSxw [178.72.89.118]: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.