Let's Encrypt with Django, Gunicorn and Nginx

My domain is:

I ran this command:
sudo certbot -v --nginx -d soletlab-dev.com -d www.soletlab-dev.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for soletlab-dev.com and www.soletlab-dev.com
Performing the following challenges:
http-01 challenge for soletlab-dev.com
http-01 challenge for www.soletlab-dev.com
Waiting for verification...
Challenge failed for domain soletlab-dev.com
Challenge failed for domain www.soletlab-dev.com
http-01 challenge for soletlab-dev.com
http-01 challenge for www.soletlab-dev.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: soletlab-dev.com
Type: unauthorized
Detail: Invalid response from http://soletlab-dev.com/.well-known/acme-challenge/VvFY_f5kKF4366djLetfa6p868vpID4ImlNCf692BS8: 503

Domain: www.soletlab-dev.com
Type: unauthorized
Detail: Invalid response from http://www.soletlab-dev.com/.well-known/acme-challenge/E02RlC4kEOagAwbHjLPH-1lWKi48_4oIzcGZBBaRo7w: 503

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more detail

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Additional Info

  • The web app runs normally on http (port 80)
  • My web app is Django. I set it up using both gunicorn and nginx. I basically followed this tuturial from Digital Ocean: How To Set Up Django with Postgres, Nginx, and Gunicorn on Ubuntu 22.04 | DigitalOcean. So my "sites available" pretty much looks like the tutorial version.
  • The project files are located at /home/user/Project. All users have full rwx permission to this file.
  • one of the many things I tried: to my nginx/sites-available: I added
    location /.well-known/ {
        root /home/user/Project;

Hello @zserhan, welcome to the Let's Encrypt community. :slightly_smiling_face:

Do you have a Palo Alto Firewall?

$ curl -Ii http://soletlab-dev.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 10 Mar 2023 16:57:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

Indicates possibly a Palo Alto Firewall; note the HTTP/1.1 503 Service Unavailable

$ curl -Ii http://soletlab-dev.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 2094
Connection: close
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Also using Let's Debug show an ERROR Block By Firewall https://letsdebug.net/soletlab-dev.com/1402974

1 Like

Please see Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol"


Thank you! I'll check this.


My suggestion for a quick troubleshoot is to try running Certbot against the Staging API in standalone mode. That just means Certbot will spin up it's own HTTP server on Port 80 and do everything. If that works, you probably have a configuration issue against Nginx; if it doesn't, you probably have an upstream firewall problem as @Bruce5051 suggested.

You can also try hosting a file under ./well-known/acme-challenge, ensure it is visible for a local request, and then try to access that from outside the network. If you see it locally but not externally, firewall issue. IMHO testing with standalone is easier, because it only requires turning off nginx for the test and you don't have to debug any setup.


@jvanasco Thanks for the suggestion! I didn't think to that before. I ran it in standalone mode and it showed the same error. So it's likely a firewall problem! I am working with IT to allow 'acme-protocol' on the firewall. I'll see if that solves the problem :slight_smile:


This post proved that: