Need help with 404 error

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: vpn..........com
    Type: unauthorized
    Detail: Invalid response from
    http://vpn..........com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [xxx.xx.xx.xx]: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My subdomain points to the correct IP address; also, when I do nslookup for my subdomain, it resolves to the correct IP address.
Please advise.

You really need to answer all the questions about your software, and tell us your actual domain.

With the info you gave us, we can't possibly tell anything.

2 Likes

I am trying to secure my OpenVPN server, vpn.sammzinc.com, using Cloudflare for DNS service. The A record points to the correct IP address.
I am using the following guide to obtain an SSL certificate.
OpenVPN Access Server & Lets Encrypt

Now I get this error:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt

This is to be expected. You should use the staging environment for testing. See Staging Environment - Let's Encrypt for more info.

Is there a webserver listening on port 80 on the server you're running Certbot on?

2 Likes

When I run netstat -anpe | grep "80" | grep "LISTEN":
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
unix 2 [ ACC ] STREAM LISTENING 11724980 - private/scalemail-backend

I am really new to Linux; is the above a response to your question?

Also, in my firewall, port 80 is open for the VPN server.

open vpn    Custom
HTTP     TCP    80     80     Default
HTTPS    TCP    443    443    Default
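
An added example, not part of any post in this thread: the `grep "80"` filter above matches any line containing the characters "80", which is why the only hit is a unix socket whose inode is 11724980 and whose state is LISTENING. The function below matches only TCP sockets in LISTEN state whose local port is exactly the one asked for, assuming the usual `netstat -an` column layout; the tcp lines in the sample are constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: exact-port listener check over `netstat -an`-style output.

# Print protocol and local address of TCP sockets listening on port $1.
# Assumes netstat columns: Proto Recv-Q Send-Q Local Foreign State ...
tcp_listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, part, ":")   # port is the last ":"-separated piece
            if (part[n] == port) print $1, $4
        }'
}

# Constructed sample. The unix line is the one shown in the post above;
# the tcp/tcp6 lines are made up for illustration.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:22      0.0.0.0:*     LISTEN   0    20111   -
tcp        0      0 0.0.0.0:8080    0.0.0.0:*     LISTEN   0    20480   -
tcp6       0      0 :::443          :::*          LISTEN   0    20800   -
unix  2      [ ACC ]     STREAM     LISTENING     11724980 -    private/scalemail-backend
EOF
}

# Substring filter from the thread: counts port 8080, inode 20800 and the
# unix socket with inode 11724980, none of which is TCP port 80.
naive_matches() {
    sample_netstat | grep "80" | grep -c "LISTEN"
}

# Exact filter: counts only real TCP listeners on port 80 (none in the sample).
exact_matches() {
    sample_netstat | tcp_listeners_on_port 80 | wc -l | tr -d ' '
}

echo "substring filter hits: $(naive_matches)"
echo "tcp listeners on 80:   $(exact_matches)"
```

On a live host the same function can be fed from `sudo netstat -an`; an empty result while Certbot is not running means nothing on that machine is bound to TCP port 80.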

Please show the full certbot command request.

1 Like

This is not good. Certbot via PPA and the commercial OpenVPN thingy?

There are easier ways to make a VPN: Wireguard, for example.

2 Likes

Based on the instructions, I am using the following command:

certbot certonly --standalone --preferred-challenges http -d vpn.sammzinc.com

The problem with WireGuard: I am not able to access some of the subnets on my LAN.
Example: my main LAN subnet is 192.168.100.0/24,
but there are some subnets on my network, 192.168.15.0/24. When I connect to my WireGuard, I can't access anything on the 192.168.15.0/24 subnet.

I just ran this command on my server. I think this explains the issue?

admin@OpenVpn:~$ sudo ufw status verbose
Status: inactive
admin@OpenVpn:~$ sudo ufw status
Status: inactive
admin@OpenVpn:~$

I made the same changes to the fw.

sudo ufw verbose
Status: active

To                         Action      From
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere                   # accept HTTP connections
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)              # accept HTTP connections

Still no luck; getting the same 404 error.

Please show the output of:
curl -4 ifconfig.co

1 Like

173.15.75.81

OK, so that's the expected IP.

Is there any NAT going on?

1 Like

Just in the SonicWall firewall, to point to the internal IP address.

Aha!
Please check the NAT in the firewall.

1 Like

I did check, and also had SonicWall support look at the NAT policy; found nothing wrong.

Right now I see nginx using port 80. Don't you get an error from certbot --standalone saying port 80 is already in use?

curl -I  vpn.sammzinc.com/.well-known/acme-challenge/ForumTest

HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 16 Apr 2022 20:09:37 GMT
Content-Type: text/html
( ... )

2 Likes

admin@OpenVpn:~$ curl -I vpn.sammzinc.com/.well-known/acme-challenge/ForumTest
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 16 Apr 2022 21:26:43 GMT
Content-Type: text/html
Content-Length: 3212
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
ETag: "608a73aa-c8c"