Nginx certbot challenge failed: 404

My domain is: premium-guns.de

I ran this command: sudo certbot --nginx -d premium-guns.de

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: premium-guns.de
Type: unauthorized
Detail: 89.31.143.90: Invalid response from http://premium-guns.de/.well-known/acme-challenge/-5-10gJ_zr7locNeW6FbXJI-CCqkw_yHJ7pUoteE-Nc: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is: none, since I host on a Raspberry Pi (domain is from united domains)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ssh console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

My configuration file looks like this:

#nginx config file for Nextjs App
#place in /etc/nginx/sites-available/name_of_config_file
server {
    listen 80;
    server_name premium-guns.de;

    gzip on;
    gzip_proxied any;
    gzip_types application/javascript application/x-javascript text/css text/javascript;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_min_length 256;

    location /_next/static/ {
            alias /var/www/premium-guns/.next/static/;
            expires 365d;
            access_log off;
    }

    location / {
            proxy_pass http://127.0.0.1:3000; #change to 3001 for second app, but make sure second nextjs app star>
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }

}

sites-enabled is empty since I followed a tutorial where he changed the configuration so that sites-available is used directly. The sites-available default is deleted.

The WAN IP of my router is 87.158.62.167, with ports 80 and 443 forwarded to the Raspberry Pi.

curl -I4 premium-guns.de gives this output:

HTTP/1.1 301 Moved Permanently
Date: Tue, 27 Feb 2024 19:09:59 GMT
Content-Type: text/html
Connection: keep-alive
Location: http://87.158.62.167
Server: UD Webspace 3.2

Please help :sweat_smile:

And yes, I am a federally certified guns dealer, I am allowed to. :joy:

Edit: I think someone is trying to DDoS me right now, at least the process manager indicates that. Pls use your energy for someone who really hurts society, equipping hunters, who secure harvests and thereby our food, doesn't...

1 Like

I expect that redirect is part of your problem. I don't know enough about your setup to know where it's coming from.

Your certbot version isn't as old as a lot that I've seen here, but you may want to update to current, 2.9.0.

Hopefully someone more familiar with the --nginx plugin will have more to offer.

3 Likes

If you are going to run that web site from the IP 87.158.62.167, then you will need a name that points directly to that IP.

Notice that the domain name doesn't resolve to that IP [and that is the main reason for this problem]:

Name:      premium-guns.de
Addresses: 2001:8d8:100f:f000::200
           217.160.0.149

3 Likes

Yeah, I thought this is the normal way to connect my IP to the domain via IPv4 in united-domains, but turns out it isn't. Thx for the heads-up, I'm gonna try the other way after work.

2 Likes

Your certbot command requires nginx to handle the HTTP challenge. But the server identification looks like it is something else. You should check that HTTP requests reach nginx.

2 Likes
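
An added example (not code from the thread or from Certbot) that scripts the two checks suggested in the replies above: whether the name resolves only to the server's own IP, and whether nginx is what answers on port 80. The function names are hypothetical, the sample data is copied from this thread, and it assumes nginx answers directly with no CDN or proxy in front.

```shell
#!/bin/sh
# Added example: pre-flight check before running `certbot --nginx`.
# Function names are hypothetical; sample data is copied from the thread.
# Assumes nginx answers port 80 directly (no CDN or other proxy in front).

# dns_points_here EXPECTED_IP ADDR...
# Succeeds only if at least one address is given and all equal EXPECTED_IP.
dns_points_here() (
    expected=$1; shift
    [ "$#" -gt 0 ] || exit 1
    for addr in "$@"; do
        [ "$addr" = "$expected" ] || exit 1
    done
)

# http_status / server_header: fields taken from `curl -I` output.
http_status() { printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'; }
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F': *' 'tolower($1) == "server" { print $2; exit }'
}

# preflight EXPECTED_IP "ADDRS" "HEADERS": print findings, fail on any.
preflight() (
    expected=$1 addrs=$2 headers=$3 rc=0
    # $addrs is unquoted on purpose so the list splits on whitespace.
    if ! dns_points_here "$expected" $addrs; then
        echo "DNS: resolves to [$(echo $addrs)], expected only $expected"
        rc=1
    fi
    server=$(server_header "$headers")
    case $server in
        nginx*) ;;
        *) echo "HTTP: $(http_status "$headers") from '$server', not nginx"
           rc=1 ;;
    esac
    exit "$rc"
)

# Values from the thread (headers trimmed to the relevant lines).
SAMPLE_ADDRS='2001:8d8:100f:f000::200 217.160.0.149'
SAMPLE_HEAD='HTTP/1.1 301 Moved Permanently
Location: http://87.158.62.167
Server: UD Webspace 3.2'
preflight 87.158.62.167 "$SAMPLE_ADDRS" "$SAMPLE_HEAD" || true

# Live use (dig and curl required):
#   preflight 87.158.62.167 "$(dig +short A premium-guns.de; dig +short AAAA premium-guns.de)" \
#       "$(curl -sI4 http://premium-guns.de)"
```

With the thread's values both checks fail: the name resolves to addresses other than the router's WAN IP, and the response carries a `Server` header that is not nginx.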

After finding the right way to connect the IP to the domain in united-domains, it worked. Thx guys. :grinning:

3 Likes
