Nginx plugin starts working after standalone command

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot --nginx --non-interactive --agree-tos -m --domains --cert-name

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Type: unauthorized
Detail: Invalid response from 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

The most interesting thing is, when i execute only and initially this command:
certbot --nginx --non-interactive --agree-tos -m --domains --cert-name

it fails, but if i execute first:

  1. certbot certonly --domain --cert-name --key-type rsa --authenticator standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --non-interactive --agree-tos -m


  1. certbot --nginx --non-interactive --agree-tos -m --domains --cert-name

all is working.

I would like to know why and how i can achieve that nginx plugin will work without the previous standalone command.

Thanks and regards


Valid authorizations are cached for 30 days, so it looks like the second time you run the --nginx command, it just re-uses the previous valid authz.


Hi Osiris,

thank you for fast response on this. Is there any way to get some valid authz in place without the standalone command in between?

What i need to say is, that nginx is configured to redirect http to https and i am wondering if this could cause the --nginx command failing, but should not, according to:

" It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443".

So, im actually clueless here...

1 Like

Please show the nginx config to better understand the problem therein, with:

nginx -T

From the outside looking in, I don't see a problem:
HTTP redirects to HTTPS:

curl -Ii
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 27 Feb 2024 13:16:15 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

HTTPS request returns 404 as expected:

curl -Ii
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 27 Feb 2024 13:16:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 11112
Connection: keep-alive
Vary: HX-Request, Cookie, origin
X-Request-ID: 8c1d6d71-59e3-4071-bcbc-3ec2de1d5e0d
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
X-Frame-Options: SAMEORIGIN
Set-Cookie: csrftoken=0KQK6bYJVdSnM6Iq9ToESfOSwcq95OiP; expires=Tue, 25 Feb 2025 13:16:22 GMT; Max-Age=31449600; Path=/; SameSite=Lax
1 Like

No problem at all currently, it works all es expected. The issue i would llike to get rid of, is the error i get when i try to get certificates installed by executing initially "certbot --nginx..." - command. This will fail, until i execute "certbot certonly..." - command. So, to get --nginx command working and config maintained by certbot, i need to execute the certonly command previously. I would like to avoid this, if possible...

You contradict yourself, with these opposing statements:

It either "works" or "it fails".
Which is it?


sorry for the confusion:

when i execute initally this command:

certbot --nginx --non-interactive --agree-tos -m --domains --cert-name

it fails.

When i execute this comand first:

certbot certonly --domain --cert-name --key-type rsa --authenticator standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --non-interactive --agree-tos -m

and then

certbot --nginx --non-interactive --agree-tos -m --domains --cert-name

It will be successful.

I am wondering if i can get it working without executing the standalone command first...

Please show the logs for that failure.

[one step at a time]

1 Like

Most people with nginx issues are due to certbot not being able to parse the config files or handle them correctly. That doesn't seem to be the case here - those errors are typically raised before authorization is attempted.

IMHOW, the issue is likely due to your nginx config for the http and https sections. if you can share as much of those blocks as possible, someone may see the issue.

If you can't get this config running, an alternative approach is to do the following:

1- configure nginx to proxypass the acme-challenge directory to an alternate port, like 8080
2- run the certbot certonly standalone option but bind it to the above identified port, e.g. --http-01-port=8080

That can be easier to setup and troubleshoot, because you just need to set up a test service on 8080 that can serve an acme challenge. Here is my fake server that I use to test this: peter_sslers/tools/ at main · aptise/peter_sslers · GitHub

If you run that server on 8080, then you can work on the nginx configuration until you're able to correctly reach the acme-challenge paths on port 80 through the proxypass.



i simply followed the netbox documentation:

HTTP Server Installation

Option A: nginx

Begin by installing nginx:

sudo apt install -y nginx

Once nginx is installed, copy the nginx configuration file provided by NetBox to /etc/nginx/sites-available/netbox. Be sure to replace with the domain name or IP address of your installation. (This should match the value configured for ALLOWED_HOSTS in

sudo cp /opt/netbox/contrib/nginx.conf /etc/nginx/sites-available/netbox

Then, delete /etc/nginx/sites-enabled/default and create a symlink in the sites-enabled directory to the configuration file you just created.

sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/netbox /etc/nginx/sites-enabled/netbox

Finally, restart the nginx service to use the new configuration.

sudo systemctl restart nginx

The config looks like:

server {
listen [::]:443 ssl ipv6only=off;


ssl_certificate /etc/ssl/certs/netbox.crt;
ssl_certificate_key /etc/ssl/private/netbox.key;

client_max_body_size 25m;

location /static/ {
    alias /opt/netbox/netbox/static/;

location / {
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;


server {
# Redirect HTTP traffic to HTTPS
listen [::]:80 ipv6only=off;
server_name _;
return 301 https://$host$request_uri;

i gave up and finally ended in executing always both commands in sequence, as this will work for me.

  1. certbot certonly --domain --cert-name --key-type rsa --authenticator standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --non-interactive --agree-tos -m

  2. certbot --nginx --non-interactive --agree-tos -m --domains --cert-name

And all is fine...

That is highly unusual to need to run certonly with pre/post hooks before --nginx

When you tried running command #2 with --nginx earlier was nginx running?

There is an unusual bug that if nginx is not running before certbot --nginx is used then Certbot will start a copy of nginx that is not compatible with systemctl. That can lead to odd problems.

The fix is just to be sure nginx is running.

Your #1 command has a post-hook so leaves nginx running in a good state before trying command #2. Maybe this explains why that "fixes" it?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.