Nginx Proxy Manager can not get a certificate. Why?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
wggert.norbertbass.eu

I ran this command:
docker nginx proxy manager -> request certificate -> Force SSL, HTTP/2 Support

It produced this output:

2026-01-11 11:29:55,665:DEBUG:certbot._internal.main:certbot version: 5.1.0
2026-01-11 11:29:55,665:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot
2026-01-11 11:29:55,665:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/data/logs', '--cert-name', 'npm-41', '--agree-tos', '--authenticator', 'webroot', '-m', 'randomuser86@mail.de', '--preferred-challenges', 'http', '--domains', 'wggert.norbertbass.eu']
2026-01-11 11:29:55,665:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2026-01-11 11:29:55,710:DEBUG:certbot._internal.log:Root logging level set at 30
2026-01-11 11:29:55,721:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2026-01-11 11:29:55,721:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A separate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fff94f878d0>
Prep: True
2026-01-11 11:29:55,721:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fff94f878d0> and installer None
2026-01-11 11:29:55,722:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2026-01-11 11:29:56,003:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/2942962586', new_authzr_uri=None, terms_of_service=None), 953837388b4809f448f59520f6d8054e, Meta(creation_dt=datetime.datetime(2026, 1, 7, 15, 16, 53, tzinfo=datetime.timezone.utc), creation_host='7903b237489c', register_to_eff=None))>
2026-01-11 11:29:56,003:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2026-01-11 11:29:56,025:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2026-01-11 11:29:56,441:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1033
2026-01-11 11:29:56,441:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Jan 2026 10:29:56 GMT
Content-Type: application/json
Content-Length: 1033
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "0xVkrgoupXY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived",
      "tlsclient": "https://letsencrypt.org/docs/profiles#tlsclient",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2026-01-11 11:29:56,442:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for wggert.norbertbass.eu
2026-01-11 11:29:56,477:DEBUG:acme.client:Requesting fresh nonce
2026-01-11 11:29:56,477:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2026-01-11 11:29:56,609:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2026-01-11 11:29:56,609:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Jan 2026 10:29:56 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Pihtai8mEr7rtXa6Ol3xEOVkXnFXrgWzimqpfSEvwaiy44IdGiQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2026-01-11 11:29:56,609:DEBUG:acme.client:Storing nonce: Pihtai8mEr7rtXa6Ol3xEOVkXnFXrgWzimqpfSEvwaiy44IdGiQ
2026-01-11 11:29:56,609:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "wggert.norbertbass.eu"\n    }\n  ]\n}'
2026-01-11 11:29:56,615:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjk0Mjk2MjU4NiIsICJub25jZSI6ICJQaWh0YWk4bUVyN3J0WGE2T2wzeEVPVmtYbkZYcmdXemltcXBmU0V2d2FpeTQ0SWRHaVEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "fb_5jsTkA5VYPH5NL6vyu_QbUDjaunxYdQc42Ht1fY_QkHkcNzX38pLz2trsEYHGR5zN7CrjldZaEqCG2Gk9mM0KQW2jFnsSIXIZ0chDUCKIG74JYXwMrulRXHOF752IXKxCI4k43pSrOhTCGPkeK8xMuZfHimJeWpKIUYkxmV2btn5RZ-J1bPtI2BtjvghkmK5z0CY9Em-4NxVhVPJwqiVVOLrANS0StrsYGENbDlDbecJFwAKpDFrA3iSpQjOf9g-k08hw_Zs93k9ZSm-ckQRt91m1XHplb_pLN4kYsivsWY_UK-q8bSUhyYrUwB70j-M8Vk0hqz5xF5NdLeOXPg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIndnZ2VydC5ub3JiZXJ0YmFzcy5ldSIKICAgIH0KICBdCn0"
}
2026-01-11 11:29:56,870:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 355
2026-01-11 11:29:56,871:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 11 Jan 2026 10:29:56 GMT
Content-Type: application/json
Content-Length: 355
Connection: keep-alive
Boulder-Requester: 2942962586
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/2942962586/468349922296
Replay-Nonce: lXCKneqJMFcmFN2nfrcGgokooJbP4Mr4-avzdpq9_8RRu_IZxT0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2026-01-18T10:29:56Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "wggert.norbertbass.eu"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/2942962586/641417512056"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/2942962586/468349922296"
}
2026-01-11 11:29:56,871:DEBUG:acme.client:Storing nonce: lXCKneqJMFcmFN2nfrcGgokooJbP4Mr4-avzdpq9_8RRu_IZxT0
2026-01-11 11:29:56,871:DEBUG:acme.client:JWS payload:
b''
2026-01-11 11:29:56,875:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2942962586/641417512056:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjk0Mjk2MjU4NiIsICJub25jZSI6ICJsWENLbmVxSk1GY21GTjJuZnJjR2dva29vSmJQNE1yNC1hdnpkcHE5XzhSUnVfSVp4VDAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI5NDI5NjI1ODYvNjQxNDE3NTEyMDU2In0",
  "signature": "WAG90OwaihLQCsb8e5YcOrVqUouGltwNRgz0PxL0Sev9_Lnhi7gaKUPBEcn3jNlB6MKMHg3EfciAJOr0mu55ZZqa8G9R3bsYLdlaj50wP777uOPN4ezEiIAyEjYfIAJsH-GnOk_mANS6nEyeJI1irUZ0EksBScTkd9FkPCVnUKevgN2uJkd_8Yb-4_WRZnUxDtcNddrIiVdPmGL8MD8zXqFwrnN72F7fkhUhQT_M9Ls2JNl7YlE0TbMtqzJScL-_rKN9aMYWuzhxFbBklcvI5n6kxRFuZDS0At4CRQ6ogi48q3D3yWpSyyc3IjJIKfQTmG3vc8GobGEfajScrbexsg",
  "payload": ""
}
2026-01-11 11:29:57,009:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2942962586/641417512056 HTTP/1.1" 200 829
2026-01-11 11:29:57,009:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Jan 2026 10:29:56 GMT
Content-Type: application/json
Content-Length: 829
Connection: keep-alive
Boulder-Requester: 2942962586
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Pihtai8mlbT6R9QwweoDtko8p2U4juy9ZkvmpRHMGhXUlGllZD8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "wggert.norbertbass.eu"
  },
  "status": "pending",
  "expires": "2026-01-18T10:29:56Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/5sE-ww",
      "status": "pending",
      "token": "nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/Z9uprA",
      "status": "pending",
      "token": "nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/-tdhFw",
      "status": "pending",
      "token": "nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k"
    }
  ]
}
2026-01-11 11:29:57,010:DEBUG:acme.client:Storing nonce: Pihtai8mlbT6R9QwweoDtko8p2U4juy9ZkvmpRHMGhXUlGllZD8
2026-01-11 11:29:57,010:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'type': 'tls-alpn-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/Z9uprA', 'status': 'pending', 'token': 'nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k'}
2026-01-11 11:29:57,010:INFO:certbot._internal.auth_handler:Performing the following challenges:
2026-01-11 11:29:57,010:INFO:certbot._internal.auth_handler:http-01 challenge for wggert.norbertbass.eu
2026-01-11 11:29:57,010:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2026-01-11 11:29:57,010:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2026-01-11 11:29:57,039:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k
2026-01-11 11:29:57,040:DEBUG:acme.client:JWS payload:
b'{}'
2026-01-11 11:29:57,046:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/5sE-ww:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjk0Mjk2MjU4NiIsICJub25jZSI6ICJQaWh0YWk4bWxiVDZSOVF3d2VvRHRrbzhwMlU0anV5OVprdm1wUkhNR2hYVWxHbGxaRDgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzI5NDI5NjI1ODYvNjQxNDE3NTEyMDU2LzVzRS13dyJ9",
  "signature": "mWCJqwp9rklhhjUG3zP_hoY7LwaWBqZgwPzZNQ_G99u9MjgBdAXRxC4aLlnb5MeFnXoqTAo05eh11tL41mFweFnOO0RNEpmRYXP2F2QSJeTw8yHqNSTcxB4_gT8A02kuWmWqlSlFZJ-wQnry59yF_KXlCPwmZW9S-jW5TUtHqqaffCxj9XT3tpYXngIa_GEffXoUJLIt24VbyqbRY7roYONo69sTqDWK8FFxOIuK7GuvMjwT3JzlFsTd_bELNksl5pMUMtagtdKkcrxTQygfFmfTzKSkMAs_0mfsGacQs138bjjztZFgln359QqX0Fx3w-Um8Tvgn6LvMoQhCjci3A",
  "payload": "e30"
}
2026-01-11 11:29:57,181:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall/2942962586/641417512056/5sE-ww HTTP/1.1" 200 195
2026-01-11 11:29:57,182:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Jan 2026 10:29:57 GMT
Content-Type: application/json
Content-Length: 195
Connection: keep-alive
Boulder-Requester: 2942962586
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/2942962586/641417512056>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/5sE-ww
Replay-Nonce: Pihtai8m_OGUOlg3vJak3k0GAo0ZOoWMDBb89_Nt7M-wTSV2pDk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/5sE-ww",
  "status": "pending",
  "token": "nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k"
}
2026-01-11 11:29:57,182:DEBUG:acme.client:Storing nonce: Pihtai8m_OGUOlg3vJak3k0GAo0ZOoWMDBb89_Nt7M-wTSV2pDk
2026-01-11 11:29:57,183:INFO:certbot._internal.auth_handler:Waiting for verification...
2026-01-11 11:29:58,183:DEBUG:acme.client:JWS payload:
b''
2026-01-11 11:29:58,189:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/2942962586/641417512056:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjk0Mjk2MjU4NiIsICJub25jZSI6ICJQaWh0YWk4bV9PR1VPbGczdkphazNrMEdBbzBaT29XTURCYjg5X050N00td1RTVjJwRGsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzI5NDI5NjI1ODYvNjQxNDE3NTEyMDU2In0",
  "signature": "lvXKEHguvbOAAQWRVVvC87kFbw-QK2Rtcw8Jwv_ggZ1fmXxdgvTUQL56YrXSQ78WnnX6VNknoOm154yN1b02e7y9mbPjLkj9esX8UuNU90JrhvDb8R9joti9WzINplmiTYwGWKQFpAzRkGealbUEcH0gMOpEh1CVA8-ZvP-UL8zbokxLe0zf_xhfwj517_Vg6UDsDHgHH7vkpJC3i-0SEvtx4qV7QB-IrQakpaOJ2iYhT_HO5d32ueTqxdlYEBffN87T-EkKaOe7hGQP4frrrqBRd8tw9ikVUIOKCDACuVsI200acHRjr6P06ql13FIyqwCmV_Hq2nk-Nfe3qTpH4w",
  "payload": ""
}
2026-01-11 11:29:58,388:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2942962586/641417512056 HTTP/1.1" 200 1101
2026-01-11 11:29:58,389:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 11 Jan 2026 10:29:58 GMT
Content-Type: application/json
Content-Length: 1101
Connection: keep-alive
Boulder-Requester: 2942962586
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Pihtai8mmUTqbRGiwPTHjvchDoT-RB-xuw58bc4SlIfAPiRU_Tk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "wggert.norbertbass.eu"
  },
  "status": "invalid",
  "expires": "2026-01-18T10:29:56Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2942962586/641417512056/5sE-ww",
      "status": "invalid",
      "validated": "2026-01-11T10:29:57Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "2a00:6020:1000:1b::10b8: Fetching http://wggert.norbertbass.eu/.well-known/acme-challenge/nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k: Error getting validation data",
        "status": 400
      },
      "token": "nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k",
      "validationRecord": [
        {
          "url": "http://wggert.norbertbass.eu/.well-known/acme-challenge/nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k",
          "hostname": "wggert.norbertbass.eu",
          "port": "80",
          "addressesResolved": [
            "2a00:6020:1000:1b::10b8"
          ],
          "addressUsed": "2a00:6020:1000:1b::10b8"
        }
      ]
    }
  ]
}
2026-01-11 11:29:58,389:DEBUG:acme.client:Storing nonce: Pihtai8mmUTqbRGiwPTHjvchDoT-RB-xuw58bc4SlIfAPiRU_Tk
2026-01-11 11:29:58,389:INFO:certbot._internal.auth_handler:Challenge failed for domain wggert.norbertbass.eu
2026-01-11 11:29:58,389:INFO:certbot._internal.auth_handler:http-01 challenge for wggert.norbertbass.eu
2026-01-11 11:29:58,390:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: wggert.norbertbass.eu
  Type:   connection
  Detail: 2a00:6020:1000:1b::10b8: Fetching http://wggert.norbertbass.eu/.well-known/acme-challenge/nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2026-01-11 11:29:58,419:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2026-01-11 11:29:58,419:DEBUG:certbot._internal.error_handler:Calling registered functions
2026-01-11 11:29:58,419:INFO:certbot._internal.auth_handler:Cleaning up challenges
2026-01-11 11:29:58,419:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/nk6adHLJVwqt1EPcedGxPFFmZalLl8VxmpQNGi_uE1k
2026-01-11 11:29:58,420:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2026-01-11 11:29:58,420:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 7, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1850, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1562, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 526, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 427, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 505, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2026-01-11 11:29:58,446:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version):
docker nginx proxy manager
nginx version: openresty/1.27.1.2

The operating system my web server runs on is (include version):
Operating System: Debian GNU/Linux 13 (trixie)
Kernel: Linux 6.12.47+rpt-rpi-2712

My hosting provider, if applicable, is:
I guess strato

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I guess no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
not using Certbot

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 5.1.0

Nginx Proxy Manager canNOT get a certificate. Why?

Can a mod please fix the title?

Fixed the title.

With regard to your issue: a connection on port 80 over IPv6 seems to be returning a "Permission denied" error from your hosting provider's network ("Deutsche Glasfaser Wholesale"). Also, the IPv4 IP address behind the hostname wggert.norbertbass.eu is 100.110.194.131. This is within the 100.64.0.0/10 IPv4 range, which is the "Shared Address Space" special purpose address block, usually used for carrier-grade NAT and is not globally reachable over the internet, and thus cannot be used to validate the domain name.

Possible solutions:

  • use the dns-01 challenge (but even if you would be able to get a cert, your website still wouldn't be reachable over the public internet);
  • fix your IPv6 permission denied problem (Let's Encrypt prefers IPv6 over IPv4);
  • get a publicly reachable IPv4 address.

Looks more like you're trying to host your website at home to me?

3 Likes

Yes, because the IPv4 is not public I am trying to use IPv6.

Yes, I want to host a Nextcloud server / webpage.

Can it be that the fritz.box 7530 blocks the connection somehow? It offers a VPN Wireguard tunnel to the router, and that works.

Most if not all home routers block incoming IPv6 connections to devices in the home network by default. You need to allow access to the device in question in the Fritz!Box somehow.

1 Like

In the router I have set up
Port Assigned Externally IPv6
of port 80 and 443 for TCP and UDP.

The pi also has an IPv6 address ::4:3:4:4 (digits)

Assuming you provided this information because the Pi is actually running your NPM: the current IPv6 address configured for your hostname (AAAA record) is 2a00:6020:1000:1b::10b8 which does not resemble the address of the Raspberry Pi provided above.

Note that IPv6 (usually) does not observe anything like NAT as we're nowadays used to with IPv4. NAT is just a band-aid for IPv4 shortage, something not applicable (yet? :stuck_out_tongue:) to IPv6.

If your RPi is running your site, you should also put the IPv6 address of the RPi into the AAAA RR of the DNS.

1 Like

Router IPv6 address
2a00:6020:1000:1b::10b8

Pi address
0:0:0:0:2502:f89:f5d5:a9ca (four "0"s are fixed, copy paste: ::2502:f89:f5d5:a9ca)

That's also the address the Pi has according to Port Sharing tab
::2502:f89:f5d5:a9ca

However the router tells me this is the "IP Address in the Internet"
2a00:6020:b48c:1400:2502:f89:f5d5:a9ca

I have so far only superficial knowledge about IPv6, so I am wondering why the first two numbers are identical to the router, the last four identical to the Pi, but numbers 3 and 4 seem to be completely different.

Yes, your router's main IPv6 address is usually a little bit different than the IPv6 range routed to the internal network.

The ::4:3:4:4 you mentioned earlier might be from the link-local address starting with fe80::.

You should put this IP address into the DNS AAAA record of your hostname. (And probably delete the 100.x.y.z A record.)

That said, I cannot connect to 2a00:6020:b48c:1400:2502:f89:f5d5:a9ca on port 80 nor port 443. I get a "No route to host" error back from your router at 2a00:6020:1000:1b::10b8. Is the Pi up? Can you confirm the IP address 2a00:6020:b48c:1400:2502:f89:f5d5:a9ca on your Pi itself?

Note that this is mainly (relatively easy) networking stuff and not so much the main purpose of this Community.

5 Likes

Thanks for the help regardless.
Learned that I need to use the address
2a00:6020:b48c:1400:e79e:894:ae59:599f
Then it works as intended, for now.

Now I just have to figure out how to make the address dynamic so it doesn't break when the router's IP changes.
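An added example, not part of any post in this thread and not Nginx Proxy Manager or Certbot code: a Python preflight that classifies the A/AAAA values quoted above the way a public HTTP-01 validator sees them, and rebuilds the server's global address from a delegated prefix plus its interface identifier so the AAAA record can follow a prefix change. The function names, the /64 prefix length and the `2001:db8:1:2::/64` replacement prefix are assumptions for illustration.

```python
import ipaddress

CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")    # RFC 6598 shared address space
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")
LOW64 = (1 << 64) - 1


def classify(addr: str) -> str:
    """Say whether a public ACME validator could route to this address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_V4:
        return "cgnat-shared"            # checked explicitly, not via is_private
    if ip.is_link_local:
        return "link-local"              # fe80::/10, 169.254.0.0/16
    if ip.is_loopback or ip.is_private:
        return "private"
    if ip.version == 6 and ip not in GLOBAL_UNICAST_V6:
        return "not-global-unicast"      # e.g. a bare interface identifier
    return "global" if ip.is_global else "reserved"


def iid_of(addr: str) -> str:
    """Lower 64 bits (interface identifier) of an IPv6 address, as '::x:x:x:x'."""
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address(addr)) & LOW64))


def compose(prefix: str, iid: str) -> ipaddress.IPv6Address:
    """Join a delegated prefix (at most /64) with a 64-bit interface identifier."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("need an IPv6 prefix of /64 or shorter")
    high = int(net.network_address) & ~LOW64
    return ipaddress.IPv6Address(high | (int(ipaddress.IPv6Address(iid)) & LOW64))


def preflight(records, server_addr):
    """Return one finding per DNS record that would break HTTP-01 validation."""
    server = ipaddress.ip_address(server_addr)
    findings = []
    for rtype, value in records:
        kind = classify(value)
        if kind != "global":
            findings.append(f"{rtype} {value}: {kind}, validator cannot reach it")
        elif rtype == "AAAA" and ipaddress.ip_address(value) != server:
            findings.append(f"AAAA {value}: global, but not the server's address {server}")
    return findings


# Values quoted in the thread.
WORKING_ADDR = "2a00:6020:b48c:1400:e79e:894:ae59:599f"
DNS_BEFORE = [("A", "100.110.194.131"), ("AAAA", "2a00:6020:1000:1b::10b8")]
DNS_AFTER = [("AAAA", WORKING_ADDR)]

# Assumption: the LAN prefix is a /64; the second prefix is a constructed
# documentation prefix standing in for "what the ISP hands out after a reboot".
IID = iid_of(WORKING_ADDR)
CURRENT = compose("2a00:6020:b48c:1400::/64", IID)
AFTER_PREFIX_CHANGE = compose("2001:db8:1:2::/64", IID)

if __name__ == "__main__":
    for line in preflight(DNS_BEFORE, WORKING_ADDR):
        print("before:", line)
    print("after :", preflight(DNS_AFTER, WORKING_ADDR) or "no findings")
    print("router UI form ::2502:f89:f5d5:a9ca ->", classify("::2502:f89:f5d5:a9ca"))
    print("AAAA to publish after a prefix change:", AFTER_PREFIX_CHANGE)
```

The explicit `100.64.0.0/10` test is there because Python's `is_private` returns `False` for the shared address space even though the range is not globally reachable.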

Usually IPv6 addresses don't change, but maybe that's different for your ISP.

1 Like

Couldn't the assigned subnet change? (the /56 or /64 or whatever)

And, my Windows client, by default, assigns a temporary IP within that. You can configure it to use the same one although subject to what is allowed by the router. I believe it does that to make tracking by IP more difficult (not sure).

2 Likes

Sure, but with so much address space available, why would they? :man_shrugging:

I'm not entirely sure, but the main reason for dynamic IP addresses would probably be the IPv4 shortage to begin with, right? Or a relic of the dial-up past, which should be gone with always-on connections?

Or maybe I'm just biased with not having a dynamic IP address since, well, 25 years or so.

1 Like

I get a new /64 each time I reboot my router (which is rare, mind you). So far it has always been within the same /48. Still, perhaps the ISP's own infrastructure changes might even change that.

2 Likes

Do you as a customer get a /64? Or a /48? Because here most ISPs hand out /48s. And as far as I know, most ISPs hand out fixed ranges. Maybe not officially in the small print, there it most likely still says "dynamic", but in practice, even with rebooting routers et cetera, the customer gets the same range. (They'll probably call it dynamic so that in the event the address needs to change for some reason in a rare event, the customer can't complain.)

1 Like

I believe so. That's how it's identified in my (own) router. It's been a little bit since I set it up, so perhaps I misunderstand, but that's what it looks like.

And, to be complete ... the router and modem are only ever restarted at the same time.

2 Likes

Well, either /48 or /64 should be enough :stuck_out_tongue:

1 Like

My ISP allocates a /56 prefix for my IP address using DHCPv6, which the router subnets into three /64 prefixes (internet and two local networks). The /56 prefix changes every time my router restarts and it's been allocated from addresses within 2a0a:ef40::/32.

3 Likes