Please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address

My website is hosted on Cloudflare. I first disabled the Cloudflare CDN, then I enabled it, and I have the same problem. My web server is nginx and I want to create a certificate for my website on an nginx reverse proxy.

My reverse proxy configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    index index.php index.html index.htm;
    root /var/www/html;
    server_name jcp-connect.fr 176.139.8.11;
    index index.html index.htm index.nginx-debian.html;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri @backend;
    }

    location @backend {
        proxy_pass http://jcp-connect.fr;
    }
}

My backend server configuration when Cloudflare is enabled:

http {
    include mime.types;
    index index.php index.html index.htm;
    default_type text/html;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    client_max_body_size 1000M;

    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    server {

        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        listen 80;
        listen [::]:80;
        server_name jcp-connect.fr;
        include /etc/nginx/snippets/self-signed.conf;
        include /etc/nginx/snippets/ssl-params.conf;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 4 32k;
        fastcgi_busy_buffers_size 32k;
        fastcgi_temp_file_write_size 32k;
        client_body_timeout 10;
        client_header_timeout 10;
        send_timeout 60;
        output_buffers 1 32k;
        postpone_output 1460;
        root   /www/WebPortal/public;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
            add_header X-Frame-Options sameorigin always;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index  index.php;
            include        fastcgi_params;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            if (-f $request_filename) {
                # fastcgi_pass 127.0.0.1:1026;
                fastcgi_pass unix:/var/run/php7-fpm.sock;
            }
        }
    }
}

My domain is: jcp-connect.fr

I ran this command:
./certbot-auto certonly --webroot -w /var/www/letsencrypt -d jcp-connect.fr
It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jcp-connect.fr
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification…
Challenge failed for domain jcp-connect.fr
http-01 challenge for jcp-connect.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jcp-connect.fr
    Type: unauthorized
    Detail: Invalid response from
    http://jcp-connect.fr/.well-known/acme-challenge/tdOWhxrzlpNS6rUY8ZfXhL0z2NeHYrYMUd88IhTEi_s
    [176.139.8.11]: "\n\n \n\n <meta name="viewport" content="width=device-w"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

The problem is that the challenge file cannot be reached, but I don't know why. Any help, please?

Try placing a testfile in the expected challenge folder and see if that is accessible from the Internet.
mkdir /var/www/letsencrypt/.well-known/
mkdir /var/www/letsencrypt/.well-known/acme-challenge/
echo 'testshort' > /var/www/letsencrypt/test1234
echo 'testlong' > /var/www/letsencrypt/.well-known/acme-challenge/test1234
http://jcp-connect.fr/.well-known/acme-challenge/test1234

FYI: all HTTP requests are being forwarded to HTTPS [not sure if that plays any part in the failure]


I tried it and the file is not accessible. I get a 404 error.


And thus begins the process of finding and correcting the actual problem…

Do you have any error logs?
Can you make exception for the challenge requests (to exclude them from HTTPS forwarding)?

Yes, I have an error in the log file. This is the output of letsencrypt.log:

2019-12-09 09:58:41,977:DEBUG:certbot._internal.main:certbot version: 1.0.0
2019-12-09 09:58:41,978:DEBUG:certbot._internal.main:Arguments:
2019-12-09 09:58:41,978:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-12-09 09:58:41,984:DEBUG:certbot._internal.log:Root logging level set at 20
2019-12-09 09:58:41,985:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-12-09 09:58:41,985:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2019-12-09 09:58:41,991:DEBUG:certbot.plugins.util:Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
2019-12-09 09:58:41,992:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#apache): Cannot find Apache executable apache2ctl
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 130, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py", line 233, in prepare
    self._verify_exe_availability(self.option("ctl"))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py", line 339, in _verify_exe_availability
    'Cannot find Apache executable {0}'.format(exe))
NoInstallationError: Cannot find Apache executable apache2ctl
2019-12-09 09:58:42,081:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f948ce4b2d0>
Prep: True
2019-12-09 09:58:42,082:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f948ce4b2d0> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f948ce4b2d0>
2019-12-09 09:58:42,082:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2019-12-09 09:58:42,084:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/73274143', new_authzr_uri=None, terms_of_service=None), 03462bafab0becae7e6355e14b827163, Meta(creation_host=u'amel-ZenBook-UX533FD-UX533FD', creation_dt=datetime.datetime(2019, 12, 6, 20, 41, 9, tzinfo=)))>
2019-12-09 09:58:42,085:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-12-09 09:58:42,086:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-12-09 09:58:42,898:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2019-12-09 09:58:42,898:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx

Yes, I used this rule to exclude the .well-known directory from the 301 redirect

I meant the NGINX error logs.

That seems to fail exclusion:

curl -Iki http://jcp-connect.fr/.well-known/acme-challenge/test1234
HTTP/1.1 301 Moved Permanently
Date: Tue, 10 Dec 2019 15:58:31 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 10 Dec 2019 16:58:31 GMT
Location: https://jcp-connect.fr/.well-known/acme-challenge/test1234
Server: cloudflare
CF-RAY: 54306bb4994952be-MIA

and now:

curl -Iki http://jcp-connect.fr/.well-known/acme-challenge/test1234
curl: (7) Failed to connect to jcp-connect.fr port 80: Connection refused

In any case, this should still access the testfile:
https://jcp-connect.fr/.well-known/acme-challenge/test1234
[but it doesn’t = 404 error]

wget --no-check-certificate https://jcp-connect.fr/.well-known/acme-challenge/test1234
--2019-12-10 16:28:24--  https://jcp-connect.fr/.well-known/acme-challenge/test1234
Resolving jcp-connect.fr (jcp-connect.fr)... 176.139.8.11
Connecting to jcp-connect.fr (jcp-connect.fr)|176.139.8.11|:443... connected.
WARNING: cannot verify jcp-connect.fr's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 404 Not Found
2019-12-10 16:28:25 ERROR 404: Not Found.

Back to the NGINX log files…

I cannot fix the source of the issue. I deleted the 301 redirection rule, but I have the same problem. My website is hosted on Cloudflare and I can access it. I was using the Cloudflare CDN, but now I have disabled it and I’m using only the DNS service. It is possible that my problem comes from the configuration of my backend server, which already has a Let's Encrypt certificate and passes the http-01 challenge successfully. Is there any other test I can perform to fix the problem, please?

Removing Cloudflare did not fix the problem…
So the problem is within your system.
Did you create the testfiles?

Yes, but I have the same problem: the test file is not reachable, and this is the output of my log:

2019-12-10 18:02:14,369:DEBUG:certbot._internal.error_handler:Calling registered functions
2019-12-10 18:02:14,369:INFO:certbot._internal.auth_handler:Cleaning up challenges
2019-12-10 18:02:14,370:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/WJC_A2nYtXexs8xiNgnpB8qDS_7mIOKWN0hcFM9h_B4
2019-12-10 18:02:14,371:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2019-12-10 18:02:14,371:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 14, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1350, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1237, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 416, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 347, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 395, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

OK, don’t try to renew anymore until we fix the problem.
You need to be able to access the test files from the Internet first.
Please find the NGINX error log file.
Please show the config file for jcp-connect.fr

The nginx (proxy) error log file:

2019/12/10 00:32:49 [emerg] 29752#29752: open() "/etc/nginx/sites-enabled/default" failed (2: No such file or directory) in /etc/nginx/nginx.conf:62
2019/12/10 00:41:18 [notice] 30671#30671: signal process started
2019/12/10 00:41:23 [notice] 30680#30680: signal process started
2019/12/10 09:54:51 [notice] 11437#11437: signal process started
2019/12/10 09:54:56 [notice] 11449#11449: signal process started
2019/12/10 09:55:40 [emerg] 11470#11470: unexpected "}" in /etc/nginx/sites-enabled/reverse:20
2019/12/10 10:05:18 [emerg] 11675#11675: unexpected end of file, expecting "}" in /etc/nginx/sites-enabled/reverse:17
2019/12/10 12:40:35 [notice] 17394#17394: signal process started
2019/12/10 12:42:54 [notice] 17463#17463: signal process started
2019/12/10 12:42:59 [notice] 17473#17473: signal process started
2019/12/10 12:43:55 [notice] 17527#17527: signal process started
2019/12/10 12:44:00 [notice] 17536#17536: signal process started
2019/12/10 12:52:06 [notice] 17738#17738: signal process started
2019/12/10 13:01:35 [notice] 17937#17937: signal process started
2019/12/10 13:01:40 [notice] 17948#17948: signal process started
2019/12/10 16:23:52 [notice] 26523#26523: signal process started
2019/12/10 16:23:57 [notice] 26534#26534: signal process started
2019/12/10 17:12:03 [notice] 28265#28265: signal process started
2019/12/10 17:25:53 [notice] 28512#28512: signal process started
2019/12/10 17:29:03 [notice] 28645#28645: signal process started
2019/12/10 18:01:52 [notice] 29536#29536: signal process started

The config file of the backend server jcp-connect.fr:

server {

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jcp-connect.fr;
    ssl_certificate /etc/dehydrated/certs/jcp-connect.fr/cert.pem;
    ssl_certificate_key /etc/dehydrated/certs/jcp-connect.fr/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 32k;
    fastcgi_buffers 4 32k;
    fastcgi_busy_buffers_size 32k;
    fastcgi_temp_file_write_size 32k;
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 60;
    output_buffers 1 32k;
    postpone_output 1460;
    root   /www/WebPortal/public;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        add_header X-Frame-Options sameorigin always;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

        if (-f $request_filename) {
            # fastcgi_pass 127.0.0.1:1026;
            fastcgi_pass unix:/var/run/php7-fpm.sock;
        }
    }
}

doesn’t match:

Try adding to the config:

location /.well-known/acme-challenge/ {
    try_files $uri =404;
    root /var/www/letsencrypt;
}#location

But this is the configuration of the backend server, which already has a Let's Encrypt certificate.
For the nginx reverse proxy for which I want to create a certificate, this is the configuration:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    index index.php index.html index.htm;
    root /var/www/html;
    server_name jcp-connect.fr 176.139.8.11;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri 404;
    }
    location @backend {
        proxy_pass http://jcp-connect.fr;
    }
}

Port 80 is closed from the Internet to your server.
When CDN is used it redirects all port 80 to 443.
So your system will never get any port 80 requests.

On second review: port 80 seems open now.
But I still can’t access the test file.
Please specify a specific error log file and access log file within the challenge location block to confirm access through that location.

My last letsencrypt logfile where the port 80 is open and the CDN is disabled:

2019-12-10 18:44:39,936:DEBUG:acme.client:Storing nonce: 0001YL29mDtdCh_tNw9guwq41cTavEXYu66hVORxBx_VDjI
2019-12-10 18:44:39,937:WARNING:certbot._internal.auth_handler:Challenge failed for domain jcp-connect.fr
2019-12-10 18:44:39,938:INFO:certbot._internal.auth_handler:http-01 challenge for jcp-connect.fr
2019-12-10 18:44:39,939:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: jcp-connect.fr
Type: unauthorized
Detail: Invalid response from http://jcp-connect.fr/.well-known/acme-challenge/X_XmtCxdQwPVZ5MEqe1SQ3veqS9bTXlBIU1dIaO4zg0 [176.139.8.11]: "\n<html lang="en">\n \n <meta charset="utf-8">\n <meta name="viewport" content="width=device-w"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-12-10 18:44:39,940:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2019-12-10 18:44:39,940:DEBUG:certbot._internal.error_handler:Calling registered functions
2019-12-10 18:44:39,940:INFO:certbot._internal.auth_handler:Cleaning up challenges
2019-12-10 18:44:39,941:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/X_XmtCxdQwPVZ5MEqe1SQ3veqS9bTXlBIU1dIaO4zg0
2019-12-10 18:44:39,942:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2019-12-10 18:44:39,942:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 14, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1350, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1237, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 416, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 347, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 395, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

The nginx proxy configuration is:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    index index.php index.html index.htm;
    root /var/www/html;
    server_name jcp-connect.fr 176.139.8.11;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri 404;
    }
    location @backend {
        proxy_pass http://jcp-connect.fr;
    }
}

OK we don’t need to look at the LE log file.
Please stop trying to renew - you will soon hit a limit.

modify this:

to include:

access_log /some/path/to/this/access/log;
error_log /some/path/to/this/error/log;

[use an actual path and real file names]

location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
    try_files $uri 404;
    access_log  /var/log/nginx/access.log; 
    error_log  /var/log/nginx/error.log;
}

If those are the normal log files, then our requests will not be easy to find.
Please use new file names.

access_log /var/log/nginx/testaccess.log;
error_log /var/log/nginx/testerror.log;
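
The test-file check used throughout this thread, as an added example that is not part of any post: the script below classifies a captured `curl -si` response for a file under `/.well-known/acme-challenge/` into the outcomes seen above (redirect to HTTPS, 404, an HTML page instead of the file, or the expected content). The function names and result labels are hypothetical, and the sample responses are constructed to resemble the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a raw HTTP response (status line, headers, blank
# line, body) captured with something like
#   curl -si http://example.test/.well-known/acme-challenge/test1234
# All function names and result labels here are hypothetical.

# Constructed sample responses modelled on the output quoted in the thread.
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://jcp-connect.fr/.well-known/acme-challenge/test1234\r\nServer: cloudflare\r\n\r\n')
SAMPLE_404=$(printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n<html><head><title>404 Not Found</title></head></html>\n')
SAMPLE_HTML=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html lang="en">\n<meta charset="utf-8">\n')
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\ntestlong\n')

# Print the numeric status code from the first line of the response.
http_status() {
    printf '%s' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Print the value of header $2 (case-insensitive), looking only at the
# header section, i.e. the lines before the first blank line.
http_header() {
    printf '%s' "$1" | tr -d '\r' | awk -v name="$2" '
        NR == 1 { next }
        /^$/    { exit }
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == tolower(name)) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v)
                print v
                exit
            }
        }'
}

# Print the body: everything after the first blank line.
http_body() {
    printf '%s' "$1" | tr -d '\r' | awk 'body { print; next } /^$/ { body = 1 }'
}

# diagnose_challenge RESPONSE EXPECTED_CONTENT
# Prints one label describing what the client received.
diagnose_challenge() (
    status=$(http_status "$1")
    location=$(http_header "$1" Location)
    body=$(http_body "$1")
    case $status in
        301|302|307|308)
            # A redirect is not a failure in itself, but the target URL
            # must then serve the file, so it needs its own check.
            case $location in
                https://*) echo "redirect-to-https" ;;
                *)         echo "redirect-other" ;;
            esac ;;
        404) echo "not-found" ;;
        200)
            if [ "$body" = "$2" ]; then
                echo "ok"
            else
                # A web page where the file should be means the request
                # was answered by something other than the challenge root.
                case $body in
                    *"<html"*|*"<meta"*) echo "html-instead-of-file" ;;
                    *)                   echo "wrong-content" ;;
                esac
            fi ;;
        "")  echo "no-response" ;;   # e.g. connection refused: nothing captured
        *)   echo "unexpected-status-$status" ;;
    esac
)

# Run the classifier over the constructed samples; "testlong" is the
# content written to the test file earlier in the thread.
printf 'redirect sample: %s\n' "$(diagnose_challenge "$SAMPLE_REDIRECT" testlong)"
printf '404 sample:      %s\n' "$(diagnose_challenge "$SAMPLE_404" testlong)"
printf 'html sample:     %s\n' "$(diagnose_challenge "$SAMPLE_HTML" testlong)"
printf 'ok sample:       %s\n' "$(diagnose_challenge "$SAMPLE_OK" testlong)"
```

Only the last outcome means the test file is being served from the challenge directory; the others show which layer answered the request instead.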