There are redirects http -> https, but your https doesn't work, so Cloudflare throws an error and the validation can't work.
If you're the owner of this website:
The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here.
If you use Cloudflare, you need a valid certificate so Cloudflare can load your site.
Perhaps remove the redirect http -> https, so that validation works.
I haven't activated DNSKEY in Cloudflare or even at my domain seller…
So I have to delete some IPs? In Cloudflare they are all pointing to my VPS IP.
The only thing I see is that I have some IPs on “IP Access Rules”, but nothing more.
So Certbot is using the webroot plugin, but Nginx is redirecting HTTP requests to HTTPS, which would be fine, except HTTPS doesn’t work because Cloudflare considers your origin’s current certificate to be invalid.
You can get certificate renewal to succeed by excluding Let’s Encrypt’s requests from the HTTP to HTTPS redirect, or by fixing HTTPS.
Out of curiosity, could you provide the output of “sudo certbot certificates”?
2.)
Interesting! You really don’t have DNSSEC enabled at Cloudflare! But it is enabled.
Maybe you just turned it off recently?
Are you sure you’re looking at the correct Cloudflare account? Does the main page say the domain is “Active” without any issues?
Remove the redirect http -> https, then try, if you can load a test file via /.well-known/acme-challenge, that should be enough to create a new certificate.
If that doesn't work, create a new certificate manually using DNS validation.
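The fix described in the two replies above (keep the HTTP -> HTTPS redirect but let Let's Encrypt's HTTP-01 requests through, and check that a test file under /.well-known/acme-challenge loads over plain HTTP) looks like this in Nginx. This is an added example, not configuration posted by anyone in the thread; it assumes the webroot is /var/www/peter and the names are srpeter.com and www.srpeter.com, both taken from later posts, so adjust them to your setup.

```nginx
# Added example (not from the thread): port-80 server block that redirects
# everything to HTTPS EXCEPT the ACME HTTP-01 challenge path, so Certbot's
# webroot plugin can be validated even while HTTPS at the origin is broken.
# Assumed values: webroot /var/www/peter, domain srpeter.com.
server {
    listen 80;
    listen [::]:80;
    server_name srpeter.com www.srpeter.com;

    # Serve challenge files straight from the webroot over plain HTTP.
    # "^~" makes this prefix location win over any regex locations below.
    # The "root" here must be the same directory you pass to
    # "certbot certonly --webroot -w /var/www/peter ...", because Certbot
    # writes the token into <root>/.well-known/acme-challenge/.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/peter;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else still goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After “sudo nginx -t” and a reload, create a test file with “sudo mkdir -p /var/www/peter/.well-known/acme-challenge” and “echo ok | sudo tee /var/www/peter/.well-known/acme-challenge/test”, then request “http://srpeter.com/.well-known/acme-challenge/test” with “curl -i”: you want an HTTP 200 with body “ok”, not a 301 to HTTPS and not a 404. A 404 here means the “root” in this block and the “-w” path Certbot uses do not match. One caveat when the site is proxied through Cloudflare: if “Always Use HTTPS” is switched on in the Cloudflare dashboard, the redirect happens at Cloudflare's edge before the request ever reaches this server block, so that setting has to be off (or the challenge path excluded with a Cloudflare rule) for the HTTP check to reach the origin.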
I tried to check by doing: cd /var/www/peter/.well-known/acme-challenge
And it appears that it doesn't even exist... Probably that's the problem? Is there a solution?
The .well-known directory would be expected to exist, but Certbot will create it if it doesn't. The acme-challenge directory doesn't normally exist when Certbot isn't running.
Not quite – it’s a 404 Not Found error from http://srpeter.com/. Before it was a Cloudflare 525 Origin Certificate something error from https://srpeter.com/.
It seems the web root setting in /etc/letsencrypt/renewal/srpeter.com.conf isn’t correct.
You can:
Update the Nginx configuration
Run the Certbot command to issue a certificate, with the arguments you used originally, and the new path, e.g. “sudo certbot certonly --webroot -w /new/root -d srpeter.com -d www.srpeter.com”