Renewal 404 fail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
lukehero.com (also not working on all my main domains)

I ran this command:
sudo certbot

It produced this output:
Performing the following challenges:
http-01 challenge for lukehero.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. lukehero.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lukehero.com/.well-known/acme-challenge/1zz39vhtcCcZcVDwqay_lIKLASWMimaCDO_Le8iDfKM [2600:3c00::f03c:91ff:feb8:11d3]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n"

IMPORTANT NOTES:

My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

The folder .well-known does not exist when I check the dir. I manually created it and acme-challenge and put a file inside called test.txt. I cannot reach the file. The site totally does not work. However a subdomain site (analytics.lukehero.com) does work fine.

Edit: Removed errors that were fixed. Did not resolve issue.

Yes, same with the main page. This seems to be the main problem.

Perhaps this warning is related:

You should have one server block somewhere with:

server_name lukehero.com;

Hi @lukehero

first, fix that.

What's the content of that file? In line 59?

Second, you have ipv4 and ipv6 addresses. http is consistent (same http status ipv4 and ipv6), https is inconsistent. But /.well-known/acme-challenge isn't redirected, so now it's not critical.

Your certificate ( https://check-your-website.server-daten.de/?q=lukehero.com - the other information is there)

CN=lukehero.com
	22.01.2019
	22.04.2019
expires in 57 days	lukehero.com - 1 entry

is ok, but the www-version is missing.

PS: That

The folder .well-known does not exist when I check the dir. I manually created it and acme-challenge and put a file inside called test.txt.

is critical. So share your config file to find your webroot.

I just fixed this error. Still no change.
I also have another website that does work (zenqalendar.com) and gives me the same error when trying to renew the cert.

Which file do I need to share? I'm still learning Linux / Servers

That page has the same (or more) problems ( https://check-your-website.server-daten.de/?q=zenqalendar.com ):

Domainname Http-Status redirect Sec. G
• http://zenqalendar.com/
173.255.202.118 301 https://zenqalendar.com/ 0.290 A
• http://www.zenqalendar.com/
173.255.202.118 301 https://www.zenqalendar.com/ 0.293 A
• http://zenqalendar.com/
2600:3c00::f03c:91ff:feb8:11d3 404 0.313 M
Not Found
• http://www.zenqalendar.com/
2600:3c00::f03c:91ff:feb8:11d3 404 0.287 M
Not Found
• https://zenqalendar.com/
173.255.202.118 200 6.437 N
Certificate error: RemoteCertificateChainErrors
• https://zenqalendar.com/
2600:3c00::f03c:91ff:feb8:11d3 -2 1.440 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2600:3c00::f03c:91ff:feb8:11d3]:443
• https://www.zenqalendar.com/
173.255.202.118 200 6.756 N
Certificate error: RemoteCertificateChainErrors
• https://www.zenqalendar.com/
2600:3c00::f03c:91ff:feb8:11d3 -2 1.446 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2600:3c00::f03c:91ff:feb8:11d3]:443
• http://zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
173.255.202.118 301 https://zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.297 A
• http://www.zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
173.255.202.118 301 https://www.zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.303 A
• http://zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2600:3c00::f03c:91ff:feb8:11d3 404 0.287 A
Not Found
• http://www.zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2600:3c00::f03c:91ff:feb8:11d3 404 0.290 A
Not Found
• https://zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 6.656 N
Not Found
Certificate error: RemoteCertificateChainErrors
• https://www.zenqalendar.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 6.694 N
Not Found
Certificate error: RemoteCertificateChainErrors

http + ipv4 redirects to https, http + ipv6 sends a 404. And https + ipv6 is blocked.

Perhaps your ipv6 configuration is missing or completely broken. Letsencrypt prefers ipv6, so that can't work.

And there are redirects http + /.well-known/acme-challenge -> https, but https + ipv6 doesn't work.

Your main nginx config file. Perhaps

/etc/nginx/nginx.conf

nginx.conf:

  GNU nano 2.5.3            File: /etc/nginx/nginx.conf


user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        #default_type application/octet-stream;
        default_type text/html;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text$

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Also for reference, sites-enabled/lukehero:

server {
        server_name lukehero.com www.lukehero.com;

        root /home/lukehero;
        index index.php index.html index.htm;


        location / {
    try_files $uri $uri.html $uri/ @extensionless-php;
    index index.html index.htm index.php;
         #return 301 https://lukehero.com$request_uri;
}

location @extensionless-php {
    rewrite ^(.*)$ $1.php last;
}


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/lukehero.com/fullchain.pem; # managed by Ce$
    ssl_certificate_key /etc/letsencrypt/live/lukehero.com/privkey.pem; # managed by $
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        # pass the PHP scripts to FastCGI server listening on (...)
        #
        location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        }

}
server {
    if ($host = lukehero.com) {
        #return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name lukehero.com www.lukehero.com;
    listen 80;
    return 404; # managed by Certbot


}

Where did you create .well-known/acme-challenge and the test-file?

I have tried in both
zenqalendar.com/.well-known/acme-challenge/test.txt
and
lukehero.com/.well-known/acme-challenge/test.txt

zenqalendar works when loading on http (not on https because the cert expired today) and I can load the test.txt

I have about 5 domains and all of them aren’t working to renew certs. But all my subdomains do seem to allow renewing.

Are you using --nginx or --webroot? That config looks like it should work with --nginx.

The port 80 HTTP 404 is of course unconditional, if you look at its configuration:

Webroot has no way to succeed in that case.

In which directory did you create these subdirectories?

When running certbot? I just use
sudo certbot

Try

sudo certbot renew -a nginx --dry-run

(This will override webroot, if it was being used, which I don’t know).

The subdomains are inside the same folder as all sites (/home)

This is the output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zenqalendar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zenqalendar.com
http-01 challenge for zenqalendar.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (zenqalendar.com) from /etc/letsencrypt/renewal/zenqalendar.com.conf produced an unexpected error: Failed authorization procedure. www.zenqalendar.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficientauthorization :: Invalid response from http://www.zenqalendar.com/.well-known/acme-challenge/fsUyxfz3cRAZreCQwKdgcXOqtrv9a4JpC9hFhfZTkFo [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", zenqalendar.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://zenqalendar.com/.well-known/acme-challenge/GhRf139TMvHbMQQGVIGo0rk7Xr3ypwu9thei99GmUT8 [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/analytics.tubehero.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for analytics.tubehero.io
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/analytics.tubehero.io/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/maketesters.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for maketesters.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (maketesters.com) from /etc/letsencrypt/renewal/maketesters.com.conf produced an unexpected error: Failed authorization procedure. maketesters.com(http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://maketesters.com/.well-known/acme-challenge/TixsDyPb2OYmI2bDfSAIW10jTVZvL729zjr6ArqIN4I [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/analytics.lukehero.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for analytics.lukehero.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/analytics.lukehero.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lukehero.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lukehero.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (lukehero.com) from /etc/letsencrypt/renewal/lukehero.com.conf produced an unexpected error: Failed authorization procedure. lukehero.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lukehero.com/.well-known/acme-challenge/Hs4yt1IyJx08j2eh4IxT7QpR1pnMXA9IytUgC2DhuPc [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/freshjobs.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for freshjobs.io
http-01 challenge for www.freshjobs.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (freshjobs.io) from /etc/letsencrypt/renewal/freshjobs.io.conf produced an unexpected error: Failed authorization procedure. freshjobs.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://freshjobs.io/.well-known/acme-challenge/L5x8sUX7vxwCALG2SPHoagepgm1xBbWA6TpTmhBXvQg [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", www.freshjobs.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.freshjobs.io/.well-known/acme-challenge/3O7jUjYKtD5VWraBu-reQedDNJKae6G7UgJoI_mAQ2U [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/uk.freshjobs.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for uk.freshjobs.io
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/uk.freshjobs.io/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/expenses.lukehero.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for expenses.lukehero.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/expenses.lukehero.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tubehero.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for tubehero.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (tubehero.io) from /etc/letsencrypt/renewal/tubehero.io.confproduced an unexpected error: Failed authorization procedure. tubehero.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tubehero.io/.well-known/acme-challenge/cZe_e2Ks4YIK-TvifedTV_Nqmybz1rLymKKJtXXg7h0 [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/zenqalendar.com/fullchain.pem (failure)
  /etc/letsencrypt/live/maketesters.com/fullchain.pem (failure)
  /etc/letsencrypt/live/lukehero.com/fullchain.pem (failure)
  /etc/letsencrypt/live/freshjobs.io/fullchain.pem (failure)
  /etc/letsencrypt/live/tubehero.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/analytics.tubehero.io/fullchain.pem (success)
  /etc/letsencrypt/live/analytics.lukehero.com/fullchain.pem (success)
  /etc/letsencrypt/live/uk.freshjobs.io/fullchain.pem (success)
  /etc/letsencrypt/live/expenses.lukehero.com/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/zenqalendar.com/fullchain.pem (failure)
  /etc/letsencrypt/live/maketesters.com/fullchain.pem (failure)
  /etc/letsencrypt/live/lukehero.com/fullchain.pem (failure)
  /etc/letsencrypt/live/freshjobs.io/fullchain.pem (failure)
  /etc/letsencrypt/live/tubehero.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: freshjobs.io
   Type:   unauthorized
   Detail: Invalid response from
   http://freshjobs.io/.well-known/acme-challenge/L5x8sUX7vxwCALG2SPHoagepgm1xBbWA6TpTmhBXvQg
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   Domain: www.freshjobs.io
   Type:   unauthorized
   Detail: Invalid response from
   http://www.freshjobs.io/.well-known/acme-challenge/3O7jUjYKtD5VWraBu-reQedDNJKae6G7UgJoI_mAQ2U
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: lukehero.com
   Type:   unauthorized
   Detail: Invalid response from
   http://lukehero.com/.well-known/acme-challenge/Hs4yt1IyJx08j2eh4IxT7QpR1pnMXA9IytUgC2DhuPc
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: maketesters.com
   Type:   unauthorized
   Detail: Invalid response from
   http://maketesters.com/.well-known/acme-challenge/TixsDyPb2OYmI2bDfSAIW10jTVZvL729zjr6ArqIN4I
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: tubehero.io
   Type:   unauthorized
   Detail: Invalid response from
   http://tubehero.io/.well-known/acme-challenge/cZe_e2Ks4YIK-TvifedTV_Nqmybz1rLymKKJtXXg7h0
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.zenqalendar.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.zenqalendar.com/.well-known/acme-challenge/fsUyxfz3cRAZreCQwKdgcXOqtrv9a4JpC9hFhfZTkFo
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   Domain: zenqalendar.com
   Type:   unauthorized
   Detail: Invalid response from
   http://zenqalendar.com/.well-known/acme-challenge/GhRf139TMvHbMQQGVIGo0rk7Xr3ypwu9thei99GmUT8
   [2600:3c00::f03c:91ff:feb8:11d3]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

As written: Your ipv6 is broken.

Your domains have ipv6, your subdomains perhaps not.

So first step: Remove your ipv6 addresses.

How is this done?
Apologies, I am very new to this still.

Yep, your subdomain analytics.lukehero.com doesn’t have an ipv6.

In your dns settings. There, where you manage your domains.

If you have ipv6 / AAAA entries, but your server doesn't work with ipv6, that's terrible. Letsencrypt prefers ipv6 -> dead.
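Added example, not part of any post in this thread: the bracketed address in each "Invalid response from ... [address]" fragment is the address the validation server connected to, so grouping the failures by address family shows whether every failure came in over the AAAA record, as the diagnosis above concluded. The function names, the sample output, the example.org names, tokens and documentation-range addresses are all constructed for illustration.

```python
import ipaddress
import re

# One failure fragment in certbot's http-01 output looks like:
#   <domain> (http-01): urn:ietf:params:acme:error:<type> :: ... ::
#   Invalid response from <url> [<address the CA connected to>]: "<body start>"
FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+)\s*\(http-01\):\s*"
    r"urn:ietf:params:acme:error:(?P<error>\w+)\s*::.*?"
    r"Invalid response from\s+(?P<url>http://\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f:.]+)\]:\s*\"(?=(?P<body>[^\n]{0,60}))",
    re.S,
)

# Constructed sample in the shape of the dry-run output posted above.
SAMPLE = r'''
Attempting to renew cert (example.org) from /etc/letsencrypt/renewal/example.org.conf produced an unexpected error: Failed authorization procedure. www.example.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.org/.well-known/acme-challenge/TOKEN-A [2001:db8::10]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">", example.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.org/.well-known/acme-challenge/TOKEN-B [2001:db8::10]: "<html>\r\n<head><title>404 Not Found</title></head>". Skipping.
'''


def parse_failures(text):
    """Return one dict per failed http-01 validation found in certbot output."""
    failures = []
    for m in FAILURE_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # bracketed text was not an IP address
        status = re.search(r"<title>(\d{3})\b", m.group("body"))
        failures.append({
            "domain": m.group("domain"),
            "error": m.group("error"),
            "family": f"IPv{addr.version}",
            "address": str(addr),
            "http_status": int(status.group(1)) if status else None,
        })
    return failures


def domains_by_family(failures):
    """Group failed domains by the address family the CA validated over."""
    grouped = {"IPv4": [], "IPv6": []}
    for f in failures:
        if f["domain"] not in grouped[f["family"]]:
            grouped[f["family"]].append(f["domain"])
    return grouped


def diagnose(failures):
    """Classify where to look first, based only on the validated addresses."""
    grouped = domains_by_family(failures)
    if not failures:
        return "no-failures"
    if grouped["IPv6"] and not grouped["IPv4"]:
        return "ipv6-path"   # check AAAA records and the server's IPv6 listeners
    if grouped["IPv4"] and not grouped["IPv6"]:
        return "ipv4-path"   # check A records and the port 80 server block
    return "mixed"


if __name__ == "__main__":
    found = parse_failures(SAMPLE)
    for f in found:
        print(f["domain"], f["family"], f["address"], f["http_status"])
    print("diagnosis:", diagnose(found))
```

Save the output of `certbot renew --dry-run` to a file and pass its contents to `parse_failures` to run the same check on real output.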