SSL - Certbot: 404 / unauthorized

Hello!
I'm running into some issues with the creation of the certificates for my website.
I deployed a frontend application with React and nginx, containerized in Docker with docker-compose.
It runs on AWS / EC2.

Here is my nginx.conf:

upstream backend {
    server 12.345.67.890;
    keepalive 8;
}

server {
    listen 80;
    listen [::]:80;

    server_name my-website.com http://www.my-website.com/;

    location / {
      root   /usr/share/nginx/html;
      index  index.html index.htm;
      try_files $uri $uri/ /index.html =404;
    }

    location /.well-known/acme-challenge/ {
      allow all;
      root /var/www/certbot;
    }

    location /backend-service/ {
      proxy_pass http://backend;
    }
}

My docker-compose file:

version: '3.9'

services:
  administration-ui:
    image: aministration-ui:latest
    restart: always
    build:
      context: .
      dockerfile: Dockerfile-prod
    ports:
     - 80:80
     - 443:443
    networks:
     - myNetwork

networks:
  myNetwork:

My docker file:

FROM node:latest as build

WORKDIR /usr/src/app

COPY package.json ./
RUN npm install

COPY . .

USER root

RUN npm run build

FROM nginx:alpine

COPY --from=build /usr/src/app/build /usr/share/nginx/html
COPY --from=build /usr/src/app/nginx/nginx.conf /etc/nginx/conf.d/default.conf

EXPOSE 80

CMD ["nginx", "-g", "daemon off;"]

I ssh'd into the server and ran this command to create the certificates:
(version: certbot 2.6.0)

sudo certbot certonly -d my-website.com -d www.my-website.com

I pick option 3, my input for the folder is:

/var/www/certbot

When I'm prompted to select the webroot, I select option 2

It produces this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.my-website.com
Type: unauthorized
Detail: 98.76.543.210: Invalid response from http://www.my-website.com/.well-known/acme-challenge/mvrOmy8v0pd1tEETK8YKrk_IUEoeYaxdtwTe7IsDDYY: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

And here are the logs from nginx on the server:

2024/02/19 20:02:34 [error] 28#28: *39 open() "/var/www/certbot/.well-known/acme-challenge/mvrOmy8v0pd1tEETK8YKrk_IUEoeYaxdtwTe7IsDDYY:" failed (2: No such file or directory), client: 184.105.99.36, server: my-website.com, request: "GET /.well-known/acme-challenge/mvrOmy8v0pd1tEETK8YKrk_IUEoeYaxdtwTe7IsDDYY: HTTP/1.1", host: "www.my-website.com

I'm completely stuck, after having spent days on it. Since I'm a bit new to all this, I don't really know where to look. All articles I read describe a fairly straightforward procedure, yet I'm unable to do it.

The error message mentions "no file / no directory found". The folder does exist, I checked. But I can't really figure out if the request actually creates a file or not (I read it was a temp file and removed afterwards, so how could I know if it ever was there?)
The error message also mentions "unauthorized". I tried to set permissions on the folder var/www/certbot to all users, but I don't know if it's necessary. Could my ec2 instance config be a problem? Port 80 normally works, I know because my app works without ssl.

Another question: some tutorials use volumes, so that the request writes the test file locally and then it's shared with the container where nginx runs. I don't get it, are we not supposed to run the certbot command on the server? Is it something that can be done locally? I'm confused :confused:

That's it. Let me know if I forgot something, and massive thanks in advance for any help that you could provide!

1 Like

Hi @Nicoco, and welcome to the LE community forum :slight_smile:

The proper syntax is:
server_name my-website.com www.my-website.com;
[without the "http://" and trailing slash]

Those two should agree.
In that: If the location ends with a slash, the root statement should also end with a slash.
I'd start by testing that expected challenge location.
Please put a test text file there and then see if it can be reached from the Internet.

  • echo "test" > /var/www/certbot/Test_File-1234
  • http://my-website.com/certbot/Test_File-1234

I suspect that you won't be able to reach that file.
If so, that would at least tell you exactly where the problem is.

1 Like

Hello @rg305 and thanks for the quick answer

I made the changes that you recommended regarding server_name
I also changed the location block: tried to remove the slash in both places, and also tried to add it in both places, so that the 2 agree, as you said.
Unfortunately that gave me the exact same error message in both cases.

I did that test that you described: ssh to the console in my ec2 instance, added the test file and went to the url. It fails (404). But one thing I don't get: why should I test on

  • /certbot/Test_File-1234
    and not
  • /.well-known/acme-challenge/Test_File-1234
    ? Since the latter is the location served by nginx. But maybe I'm missing something?

In any case, I tried creating a "test.txt" file in the /var/www/certbot/ folder, and going to the following url:
http://my-website.com/.well-known/acme-challenge/test.txt
It gives a 404 but by looking at the nginx logs, I saw that the request was trying to find the file in the following folder: /var/www/certbot/.well-known/acme-challenge/
As you can see, the path of the request was appended to the path of the folder :confused:

I made the following changes to my nginx.conf file:

upstream backend {
    server 12.345.67.890;
    keepalive 8;
}

server {
    listen 80;
    listen [::]:80;

    server_name my-website.com http://www.my-website.com/;

    location ^~ /.well-known/acme-challenge/ {
      allow all;
      alias /var/www/certbot/;
    }

    location /backend-service/ {
      proxy_pass http://backend;
    }
}

So now I'm using an alias and the GET request tries to find the file in the proper folder.
(I also removed the location block that serves my html file, for testing purposes)
I'm still getting the following error:

90.119.27.129 - - [20/Feb/2024:09:57:46 +0000] "GET /.well-known/acme-challenge/abc.txt HTTP/1.1" 404 555 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "-"
2024/02/20 09:57:46 [error] 29#29: *15 open() "/var/www/certbot/abc.txt" failed (2: No such file or directory), client: 90.119.27.129, server: my-website.com, request: "GET /.well-known/acme-challenge/abc.txt HTTP/1.1", host: "www.my-website.com"

So still not working but at least the proper folder is targeted. I just don't get why it says "no such file or directory", since I can see the file is there!

Do you have any idea? Thanks again for the help ++

1 Like
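The log lines in the two posts above show the one rule that explains both results: with `root`, nginx appends the whole request URI to the directory, so `/.well-known/acme-challenge/abc.txt` is looked up under `/var/www/certbot/.well-known/acme-challenge/`; with `alias`, the matched location prefix is cut off first, which is why the second config opens `/var/www/certbot/abc.txt`. Both are plain string concatenation, which is also why the location and the alias must agree on the trailing slash. The small script below is an added example, not code from the thread or from nginx; it models that mapping with the paths from the posts (the hypothetical `demo` function just walks through the three configurations seen so far). On the "unauthorized AND 404" question: `unauthorized` is the ACME error type the CA assigns when the challenge fetch fails, and `404` is the HTTP status nginx answered with, so the two are not in conflict.

```shell
#!/bin/sh
# Added example, not code from the thread: models how nginx maps a request URI
# to a file under `root` versus `alias`, using the paths from the posts above.
#
#   root  DIR;   -> DIR + the full request URI   (location prefix is kept)
#   alias DIR;   -> DIR + URI with the matched location prefix cut off
#
# Both are plain string concatenation, which is why the location and the
# alias have to agree on the trailing slash.

# resolve_root ROOT_DIR URI
resolve_root() {
    printf '%s%s\n' "$1" "$2"
}

# resolve_alias LOCATION ALIAS_DIR URI  (returns 1 if URI is outside LOCATION)
resolve_alias() {
    loc=$1; dir=$2; uri=$3
    case "$uri" in
        "$loc"*) printf '%s%s\n' "$dir" "${uri#"$loc"}" ;;
        *)       return 1 ;;
    esac
}

# acme_uri TOKEN: the URL path the CA fetches for an http-01 challenge
acme_uri() {
    printf '/.well-known/acme-challenge/%s\n' "$1"
}

# Walk through the three configurations that appear in the thread
# (hypothetical helper; the file name abc.txt is the one from the nginx log).
demo() {
    uri=$(acme_uri abc.txt)
    echo "request: $uri"
    echo "  location /.well-known/acme-challenge/ { root  /var/www/certbot; }"
    echo "    opens $(resolve_root /var/www/certbot "$uri")"
    echo "  location /.well-known/acme-challenge/ { alias /var/www/certbot/; }"
    echo "    opens $(resolve_alias /.well-known/acme-challenge/ /var/www/certbot/ "$uri")"
    echo "  location /.well-known/acme-challenge/ { alias /var/www/certbot; }   # slashes disagree"
    echo "    opens $(resolve_alias /.well-known/acme-challenge/ /var/www/certbot "$uri")"
}

demo
```

The third case is the one the earlier reply warns about: a location ending in `/` combined with an alias that does not produces `/var/www/certbotabc.txt`, a path that can never exist, and nginx reports it as the same "No such file or directory" 404.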

You are 100% correct - that was a TYPO on my part.
That should have been:
http://my-website.com/.well-known/acme-challenge/Test_File-1234

1 Like

That is a very useful piece of information [a clue!].

You might be able to get a cert quickly by using --webroot instead of the --nginx plugin.

Try:

certbot certonly --webroot -w /var/www/certbot -d my-website.com -d www.my-website.com --dry-run

If that works, then just remove the testing "--dry-run"

2 Likes

Indeed, a nice clue! But it didn't solve the problem, I'm afraid.

So I tried using --webroot, as you suggested.
The command you wrote returns:

Permission denied: '/var/log/letsencrypt/.certbot.lock'

Then I ran it with sudo and I got the same error message as previously: 404, unauthorized, etc.

I've been scratching my head on that for a week... It's quite a mystery

Is there a way to know if the challenge file is created at all? Cause here I only see that it can't be retrieved, but the error message gives mixed information: "unauthorized" AND "not found"... Shouldn't it be one or the other?

Thanks again

1 Like

Please show:
ps -ef | grep -v grep | grep -Ei 'apache|nginx|docker|certbot'

2 Likes

Here it is:

root        2160       1  0 Feb09 ?        00:07:29 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --default-ulimit nofile=32768:65536
root      446052    2160  0 09:48 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.17.0.2 -container-port 443
root      446057    2160  0 09:48 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 443 -container-ip 172.17.0.2 -container-port 443
root      446073    2160  0 09:48 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 80
root      446078    2160  0 09:48 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip 172.17.0.2 -container-port 80
root      446121  446098  0 09:48 ?        00:00:00 nginx: master process nginx -g daemon off;
101       446167  446121  0 09:48 ?        00:00:00 nginx: worker process
ec2-user  446434  444204  0 09:57 pts/1    00:00:00 docker logs -f 6e3b963d7f01

Are you running certbot within a docker container?

2 Likes

My app is running in a docker container and I'm using the nginx image, but I'm not using a certbot image.
I actually tried that too (although I'm not sure what the purpose is, I just saw some tutorial building a certbot image so I gave it a shot) but when I did the container was always exiting without any explicit error message, just "Exit with code 1". I couldn't find an explanation for that.

Are you running nginx in a docker container?

2 Likes

Hey sorry, I was offline for a few days... Now back on the issue

Yes I am running nginx in a docker container (I put the Docker file in my first message, in case it can help). Could that be a problem?

I'm still working on what you suggested earlier (creating a test file and trying to GET it)
Here is the result:

2024/02/27 20:38:45 [error] 29#29: *1 open() "/var/www/certbot/abc.txt" failed (2: No such file or directory)

Obviously I do have a /var folder in the root of the server, and the abc.txt file, so I'm wondering where the /var folder requested should actually be located. When the logs mention "open() "/var/www/certbot/abc.txt" failed", it doesn't tell me what path there is before /var, but it doesn't seem to be the root of the server. Is there a way to know what the full path requested is?

It shouldn't be a problem.

The test text file should be in the ACME challenge folder.
Something more like:

2 Likes

I'm afraid I'm still not able to do it... I need to investigate further on my side

I do have a question that might sound dumb: if I use docker compose, do I have to ssh into my aws ec2 instance and run the challenge from there, or can I just do it locally? Would it theoretically work if I deploy my code (the website is up and running) but run the container on my machine? By doing the latter, I get the same error (unauthorized / 404)

Thanks!

1 Like

The HTTP challenge request will go to the IP of the name in the certificate request.
I doubt you are pointing the website to your deployment machine [PC].
So, whatever IP responds to that name is where you need to run the ACME client.

That said, if you can somehow connect the web site to the container on your PC [like: via VPN or proxy], then I suppose it's "technically possible" [not worth the effort... but possible].

2 Likes
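The question a few posts up ("what path is there before /var?") has a concrete answer in this setup: the `ps` output shows nginx running inside the Docker container, while certbot (run with sudo on the EC2 host) writes its token to `/var/www/certbot/.well-known/acme-challenge/` on the host. The docker-compose file in the first post declares no `volumes:` entry, so the container's `/var/www/certbot` is a separate, empty directory in the image's own filesystem, and nginx's `open()` failure refers to that one. The script below is an added example, not code from the thread or from certbot; it assumes the service/container name `administration-ui`, the hostname `my-website.com` and the webroot `/var/www/certbot` from the thread. Offline it checks a compose file for a bind mount of the webroot (a read-only mount is enough, since nginx only has to read the token); run on the server with `--live` it writes a probe token on the host and reports whether the container and the public URL can see it, which is the same check the CA performs.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the "certbot on the
# host, nginx in a container" setup from the first post:
#   1. webroot_is_mounted: does the compose file bind-mount the host webroot
#      into the container at the same path?  (offline, works on any file)
#   2. probe_live: on the server, write a probe token under the host webroot
#      and see whether the container and the public URL can read it.
# Assumed names: service/container "administration-ui", host "my-website.com",
# webroot /var/www/certbot (all taken from the thread; adjust to your setup).

WEBROOT=${WEBROOT:-/var/www/certbot}

# webroot_is_mounted COMPOSE_FILE WEBROOT
# Returns 0 if some "- HOST:CONTAINER[:ro]" volume entry maps WEBROOT to the
# same path inside the container, 1 otherwise. Deliberately simple: it only
# recognises the short list syntax used in the thread's compose file.
webroot_is_mounted() {
    compose=$1; want=${2%/}
    while IFS= read -r line; do
        entry=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*-[[:space:]]*//' -e 's/[[:space:]]*$//')
        case "$entry" in
            "$want:$want"|"$want:$want:ro"|"$want/:$want/"|"$want/:$want/:ro") return 0 ;;
        esac
    done < "$compose"
    return 1
}

# Constructed samples: the first post's compose file (trimmed) without and
# with the read-only bind mount that makes the host webroot visible to nginx.
sample_compose_without_mount() {
    cat <<'EOF'
services:
  administration-ui:
    image: aministration-ui:latest
    ports:
     - 80:80
     - 443:443
EOF
}

sample_compose_with_mount() {
    sample_compose_without_mount
    cat <<'EOF'
    volumes:
     - /var/www/certbot:/var/www/certbot:ro
EOF
}

# probe_live CONTAINER HOSTNAME  (needs docker, curl and the real server)
probe_live() {
    container=$1; host=$2
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dir=$WEBROOT/.well-known/acme-challenge
    mkdir -p "$dir"
    printf '%s\n' "$token" > "$dir/probe-$token"
    if docker exec "$container" test -f "$dir/probe-$token"; then
        echo "OK: container sees $dir/probe-$token (webroot is shared)"
    else
        echo "FAIL: container cannot see $dir/probe-$token (no bind mount)"
    fi
    got=$(curl -fsS "http://$host/.well-known/acme-challenge/probe-$token" 2>/dev/null || true)
    if [ "$got" = "$token" ]; then
        echo "OK: public URL returns the token"
    else
        echo "FAIL: public URL does not return the token (the CA would see the same)"
    fi
    rm -f "$dir/probe-$token"
}

# Offline demo: run the mount check against both constructed samples.
demo() {
    tmp=$(mktemp -d)
    sample_compose_without_mount > "$tmp/before.yml"
    sample_compose_with_mount    > "$tmp/after.yml"
    for f in before after; do
        if webroot_is_mounted "$tmp/$f.yml" "$WEBROOT"; then
            echo "$f.yml: host $WEBROOT is mounted into the container"
        else
            echo "$f.yml: host $WEBROOT is NOT mounted; nginx serves its own empty copy"
        fi
    done
    rm -rf "$tmp"
}

if [ "$1" = "--live" ]; then
    probe_live "${2:-administration-ui}" "${3:-my-website.com}"
else
    demo
fi
```

Usage: `sh check-webroot.sh` runs the offline comparison of the two constructed compose files; `sudo sh check-webroot.sh --live administration-ui my-website.com` on the EC2 host performs the real probe. The probe file is removed afterwards, and the mount is read-only so a compromised nginx worker cannot plant or alter challenge responses on the host.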

Ok got it, thanks!

Further investigation: I was checking letsencrypt logs and trying to make sense out of them, maybe it could be useful? I copy / paste it below:

2024-03-01 15:51:45,473:DEBUG:certbot._internal.main:certbot version: 2.6.0
2024-03-01 15:51:45,474:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-03-01 15:51:45,474:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/var/www/certbot', '-d', 'my-website.com', '-d', 'www.my-website.com', '--dry-run']
2024-03-01 15:51:45,474:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-03-01 15:51:45,484:DEBUG:certbot._internal.log:Root logging level set at 30
2024-03-01 15:51:45,485:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2024-03-01 15:51:45,487:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fcef20f48e0>
Prep: True
2024-03-01 15:51:45,487:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fcef20f48e0> and installer None
2024-03-01 15:51:45,488:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2024-03-01 15:51:45,548:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/137046873', new_authzr_uri=None, terms_of_service=None), 62a18479572ce8bb1f2d81047c99477a, Meta(creation_dt=datetime.datetime(2024, 2, 19, 19, 25, 18, tzinfo=<UTC>), creation_host='ip-172-31-90-22.ec2.internal', register_to_eff=None))>
2024-03-01 15:51:45,549:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2024-03-01 15:51:45,550:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2024-03-01 15:51:45,790:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 826
2024-03-01 15:51:45,791:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:45 GMT
Content-Type: application/json
Content-Length: 826
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "L9EWr4_1hDs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-03-01 15:51:45,791:DEBUG:certbot._internal.display.obj:Notifying user: Simulating a certificate request for my-website.com and www.my-website.com
2024-03-01 15:51:45,796:DEBUG:acme.client:Requesting fresh nonce
2024-03-01 15:51:45,797:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2024-03-01 15:51:45,872:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-03-01 15:51:45,873:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:45 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0ilprt0g-JjR1BTgkCbC5Z2fcFG6vzYJv4dixNkiAJguBvoXPPs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2024-03-01 15:51:45,873:DEBUG:acme.client:Storing nonce: 0ilprt0g-JjR1BTgkCbC5Z2fcFG6vzYJv4dixNkiAJguBvoXPPs
2024-03-01 15:51:45,873:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "my-website.com"\n    },\n    {\n      "type": "dns",\n      "value": "www.my-website.com"\n    }\n  ]\n}'
2024-03-01 15:51:45,875:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAiMGlscHJ0MGctSmpSMUJUZ2tDYkM1WjJmY0ZHNnZ6WUp2NGRpeE5raUFKZ3VCdm9YUFBzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "C-hIAYbsDeLeL-B2HPWrry_Fq1qop4nI5mKGaLhgd9mH4-Av5T3GFwjZDCLb4WIYQOK-dpoKz7L_pl2n_snyjr87QaZw6nWpMrK_M4EYEkQKlw_GOX6qK3u9AFDWDat1mrAV2NYoyv7hz-P4MNwbn-WcK5AGf8z8eelmwDLhtaJuWE58LqQ0z3GEV0D9en5WCLlk4_w7otxyVPBBzvsoygVoVlyXRlpeU_5dWz8Gx803KCRMcjP7rQ16r1MB_qRNW7dxSmLTMPPsc6m6gF7vEQCySM0EbB49t0_WV8gWxSxTdJydvG6OeUP-Ljqpu-yvQqoCK818i4E52dINnGxpsw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImZvbGxvdy11cC1kb2MuY29tIgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5mb2xsb3ctdXAtZG9jLmNvbSIKICAgIH0KICBdCn0"
}
2024-03-01 15:51:46,017:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 507
2024-03-01 15:51:46,017:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 01 Mar 2024 15:51:45 GMT
Content-Type: application/json
Content-Length: 507
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/137046873/14940908983
Replay-Nonce: 0ilprt0gOmQ7HKQgi8HrcBio8kGeFfa1IPTsk2SXDjjSQLfbYQs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2024-03-08T15:51:45Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "my-website.com"
    },
    {
      "type": "dns",
      "value": "www.my-website.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886493",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886503"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/137046873/14940908983"
}
2024-03-01 15:51:46,018:DEBUG:acme.client:Storing nonce: 0ilprt0gOmQ7HKQgi8HrcBio8kGeFfa1IPTsk2SXDjjSQLfbYQs
2024-03-01 15:51:46,018:DEBUG:acme.client:JWS payload:
b''
2024-03-01 15:51:46,019:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886493:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAiMGlscHJ0MGdPbVE3SEtRZ2k4SHJjQmlvOGtHZUZmYTFJUFRzazJTWERqalNRTGZiWVFzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzExNDUxODg2NDkzIn0",
  "signature": "R1SqxTXOQlEeo-uk--hLxBaDjL-CfjuIPw4L6wFF-RoQqLINtP-AghIzPektWQLE-F38Ru-XDfdqHm70IEmMQ9hJYmQQ_VpaKm8CZtsX14c5FoV3Q3KxvCi0b798qcy_Fzt_1Tnkpdeite5yQvEZaxBiEb8bvayWNsD-E7OvLruHTfZM6Z9H_UNc3qEyf0ccYVYgX3muYMLoueqGywX7D94Cm3T2bUjSZXz4QKykzsT-gTPNXey3eK9zQxi2kd54I6tdaM9iLePlskOguue9lBEpB-QEBQXBy9e4yiZbRFxyxP0VVc6JRUfhGubcktF8y8h1FL5f1nz113naRK6_zg",
  "payload": ""
}
2024-03-01 15:51:46,099:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11451886493 HTTP/1.1" 200 822
2024-03-01 15:51:46,099:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:46 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: oUuAB4TEtWryI9Mq91gH2zr1LVC4-BwwJWSyB3IddwgBVAAVsfQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "my-website.com"
  },
  "status": "pending",
  "expires": "2024-03-08T15:51:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/NMC-5g",
      "token": "YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/ZXZ8Pg",
      "token": "YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/j_MXuw",
      "token": "YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM"
    }
  ]
}
2024-03-01 15:51:46,099:DEBUG:acme.client:Storing nonce: oUuAB4TEtWryI9Mq91gH2zr1LVC4-BwwJWSyB3IddwgBVAAVsfQ
2024-03-01 15:51:46,100:DEBUG:acme.client:JWS payload:
b''
2024-03-01 15:51:46,101:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886503:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAib1V1QUI0VEV0V3J5STlNcTkxZ0gyenIxTFZDNC1Cd3dKV1N5QjNJZGR3Z0JWQUFWc2ZRIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzExNDUxODg2NTAzIn0",
  "signature": "lFwg8NQ3emPtxZcTpxfliN--oEqy7GymEnbDDrnv38BDUdrA9omeqVRRdYROVDi9J0kYWoOBUTeDXpXI7cuVkfZuoHQOoRxY3jvK1nu1YPcRFcmffui6F6BFYI9jj0kwg4XxOOf3gNvfGCVnufh7jAde7he4qWKxPpqLHAbGQez_Yg-b1yOkSRgIo-rzkjb9LAjBRbediJnnc9D3NtQuiqtw_cioxCTHWQx9x9rE-zTtc_W0jQhJd_s8A6GJhRFQAQaRrfFgK934gW4uppomLdwIbbV6pL0oKaYZcsWj3WzUAFE6hgra311GNCyvWvRMwKagJqJwZAuTSum7ZUXByg",
  "payload": ""
}
2024-03-01 15:51:46,180:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11451886503 HTTP/1.1" 200 826
2024-03-01 15:51:46,180:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:46 GMT
Content-Type: application/json
Content-Length: 826
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: oUuAB4TEL_wr0pY31YvZk072m7MfGCa6p6tYu9FLUf6yLpF_fSE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.my-website.com"
  },
  "status": "pending",
  "expires": "2024-03-08T15:51:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/xdVzwQ",
      "token": "2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/FTQBsQ",
      "token": "2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/Zr-Fzw",
      "token": "2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw"
    }
  ]
}
2024-03-01 15:51:46,181:DEBUG:acme.client:Storing nonce: oUuAB4TEL_wr0pY31YvZk072m7MfGCa6p6tYu9FLUf6yLpF_fSE
2024-03-01 15:51:46,181:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-03-01 15:51:46,181:INFO:certbot._internal.auth_handler:http-01 challenge for my-website.com
2024-03-01 15:51:46,181:INFO:certbot._internal.auth_handler:http-01 challenge for www.my-website.com
2024-03-01 15:51:46,181:INFO:certbot._internal.plugins.webroot:Using the webroot path /var/www/certbot for all unmatched domains.
2024-03-01 15:51:46,182:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
2024-03-01 15:51:46,182:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
2024-03-01 15:51:46,183:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM
2024-03-01 15:51:46,184:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw
2024-03-01 15:51:46,184:DEBUG:acme.client:JWS payload:
b'{}'
2024-03-01 15:51:46,185:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/NMC-5g:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAib1V1QUI0VEVMX3dyMHBZMzFZdlprMDcybTdNZkdDYTZwNnRZdTlGTFVmNnlMcEZfZlNFIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzExNDUxODg2NDkzL05NQy01ZyJ9",
  "signature": "fgdvnH_zvUINbOQfiqgd1QL-lc45OT61XAT22ouHdUUVvh6k6Ux4coohS5ytyWijIeENZ4Zl4Fg7dCEkXz3iVRd3V2sK3_u1pZ2BxBZxYJp8NfZh1HBBxSGKkuFAT34eKSV37Vj8FpNvWdZVztbHko8VAQr7e0MYDzTIV4PMu3tIL1h1X_-7SO8IhmNtEZDx7x5zcnwjllkQVWtRK3BsjSlMypD1Mm4x0rVq_S8x1TdGA66bcI5glJFNFaBX36GmoQbLsIXBvRAGCm5-phngoquN-w-SZbZbX_KhLmeY-XdMiFoVu3Z_jq0846vTzLchkavgMOQF8wdkOX_F7QNKwA",
  "payload": "e30"
}
2024-03-01 15:51:46,271:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/11451886493/NMC-5g HTTP/1.1" 200 194
2024-03-01 15:51:46,272:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:46 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886493>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/NMC-5g
Replay-Nonce: 0ilprt0gNzoUYy0OpfbuWMNRPYDciXAtyp8DqmMKtHBzc-GXI3k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/NMC-5g",
  "token": "YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM"
}
2024-03-01 15:51:46,272:DEBUG:acme.client:Storing nonce: 0ilprt0gNzoUYy0OpfbuWMNRPYDciXAtyp8DqmMKtHBzc-GXI3k
2024-03-01 15:51:46,273:DEBUG:acme.client:JWS payload:
b'{}'
2024-03-01 15:51:46,274:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/xdVzwQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAiMGlscHJ0MGdOem9VWXkwT3BmYnVXTU5SUFlEY2lYQXR5cDhEcW1NS3RIQnpjLUdYSTNrIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzExNDUxODg2NTAzL3hkVnp3USJ9",
  "signature": "AHB5610XEiPHYOt9IRH71CqN3dsDQdqF1zFTWQTmUlO7B9JZpGf0HrEfFNM5tSBjwZ2J5fZ7PlcwMvkxb1XE3v3HZ4tkzWLYYZwIhiCL7u7ft_PF4P0ifd2HQzhlisRpteprMp30hcni72STnJNaZce-x9QgLJ7RjFRBxvPWKTHSZeKy3ntpf2g7VHBdnTKJSftyZyc8kXzdyne0f1RMMLC6WfHPrO8w2ExCkt-Wiv0XELNeLyQl2rfR0wynwcUCzN9gk0F3liB-MsgtqbEfFyKWByo4jA5L8IK0ocYK-hPIOJd-z1j5ZeZk81MMqJfa84Ulofv9cLxLFMqob6uj6g",
  "payload": "e30"
}
2024-03-01 15:51:46,358:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/11451886503/xdVzwQ HTTP/1.1" 200 194
2024-03-01 15:51:46,359:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:46 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886503>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/xdVzwQ
Replay-Nonce: 0ilprt0gzL6jQD2Q9BHWg5vmlHzoUUYRR05kjOThvskWPZ5FBUA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/xdVzwQ",
  "token": "2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw"
}
2024-03-01 15:51:46,359:DEBUG:acme.client:Storing nonce: 0ilprt0gzL6jQD2Q9BHWg5vmlHzoUUYRR05kjOThvskWPZ5FBUA
2024-03-01 15:51:46,359:INFO:certbot._internal.auth_handler:Waiting for verification...
2024-03-01 15:51:47,361:DEBUG:acme.client:JWS payload:
b''
2024-03-01 15:51:47,362:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886493:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAiMGlscHJ0MGd6TDZqUUQyUTlCSFdnNXZtbEh6b1VVWVJSMDVrak9UaHZza1dQWjVGQlVBIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzExNDUxODg2NDkzIn0",
  "signature": "K_NcflC2z17tFg3-B-B8KsqMh-6eTsjlyzno2kjPZm4t0m-D7obSAdrAjORfaf8sIxtuHtCOdEzFiothGCH59kC4mN5BqaNYFBQdEUr-rfnTnCyPorOpSGQU5KGY_y-o39CGZ-2gmR8-DZqifUB9wnzYaJ50kaujD933032SaEztGRvbvVF0JKou_2HaHBlALm0GqNM9K6UvlI4-yJPN0LLHc0gWZeqARoQURBT5mAm1hdy74PrDNAwWy3Ib2YhnYvC_vUGPZkjMX2QeSnQsVpiVzh9iE3A7z5Z1sPfqLdGYY9MnqHcNBvokY3SG31uqcXzEwvQn64tYtrTqSm2jEw",
  "payload": ""
}
2024-03-01 15:51:47,445:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11451886493 HTTP/1.1" 200 1155
2024-03-01 15:51:47,445:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:47 GMT
Content-Type: application/json
Content-Length: 1155
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: oUuAB4TEBUaXKgpM5xXCuGSF1B0xVaQ3lhZbJIREUvAU4c2Afw8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "my-website.com"
  },
  "status": "invalid",
  "expires": "2024-03-08T15:51:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "12.34.567.890: Invalid response from http://my-website.com/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886493/NMC-5g",
      "token": "YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM",
      "validationRecord": [
        {
          "url": "http://my-website.com/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM",
          "hostname": "my-website.com",
          "port": "80",
          "addressesResolved": [
            "12.34.567.890"
          ],
          "addressUsed": "12.34.567.890",
          "resolverAddrs": [
            "A:10.0.32.85:23282",
            "AAAA:10.0.32.81:22024"
          ]
        }
      ],
      "validated": "2024-03-01T15:51:46Z"
    }
  ]
}
2024-03-01 15:51:47,446:DEBUG:acme.client:Storing nonce: oUuAB4TEBUaXKgpM5xXCuGSF1B0xVaQ3lhZbJIREUvAU4c2Afw8
2024-03-01 15:51:47,446:DEBUG:acme.client:JWS payload:
b''
2024-03-01 15:51:47,447:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11451886503:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMzcwNDY4NzMiLCAibm9uY2UiOiAib1V1QUI0VEVCVWFYS2dwTTV4WEN1R1NGMUIweFZhUTNsaFpiSklSRVV2QVU0YzJBZnc4IiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzExNDUxODg2NTAzIn0",
  "signature": "ca64d0dNNukW5C8NbZIZW5bCJ19zzPYu30I4Cmoa0s7rsvYDiS9i_7P8iUhAhSnMZvMdswn_nY3Pa64nxyMsNoIllsVXEk9hJvqeX_uyqpY7IxHiRJLT4oaTxEqvuaDyXBCknafrG0gpzskDOtGHwuQOzNha03pfSdm8ZJ9DtR-xOj6XGAKEtbSFkA4mB1oOCUtI6U6iSrAP4wrdPwxCqLW7sy6jZUXf4gf6gKcCC7jM7XXozLc1e7ng_xfPu_rfMkVBlMjWC28YGDid24sCoiYs4-E3ZepERkTKO9PVFlkJ3NKAaIpMM1h-46pvkddrmDpkxvVaOVFyrjfoef4zrg",
  "payload": ""
}
2024-03-01 15:51:47,529:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/11451886503 HTTP/1.1" 200 1171
2024-03-01 15:51:47,529:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 01 Mar 2024 15:51:47 GMT
Content-Type: application/json
Content-Length: 1171
Connection: keep-alive
Boulder-Requester: 137046873
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0ilprt0grB058zsC4lIiZ88QLLBY0gh77F9ULJ6CSEgZdu9ADY4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.my-website.com"
  },
  "status": "invalid",
  "expires": "2024-03-08T15:51:45Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "12.34.567.890: Invalid response from http://www.my-website.com/.well-known/acme-challenge/2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/11451886503/xdVzwQ",
      "token": "2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw",
      "validationRecord": [
        {
          "url": "http://www.my-website.com/.well-known/acme-challenge/2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw",
          "hostname": "www.my-website.com",
          "port": "80",
          "addressesResolved": [
            "12.34.567.890"
          ],
          "addressUsed": "12.34.567.890",
          "resolverAddrs": [
            "A:10.0.32.87:30298",
            "AAAA:10.0.32.86:26324"
          ]
        }
      ],
      "validated": "2024-03-01T15:51:46Z"
    }
  ]
}
2024-03-01 15:51:47,530:DEBUG:acme.client:Storing nonce: 0ilprt0grB058zsC4lIiZ88QLLBY0gh77F9ULJ6CSEgZdu9ADY4
2024-03-01 15:51:47,530:INFO:certbot._internal.auth_handler:Challenge failed for domain my-website.com
2024-03-01 15:51:47,530:INFO:certbot._internal.auth_handler:Challenge failed for domain www.my-website.com
2024-03-01 15:51:47,530:INFO:certbot._internal.auth_handler:http-01 challenge for my-website.com
2024-03-01 15:51:47,530:INFO:certbot._internal.auth_handler:http-01 challenge for www.my-website.com
2024-03-01 15:51:47,530:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: my-website.com
  Type:   unauthorized
  Detail: 12.34.567.890: Invalid response from http://my-website.com/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM: 404

  Domain: www.my-website.com
  Type:   unauthorized
  Detail: 12.34.567.890: Invalid response from http://my-website.com/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM: 404

  Domain: www.my-website.com
  Type:   unauthorized
  Detail: 12.34.567.890: Invalid response from http://www.my-website.com/.well-known/acme-challenge/2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2024-03-01 15:51:47,531:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-03-01 15:51:47,531:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-03-01 15:51:47,531:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-03-01 15:51:47,531:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM
2024-03-01 15:51:47,532:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/2ykowvvzZbvzfjVDvcr7fXxe2wAnU3aMVHz1YWT8sLw
2024-03-01 15:51:47,532:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-03-01 15:51:47,532:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-03-01 15:51:47,533:ERROR:certbot._internal.log:Some challenges have failed.

I see several times "Storing nonce" and "Attempting to save validation". I'm not sure I understand whether the challenge is actually saved correctly or not.
Ultimately, the error that shows up is "unauthorized", but I don't get what kind of authorization we are referring to here. I'm using AWS / EC2, maybe some configuration is missing here?

In any case, thanks again for the help


First, my-website.com is a valid domain name. This isn't your domain name though - is it? Hiding your real domain name only makes it harder to help you. And, you should not be using other people's domains as examples.

As for:

Detail: 12.34.567.890: 
Invalid response from http://my-website.com/.well-known/acme-challenge/YUuEwtEkut8MrsHd-aHlnoi8FUHptmsrWDilrYh2EzM: 
404

The "404" is an HTTP error: Not Found. This means your ACME Client placed a challenge token in your webroot folder (/var/www/certbot in the first post). But, when the Let's Encrypt server made a request to your server for that token, your server said it was not found.

This can happen for any number of reasons. One example is the /var/www/certbot folder that Certbot used is not available to your nginx. Maybe your nginx server block has a different folder in its root statement. Or, your nginx server container does not have access to the same volume as your Certbot container.

You have a complicated mix of products that requires care to get right. You should review each of your pieces carefully. You should test connectivity manually before trying Certbot again. Do this by making a test file in the webroot folder that your Certbot used and then try to get that using a browser (or curl) from the public internet.

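The manual check suggested above comes down to one question: is the file Certbot drops into the webroot the same file nginx opens for the challenge URL? The script below is an added example, not code from this thread or from Certbot or nginx. It stages a token the way `certbot --webroot` does (under `<webroot>/.well-known/acme-challenge/`), computes the path nginx would open for that URI under a `root` directive (nginx prepends the `root` value to the full request URI, so the location prefix stays in the path), and flags the case Mike describes where the nginx `root` points at a different folder than the one given to Certbot. All function and variable names are my own; `acme_public_check` performs the curl test from outside, needs network access and a real hostname, and is not exercised offline.

```shell
#!/bin/sh
# Added example: reproduce the certbot-writes / nginx-reads mapping locally so a
# webroot mismatch is caught before asking the CA to validate again.

# Where certbot --webroot -w WEBROOT stores a token (fixed layout).
certbot_token_path() {
    # $1 = webroot given to certbot, $2 = challenge token
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# File nginx opens for a request URI inside a block that uses `root DIR;`:
# the root value is prepended to the whole URI, prefix included.
nginx_root_path() {
    # $1 = root directive value, $2 = request URI
    printf '%s%s\n' "$1" "$2"
}

# Stage a token exactly where certbot would, then check that the path nginx
# would open for the challenge URI is that same file.
# Usage: acme_webroot_selfcheck WEBROOT TOKEN [NGINX_ROOT]
# NGINX_ROOT defaults to WEBROOT (the correct configuration).
acme_webroot_selfcheck() {
    webroot=$1; token=$2; nginx_root=${3:-$1}
    uri="/.well-known/acme-challenge/$token"
    staged=$(certbot_token_path "$webroot" "$token")
    mkdir -p "$(dirname "$staged")"
    # constructed token body; a real token file holds keyauth data from certbot
    printf 'test-token-%s\n' "$token" > "$staged"
    served=$(nginx_root_path "$nginx_root" "$uri")
    if [ -f "$served" ] && cmp -s "$served" "$staged"; then
        echo "OK: nginx (root $nginx_root) would serve $served"
        return 0
    fi
    echo "MISMATCH: certbot wrote $staged but nginx would open $served -> 404" >&2
    return 1
}

# Live check from the public internet, as recommended in the thread: fetch the
# staged token over plain HTTP and compare it byte-for-byte with the file on disk.
# Usage: acme_public_check HOSTNAME WEBROOT TOKEN   (needs network; not run offline)
acme_public_check() {
    host=$1; webroot=$2; token=$3
    staged=$(certbot_token_path "$webroot" "$token")
    body=$(curl -sS -L --max-time 10 "http://$host/.well-known/acme-challenge/$token") || return 1
    [ "$body" = "$(cat "$staged")" ]
}
```

Run the self-check with the exact directory you give Certbot as the webroot and the exact directory in the nginx `root` statement of the acme-challenge location; when the two differ (for example `/var/www/certbot` versus `/usr/share/nginx/html`) the function prints the path nginx will fail to open, which is the same kind of path that appears in the nginx error log next to a 404. Remember to remove the staged test file afterwards.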

That is not even an IP Address. If you feel the need to hide something use redacted.


Hello Mike and thanks for your answer

Just to clarify one thing: I used 'my-website' to avoid having this page show up in google results if people look for the website name. I think it'd look rather unprofessional. But Bruce just recommended above to use the 'redacted' mention, which I will do in the future.

I used the tip you provided and I think you put me on the right path.

  • With an abc.txt file in the /var/www/certbot/ folder, I'm able to append /.well-known/acme-challenge/abc.txt to my URL and have the text file displayed in the browser. So nginx seems to work properly here.

  • However, using curl and the same url, I'm unable to download the file properly. I'm getting a text file with html (the nginx 'not found' page). In the docker logs, I see this:

[03/Mar/2024:15:51:05 +0000] "GET /.well-known/acme-challenge/abc.tx HTTP/1.1" 404 146 "-" "curl/7.68.0" "-"
2024/03/03 15:51:05 [error] 29#29: *17 open() "/var/www/certbot/abc.tx" failed (2: No such file or directory)

Do you maybe have any idea why it would work in one case and not in the other? Thanks
