Suddenly acme-challenge Invalid response

Tr33 · May 19, 2020, 7:04pm

I’m using the certbot for a few years on a customers server. Suddenly he contacts me, that the ssl certificate is expired. That means the certbot was running for years correctly.

The system runs on Ubuntu 16 with nginx. The certbot has currently the version 0.31.0.

Now when I run sudo certbot renew I get this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (domain.de) from /etc/letsencrypt/renewal/domain.de.conf produced an unexpected error: Failed authorization procedure. domain.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.de/.well-known/acme-challenge/eF9vxHbtMvQxSrZIeecom1dSKpeOAx8pEDs4PoqrqxM [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested document does not [or no longer] exist on this server. The link could be outdated or wr". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.de
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.de/.well-known/acme-challenge/eF9vxHbtMvQxSrZIeecom1dSKpeOAx8pEDs4PoqrqxM
   [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested
   document does not [or no longer] exist on this server. The link
   could be outdated or wr"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

First, wenn I saw the error, I tried to look if the folder .well-known/acme-challenge exists. It does. But I couldn’t access it (500 error). So I added special rights to the folder and now I get just a 403, because now files should be shown. But that doesn’t help at all, same certbot error.

Then I researched that I should try it with simple nginx configuration. I did:

server {
    listen 80;
    server_name domain.de;
    root /home/project/website;
}

But this didn’t help at all too. Yes, I restarted nginx.

Now I’m lost and don’t know what to do.

rg305 · May 19, 2020, 7:20pm

Did you see the error message:
Invalid response from
http://domain.de/.well-known/acme-challenge/eF9vxHbtMvQxSrZIeecom1dSKpeOAx8pEDs4PoqrqxM [87.128.29.169]:
DOCUMENT NOT FOUND

Q1: Is that your real domain name?
Q2: Is that the IP where your server is at?

If either answer is no, then please clarify.

Tr33 · May 19, 2020, 7:21pm

I changed the domain, to not expose my client. The IP is correct.

rg305 · May 19, 2020, 7:24pm

This worked previously.

But today there is a (very slow) response from that IP which is requiring authentication?

curl -Iki 87.128.29.169
HTTP/1.1 401 Unauthorized
Server: David-WebBox/12.00a (1215) WIN32
Transfer-Encoding: chunked
Cache-Control: no-cache
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="/"

Note: My tests may be way off - since I'm working without a real domain name.

Tr33 · May 19, 2020, 7:27pm

I didn’t configurate the main Server, I guess it’s in a cluster. The website is under a subdomain and reachable, but not for the public.

Why do you need the domain name? The error message doesn’t say that the server is not reachable.

rg305 · May 19, 2020, 7:27pm

Have you tried placing a test-file in the expected challenge folder?
/home/project/website/.well-known/acme-challenge/test-file
[you may have to create the full path]

Tr33 · May 19, 2020, 7:28pm

Yes I did, I created a empty test.txt and could access it over the browser.

rg305 · May 19, 2020, 7:28pm

From the Internet?

Tr33 · May 19, 2020, 7:29pm

Yes, like I said, everything is accessible through the web, without VPN.

rg305 · May 19, 2020, 7:30pm

Then I can't explain:

Tr33 · May 19, 2020, 7:32pm

Well the certbot creates temporarily files and deletes them afterwards. That how the certbot works.
For me it looks like the certbot isn’t creating any files for the test or he does it in the wrong place. But the logs aren’t shown anything helpful.

rg305 · May 19, 2020, 7:35pm

Have you tried specifying the challenge directory?:
Have you tried certbot with --verbose ?

Tr33 · May 19, 2020, 7:36pm

No I didn’t. I found how to change the folder for the certificates but not for the challenge itself.
What does --verbose do?
I have to be careful with running certbot because of the limitations.

rg305 · May 19, 2020, 7:40pm

It adds extra output into the LE log file.

For NGINX, you can use something like:

    location /.well-known/acme-challenge/ {
        access_log /var/ACMEchallengeTEST/access.log; # IF YOU WANT A SEPARATE LOG FILE
        root /var/ACMEchallengeTEST/;
        try_files $uri =405;
    }#location

Tr33 · May 19, 2020, 7:43pm

Okay I though you mean to give certbot a separate folder for the challange.
There is no point to tell nginx a different folder for that, because it is accessable already.

I try verbose in a minute.

rg305 · May 19, 2020, 7:44pm

And yet... it is NOT:

Your site is requiring authorization.

Tr33 · May 19, 2020, 7:46pm

It says that it can’t find eF9vxHbtMvQxSrZIeecom1dSKpeOAx8pEDs4PoqrqxM and not that the main folder or even server is not reachable.

rg305 · May 19, 2020, 7:49pm

I’m trying to help.
But you seem dead set on what is exactly going wrong and yet can’t seem to fix it.
Perhaps you are not so clear on what is actually going wrong. [I know I’m not.]
How about we try adding --verbose and (re)review the LE logs?

Tr33 · May 19, 2020, 8:00pm

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator None and installer None
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f00e041c668>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f00e041c668> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f00e041c668>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(uri='https://acme-v01.api.letsencrypt.org/acme/reg/13254777', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', body=Registration(contact=('mailto:letsencrypt@shitter.tv',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', only_return_existing=None, status=None, external_account_binding=None, terms_of_service_agreed=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f00e02fd6a0>)>))), 424db555ee2113ea41a3fbc222cc1a85, Meta(creation_dt=datetime.datetime(2017, 4, 24, 19, 31, 53, tzinfo=<UTC>), creation_host='domain'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
"GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Connection: keep-alive
X-Frame-Options: DENY
Content-Type: application/json
Server: nginx
Content-Length: 658
Date: Tue, 19 May 2020 19:57:22 GMT
Strict-Transport-Security: max-age=604800

{
  "C9n9jRCPCxg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0098_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0098_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
"HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Connection: keep-alive
Replay-Nonce: 0102yLBaXdiKLdjEbezA-WVcWMyPLoeDWvw66abTF-uUpdw
X-Frame-Options: DENY
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Server: nginx
Date: Tue, 19 May 2020 19:57:26 GMT
Strict-Transport-Security: max-age=604800


Storing nonce: 0102yLBaXdiKLdjEbezA-WVcWMyPLoeDWvw66abTF-uUpdw
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "domain.de"\n    }\n  ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "signature": "J5_UKGvpIeM-9OhbfPhQu4kDVE8rmpc_HBfN-s9y2AACo2Uj-FHJQ-BOBjXRC03mnTh11LNiLDcmlSfc2nynm7GsMzshy4Pbr768YAquWealeh3KMJ1kKa2rdIkcNR5KfYbsbobjur-tq75_J52ScqHPoaAk0q_v0LhShlvA66AzzOOKLQr4K-boMHCdnAQsZ0qQ4puN9OEBxn2hnem2uinydepcMvqMErYAXEDmsQsjDJnUYW3DeJ0ev5TdTu0TIuP3AYChBwHCHmb-1ourYyG5ZXauM_tpH9nTUqpSPa0GzR2TQ9sBNt3MOxElSthBaGPP3wBLssnVLcGF2JP4n4L7ZLOaBfNlabWjf1NPXlVIVBFoZXl6GN20e9VPYr8pcAh_nys_cr_IeaCew-Z8LgM2608KGaZCKgavfXsjHlTIdoVR_T7ExyeZjj2GJAmUtHdsNeAf0d6-EWjFdZJkTu9MlGAzeNjWShJ7ejkEEDZTM6cqbq3kul5V4WwBVcLM48v3BpG4RRlBMwbJc2O4J0cJwl5WVIYT3R5PJBagxVbYyIObRwGP3q0yQouPzmheH-v0S-1WxF0mfWqdlfHOPwHzH-cNSXQmN2ep6b3-gf3EhAIVj2S5yA9Aq4_8Y79wHklgu7c_3BzF9cn11FW-3LsE-SJBlzDH89gTRxHukss",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAxLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvMTMyNTQ3NzciLCAibm9uY2UiOiAiMDEwMnlMQmFYZGlLTGRqRWJlekEtV1ZjV015UExvZURXdnc2NmFiVEYtdVVwZHciLCAiYWxnIjogIlJTMjU2In0",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImFybmkucnV0ZWMuZGUiCiAgICB9CiAgXQp9"
}
"POST /acme/new-order HTTP/1.1" 201 343
Received response:
HTTP 201
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Location: https://acme-v02.api.letsencrypt.org/acme/order/13254777/3426934433
Content-Length: 343
Date: Tue, 19 May 2020 19:57:27 GMT
Strict-Transport-Security: max-age=604800
Connection: keep-alive
Replay-Nonce: 0102bFH5iL4s9oJxcQn0GkfkyP9V3SemnJCWZ-UvODYnqF8
Content-Type: application/json
Boulder-Requester: 13254777
Server: nginx
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"

{
  "status": "pending",
  "expires": "2020-05-26T19:57:27.175057788Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.de"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/4685944164"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/13254777/3426934433"
}
Storing nonce: 0102bFH5iL4s9oJxcQn0GkfkyP9V3SemnJCWZ-UvODYnqF8
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/4685944164:
{
  "signature": "ub5rEqSDgcXD3W5EJl6rU9bkUvIGZWAYQFuyhr7-vXfAGzp2YWh8NAGY52PzYBvIc9scgpQmgra32Qir4XoFrXKgzqSLyO7FpvdXpInr1dtFYtpInhiMOSx-tmaX7Hac8gMHP-AhIvVCQaNUjMiLe38PtQjFnqN6aPohft7q6styhUrA8pv6cxzcmQiDKoBULFBR6bPPg5x-RKXBbBAODgnYfo3XtrKUV2vMdZAWs_iTiV9uZMrjmypdi9OZGkUNP9xz-7291o6uFfflk2gd6sNgS9GzTcwYUfeAQ-oHL6nTLLVqPR6qo86EaKxS4kv7h4RgBDJQgh22k6z5DlIzbqoX9_F-pbXMqEpynlpcjkfuDbizp-tuX8ch_YHoz2oSatzWVq66WfwZDuXtwmM551kOmk3aqFOlJt0_6t1Ef2vqQEL50vAUPiOhI8_BYcQqiC9_mIWDxBEFPV6bJmG8fyvQEvA12PBbvevhmtFxcsMju8wAZ0wVKHBf5r7n_CkPVODUyOln-ztVA76aX18uwaLvYEXKtkTYrTbZjYGR0diEioX4C4QRYbXtedyeRFLyBlgx5JV0X-h25uKrmGitgrnFPKJoFuVeN2nkHEeUVUv2mR9vIBrJynUKTK6SaiP8oY0GF1KRlOFI_N1n1R0bnHSecToH8cPF--J5tMoWS1k",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNDY4NTk0NDE2NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvcmVnLzEzMjU0Nzc3IiwgIm5vbmNlIjogIjAxMDJiRkg1aUw0czlvSnhjUW4wR2tma3lQOVYzU2VtbkpDV1otVXZPRFlucUY4IiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": ""
}
"POST /acme/authz-v3/4685944164 HTTP/1.1" 200 791
Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 13254777
Replay-Nonce: 0101m8Neu2SiAwfn3nPIVpn7lFazhwJQvwNdopFL5dnp1RU
X-Frame-Options: DENY
Server: nginx
Connection: keep-alive
Strict-Transport-Security: max-age=604800
Content-Length: 791
Date: Tue, 19 May 2020 19:57:27 GMT
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Content-Type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "domain.de"
  },
  "status": "pending",
  "expires": "2020-05-26T19:57:27Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/oKUouw",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/reGjdg",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/UM34EQ",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
    }
  ]
}
Storing nonce: 0101m8Neu2SiAwfn3nPIVpn7lFazhwJQvwNdopFL5dnp1RU
Performing the following challenges:
http-01 challenge for domain.de
Generated server block:
[]
Creating backup of /etc/nginx/mime.types
Creating backup of /etc/nginx/nginx.conf
Creating backup of /etc/nginx/conf.d/server.conf
Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;


events {
  worker_connections 768;
  # multi_accept on;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  client_body_timeout 15;
  client_header_timeout 15;
  types_hash_max_size 2048;
  server_tokens off;
server_names_hash_bucket_size 128;
  server_name_in_redirect off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 30m;
  ssl_session_tickets off;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128- GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE- ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA- AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256- SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA- AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3- SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128- SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3- SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH- RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4;
  resolver_timeout 5s;


  ##
  # Additional headers
  ##
  add_header X-Content-Type-Options "nosniff";
  add_header X-Frame-Options "SAMEORIGIN";

  ##
  # Logging Settings
  ##
  access_log /var/log/nginx/access.log combined buffer=16k;
  error_log /var/log/nginx/error.log warn;

  ##
  # File cache
  ##
  open_file_cache max=10000 inactive=300s;
  open_file_cache_valid 5m;
  open_file_cache_min_uses 2;
  open_file_cache_errors off;

  ##
  # Gzip Settings
  ##
  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 9;
  gzip_min_length 1000;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg;

  ##
  # Virtual Host Configs
  ##
  include /etc/nginx/conf.d/*.conf;

}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
#   listen     localhost:110;
#   protocol   pop3;
#   proxy      on;
# }
#
# server {
#   listen     localhost:143;
#   protocol   imap;
#   proxy      on;
# }
#}

Writing nginx conf tree to /etc/nginx/conf.d/server.conf:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


  listen  80;
  listen  443 ssl http2;
  listen  [::]:80;
  listen  [::]:443 ssl http2;
  server_name     domain.de;


  client_max_body_size 132m;
  root /home/project/website;
  index index.php;
  try_files $uri $uri/ index.php?$args;
ssl_certificate /etc/letsencrypt/live/domain.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.de/privkey.pem; # managed by Certbot
  ssl_trusted_certificate /etc/letsencrypt/live/domain.de/chain.pem;

  location ~ /.+\.php$ {
    try_files $uri /index.php;
    fastcgi_index index.php;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
  }

  location ~ /.well-known {
      allow all;
  }

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

location = /.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA{default_type text/plain;return 200 uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA.09aCJ3tIiWYvz2SggLO1SKbjjSGTWiZYGed8VquwcOA;} # managed by Certbot

}

Waiting for verification...
JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/oKUouw:
{
  "signature": "TOrlimf0-H_e_W15cK7WSgMYOiY0S4963TQU6AxM5hfuITN8QzGoY0anF71TKthaNnhLuTKt25ZP2hmfepM_VrXWQoqTpGrY-s2fLmsjSbl-_Dsc2frhd_uFypOgw4UcOYJ3VlIoTnOMejCIinx-6BH4-fKQKnp8iWLmX8jLlF0L-h19PFI2O80Azz6AZ0h9RU6lvO8QV5m0veHZvIkV4C5kMST-ZBsHawjxWkGFAVN6_HrjFI9lESCxKzn7ei7t3yNsJv1V7Xj5c4AQVyq0aItGXoH9ZIALhQtO2OqIpro5gL4KiqVxoeRPCVZqYQwot6AU4XR8wzoGjlBA9tS6FXEXzL02bC4MVRj9ORiB6hxckxbLsgy5SWijiRA5-yrlW0g1qRp4R32D3tWPxw6LCC-jXCENtn1Y-qOHM8_OJQiyKK-H5zWIAAA4LoEfm6R9Teo0612sIlZ7_AINTO233dpnL7sJWq3r0k2p9mR7lAObaiGGaUkv3hAI7R6KJerMtnGQ8h0Tfr4vBO03P0YYZKC42ezp1nVoaAmNk_ZklYm4Z0cu6VtMhArtG4LM2NJjJt0a8k0hCFBw3CtyG2enCGuFqOshpehCF77pm0z1wGhMgktgPmkg1gj7iMgNPbrkRie1tjz0DMsdbf7EZehOcKCHcmZ1_86ZbnzQ6NEeU5o",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvNDY4NTk0NDE2NC9vS1VvdXciLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy8xMzI1NDc3NyIsICJub25jZSI6ICIwMTAxbThOZXUyU2lBd2ZuM25QSVZwbjdsRmF6aHdKUXZ3TmRvcEZMNWRucDFSVSIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0"
}
"POST /acme/chall-v3/4685944164/oKUouw HTTP/1.1" 200 185
Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/oKUouw
Content-Length: 185
Date: Tue, 19 May 2020 19:57:28 GMT
Strict-Transport-Security: max-age=604800
Connection: keep-alive
Replay-Nonce: 0101ucxTk0pF0e9rugCCqJ6yLT_F2g_DZwzuBckS1TfuybE
Content-Type: application/json
Boulder-Requester: 13254777
Server: nginx
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/4685944164>;rel="up"

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/oKUouw",
  "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
}
Storing nonce: 0101ucxTk0pF0e9rugCCqJ6yLT_F2g_DZwzuBckS1TfuybE
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/4685944164:
{
  "signature": "Zis5Jc11rlnauNdn-MzVtfWtpn2_Xm7C_-KyDx4QiXbjsmCKHYls3_vTN6x8PdwKIbRKwC_bbaD_Q8Pdg47pdtaz0oDFaZrKTj48OFftpr2O-k5ue11iqet7q60Jg_EuiSaAMLOyaoOgl5-rQi4y0-uQerRR0b-L3JgCdBc5f3rGmspqv1Vm1hnAaVBS7bHW81ybzDveWP1sHQ5kgP1AtrNvIHGgYeGbMbAZwpbU9Ezjes4aVxhxNWtLhr1Z934gxfJUOdD7z6tb4QA4PmkhlakZgGwvy0l1x13-BUxjdSzMKlW54BR5pSCqBARhwrShihzI85nH2EKP_SO5J4O5Tu8MQpHjrnxMa-dsZiToeneXu0qgUg9Qb3aVPr_4kE-eFw5ixZQ4Prb9GdUXwpIC0Ev0kjms_utIei6nY-TNR4srwB4allRm8Jax7dahdFNfPIUyAhJrP5y34_uKKbHFn25BclwuEvO0L5mBDFi1silgsB2Tua88jGo2JGIUgUFzxBaaOAfLyyFuytrf6H8RVxyUEuaRzr90XKeVRLBR6ibauUP_lQVGNiUaOfCsvxS1x2V7V7X2kmK5ddVTvDtQEmaT1HubWTjeHktbCpX3ne65yTjumcQirUExeNVVwhneX_8phFtG8voF-vwcH8I5sC88SYBNG7GWxnm_69EmiAY",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNDY4NTk0NDE2NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvcmVnLzEzMjU0Nzc3IiwgIm5vbmNlIjogIjAxMDF1Y3hUazBwRjBlOXJ1Z0NDcUo2eUxUX0YyZ19EWnd6dUJja1MxVGZ1eWJFIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": ""
}
"POST /acme/authz-v3/4685944164 HTTP/1.1" 200 791
Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 13254777
Replay-Nonce: 0101U0lT1Y_rz-QPGQdE71k2MKXUlOa1sxMcAvrD9vm8ii4
X-Frame-Options: DENY
Server: nginx
Connection: keep-alive
Strict-Transport-Security: max-age=604800
Content-Length: 791
Date: Tue, 19 May 2020 19:57:32 GMT
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Content-Type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "domain.de"
  },
  "status": "pending",
  "expires": "2020-05-26T19:57:27Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/oKUouw",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/reGjdg",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/UM34EQ",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA"
    }
  ]
}
Storing nonce: 0101U0lT1Y_rz-QPGQdE71k2MKXUlOa1sxMcAvrD9vm8ii4
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/4685944164:
{
  "signature": "OLiUd3hxz-G4pmEEgumrUZmrL6QXvmF6BF4WM4VM3QoedIjCtsUP60IE-T3LvC1iPJdImd5QUTN5Sq39fDP8CozcVRV4y_0eYWH4hbabq7_PZ6rPZblSafOUXjU4JLkWRin4depj4wGdadCNKLK3mOyAXf49QWewKI1ExM4kT9rZjedb3YS28xxmThpXT2kxG_xHQT4UdzzIs7Ri4o2shJZqHjlnOjJB1Hgl2_sMRrTpQmJkkDUzEQmJUYDOQ99Xq7d4Eo3f8de2s8C0WWG3RZgVYnBqbH_X18UJNbswYKkVmEluA-bvecPA18rHYQi0IlcrFVQJnkau9CcNJTFhl5UGJeZOHeOC0mZjAGqdQ_U6LLp7DG0gZbAzfyHWHbqEL0Diz-Y4hhZA80JbdYrmNg0W5Vb9oV8x3WD0EhDxsFrzlTdyf6zY11CrQZU7vzsHWcjPUbs8S4qyTPFR5DOy6x7e8usdh_CZDyIpEmqrluidNpOmDstFLsinG6ug-vjobDTwnHiRz_iHyKNhPcEacjqSUuvY2Dr95z684HGwc_JkBb7U-c9ZYUfT2_oLiUAV9G6UVbgcCc47R7s25svypjqINzB61yJopF68q2p48JFhiLYd6MkdGRtgkE9yFQTJ-bTsMonsaahSz6cfLRJb05NcMgCWvSZ8np9cw53OkEw",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNDY4NTk0NDE2NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvcmVnLzEzMjU0Nzc3IiwgIm5vbmNlIjogIjAxMDFVMGxUMVlfcnotUVBHUWRFNzFrMk1LWFVsT2Exc3hNY0F2ckQ5dm04aWk0IiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": ""
}
"POST /acme/authz-v3/4685944164 HTTP/1.1" 200 1127
Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 13254777
Replay-Nonce: 0101pyNgpFXaTFU2morUnm-R4LAEBLHuKYOUu-rsoBf_KYE
X-Frame-Options: DENY
Server: nginx
Connection: keep-alive
Strict-Transport-Security: max-age=604800
Content-Length: 1127
Date: Tue, 19 May 2020 19:57:35 GMT
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Content-Type: application/json

{
  "identifier": {
    "type": "dns",
    "value": "domain.de"
  },
  "status": "invalid",
  "expires": "2020-05-26T19:57:27Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA [87.128.29.169]: \"DOCUMENT NOT FOUND\\r\\n\u003cP\u003e\\r\\n\\r\\nThe requested document does not [or no longer] exist on this server. The link could be outdated or wr\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4685944164/oKUouw",
      "token": "uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA",
      "validationRecord": [
        {
          "url": "http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA",
          "hostname": "domain.de",
          "port": "80",
          "addressesResolved": [
            "87.128.29.169"
          ],
          "addressUsed": "87.128.29.169"
        }
      ]
    }
  ]
}
Storing nonce: 0101pyNgpFXaTFU2morUnm-R4LAEBLHuKYOUu-rsoBf_KYE
Reporting to user: The following errors were reported by the server:

Domain: domain.de
Type:   unauthorized
Detail: Invalid response from http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested document does not [or no longer] exist on this server. The link could be outdated or wr"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. domain.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested document does not [or no longer] exist on this server. The link could be outdated or wr"

Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. domain.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested document does not [or no longer] exist on this server. The link could be outdated or wr"
Failed authorization procedure. domain.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested document does not [or no longer] exist on this server. The link could be outdated or wr"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.de
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.de/.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA
   [87.128.29.169]: "DOCUMENT NOT FOUND\r\n<P>\r\n\r\nThe requested
   document does not [or no longer] exist on this server. The link
   could be outdated or wr"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

it doesn’t say anything about trying to create that specific file.

rg305 · May 19, 2020, 8:59pm

Not 100% certain…
But

  location ~ /.well-known {
      allow all;
  }

may be conflicting with:

location = /.well-known/acme-challenge/uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA{default_type text/plain;return 200 uWKvs1DxOjOSV8kcQ52Gm9A-Abn-1qsLMYwhzF7yrsA.09aCJ3tIiWYvz2SggLO1SKbjjSGTWiZYGed8VquwcOA;} # managed by Certbot