The CA failed to verify the changes made by Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: designtools.hiwin.com

I ran this command: sudo certbot certonly --nginx --debug-challenges --dry-run -v

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 22

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

I have made sure that all ports, and specifically port 80, are open. I'm even able to access a test file from outside the network at:
http://designtools.hiwin.com/.well-known/acme-challenge/test-file

1 Like

Hello @hashmiabrar1, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results
https://letsdebug.net/designtools.hiwin.com/2285356

UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to designtools.hiwin.com results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="Pragma" content="no-cache"><meta http-equiv="Cache-Control" content="no-cache"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name='id' content='siteBlocked'><title>Web Site Blocked</title><meta name='ip' content='199.182.214.83'></head><body bgcolor="#005d84"><center><div style="background:#fff;border-radius:8px;padding:48px;width:275px;margin:72px auto;font:14px sans-serif;text-align:left"><center><img src="data:image/gif;base64,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" id="nsa_banner" style="margin-bottom:28px;" /></center><img style="float:left;margin:7px 7px 0 -3px" src="data:image/gif;base64,R0lGODlhGAAYAJEAAP///9sbIeVUWfOsriH5BAAAAAAALAAAAAAYABgAAAJchG8jErGDYmStWiHRsJxDuXVi8x3hOJYAuqAH1X0nh61p4s4ensIxL2rdALoLKiA7HpOso3D0VEKLFcFAgYJkgR2Dz8Ls1Gzi67eikf7SalKGKlJJzpfMW/iwFwAAOw=="><div style="font-weight:bold;word-wrap:break-word;margin-top:7px;padding-left:28px;"><div id="alert_text">This site has been blocked by the network administrator.</div></div><div style="word-wrap:break-word;margin-top:8px;padding-left:28px;font-size:13px"><div style="margin-bottom:8px">Block reason: Gateway GEO-IP Filter Alert</div><div style="margin-bottom:8px">IP address: 65.21.146.168</div><div>Connection initiated from country: Finland</div></div></div></center></body></html>

Trace:
@0ms: Making a request to http://designtools.hiwin.com/.well-known/acme-challenge/letsdebug-test (using initial IP 199.182.214.83)
@0ms: Dialing 199.182.214.83
@261ms: Server response: HTTP 403 Forbidden


Supplemental information

Your test-file is present (good)

$ curl -Ii http://www.designtools.hiwin.com/.well-known/acme-challenge/test-file
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 18 Nov 2024 17:51:04 GMT
Content-Type: application/octet-stream
Content-Length: 13
Last-Modified: Mon, 18 Nov 2024 05:58:52 GMT
Connection: keep-alive
ETag: "673ad79c-d"
Accept-Ranges: bytes

A nonexistent file is not present (good)

$ curl -Ii http://www.designtools.hiwin.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 18 Nov 2024 17:51:10 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

Port 80 is open; Port 443 is closed for www.designtools.hiwin.com; maybe not what you desire,
but then again maybe it is.

$ nmap -Pn -p80,443 www.designtools.hiwin.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-18 17:50 UTC
Nmap scan report for www.designtools.hiwin.com (199.182.214.83)
Host is up (0.063s latency).

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds

Port 80 is open; Port 443 is closed for designtools.hiwin.com; maybe not what you desire,
but then again maybe it is.

$ nmap -Pn -p80,443 designtools.hiwin.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-18 17:50 UTC
Nmap scan report for designtools.hiwin.com (199.182.214.83)
Host is up (0.063s latency).

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
2 Likes

Thank you for your response @Bruce5051.
Does that have to do with how my config is set up?

server {
        listen 80;
        listen [::]:80;

        root /var/www/designtools.hiwin.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name designtools.hiwin.com www.designtools.hiwin.com;

        location /.well-known/acme-challenge/ {
                allow all;
                try_files $uri =404;
        }
}

I have my port 80 open as well.

1 Like

This again is supplemental; not directly related to the initial issue.

Is there a listen for Port 443 for HTTPS?

1 Like

There is not for 443.
I think it's because I'm trying to get the SSL cert, and then would open it for HTTPS. I hope I'm not wrong on this.

I think this is relevant: "During secondary validation"
[image]


Definitely looks like Geo Blocking
Permanent link to this check report

Please see these as well for explanation and suggestions

6 Likes
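A way to tell the 403 that Let's Debug received apart from nginx's own 200 and 404, as added example code that is not from this thread, from Certbot, or from Let's Debug: it classifies probe responses using the markers of the "Web Site Blocked" page quoted above and mimics multi-perspective validation, where every vantage point must get a 200 before the order passes. The sample responses are constructed from the thread's output; the vantage names and the `siteBlocked` marker check are assumptions about this particular filter page, not a general rule for all gateways.

```python
"""Classify HTTP-01 challenge probe responses and flag geo-IP block pages.

Added example, not part of the forum thread.  The sample responses below are
constructed from what the thread shows: nginx returning 200 on the test file,
404 on a missing file, and the 403 "Web Site Blocked" page Let's Debug saw.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Markers taken from the block page quoted in the thread.  Assumption: a 403
# whose body carries these markers came from a filter in front of nginx.
BLOCK_PAGE_ID = re.compile(
    r"""<meta\s+name=['"]id['"]\s+content=['"]siteBlocked['"]""", re.I)
BLOCK_REASON = re.compile(r"Block reason:\s*([^<]+)", re.I)
BLOCK_COUNTRY = re.compile(r"Connection initiated from country:\s*([^<]+)", re.I)


@dataclass(frozen=True)
class ProbeVerdict:
    vantage: str   # where the probe came from (constructed label)
    verdict: str   # "ok", "not_found", "blocked" or "unexpected"
    detail: str = ""


def classify_probe(vantage: str, status: int, body: str) -> ProbeVerdict:
    """Turn one probe (status code + body) into a verdict.

    HTTP-01 needs a 200 with the key authorization.  A 404 means nginx was
    reached but the token is missing; a 403 carrying the block-page markers
    means a gateway answered instead of nginx.
    """
    if status == 200:
        return ProbeVerdict(vantage, "ok")
    if status == 404:
        return ProbeVerdict(vantage, "not_found", "webserver reached, token absent")
    if status == 403 and BLOCK_PAGE_ID.search(body):
        reason = BLOCK_REASON.search(body)
        country = BLOCK_COUNTRY.search(body)
        parts = []
        if reason:
            parts.append(f"reason={reason.group(1).strip()}")
        if country:
            parts.append(f"country={country.group(1).strip()}")
        return ProbeVerdict(vantage, "blocked", "; ".join(parts))
    return ProbeVerdict(vantage, "unexpected", f"HTTP {status}")


def multi_perspective(probes) -> tuple[bool, list[ProbeVerdict]]:
    """Mimic multi-perspective validation: every vantage point must see 200.

    The CA validates from its primary location plus remote vantage points, so
    a geo filter that blocks only some of them still fails the whole order.
    Returns (passed, per-vantage verdicts).
    """
    verdicts = [classify_probe(v, s, b) for v, s, b in probes]
    return all(v.verdict == "ok" for v in verdicts), verdicts


# Constructed sample responses modelled on the thread's output.
OK_BODY = "test-file-ok\n"
NOT_FOUND_BODY = "<html><head><title>404 Not Found</title></head></html>"
BLOCK_BODY = (
    "<html><head><meta name='id' content='siteBlocked'>"
    "<title>Web Site Blocked</title></head><body>"
    '<div id="alert_text">This site has been blocked by the network administrator.</div>'
    "<div>Block reason: Gateway GEO-IP Filter Alert</div>"
    "<div>IP address: 65.21.146.168</div>"
    "<div>Connection initiated from country: Finland</div></body></html>"
)

# Constructed scenario: the primary probe succeeds, a remote one is geo-blocked.
SAMPLE_PROBES = [
    ("primary", 200, OK_BODY),
    ("secondary-Finland", 403, BLOCK_BODY),
]

if __name__ == "__main__":
    passed, verdicts = multi_perspective(SAMPLE_PROBES)
    for v in verdicts:
        print(f"{v.vantage:20} {v.verdict:10} {v.detail}")
    print("validation would", "pass" if passed else "FAIL")
```

Running the block prints one line per vantage and reports FAIL because the Finland probe hit the block page. That matches the thread's diagnosis: the curl and nmap output shows nginx already answers correctly on port 80, so the fix belongs in the gateway's GEO-IP policy rather than in the nginx server block.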

Thank you so much.

4 Likes

You are welcome @hashmiabrar1.
Have a pleasant day. :slight_smile:

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.