Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:sudo certbot certonly --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): biscotty.online, www.biscotty.online
Simulating a certificate request for biscotty.online and www.biscotty.online
Input the webroot for biscotty.online: (Enter 'c' to cancel): /var/lib/www/biscotty.online
Select the webroot for www.biscotty.online:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/lib/www/biscotty.online
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: biscotty.online
Type: connection
Detail: 76.127.10.154: Fetching http://biscotty.online/.well-known/acme-challenge/RS88CWc7BhBeBHkmeQNOOc7ocSTkbl_1kCTrJRN5Ipo: Timeout after connect (your server may be slow or overloaded)
Domain: www.biscotty.online
Type: connection
Detail: 76.127.10.154: Fetching http://www.biscotty.online/.well-known/acme-challenge/E8IuezyVN0OkVL1JPIvt1vy9k8dpieNjYpO4AXtS9kM: Timeout after connect (your server may be slow or overloaded)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx 1.24
The operating system my web server runs on is (include version): NixOS 23.05.2664.9034b46dc4c7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.4.0
Hi @biscotty666, and welcome to the LE community forum
HTTP [TCP port 80] is required to use HTTP-01 authentication.
There appears to be something that seems like it is listening on that port.
But there is no web server being heard.
As always with these things, try it externally because your local network may be working fine. So for instance try access the site over http from your phones mobile data rather than your own wifi.
I suspect you have a home or office router and you are supposed to be forwarding port 80 to an internal server IP?
If HTTP-01 authentication turns out to be no longer an option for you, you could try using an ACME client that supports TLS-ALPN-01 authentication.
OR
Switch to DNS-01 authentication.
[much more "complicated" - but a valid option (if you can get automated)]
Here is a site you can use to test how others see your site.
I would suggest trying DNS validation (proving domain control via DNS TXT record) or tls-alpn-01 (validation of TLS on port 443). For standard HTTP validation to work you need your system to be accessible over port 80 from multiple geographic regions.
Could the connectivity problems we have be related to your Sveltekit at all?
I am pretty sure we have all been trying things like curl or similar and not actual browsers. A quick read on Sveltekit looks like if not setup right could cause what we are seeing
I see these response headers when ignoring the faulty cert on HTTPS
Feel free to try it in an actual browser lol. It automatically upgrades to https (where currently you have to accept the self-signed cert to proceed). What you are seeing is expected for the headers. Could the automatic upgrade to https be interfering somehow?