To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: staging.tite.rdc.nie.edu.sg

I ran this command: sudo certbot --nginx -d staging.tite.rdc.nie.edu.sg

It produced this output:
2020-09-02 13:07:43,341:DEBUG:certbot._internal.main:certbot version: 1.6.0
2020-09-02 13:07:43,342:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'staging.tite.rdc.nie.edu.sg']
2020-09-02 13:07:43,342:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-02 13:07:43,358:DEBUG:certbot._internal.log:Root logging level set at 20
2020-09-02 13:07:43,358:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-02 13:07:43,359:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2020-09-02 13:07:43,504:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f730e9b3e50>
Prep: True
2020-09-02 13:07:43,504:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f730e9b3e50> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f730e9b3e50>
2020-09-02 13:07:43,504:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2020-09-02 13:07:43,528:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-v02.api.letsencrypt.org/acme/acct/91480453’, new_authzr_uri=None, terms_of_service=None), a9a8505f67992bde962a05c239b325ee, Meta(creation_host=u’RDCtite’, register_to_eff=None, creation_dt=datetime.datetime(2020, 7, 16, 7, 16, 24, tzinfo=)))>
2020-09-02 13:07:43,530:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-09-02 13:07:43,538:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-09-02 13:07:45,098:DEBUG:urllib3.connectionpool:“GET /directory HTTP/1.1” 200 658
2020-09-02 13:07:45,100:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Wed, 02 Sep 2020 05:08:39 GMT
x-frame-options: DENY
content-type: application/json

{
“5ZmrU-tatX8”: “Adding random entries to the directory”,
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert
}
2020-09-02 13:07:45,101:INFO:certbot._internal.main:Obtaining a new certificate
2020-09-02 13:07:45,146:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0036_key-certbot.pem
2020-09-02 13:07:45,148:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0036_csr-certbot.pem
2020-09-02 13:07:45,149:DEBUG:acme.client:Requesting fresh nonce
2020-09-02 13:07:45,149:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-09-02 13:07:45,518:DEBUG:urllib3.connectionpool:“HEAD /acme/new-nonce HTTP/1.1” 200 0
2020-09-02 13:07:45,519:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
cache-control: public, max-age=0, no-cache
date: Wed, 02 Sep 2020 05:08:39 GMT
x-frame-options: DENY
replay-nonce: 0001nMmWeJAWIdzIWPY186RyMiAfKK0qlGwuJhz3m0wPUHU

2020-09-02 13:07:45,519:DEBUG:acme.client:Storing nonce: 0001nMmWeJAWIdzIWPY186RyMiAfKK0qlGwuJhz3m0wPUHU
2020-09-02 13:07:45,520:DEBUG:acme.client:JWS payload:
{
“identifiers”: [
{
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
}
]
}
2020-09-02 13:07:45,521:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJub25jZSI6ICIwMDAxbk1tV2VKQVdJZHpJV1BZMTg2UnlNaUFmS0swcWxHd3VKaHozbTB3UFVIVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzkxNDgwNDUzIiwgImFsZyI6ICJSUzI1NiJ9”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJzdGFnaW5nLnRpdGUucmRjLm5pZS5lZHUuc2ciCiAgICB9CiAgXQp9”,
“signature”: “hpU57O8R6BSlkMwkHSzatBnjlJkYvTXcZIdoppd2nPRxQRkK2SJ0iSTi3zHiWcXpCzNmC05yMcqIp7lHD8qLHFNcsuVgC7DxWBZTtBJcDZicT5RjgWhx8pMMO9Ch1VbJy1j1Wb8LENKTx7Rq-81xm7mYcei-A9ALztBHRZv3cRHC5QdJzKbTKQRwny8n9RVaPfEaXsqmtF4jMmGtlLBqMkdn7FvagpymgU8AAXB_jsgBNeJbQJQTyxj45R1TQwkRSB0-4c9PWnTkKA_f97iX0M96HAtBVjrbE5kkY2r0YDKcW5AYCaHgrUxX0yb2N9vQm4BojpLpVkIunG40xXsZdw”
}
2020-09-02 13:07:46,686:DEBUG:urllib3.connectionpool:“POST /acme/new-order HTTP/1.1” 201 357
2020-09-02 13:07:46,687:DEBUG:acme.client:Received response:
HTTP 201
content-length: 357
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
location: https://acme-v02.api.letsencrypt.org/acme/order/91480453/4979823992
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:40 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002gmJ7X3k9SIWuLQ7ebLUfmV1tkPzH1oUB_1excUFqlGM

{
“status”: “pending”,
“expires”: “2020-09-09T05:08:40.481269952Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
}
],
“authorizations”: [
https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035
],
“finalize”: “https://acme-v02.api.letsencrypt.org/acme/finalize/91480453/4979823992
}
2020-09-02 13:07:46,687:DEBUG:acme.client:Storing nonce: 0002gmJ7X3k9SIWuLQ7ebLUfmV1tkPzH1oUB_1excUFqlGM
2020-09-02 13:07:46,688:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:46,689:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
{
“protected”: “eyJub25jZSI6ICIwMDAyZ21KN1gzazlTSVd1TFE3ZWJMVWZtVjF0a1B6SDFvVUJfMWV4Y1VGcWxHTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjkzMDI1MDAzNSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTQ4MDQ1MyIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “LKvPvYpxcPR7gYHv8EXtzzvcJc_0vj0Wb3CdQT0EIyEgCPUMcb_qG6qm8CoSCmPTSX5QZaYYd2mOtwuXlIN4J5nVFeHh9x3rCDoYuwbMXqPzRBZ9b98wmuV-aybrizneKCzQ64hskcENP6y3fVgepruvmvmNzSXgPF_b87ScHFTqvv3lPdypUOy60Gbyw4aqvRg5_jDc2aP-9R8QzA4ONHPH9Nmag0AbUE56jOgsZeDUMBllK1p78Yq8YcFZEAgDiXEKtpP1ADZy1u7VW92_GTyvum-eBzvDCtMgRFjjnwuUHQtdiL59-Wgt3_qeiNh0VnMSWXEdpVzPm3akeAaa-A”
}
2020-09-02 13:07:47,074:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 805
2020-09-02 13:07:47,075:DEBUG:acme.client:Received response:
HTTP 200
content-length: 805
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:41 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001iJYQh8rNebGLJumXapaPm5a6IO-4bAQVwY_SsuLiaek

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “pending”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/Bueq4Q”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/wC8_0A”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
]
}
2020-09-02 13:07:47,075:DEBUG:acme.client:Storing nonce: 0001iJYQh8rNebGLJumXapaPm5a6IO-4bAQVwY_SsuLiaek
2020-09-02 13:07:47,076:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-09-02 13:07:47,076:INFO:certbot._internal.auth_handler:http-01 challenge for staging.tite.rdc.nie.edu.sg
2020-09-02 13:07:47,096:DEBUG:certbot_nginx._internal.http_01:Generated server block:

2020-09-02 13:07:47,097:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2020-09-02 13:07:47,098:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2020-09-02 13:07:47,098:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2020-09-02 13:07:47,099:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;

}

2020-09-02 13:07:47,100:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/conf.d/default.conf:
server
{
#makes sures all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
return 302 https://$host$request_uri;
}

server
{
listen 443;

server_name tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #For Each mgb instance config file, the port set to listen is used for the following line
    proxy_pass http://localhost:8080/;
    # proxy_pass http://116.14.46.38:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{
listen 443;

server_name staging.tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8082/;
    # proxy_pass http://116.14.46.38:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

#makes sures all URL access are https
listen 80;
listen [::]:80  ;
return 302 https://$host$request_uri;

server_name staging.tite.rdc.nie.edu.sg; # managed by Certbot

location = /.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY{default_type text/plain;return 200 dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY.bJ9qdvBkA9JJc5yV3wkrkkz529BjRKYTK_5Th8z4lsk;} # managed by Certbot

}
2020-09-02 13:07:48,115:INFO:certbot._internal.auth_handler:Waiting for verification…
2020-09-02 13:07:48,116:DEBUG:acme.client:JWS payload:
{}
2020-09-02 13:07:48,118:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw:
{
“protected”: “eyJub25jZSI6ICIwMDAxaUpZUWg4ck5lYkdMSnVtWGFwYVBtNWE2SU8tNGJBUVZ3WV9Tc3VMaWFlayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvNjkzMDI1MDAzNS9kSHpCR3ciLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTE0ODA0NTMiLCAiYWxnIjogIlJTMjU2In0”,
“payload”: “e30”,
“signature”: “Kug88TWCrUyllkiojFZIpA5g00zd4W2nmHSezo35f-xX66KmqYyubewOhlmIVMdrQ9t_pTEn2AS_0qdfDpVW_gI3MdaSBNtbv3Ox9nfLIMf0owuSQorHRkybKbAAKykcvQVRYv5uaR8W5aT5LunHUIQJNaKwVuug4obZJZSYo0qxYB7kHzLKtlecYaTrCv6kKQX8IZ5S7YArfvWNGC5leOwA2H_ygv5lWDlV8Vty8grKNku8lYpcxGWhCpQTJq-2U5QlHJDNkgxHYY-Ukm75-pVJjE4NIMLZZW9l-xPaMza7JPRlefUXEPPEbljE8I-oyyT9Rm0O9d-vfuQGbQB77g”
}
2020-09-02 13:07:48,613:DEBUG:urllib3.connectionpool:“POST /acme/chall-v3/6930250035/dHzBGw HTTP/1.1” 200 185
2020-09-02 13:07:48,614:DEBUG:acme.client:Received response:
HTTP 200
content-length: 185
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035;rel=“up”
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:42 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002aW1dkjOHkzla-iIcK8DUjanbsuWr7SewySHe3yD-cyQ

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
2020-09-02 13:07:48,614:DEBUG:acme.client:Storing nonce: 0002aW1dkjOHkzla-iIcK8DUjanbsuWr7SewySHe3yD-cyQ
2020-09-02 13:07:49,616:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:49,618:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
{
“protected”: “eyJub25jZSI6ICIwMDAyYVcxZGtqT0hremxhLWlJY0s4RFVqYW5ic3VXcjdTZXd5U0hlM3lELWN5USIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjkzMDI1MDAzNSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTQ4MDQ1MyIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “ZQpFUnikv0HoP0PHSoSbwnIjwDSMJLvr8iGK3z_Bsk5Uh8UOHPynbkKe1WZBo51AVxwI9Xv6S61j-uRInohR3bhmgFHrF4t-TCY1cAtn7m9yp0dqlvxfHmBwdF4R1nscdF2iCUcp0inlv1Yn1BQY4f4yzJu8I8MBZ6G0nnhILvWhSTEtz_iX_wbMZaqDau-CWW5VKPiDEyr1yVwq2Hi5vI05xSUBktWQJt_yq0AN4sO2wWp7Y0wSHcD1sVtzHNGgUtDHkyoaf4lpc4zcAgIM9IkeZvM1ptkhnhpjHYAt2wLkm1T7p04oMDuDxmOEX_nlZJ5tPRNuGRTm55hyBv4KCQ”
}
2020-09-02 13:07:50,004:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 805
2020-09-02 13:07:50,005:DEBUG:acme.client:Received response:
HTTP 200
content-length: 805
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001KoVX1P9L1pQD973KsuJckZMTPz8blGO2bSCUe-3Nj6Q

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “pending”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/Bueq4Q”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/wC8_0A”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
]
}
2020-09-02 13:07:50,005:DEBUG:acme.client:Storing nonce: 0001KoVX1P9L1pQD973KsuJckZMTPz8blGO2bSCUe-3Nj6Q
2020-09-02 13:07:53,009:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:53,011:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
{
“protected”: “eyJub25jZSI6ICIwMDAxS29WWDFQOUwxcFFEOTczS3N1SmNrWk1UUHo4YmxHTzJiU0NVZS0zTmo2USIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjkzMDI1MDAzNSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTQ4MDQ1MyIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “QK6-nvdvoxSM9fwJVjNv3qVJJYg26A9PvWO8Icbl-B2_fFamwDkAu-dgZWJNGR2c2jnNr0IhVCzUYtMi4QESW4hy4hbejLyT2c6B2ZF4Zl0xpQN28WrWGGi3dvjVZw9pTiudml0O9rRX2Q4kl1ZgDE5KtIXw-ODMBEf7VlsWpd1_4sWw-6Cpma71kypLqlBDxA8BNGcU_xrU27ViVqf6bhuoycNGRRc9UcZxQNsJU23tbcwJOXv4ODW8kX58ZdEofXR2TAlmysIGmUmizKddvAaoo4or0zkWoqnMaW6u4nMKNyYn0TsPnxk0Jsr2_-RhoTH9AJxaAFaWFI4DJR_WLg”
}
2020-09-02 13:07:53,475:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 805
2020-09-02 13:07:53,476:DEBUG:acme.client:Received response:
HTTP 200
content-length: 805
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:47 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001UgnriIVG-ztTvnr88rMlfhW9A67xLi7eYwIB6UEl3mE

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “pending”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/Bueq4Q”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/wC8_0A”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
]
}
2020-09-02 13:07:53,476:DEBUG:acme.client:Storing nonce: 0001UgnriIVG-ztTvnr88rMlfhW9A67xLi7eYwIB6UEl3mE
2020-09-02 13:07:56,480:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:56,482:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
{
“protected”: “eyJub25jZSI6ICIwMDAxVWducmlJVkctenRUdm5yODhyTWxmaFc5QTY3eExpN2VZd0lCNlVFbDNtRSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvNjkzMDI1MDAzNSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85MTQ4MDQ1MyIsICJhbGciOiAiUlMyNTYifQ”,
“payload”: “”,
“signature”: “cwtgOro1C3eoiRvjE9-NwStc-a1jNkKTahvUfJbN8xlOQO9nH4wWAUZAdXjqaWpGpRs_VpLv4hkXK16X1BRCFe2V4QouBvYCm9G58_knECOoPS8j32afZholkK4r0RiFVzPcLaoAvaEyOIpJwC-q27JTpCZb5aT6LtwinqiNkgTWnXyKUKFCYJQ4koH-osqq0loGGr3JcbgDk0joRkGOH1WTS9RlPWVs3yqTGuCIc1A7P2IDBrogzH4zqLWdKROjd5xU6dRa2FotlyQUhNeiRer3B26PkZH_T-9vNgF6LW6z2rmmg6pLP9NeRTYiBOaGboRB52XvaeQxewX9eWvk1Q”
}
2020-09-02 13:07:56,864:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 1379
2020-09-02 13:07:56,865:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1379
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:50 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002mz6-CRLhSxf293hgna2H6sJvV_2IRYL9BpzXzpWxOQ4

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “invalid”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY [118.201.204.72]: 503”,
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”,
“validationRecord”: [
{
“url”: “http://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”,
“hostname”: “staging.tite.rdc.nie.edu.sg”,
“port”: “80”,
“addressesResolved”: [
“118.201.204.72”
],
“addressUsed”: “118.201.204.72”
},
{
“url”: “https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”,
“hostname”: “staging.tite.rdc.nie.edu.sg”,
“port”: “443”,
“addressesResolved”: [
“118.201.204.72”
],
“addressUsed”: “118.201.204.72”
}
]
}
]
}
2020-09-02 13:07:56,865:DEBUG:acme.client:Storing nonce: 0002mz6-CRLhSxf293hgna2H6sJvV_2IRYL9BpzXzpWxOQ4
2020-09-02 13:07:56,866:WARNING:certbot._internal.auth_handler:Challenge failed for domain staging.tite.rdc.nie.edu.sg
2020-09-02 13:07:56,866:INFO:certbot._internal.auth_handler:http-01 challenge for staging.tite.rdc.nie.edu.sg
2020-09-02 13:07:56,866:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: staging.tite.rdc.nie.edu.sg
Type: unauthorized
Detail: Invalid response from https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY [118.201.204.72]: 503

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-09-02 13:07:56,867:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2020-09-02 13:07:56,867:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-09-02 13:07:56,867:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-09-02 13:07:57,998:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/bin/certbot”, line 9, in
load_entry_point(‘certbot==1.6.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1353, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1102, in run
certname, lineage)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 418, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 351, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 398, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.
2020-09-02 13:07:57,999:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): Oracle Linux 7 (64-bit)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.6.0

Not sure if useful but here's my nginx default.conf:

server
{
#makes sures all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
return 302 https://$host$request_uri;
}

server
{
listen 443;

server_name tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #For Each mgb instance config file, the port set to listen is used for the following line
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{
listen 443;

server_name staging.tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

1 Like
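The `validationRecord` in the failed authorization above is what separates a DNS problem from a web-server one. This added example (not part of the original post; the host, token and address are constructed placeholders, and `load_authz` / `diagnose` are hypothetical helper names) reads such an object and reports the hops the validator took and the status the site returned.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the failed authorization in the log above
# (placeholder host, token and address), with the curly quotes a forum paste adds.
SAMPLE_AUTHZ = """
{
  “identifier”: {“type”: “dns”, “value”: “staging.example.test”},
  “status”: “invalid”,
  “challenges”: [
    {
      “type”: “http-01”,
      “status”: “invalid”,
      “error”: {
        “type”: “urn:ietf:params:acme:error:unauthorized”,
        “detail”: “Invalid response from https://staging.example.test/.well-known/acme-challenge/TOKEN [203.0.113.10]: 503”,
        “status”: 403
      },
      “token”: “TOKEN”,
      “validationRecord”: [
        {“url”: “http://staging.example.test/.well-known/acme-challenge/TOKEN”,
         “hostname”: “staging.example.test”, “port”: “80”,
         “addressesResolved”: [“203.0.113.10”], “addressUsed”: “203.0.113.10”},
        {“url”: “https://staging.example.test/.well-known/acme-challenge/TOKEN”,
         “hostname”: “staging.example.test”, “port”: “443”,
         “addressesResolved”: [“203.0.113.10”], “addressUsed”: “203.0.113.10”}
      ]
    },
    {“type”: “dns-01”, “status”: “pending”, “token”: “TOKEN”}
  ]
}
"""

# Typographic quotes break json.loads, so map them back to ASCII first.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})
# The status the web server returned is the trailing number in the error detail.
_ORIGIN_STATUS = re.compile(r":\s*(\d{3})\s*$")


def load_authz(text):
    """Parse an authorization object pasted from a certbot debug log."""
    return json.loads(text.translate(_QUOTES))


def diagnose(authz, expected_ip):
    """Summarise each failed challenge: hops taken, statuses, layer at fault."""
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        # One record per request the validator made, in order (redirects add hops).
        hops = [
            (urlsplit(rec["url"]).scheme, int(rec["port"]), rec.get("addressUsed"))
            for rec in chall.get("validationRecord", [])
        ]
        error = chall.get("error", {})
        match = _ORIGIN_STATUS.search(error.get("detail", ""))
        origin_status = int(match.group(1)) if match else None
        wrong_ip = sorted({str(addr) for _, _, addr in hops if addr != expected_ip})
        upgraded = any(a[0] == "http" and b[0] == "https"
                       for a, b in zip(hops, hops[1:]))
        if wrong_ip:
            verdict = "dns: validator connected to " + ", ".join(wrong_ip)
        elif upgraded:
            verdict = ("redirect: port 80 sent the challenge to HTTPS, "
                       "which answered %s" % origin_status)
        else:
            verdict = "origin: challenge URL answered %s without a redirect" % origin_status
        findings.append({
            "type": chall.get("type"),
            "hops": hops,
            "origin_status": origin_status,      # what the web server answered
            "acme_status": error.get("status"),  # status of the ACME problem document
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(load_authz(SAMPLE_AUTHZ), "203.0.113.10"):
        print(finding["type"], finding["hops"], finding["verdict"])
```

The 403 in the `error` object is the status of the ACME problem document; the 503 at the end of `detail` is what the site itself returned.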

Your nginx config may be too “complicated” for certbot to understand and properly modify.
Try using --certonly with --dry-run
(avoid the nginx installer for now)
[possibly with --webroot too (although that may require for you to include a reachable root/location for the challenge requests)].

2 Likes

To be (more) clear:
Adding --certonly will ensure that certbot --nginx won’t use the installer portion (that was already shown to have failed).
Adding --dry-run will simulate the entire process (trial run) - ensuring you don’t exceed your limits.
I expect that will fail; as the HTTP vhost config sends all connections to HTTPS and the HTTPS config proxies everything to who-knows-where. Leaving the challenge requests unhandled/unanswered.
Thus the need for the --webroot option and the addition of the corresponding location handler for those challenge requests.

Once that is all successful, you can remove the --dry-run option and proceed in getting an actual cert.

If you insist on having certbot do the installer option, I would recommend checking the nginx config.
sudo nginx -t
or better
sudo nginx -T
[and review the whole thing head to toe - there must be something a bit imperfect in there… somewhere]

2 Likes

Hi @rg305,
Thank you so much for your help on this. I have tried the approaches you have suggested but they all lead to the same error of 503 which I have been getting from the start. As you have suggested, I am looking and staring hard at my nginx config file now. Will definitely update if there is progress. Thanks!

nginx config:

server
{
#makes sures all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
return 302 https://$host$request_uri;
}

server
{
listen 443;

server_name tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #For Each mgb instance config file, the port set to listen is used for the following line
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{
listen 443;

server_name staging.tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

Try this; modify your first block as follows:

server
{
#makes sures all URL access are https [except ACME challenge requests]
listen 80;
listen [::]:80 default_server ipv6only=on;
   location /.well-known/acme-challenge/ {
       root /dedicatedACMEchallengeFOLDER/; #create a new folder to handle just these requests
       try_files $uri =405;
   }#location
return 302 https://$host$request_uri;
}#server

Then execute:

sudo certbot --certonly --webroot -w /dedicatedACMEchallengeFOLDER/ -d staging.tite.rdc.nie.edu.sg --dry-run
2 Likes
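A caveat on the layout above, as an added example that is not part of the original post: nginx runs server-level `return` directives before it selects a location, so a challenge `location` sitting beside a server-level `return 302` is never reached. The checker below (hypothetical helper names, a simplified tokenizer, constructed configs) flags that layout and accepts both the form with the redirect inside `location /` and the `rewrite ... break` form certbot writes in the log earlier on this page.

```python
import re

# Constructed configs. FLAWED mirrors the layout suggested in the thread;
# FIXED moves the redirect into "location /" so location matching happens first.
FLAWED = """
server {
    listen 80;
    location /.well-known/acme-challenge/ {
        root /etc/nginx/dedicatedACMEchallengeFOLDER/;
        try_files $uri =404;
    }
    return 302 https://$host$request_uri;
}
"""

FIXED = """
server {
    listen 80;
    location /.well-known/acme-challenge/ {
        root /etc/nginx/dedicatedACMEchallengeFOLDER/;
        try_files $uri =404;
    }
    location / {
        return 302 https://$host$request_uri;
    }
}
"""

# Layout certbot's nginx plugin writes: a server-level "rewrite ... break" ahead
# of the redirect ends rewrite-module processing for challenge URIs.
CERTBOT_STYLE = """
server {
    rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot
    listen 80;
    return 302 https://$host$request_uri;
    location = /.well-known/acme-challenge/TOKEN { return 200 KEYAUTH; }
}
"""

ACME_PREFIX = "/.well-known/acme-challenge"
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def tokenize(text):
    # Simplification: every "#" starts a comment, so "#" inside quotes is unsupported.
    return _TOKEN.findall(re.sub(r"#[^\n]*", "", text))


def parse(tokens):
    """Return a list of (name, args, block); block is None for simple directives."""
    out, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == ";":
            if words:
                out.append((words[0], words[1:], None))
            words = []
        elif tok == "{":
            if words:
                out.append((words[0], words[1:], parse(tokens)))
            words = []
        elif tok == "}":
            return out
        else:
            words.append(tok)
    return out


def server_blocks(directives):
    """Yield the body of every server block, including those nested in http {}."""
    for name, _args, block in directives:
        if block is None:
            continue
        if name == "server":
            yield block
        else:
            yield from server_blocks(block)


def shadowed_acme_locations(conf_text):
    """Report server blocks whose server-level return pre-empts an ACME location."""
    findings = []
    for block in server_blocks(parse(tokenize(conf_text))):
        stopped = False   # a server-level "rewrite <acme regex> ... break" was seen
        blocking = None   # first server-level return that still runs for challenges
        for name, args, _sub in block:
            if name == "rewrite" and args and args[-1] == "break" and ACME_PREFIX in args[0]:
                stopped = True
            elif name == "return" and not stopped and blocking is None:
                blocking = " ".join(args)
        acme = [" ".join(args) for name, args, sub in block
                if name == "location" and sub is not None
                and any(ACME_PREFIX in a for a in args)]
        if blocking and acme:
            findings.append({"return": blocking, "shadowed": acme})
    return findings


if __name__ == "__main__":
    for label, conf in (("flawed", FLAWED), ("fixed", FIXED), ("certbot", CERTBOT_STYLE)):
        print(label, shadowed_acme_locations(conf))
```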

And since your HTTP block is listening for IPv6 and forwarding to HTTPS, you should also
listen [::]:443;
in the HTTPS block.
Even though your FQDN does not resolve with any AAAA/IPv6 address (today), you should leave the code consistent for when that day comes.

2 Likes

Hi @rg305,

Thanks again! I am bad at this. Do I have to create a folder for this? I’m getting this error now: /dedicatedACMEchallengeFOLDER/ does not exist or is not a directory

1 Like

Yes, you will have to choose a unique “name” you like and then create that folder.
It can even be like:
/etc/nginx/challenges/
[any unique dedicated path will do]

2 Likes

Also, I was wondering what this error is pointing at —>
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

If I know then probably I could better get the server staff at my workplace to look into it. Thanks so much again

1 Like

That seems to be a standard error msg shown when it can’t reach the challenge file.

[that is why we use the LE staging environment with --dry-run, so those failures don’t count against you]

2 Likes

Hi @rg305,

I swear I am so bad at this. Thus far I have made the changes you gave, so here's my config file again:

server
{
#makes sure all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
location /.well-known/acme-challenge/ {
root /etc/nginx/dedicatedACMEchallengeFOLDER/;
try_files $uri =405;
}
return 302 https://$host$request_uri;
}

I think my path is wrong.

My cmd I executed: sudo certbot --certonly --webroot -w etc/nginx/dedicatedACMEchallengeFOLDER/ -d staging.tite.rdc.nie.edu.sg --dry- run

really appreciate the help :slight_smile: @rg305

2 Likes

Try placing a test file in that location to see if it can be reached from the Internet:
Make sure the file is “generic” type - not ending in .txt nor .html
something like:
/etc/nginx/dedicatedACMEchallengeFOLDER/test-file-1234
then try:
http://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/test-file-1234

There is a slash missing before etc
And a space before run ?

1 Like

Here it is in two lines:

sudo certbot --certonly --webroot -w /etc/nginx/dedicatedACMEchallengeFOLDER/ \
-d staging.tite.rdc.nie.edu.sg --dry-run
1 Like

Oh right, it's showing something different now. Funnily, the space was just some display issue.

My apologies, that should NOT have the two dashes.
Try:

sudo certbot certonly --webroot -w /etc/nginx/dedicatedACMEchallengeFOLDER \
-d staging.tite.rdc.nie.edu.sg --dry-run

Sorry it is 1 am here - 12 hours ahead of you :frowning: or is that behind you?

2 Likes

Great, it works… though it leads back to the same error. Ah, this is frustrating. Oh boy, 1am, so sorry about this, you should be sleeping.

1 Like

Oh, I’m 12 hours ahead, it’s lunch time now :shallow_pan_of_food: