To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: staging.tite.rdc.nie.edu.sg

I ran this command: sudo certbot --nginx -d staging.tite.rdc.nie.edu.sg

It produced this output:
2020-09-02 13:07:43,341:DEBUG:certbot._internal.main:certbot version: 1.6.0
2020-09-02 13:07:43,342:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'staging.tite.rdc.nie.edu.sg']
2020-09-02 13:07:43,342:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-02 13:07:43,358:DEBUG:certbot._internal.log:Root logging level set at 20
2020-09-02 13:07:43,358:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-02 13:07:43,359:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2020-09-02 13:07:43,504:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f730e9b3e50>
Prep: True
2020-09-02 13:07:43,504:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f730e9b3e50> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f730e9b3e50>
2020-09-02 13:07:43,504:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2020-09-02 13:07:43,528:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-v02.api.letsencrypt.org/acme/acct/91480453’, new_authzr_uri=None, terms_of_service=None), a9a8505f67992bde962a05c239b325ee, Meta(creation_host=u’RDCtite’, register_to_eff=None, creation_dt=datetime.datetime(2020, 7, 16, 7, 16, 24, tzinfo=)))>
2020-09-02 13:07:43,530:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-09-02 13:07:43,538:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-09-02 13:07:45,098:DEBUG:urllib3.connectionpool:“GET /directory HTTP/1.1” 200 658
2020-09-02 13:07:45,100:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Wed, 02 Sep 2020 05:08:39 GMT
x-frame-options: DENY
content-type: application/json

{
"5ZmrU-tatX8": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-09-02 13:07:45,101:INFO:certbot._internal.main:Obtaining a new certificate
2020-09-02 13:07:45,146:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0036_key-certbot.pem
2020-09-02 13:07:45,148:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0036_csr-certbot.pem
2020-09-02 13:07:45,149:DEBUG:acme.client:Requesting fresh nonce
2020-09-02 13:07:45,149:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-09-02 13:07:45,518:DEBUG:urllib3.connectionpool:“HEAD /acme/new-nonce HTTP/1.1” 200 0
2020-09-02 13:07:45,519:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
cache-control: public, max-age=0, no-cache
date: Wed, 02 Sep 2020 05:08:39 GMT
x-frame-options: DENY
replay-nonce: 0001nMmWeJAWIdzIWPY186RyMiAfKK0qlGwuJhz3m0wPUHU

2020-09-02 13:07:45,519:DEBUG:acme.client:Storing nonce: 0001nMmWeJAWIdzIWPY186RyMiAfKK0qlGwuJhz3m0wPUHU
2020-09-02 13:07:45,520:DEBUG:acme.client:JWS payload:
{
“identifiers”: [
{
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
}
]
}
2020-09-02 13:07:45,521:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2020-09-02 13:07:46,686:DEBUG:urllib3.connectionpool:“POST /acme/new-order HTTP/1.1” 201 357
2020-09-02 13:07:46,687:DEBUG:acme.client:Received response:
HTTP 201
content-length: 357
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
location: https://acme-v02.api.letsencrypt.org/acme/order/91480453/4979823992
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:40 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002gmJ7X3k9SIWuLQ7ebLUfmV1tkPzH1oUB_1excUFqlGM

{
"status": "pending",
"expires": "2020-09-09T05:08:40.481269952Z",
"identifiers": [
{
"type": "dns",
"value": "staging.tite.rdc.nie.edu.sg"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/91480453/4979823992"
}
2020-09-02 13:07:46,687:DEBUG:acme.client:Storing nonce: 0002gmJ7X3k9SIWuLQ7ebLUfmV1tkPzH1oUB_1excUFqlGM
2020-09-02 13:07:46,688:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:46,689:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
2020-09-02 13:07:47,074:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 805
2020-09-02 13:07:47,075:DEBUG:acme.client:Received response:
HTTP 200
content-length: 805
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:41 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001iJYQh8rNebGLJumXapaPm5a6IO-4bAQVwY_SsuLiaek

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “pending”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/Bueq4Q”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/wC8_0A”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
]
}
2020-09-02 13:07:47,075:DEBUG:acme.client:Storing nonce: 0001iJYQh8rNebGLJumXapaPm5a6IO-4bAQVwY_SsuLiaek
2020-09-02 13:07:47,076:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-09-02 13:07:47,076:INFO:certbot._internal.auth_handler:http-01 challenge for staging.tite.rdc.nie.edu.sg
2020-09-02 13:07:47,096:DEBUG:certbot_nginx._internal.http_01:Generated server block:

2020-09-02 13:07:47,097:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2020-09-02 13:07:47,098:DEBUG:certbot.reverter:Creating backup of /etc/nginx/conf.d/default.conf
2020-09-02 13:07:47,098:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2020-09-02 13:07:47,099:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;

}

2020-09-02 13:07:47,100:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/conf.d/default.conf:
server
{
#makes sures all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
return 302 https://$host$request_uri;
}

server
{
listen 443;

server_name tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #For Each mgb instance config file, the port set to listen is used for the following line
    proxy_pass http://localhost:8080/;
    # proxy_pass http://116.14.46.38:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{
listen 443;

server_name staging.tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8082/;
    # proxy_pass http://116.14.46.38:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot

#makes sures all URL access are https
listen 80;
listen [::]:80  ;
return 302 https://$host$request_uri;

server_name staging.tite.rdc.nie.edu.sg; # managed by Certbot

location = /.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY{default_type text/plain;return 200 dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY.bJ9qdvBkA9JJc5yV3wkrkkz529BjRKYTK_5Th8z4lsk;} # managed by Certbot

}
2020-09-02 13:07:48,115:INFO:certbot._internal.auth_handler:Waiting for verification…
2020-09-02 13:07:48,116:DEBUG:acme.client:JWS payload:
{}
2020-09-02 13:07:48,118:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw:
2020-09-02 13:07:48,613:DEBUG:urllib3.connectionpool:“POST /acme/chall-v3/6930250035/dHzBGw HTTP/1.1” 200 185
2020-09-02 13:07:48,614:DEBUG:acme.client:Received response:
HTTP 200
content-length: 185
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035;rel=“up”
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:42 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002aW1dkjOHkzla-iIcK8DUjanbsuWr7SewySHe3yD-cyQ

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
2020-09-02 13:07:48,614:DEBUG:acme.client:Storing nonce: 0002aW1dkjOHkzla-iIcK8DUjanbsuWr7SewySHe3yD-cyQ
2020-09-02 13:07:49,616:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:49,618:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
2020-09-02 13:07:50,004:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 805
2020-09-02 13:07:50,005:DEBUG:acme.client:Received response:
HTTP 200
content-length: 805
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001KoVX1P9L1pQD973KsuJckZMTPz8blGO2bSCUe-3Nj6Q

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “pending”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/Bueq4Q”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/wC8_0A”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
]
}
2020-09-02 13:07:50,005:DEBUG:acme.client:Storing nonce: 0001KoVX1P9L1pQD973KsuJckZMTPz8blGO2bSCUe-3Nj6Q
2020-09-02 13:07:53,009:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:53,011:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
2020-09-02 13:07:53,475:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 805
2020-09-02 13:07:53,476:DEBUG:acme.client:Received response:
HTTP 200
content-length: 805
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:47 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001UgnriIVG-ztTvnr88rMlfhW9A67xLi7eYwIB6UEl3mE

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “pending”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/Bueq4Q”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/wC8_0A”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”
}
]
}
2020-09-02 13:07:53,476:DEBUG:acme.client:Storing nonce: 0001UgnriIVG-ztTvnr88rMlfhW9A67xLi7eYwIB6UEl3mE
2020-09-02 13:07:56,480:DEBUG:acme.client:JWS payload:

2020-09-02 13:07:56,482:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6930250035:
2020-09-02 13:07:56,864:DEBUG:urllib3.connectionpool:“POST /acme/authz-v3/6930250035 HTTP/1.1” 200 1379
2020-09-02 13:07:56,865:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1379
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
boulder-requester: 91480453
date: Wed, 02 Sep 2020 05:08:50 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002mz6-CRLhSxf293hgna2H6sJvV_2IRYL9BpzXzpWxOQ4

{
“identifier”: {
“type”: “dns”,
“value”: “staging.tite.rdc.nie.edu.sg”
},
“status”: “invalid”,
“expires”: “2020-09-09T05:08:40Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY [118.201.204.72]: 503”,
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/6930250035/dHzBGw”,
“token”: “dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”,
“validationRecord”: [
{
“url”: “http://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”,
“hostname”: “staging.tite.rdc.nie.edu.sg”,
“port”: “80”,
“addressesResolved”: [
“118.201.204.72”
],
“addressUsed”: “118.201.204.72”
},
{
“url”: “https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY”,
“hostname”: “staging.tite.rdc.nie.edu.sg”,
“port”: “443”,
“addressesResolved”: [
“118.201.204.72”
],
“addressUsed”: “118.201.204.72”
}
]
}
]
}
2020-09-02 13:07:56,865:DEBUG:acme.client:Storing nonce: 0002mz6-CRLhSxf293hgna2H6sJvV_2IRYL9BpzXzpWxOQ4
2020-09-02 13:07:56,866:WARNING:certbot._internal.auth_handler:Challenge failed for domain staging.tite.rdc.nie.edu.sg
2020-09-02 13:07:56,866:INFO:certbot._internal.auth_handler:http-01 challenge for staging.tite.rdc.nie.edu.sg
2020-09-02 13:07:56,866:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: staging.tite.rdc.nie.edu.sg
Type: unauthorized
Detail: Invalid response from https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY [118.201.204.72]: 503

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-09-02 13:07:56,867:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2020-09-02 13:07:56,867:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-09-02 13:07:56,867:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-09-02 13:07:57,998:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in <module>
load_entry_point(‘certbot==1.6.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1353, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1102, in run
certname, lineage)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 418, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 351, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 398, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.
2020-09-02 13:07:57,999:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): Oracle Linux 7 (64-bit)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.6.0

Not sure if useful but here's my nginx default.conf:

server
{
#makes sures all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
return 302 https://$host$request_uri;
}

server
{
listen 443;

server_name tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #For Each mgb instance config file, the port set to listen is used for the following line
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{
listen 443;

server_name staging.tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

Your nginx config may be too “complicated” for certbot to understand and properly modify.
Try using --certonly with --dry-run
(avoid the nginx installer for now)
[possibly with --webroot too (although that may require for you to include a reachable root/location for the challenge requests)].

To be (more) clear:
Adding --certonly will ensure that certbot --nginx won’t use the installer portion (that was already shown to have failed).
Adding --dry-run will simulate the entire process (trial run) - ensuring you don’t exceed your limits.
I expect that will fail; as the HTTP vhost config sends all connections to HTTPS and the HTTPS config proxies everything to who-knows-where. Leaving the challenge requests unhandled/unanswered.
Thus the need for the --webroot option and the addition of the corresponding location handler for those challenge requests.

Once that is all successful, you can remove the --dry-run option and proceed in getting an actual cert.

If you insist on having certbot do the installer option, I would recommend checking the nginx config.
sudo nginx -t
or better
sudo nginx -T
[and review the whole thing head to toe - there must be something a bit imperfect in there… somewhere]
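
The redirect-then-proxy path described in the reply above can be read straight from the `validationRecord` of the failed authorization in the log. An added example (not part of the thread and not certbot code) that walks those hops; the function names are hypothetical, and reading the site's status from the end of the `detail` string assumes the message format shown in this log:

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the failed http-01 challenge from the final authorization
# response in the log above, with straight quotes restored and the two
# still-pending challenges (dns-01, tls-alpn-01) left out.
AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "staging.tite.rdc.nie.edu.sg"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY [118.201.204.72]: 503",
        "status": 403
      },
      "token": "dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY",
      "validationRecord": [
        {
          "url": "http://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY",
          "hostname": "staging.tite.rdc.nie.edu.sg",
          "port": "80",
          "addressesResolved": ["118.201.204.72"],
          "addressUsed": "118.201.204.72"
        },
        {
          "url": "https://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/dIPGeOi1LcnXS_woj22RoqmjIvowmxN-LLtV1AKSJCY",
          "hostname": "staging.tite.rdc.nie.edu.sg",
          "port": "443",
          "addressesResolved": ["118.201.204.72"],
          "addressUsed": "118.201.204.72"
        }
      ]
    }
  ]
}
"""

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def summarize_failures(authz):
    """Return one summary dict per invalid challenge in an ACME authorization."""
    summaries = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        error = chall.get("error", {})
        # The CA's problem document has its own status (403 here); the status
        # the validator got from the site only appears at the end of "detail".
        match = re.search(r"\]:\s*(\d{3})\s*$", error.get("detail", ""))
        hops = []
        for rec in chall.get("validationRecord", []):
            url = urlsplit(rec["url"])
            hops.append({
                "scheme": url.scheme,
                "port": int(rec["port"]),
                "address": rec.get("addressUsed"),
                # True when this hop still asked for the challenge path
                "path_ok": url.path == CHALLENGE_PREFIX + chall["token"],
            })
        summaries.append({
            "type": chall["type"],
            "acme_problem_status": error.get("status"),
            "origin_http_status": int(match.group(1)) if match else None,
            "hops": hops,
            "redirected_to_https": (len(hops) > 1
                                    and hops[0]["scheme"] == "http"
                                    and hops[-1]["scheme"] == "https"),
        })
    return summaries


def findings(summary):
    """Turn one summary into short statements an operator can act on."""
    out = []
    hops = summary["hops"]
    if summary["redirected_to_https"]:
        out.append("port %d redirected the challenge request to HTTPS on port %d; "
                   "the response was judged on the last hop"
                   % (hops[0]["port"], hops[-1]["port"]))
    status = summary["origin_http_status"]
    if status is not None and status >= 500 and hops:
        out.append("an HTTP server answered at %s with %d instead of the "
                   "challenge response" % (hops[-1]["address"], status))
    if hops and not all(h["path_ok"] for h in hops):
        out.append("a redirect changed the challenge path")
    return out


def summarize_sample():
    """Summaries for the constructed sample embedded above."""
    return summarize_failures(json.loads(AUTHZ_JSON))


if __name__ == "__main__":
    for s in summarize_sample():
        print(s["type"], "CA status", s["acme_problem_status"],
              "site status", s["origin_http_status"])
        for line in findings(s):
            print(" -", line)
```
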

Hi @rg305,
Thank you so much for your help on this. I have tried the approaches you have suggested but they all lead to the same error of 503 which I have been getting from the start. As you have suggested, I am looking and staring hard at my nginx config file now. Will definitely update if there is progress. Thanks!

nginx config:

server
{
#makes sures all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
return 302 https://$host$request_uri;
}

server
{
listen 443;

server_name tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    #For Each mgb instance config file, the port set to listen is used for the following line
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

server
{
listen 443;

server_name staging.tite.rdc.nie.edu.sg;

location /
{
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:8080/;
    #proxy_pass http://118.201.204.72:8080/;
    proxy_ssl_session_reuse off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;

    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
}

}

Try this; modify your first block as follows:

server
{
#makes sures all URL access are https [except ACME challenge requests]
listen 80;
listen [::]:80 default_server ipv6only=on;
   location /.well-known/acme-challenge/ {
       root /dedicatedACMEchallengeFOLDER/; #create a new folder to handle just these requests
       try_files $uri 405;
   }#location
return 302 https://$host$request_uri;
}#server

Then execute:

sudo certbot --certonly --webroot -w /dedicatedACMEchallengeFOLDER/ -d staging.tite.rdc.nie.edu.sg --dry-run

And since your HTTP block is listening for IPv6 and forwarding to HTTPS, you should also
listen [::]:443;
in the HTTPS block.
Even though your FQDN does not resolve with any AAAA/IPv6 address (today), you should leave the code consistent for when that day comes.

Hi @rg305,

Thanks again! I am bad at this. Do I have to create a folder for this? I’m getting this error now /dedicatedACMEchallengeFOLDER/ does not exist or is not a directory

Yes, you will have to choose a unique “name” you like and then create that folder.
It can even be like:
/etc/nginx/challenges/
[any unique dedicated path will do]

Also, I was wondering what this error is pointing at —>
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

If I know then probably I could better get the server staff at my workplace to look into it. Thanks so much again

That seems to be a standard error msg shown when it can’t reach the challenge file.

[that is why we use the LE staging environment with --dry-run, so those failures don’t count against you]

Hi @rg305,

I swear I am so bad at this. Thus far I have made the changes you gave, so here's my config file again:

server
{
#makes sure all URL access are https
listen 80;
listen [::]:80 default_server ipv6only=on;
location /.well-known/acme-challenge/ {
root /etc/nginx/dedicatedACMEchallengeFOLDER/;
try_files $uri 405;
}
return 302 https://$host$request_uri;
}

I think my path is wrong

My cmd I executed: sudo certbot --certonly --webroot -w etc/nginx/dedicatedACMEchallengeFOLDER/ -d staging.tite.rdc.nie.edu.sg --dry- run

really appreciate the help :slight_smile: @rg305

Try placing a test file in that location to see if it can be reached from the Internet:
Make sure the file is “generic” type - not ending in .txt nor .html
something like:
/etc/nginx/dedicatedACMEchallengeFOLDER/test-file-1234
then try:
http://staging.tite.rdc.nie.edu.sg/.well-known/acme-challenge/test-file-1234

There is a slash missing before etc
And a space before run ?

Here it is in two lines:

sudo certbot --certonly --webroot -w /etc/nginx/dedicatedACMEchallengeFOLDER/ \
-d staging.tite.rdc.nie.edu.sg --dry-run

Oh right, it's showing something different now. Funnily, the space was just some display issue.

My apologies, that should NOT have the two dashes.
Try:

sudo certbot certonly --webroot -w /etc/nginx/dedicatedACMEchallengeFOLDER \
-d staging.tite.rdc.nie.edu.sg --dry-run

Sorry it is 1 am here - 12 hours ahead of you :frowning: or is that behind you?

Great, it works… though it leads back to the same error, ah this is frustrating. Oh boy, 1am, so sorry about this, you should be sleeping.

Oh, I’m 12 hours ahead, it's lunch time now :shallow_pan_of_food: