Unauthorized, invalid response from https:// my domain

My domain is:
app.zerograu.com (a subdomain that point to my server ip)

I ran this command:
sudo certbot --nginx -d app.zerograu.com

It produced this output:
Domain: app.zerograu.com
Type: unauthorized
Detail: Invalid response from
https://app.zerograu.com/.well-known/acme-challenge/zoj...WoY
[2606:4700:3036::681b:9509]: "\n404 Not
Found\n\n

404 Not
Found

\n
openresty\n<"

My web server is (include version):
nginx 1.14.0

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
hostinger vps

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.31.0

why certbot are trying to access with https: https://app.zerograu.com/.well-known/acme-challenge/zoj...WoY
instead https: http://app.zerograu.com/.well-known/acme-challenge/zoj...WoY?

Because your hostname sits behind CloudFlare and there is a HTTP to HTTPS redirect in place. Let's Encrypt follows such redirects.

How can I solve? The guys who access these things are on vacation, can certbot use http instead?

Let's Encrypt does use HTTP to start with. But your server/CloudFlare redirects to HTTPS. It's not Let's Encrypt who chooses to do HTTPS.

I tried to turn off the auto redirect but still not working

The auto-redirect shouldn't matter, as long as the requests are ending up on your own server. Do you see the requests from the Let's Encrypt validation server in your webserver access logs?

yes, the access logs show the requests from the Let's Encrypt

Then there is a nginx configuration issue which prevents the nginx certbot plugin from working properly. You could try to use the webroot plugin by using:

certbot -a webroot -i nginx -w /path/to/the/webroot/of/your/site/ -d app.zerograu.com

By the way, if you want, you could also add it to your existing certificate. But it's perfectly possible to get a separate certificate for the app subdomain, your choice.

sorry, I did a mistake, I thought some logs were from Let's Encrypt but weren't

If you disable CloudFlare temporarily, does it work then?

I tried but don't :confused:

If CloudFlare is disabled, you should be able to see the requests by Let's Encrypt. If you don't, search harder :grin:

Also, try the webroot option I mentioned above for a change.

I tried the webroot option, same error. Well, I'll keep tryind harder :smiley:

solved guys!! thank u guys very much for the time spent with me!
the problem was in cloudflare poiting wrong ip, sorry hehe