"Unauthorized" "Invalid response"

I'm certain my CNAME is properly set up for this subdomain. I've successfully run certbot on four other subdomains on this particular server, so I have no idea why this one isn't working.


My domain is: searx.ryspace.xyz

I ran this command: certbot -v --nginx

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator nginx and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fb0e4067310>
Prep: True
Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fb0e4067310> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fb0e4067310>
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/130964089', new_authzr_uri=None, terms_of_service=None), 2ced3925e7784bf6ef82ccc0b9179e28, Meta(creation_dt=datetime.datetime(2021, 7, 17, 21, 5, 46, tzinfo=<UTC>), creation_host='vmi629291.contaboserver.net'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Date: Sun, 18 Jul 2021 20:18:36 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "Ryn8k9_IxC8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Not suggesting name "_"
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 282, in get_filtered_names
    filtered_names.add(enforce_le_validity(name))
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 476, in enforce_le_validity
    raise errors.ConfigurationError(
certbot.errors.ConfigurationError: _ contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ryspace.xyz
2: mail.ryspace.xyz
3: www.mail.ryspace.xyz
4: nextcloud.ryspace.xyz
5: searx.ryspace.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sun, 18 Jul 2021 20:18:37 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102O2QrT7O6BcpfqbpEtS29t-DQqRSKpcZizr3sgEO55PQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


Storing nonce: 0102O2QrT7O6BcpfqbpEtS29t-DQqRSKpcZizr3sgEO55PQ
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "searx.ryspace.xyz"\n    }\n  ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTMwOTY0MDg5IiwgIm5vbmNlIjogIjAxMDJPMlFyVDdPNkJjcGZxYnBFdFMyOXQtRFFxUlNLcGNaaXpyM3NnRU81NVBRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "JexZO5lqBP8zNJMjGqXzVm107JNu3I1cxF2G6Y6jM4KlyY3ICThvm0AYYa8SlEC1ncAQOfNIUQ1D9GfpGobFq1NsKtwbo1pSUKsbkkFIfwU9CH-s5rIBic2I7tCUL16xtRdGwGMN5bmpCXhDtJ2NfPXEWn1rqPN9e0BPoKpym_W_im-TyhgDoVTLTku3YU02iaYpW6L3sXfmztfRCNRR3Tq3yw48tl3bB8qH61gfYvFJG6XwgN0G3DfgiqTVy2AQ5hzCH1JJalQTLX_He-rr406toB7k42ghJYqf1BH4E0Y91AFzkU1F6CHGSbqmKdprj9R97F9eYK4h3i64Ksr1rg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInNlYXJ4LnJ5c3BhY2UueHl6IgogICAgfQogIF0KfQ"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 340
Received response:
HTTP 201
Server: nginx
Date: Sun, 18 Jul 2021 20:18:37 GMT
Content-Type: application/json
Content-Length: 340
Connection: keep-alive
Boulder-Requester: 130964089
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/130964089/11173211018
Replay-Nonce: 01015m4HVcvLxUm5-PBxY_OFBsl9KQ3dkJ-khMvGU-hzVUw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-07-25T20:18:37Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "searx.ryspace.xyz"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/14936545110"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/130964089/11173211018"
}
Storing nonce: 01015m4HVcvLxUm5-PBxY_OFBsl9KQ3dkJ-khMvGU-hzVUw
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14936545110:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTMwOTY0MDg5IiwgIm5vbmNlIjogIjAxMDE1bTRIVmN2THhVbTUtUEJ4WV9PRkJzbDlLUTNka0ota2hNdkdVLWh6VlV3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNDkzNjU0NTExMCJ9",
  "signature": "2zoCVngU7Pq_y7ZWB9azW1rewPkNySNoIrYrEujw_wEWdeaq1PHw14eCE6o_i127NpPGsf7U6YLFLWBu92-fe1DGjhRI3mfqA2cnmdaWrxEtcYTQVax9HHEKtnJIUZa7F9p24LHTX5SG4WOygYpovxzE6fd9X_1Qz4e8uB2fK_CBpJ7CZTebux-o59oNKwgRYo7Ycb01qbxG0Fb5BeOJJs6DwqtqteIDtvAmYkLUfO0qAGovAM3-i1PbkFMjdwcBOt7ErorofJLa1W9ir8NhnWPC-Qy6w28lPHvAG5qmuSNmMEsxQkNNI5UKCWQOiQTznxspltglSBS5wfgtmTgaPw",
  "payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/14936545110 HTTP/1.1" 200 798
Received response:
HTTP 200
Server: nginx
Date: Sun, 18 Jul 2021 20:18:38 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 130964089
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102cMwBc-JTc4O4NhxOE3frpMahjlg0TtNqckYaq-i8srA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "searx.ryspace.xyz"
  },
  "status": "pending",
  "expires": "2021-07-25T20:18:37Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/MspkKw",
      "token": "pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/RcSePA",
      "token": "pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/YnwQoQ",
      "token": "pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg"
    }
  ]
}
Storing nonce: 0102cMwBc-JTc4O4NhxOE3frpMahjlg0TtNqckYaq-i8srA
Performing the following challenges:
http-01 challenge for searx.ryspace.xyz
Generated server block:
[]
Creating backup of /etc/nginx/sites-enabled/mail
Creating backup of /etc/nginx/nginx.conf
Creating backup of /etc/nginx/sites-enabled/default
Creating backup of /etc/nginx/modules-enabled/50-mod-http-image-filter.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf
Creating backup of /etc/nginx/mime.types
Creating backup of /etc/nginx/sites-enabled/rysearx
Creating backup of /etc/nginx/modules-enabled/50-mod-mail.conf
Creating backup of /etc/nginx/sites-enabled/nextcloud
Creating backup of /etc/nginx/sites-enabled/ryspace
Creating backup of /etc/letsencrypt/options-ssl-nginx.conf
Creating backup of /etc/nginx/modules-enabled/50-mod-stream.conf
Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
include /etc/letsencrypt/le_http_01_cert_challenge.conf;
server_names_hash_bucket_size 128;

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

Writing nginx conf tree to /etc/nginx/sites-enabled/rysearx:
server {rewrite ^(/.well-known/acme-challenge/.*) $1 break; # managed by Certbot


        listen 80;
        server_name searx.ryspace.xyz ;
        root /usr/local/searx/searx;

        location /static {
        }

        location / {
                        include uwsgi_params;
                        uwsgi_pass unix://run/uwsgi/app/searx/socket;
        }
location = /.well-known/acme-challenge/pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg{default_type text/plain;return 200 pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg.n7YhZ_u5SBvtsdzsQK0E6ETR4D2F7Zyb4nCohQylbIw;} # managed by Certbot

}

Waiting for verification...
JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/MspkKw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTMwOTY0MDg5IiwgIm5vbmNlIjogIjAxMDJjTXdCYy1KVGM0TzROaHhPRTNmcnBNYWhqbGcwVHROcWNrWWFxLWk4c3JBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xNDkzNjU0NTExMC9Nc3BrS3cifQ",
  "signature": "Dduce5auMo2pTuVYLerx0XZQrNktXi2T_qiOsCu9WFF9q5XeD6vcze7V72WkNDxso9kdGPXMS_CtdR0GsPTLbT1XF1M5JSZvRH7qeiYHWXByM7Tv6hL3QZtZ2gfwziD-EO5XCr54CHwteIA2R1fMPa6OnrMl8iPvB48cQikDfyzMHtanZ0xBHUVQN_sNyOslDf3bG-6ayJhhBsc-v2D724tvnBeFORjWM_xILvbfaFaER77mEprxdhM3qHDQROJ54KxTxRlKlhRAjRezo_-zscqSKZEoRkeU1addzq3C1llTRYsBfPLl4uk3z6Sfak3CZOnXnQaRQyiaq9ay1CyTMQ",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/14936545110/MspkKw HTTP/1.1" 200 186
Received response:
HTTP 200
Server: nginx
Date: Sun, 18 Jul 2021 20:18:39 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 130964089
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/14936545110>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/MspkKw
Replay-Nonce: 0101vuADbwMt4urgTKQQZqn26lSDAEW-Nfk65L1emSAJx5Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/MspkKw",
  "token": "pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg"
}
Storing nonce: 0101vuADbwMt4urgTKQQZqn26lSDAEW-Nfk65L1emSAJx5Y
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14936545110:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTMwOTY0MDg5IiwgIm5vbmNlIjogIjAxMDF2dUFEYndNdDR1cmdUS1FRWnFuMjZsU0RBRVctTmZrNjVMMWVtU0FKeDVZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNDkzNjU0NTExMCJ9",
  "signature": "o6kX-SpIi6dp7MHI-1qxBNsyYdZGQNVHhnhwA1TpA8q7ANgJpJj_6ANZenAqVVMFo1TGx3147GvFQHtSa7546YX-hB2qvBoBoLSpVpfiYhGKNdn2_cSL-oscK_-ft99yBM_99L5LXzQAF_roVwpmAZaN3XgsRHV1NqZp61Mog9yIbuSLjqoSbfpLkyLf1pc2kbVB7ZbZPLMCIVthhIGLPnJJlCm_lI23_Y8ToEP8YyTLrc8DCUdK_ozfC92ybWdLnLBJ37RSuaJPGWTEdZPnLDwQUKC5UeR3qrRr-PJtlYAVDZ8e7VzteVOJEf82A2S0zAs0AEiWgSldf_ArBYHh1g",
  "payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/14936545110 HTTP/1.1" 200 1358
Received response:
HTTP 200
Server: nginx
Date: Sun, 18 Jul 2021 20:18:40 GMT
Content-Type: application/json
Content-Length: 1358
Connection: keep-alive
Boulder-Requester: 130964089
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101LWEoEng_dRxjq3U1IBlc2IYh-maf1gZ3DvUQEqaFqWA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "searx.ryspace.xyz"
  },
  "status": "invalid",
  "expires": "2021-07-25T20:18:37Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://searx.ryspace.xyz/.well-known/acme-challenge/pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg [2a02:c207:2062:9291::1]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.18.0 (Ub\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14936545110/MspkKw",
      "token": "pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg",
      "validationRecord": [
        {
          "url": "http://searx.ryspace.xyz/.well-known/acme-challenge/pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg",
          "hostname": "searx.ryspace.xyz",
          "port": "80",
          "addressesResolved": [
            "144.91.111.173",
            "2a02:c207:2062:9291::1"
          ],
          "addressUsed": "2a02:c207:2062:9291::1"
        }
      ],
      "validated": "2021-07-18T20:18:39Z"
    }
  ]
}
Storing nonce: 0101LWEoEng_dRxjq3U1IBlc2IYh-maf1gZ3DvUQEqaFqWA
Challenge failed for domain searx.ryspace.xyz
http-01 challenge for searx.ryspace.xyz
Reporting to user: The following errors were reported by the server:

Domain: searx.ryspace.xyz
Type:   unauthorized
Detail: Invalid response from http://searx.ryspace.xyz/.well-known/acme-challenge/pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg [2a02:c207:2062:9291::1]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1132, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: searx.ryspace.xyz
   Type:   unauthorized
   Detail: Invalid response from
   http://searx.ryspace.xyz/.well-known/acme-challenge/pbotxsphIj5YhOc0-t_8rpdB7UsuWPd7Ls2S3FXzPHg
   [2a02:c207:2062:9291::1]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Well... there are multiple things amiss here.

Your IPv6 (AAAA record) and IPv4 (A record) addresses seem to be pointing to different servers. I suspect your IPv6 address to be incorrect. The server at your IPv4 address is responding with HTTP 500 INTERNAL SERVER ERROR for all port 80 (http) queries.

An http-01 challenge starts from a domain name on port 80 (http) then follows up to 10 redirects to domain names on either port 80 (http) or port 443 (https). IPv6 addresses (DNS AAAA records) are given priority over IPv4 addresses (DNS A records) for challenge requests.

1 Like

Your IPv6 (AAAA record) and IPv4 (A record) addresses seem to be pointing to different servers

I don't know how that's possible. Multiple other subdomains on this top level are working just fine (e.g. nextcloud., mail.) - I set this one up exactly the same with a CNAME entry for searx.

One thing I noticed after posting is that I forgot a listen [::]:80 ; line in my nginx conf for this particular subdomain. I'd attempt to see if that fixed the problem, however, I'm currently rate limited (I was rage "change and try again"-ing) so I'll have to wait a bit to see.

This particular setup is weird compared to other subdomains, as the instructions to install this particular instance (it's a Searx search engine) actually set the root to somewhere in /usr/local/.... rather than the typical /var/www/ so it's been throwing me for a loop.

Once I'm no longer rate limited, I'll take another crack at it and see how it goes.

Thanks for taking the time to look at this with me.

1 Like
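The two observations in the posts above (the validator preferring the AAAA address, and the server block having no IPv6 listen line) can be checked together from the certbot log itself. This is an added example, not code from any poster or from certbot; `listen_families` and `diagnose` are hypothetical helper names, and the JSON and server block are trimmed copies of what the log shows.

```python
import ipaddress
import json
import re

# Trimmed copy of the failed authorization object from the certbot log above.
AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "searx.ryspace.xyz"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "validationRecord": [{
      "hostname": "searx.ryspace.xyz",
      "port": "80",
      "addressesResolved": ["144.91.111.173", "2a02:c207:2062:9291::1"],
      "addressUsed": "2a02:c207:2062:9291::1"
    }]
  }]
}
"""

# The searx server block from the log, certbot's temporary challenge lines left out.
SERVER_BLOCK = """
server {
        listen 80;
        server_name searx.ryspace.xyz ;
        root /usr/local/searx/searx;
}
"""

LISTEN_RE = re.compile(r"(?<![\w-])listen\s+([^;]+);")


def listen_families(server_block, port=80):
    """Return the IP versions (4 and/or 6) this block accepts on `port`."""
    text = re.sub(r"#.*", "", server_block)      # drop comments
    directives = LISTEN_RE.findall(text)
    if not directives:                           # no listen: nginx uses *:80 as root
        return {4} if port == 80 else set()
    families = set()
    for args in directives:
        addr, *flags = args.split()
        if addr.startswith("unix:"):
            continue
        if addr.startswith("["):                 # [::]:80, [::1], ...
            version, (_, sep, p) = 6, addr.partition("]:")
        elif addr.isdigit():                     # bare port: IPv4 wildcard
            version, sep, p = 4, ":", addr
        else:                                    # 1.2.3.4:80, *:80, hostname
            version, (_, sep, p) = 4, addr.partition(":")
        if (int(p) if sep else 80) != port:
            continue
        families.add(version)
        if version == 6 and "ipv6only=off" in flags:
            families.add(4)                      # one socket serving both families
    return families


def diagnose(authz, server_block):
    """For each failed http-01 attempt, report the address the CA connected to
    and whether the named server block listens on that address family."""
    findings = []
    for chall in authz["challenges"]:
        if chall["type"] != "http-01" or chall["status"] != "invalid":
            continue
        for rec in chall.get("validationRecord", []):
            used = ipaddress.ip_address(rec["addressUsed"])
            served = listen_families(server_block, int(rec["port"]))
            findings.append({
                "name": rec["hostname"],
                "address_used": str(used),
                "ip_version": used.version,
                "block_listens": used.version in served,
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(json.loads(AUTHZ_JSON), SERVER_BLOCK):
        print(finding)
```

When `block_listens` is false, the request arrived on an address family the named block does not bind, so nginx answered from whichever server is the default for that socket, and the challenge location certbot wrote into the searx block was never consulted.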

You really should be testing with the staging environment.

Use this for now (--dry-run uses the staging environment):

sudo certbot certonly --nginx -d "searx.ryspace.xyz" --dry-run

Use this when you're no longer rate-limited:

sudo certbot --nginx -d "searx.ryspace.xyz"

1 Like

staging environment

Honestly didn't even know that was a thing, lol

When I was putting this together, I was just kind of expecting it to go through without a hitch, but for future projects, I'll keep that in mind.

1 Like

You can test right now using the staging environment without needing to wait for the production environment rate limit to phase out.

1 Like

So there were several configuration issues I had in the application itself, but I'm pretty sure that the main cause of this particular error was that there wasn't anything listening on the IPv6 address.

I've gone through, reinstalled and reconfigured the application, ran a dry run, and it appeared to have gone through with no issues.

I ran it live, and it was successful. The only thing is, I'm used to it asking me if I want to automatically redirect all HTTP traffic through TLS which this particular version of the command didn't do, so all I have left to do is just go manually add the lines that certbot usually does (I can just copy those from my other subdomains)

server {
    if ($host = searx.ryspace.xyz) {
        return 301 https://$host$request_uri;
    }

    # My usual listen on :80 & [::]:80 lines and server_name call here

    return 404;
}

server {

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name searx.ryspace.xyz;

    ssl_certificate /etc/letsencrypt/live/searx.ryspace.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/searx.ryspace.xyz/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
1 Like

I don't see a listen [::]:80 anywhere in there.

1 Like

Did you use the second command I gave you or just remove --dry-run from the first command?

(Note the absence of certonly in the second command.)

1 Like
