When getting a certificate, it gives an authorization error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lefoshe.com

I ran this command: sudo certbot certonly -a webroot --webroot-path=/var/www/lefoshe.com/www/ -d lefoshe.com -d www.lefoshe.com

It produced this output: IMPORTANT NOTES:

My web server is (include version): nginx

The operating system my web server runs on is (include version): Debian 9.13

My hosting provider, if applicable, is: I use vps server.

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28

Hi @khorkov, and welcome to the LE community forum :slight_smile:

Let's have a look at the full nginx config (if it isn't too big), with:
nginx -T

2 Likes

OR

Perhaps try it this way:
[wrapped only for visual simplification]

sudo certbot certonly \
--webroot -w /var/www/lefoshe.com/www \
-d lefoshe.com -d www.lefoshe.com
2 Likes

Hello, in short: from the moment of setup until literally last month, certificates were added without problems by the command written above. I can't even imagine what could have happened, because the state of the server has not changed since the last successful certificate request.

P.S. How nginx is configured at this stage is not important, since the command above only adds certificates for manual configuration.

--webroot -w /var/www/lefoshe.com/www
-d lefoshe.com -d www.lefoshe.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lefoshe.com
http-01 challenge for www.lefoshe.com
Using the webroot path /var/www/lefoshe.com/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.lefoshe.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 5.101.51.238: Invalid response from http://www.lefoshe.com/.well-known/acme-challenge/RgYCt_OgMp4dJippsmWe_jqwpsHKZvinaLUB-PF3Jc0: 404

IMPORTANT NOTES:

```nginx
upstream backend-lefoshe.com {server unix:/var/run/php7.4-lefoshe.com.sock;}
server {
    listen 80;
    listen [::]:80;
    server_name lefoshe.com www.lefoshe.com;
    rewrite     ^   https://$server_name$request_uri? permanent;
    server_tokens off;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name         lefoshe.com;

    ssl_certificate /etc/letsencrypt/live/lefoshe.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lefoshe.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/lefoshe.com/chain.pem;

    if ($host = www.$server_name) {
        rewrite ^(.*) https://$server_name$request_uri? permanent;
    }

    if ($host != "lefoshe.com") {
        return 301 http://$http_host$request_uri;
    }

    include /etc/nginx/ssl;

    root                /var/www/lefoshe.com/www;
    access_log          /var/log/nginx/lefoshe.com-access.log;
    error_log           /var/log/nginx/lefoshe.com-error.log;
    index               index.php;
    server_tokens off;
    rewrite_log         on;

    location ~ /.well-known {
        allow all;
    }

    location /core/ {
        deny all;
    }
    location / {
        try_files       $uri $uri/ @rewrite;
    }
    location @rewrite {
        rewrite         ^/(.*)$ /index.php?q=$1;
    }
    location ~ \.php$ {
        include         fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass    backend-lefoshe.com;
    }
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|bmp)$ {
       access_log       off;
       expires          10d;
       break;
    }
    location ~ /\.ht {
        deny            all;
    }

    include acme;
}
```
Please show /etc/nginx/acme

1 Like

location ~ /.well-known {
allow all;
}

On lefoshe.com there's WordPress, but on www.lefoshe.com there's the default server block.

There's also no redirect from http to https. You want to use return 301, not rewrite -- nginx isn't apache2.

I think you might want to use the nginx certbot plugin.

1 Like

Yes, I understand. But for me it is not critical.

Since the command: sudo certbot certonly only gets the certificate, but does not install it, which means that nginx is not used.

It is used. It's serving the webroot.

And that webroot works for lefoshe.com but not for www.lefoshe.com -- and I don't know why, from that config.

1 Like

I tried it (sudo certbot certonly --standalone -d lefoshe.com -d www.lefoshe.com) and everything went well.

That means the problem was with the nginx configuration.

Using --standalone requires stopping nginx for renewals, it's not a good idea.

Try running

sudo certbot renew --dry-run --nginx --cert-name lefoshe.com

1 Like

Should I perform this action after receiving the certificates?

It includes --dry-run, you can run it whenever you want.

1 Like

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lefoshe.com.conf


Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
Attempting to renew cert (lefoshe.com) from /etc/letsencrypt/renewal/lefoshe.com.conf produced an unexpected error: The requested nginx plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lefoshe.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lefoshe.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


You should install that... :smiley:

1 Like

What's wrong with this option if it works? ( sudo certbot certonly --standalone -d lefoshe.com -d www.lefoshe.com)

That option only works if nothing is listening on port 80.

nginx should be listening on port 80.

1 Like
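The two sticking points in this thread are the 404 on www.lefoshe.com's challenge path (the port-80 block redirects to https://$server_name before anything is served, and only lefoshe.com is named on 443) and the later remark that --standalone only works when nothing listens on port 80. The script below is an added example, not the poster's configuration or certbot's code: it prints a port-80 server block that answers /.well-known/acme-challenge/ for every name before redirecting (a common nginx pattern, assumed here rather than taken from the thread), places a test token in the webroot exactly where certbot's webroot plugin would, fetches it over plain HTTP for each name the way the CA does (following redirects), and counts port-80 listeners from ss output so you can see why --standalone would fail while nginx is up. WEBROOT, DOMAINS, the token format and the ss sample in the self-test are constructed; the domain names are the thread's.

```shell
#!/bin/sh
# Pre-flight checks for http-01 validation through an nginx webroot.
# Added example for this thread; not the poster's config or certbot code.
# Assumptions (constructed): WEBROOT/DOMAINS defaults, curl and ss installed,
# and the port-80 block template below (standard pattern, not from the thread).
set -eu
NL='
'
WEBROOT="${WEBROOT:-/var/www/lefoshe.com/www}"
DOMAINS="${DOMAINS:-lefoshe.com www.lefoshe.com}"

# 1. Port-80 server block: serve the challenge path for every name BEFORE the
#    HTTPS redirect, so validation never depends on the TLS vhost or on which
#    name is listed on 443.  Usage: acme_http_block WEBROOT name1 name2 ...
acme_http_block() {
  webroot="$1"; shift
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $*;

    # ^~ takes precedence over regex locations such as "location ~ \\.php\$"
    location ^~ /.well-known/acme-challenge/ {
        root $webroot;
        default_type "text/plain";
        try_files \$uri =404;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# 2. Drop a test token where certbot's webroot plugin writes its own; prints path.
place_token() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf 'selfcheck-%s' "$2" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# 3. Classify what the CA would see: final status code and body for a token.
classify_response() {
  case "$1" in
    200) [ "$2" = "selfcheck-$3" ] && echo ok || echo "wrong-body (another vhost served the path)";;
    404) echo "not-found (webroot not served for this name, or rewritten away)";;
    000) echo "unreachable (DNS, firewall, or nothing listening on port 80)";;
    *)   echo "http-$1";;
  esac
}

# 4. Fetch the token over plain HTTP, following redirects as Let's Encrypt does.
check_domain() {
  url="http://$1/.well-known/acme-challenge/$2"
  out=$(curl -sS -L --max-redirs 5 -w "${NL}%{http_code}" "$url" 2>/dev/null || true)
  code="${out##*"$NL"}"          # last line: status code ("000" on connect failure)
  body="${out%"$NL"*}"           # everything before it: response body
  printf '%s -> %s\n' "$url" "$(classify_response "${code:-000}" "$body" "$2")"
}

# 5. --standalone needs port 80 free: count listeners in `ss -ltn` output on stdin.
#    Column 4 is Local Address:Port (0.0.0.0:80, [::]:80, *:80 all end in ":80").
port80_listeners() {
  awk '$4 ~ /:80$/ { n++ } END { print n + 0 }'
}

# Usage: WEBROOT=/var/www/site DOMAINS="a.example www.a.example" ./acme-selfcheck.sh run
if [ "${1:-}" = "run" ]; then
  token="$(date +%s)-$$"
  path=$(place_token "$WEBROOT" "$token")
  for d in $DOMAINS; do check_domain "$d" "$token"; done
  rm -f "$path"
  n=$(ss -ltn | port80_listeners)
  echo "port 80 listeners: $n (>0 means --standalone will fail; keep webroot or --nginx)"
fi
```

Run it with `run` after placing the generated block in front of the existing port-80 redirect; a `not-found` for one name and `ok` for the other reproduces exactly the asymmetry seen in the thread, and a non-zero listener count is the reason the renewal should stay on webroot or the nginx plugin rather than --standalone.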