I'm experiencing a strange issue when requesting Let's Encrypt certificates for a Next.js app hosted with an Nginx reverse proxy.
I personally have a dedicated Nginx reverse proxy config template for configuring subdomains, which I used to configure web servers for multiple apps and subdomains:
    server {
        server_name subdomain.example.com;
        location / {
            proxy_pass http://localhost:8888;
            include /etc/nginx/proxy_params;
        }
        access_log /var/log/nginx/example-subdomain.log;
        error_log /var/log/nginx/example-subdomain-error.log crit;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        listen 80;
    }
However, when running sudo certbot --nginx -d subdomain.example.com, certbot fails with the following log. Note that this is the very first time I've encountered such an error, especially as both config and command were working successfully in my previous attempts.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for subdomain.example.com
    Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
      Domain: quantumteknologi.com
      Type: unauthorized
      Detail: 2400:6180:0:d0::15f6:1001: Invalid response from http://subdomain.example.com/.well-known/acme-challenge/hYZEXfMlhq-UDKblyOM2kXk_y-bbNJ5NOzTQly1AXeo: 404
    Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
After further investigation, the requested http://subdomain.example.com/.well-known/acme-challenge/hYZEXfMlhq-UDKblyOM2kXk_y-bbNJ5NOzTQly1AXeo is indeed not found, as Nginx simply passes the request to the Next.js application I built instead of intercepting it and returning a proper response to continue my Let's Encrypt application.
Is there something wrong with my Nginx config? Or are there any missing steps which I've followed?
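
One check worth running on this setup, as an added example that is not part of the original post: the CA's Detail line reports an IPv6 address, while the server block has only "listen 80;", which in nginx binds IPv4 only. The Python below compares the IP version the CA connected over with the versions the server block listens on; the function names are hypothetical and the inputs are constructed, abbreviated from the post.

```python
import ipaddress
import re

# Constructed inputs, abbreviated from the server block and CA error in the post.
NGINX_CONF = """
server {
    server_name subdomain.example.com;
    location / { proxy_pass http://localhost:8888; }
    listen 80;
}
"""
CA_DETAIL = ("Detail: 2400:6180:0:d0::15f6:1001: Invalid response from "
             "http://subdomain.example.com/.well-known/acme-challenge/TOKEN: 404")

def validated_address(detail):
    """Return the IP address the CA connected to, or None if none is reported."""
    m = re.match(r"\s*Detail:\s*(\S+): Invalid response from ", detail)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def listen_families(conf, port="80"):
    """Return the IP versions ({4, 6}) the config's listen directives cover on port."""
    families = set()
    for m in re.finditer(r"^\s*listen\s+([^;]+);", conf, re.MULTILINE):
        addr = m.group(1).split()[0]      # drop flags such as default_server
        if addr.startswith("unix:"):
            continue
        if addr.startswith("["):          # [::]:80 or [2001:db8::1]
            family, p = 6, addr.partition("]")[2].lstrip(":")
        else:                             # 80, *:80, 192.0.2.1:80, 192.0.2.1
            family, p = 4, addr.rpartition(":")[2]
        if not p.isdigit():               # bare address: nginx defaults to port 80
            p = "80"
        if p == port:
            families.add(family)
    return families

def diagnose(conf, detail):
    """Say whether the server block listens on the IP version the CA used."""
    ip = validated_address(detail)
    if ip is None:
        return "no validation address found in the CA detail line"
    if ip.version in listen_families(conf):
        return f"server block listens on IPv{ip.version}; look elsewhere"
    return f"CA connected over IPv{ip.version}, but no listen directive covers it"

if __name__ == "__main__":
    print(diagnose(NGINX_CONF, CA_DETAIL))
```

If the mismatch is reported, IPv6 requests for the hostname are answered by whichever other server block listens on [::]:80, not by the one Certbot modified.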