Abrar Hossain

Reputation: 2702

Certbot HTTP-01 challenge fails

This might be a simple error but I can't seem to use certbot to verify my domain. I am using nginx that is connected to an express application. I have commented out the configurations from the default nginx file and it only includes the configurations for my site from /etc/nginx/conf.d/mysite.info. In my configuration, the first location entry points to the root /.well-known/acme-challenge directory. Here are the settings from my nginx conf file:

server {
    listen 80;

    server_name <MYDOMAIN>.info www.<MYDOMAIN>.info;

    location '/.well-known/acme-challenge' {
            root /srv/www/<MY_ROOT_DIRECTORY>;
    }

    location / {
            proxy_pass http://localhost:4200;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }
    location /secure {
            auth_pam "Secure zone";
            auth_pam_service_name "nginx";
    }

}

To verify, I used the following certbot command:

certbot certonly --agree-tos --email <My_EMAIL>@gmail.com --webroot -w /srv/www/<ROOT_FOLDER>/ -d <DOMAIN>.info

The errors from certbot are as follows:

Performing the following challenges:
http-01 challenge for <MYDOMAIN>.info
Using the webroot path /srv/www/<ROOT_FOLDER> for all unmatched domains.
Waiting for verification...
Challenge failed for domain <MYDOMAIN>.info
http-01 challenge for <MYDOMAIN>.info
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: <MYDOMAIN>.info
   Type:   unauthorized
   Detail: Invalid response from
   http://<MYDOMAIN>.info/.well-known/acme-challenge/Yb3c1WtCn5G43YatrhVorTbT_nn3WKTLwKjr0c9dW8E
   [74.208.<...>.<...>]: "<!DOCTYPE html>\n<html
   lang=\"en\">\n<head>\n<meta
   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
   GET /.well-known/"

I am literally clueless at this point. All the directories and files have read permission for all users and groups. Any suggestions will be highly appreciated.

EDIT

Since Nginx was failing to deliver the challenge files, I modified my express server to send the files. The express app is accessible and it was easy to send the challenge files to get certbot to work. Although not the desired solution it worked. However, I will keep the post open for a better answer.

Upvotes: 6

Views: 27164
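The "Cannot GET /.well-known/..." body in the error above is the stock 404 page that Express returns when no route matches, which means the validation request reached the proxied app rather than being served as a static file from the webroot. The script below is an added diagnostic, not part of the question and not certbot or nginx code: it does what the ACME server does (drops a random token under `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP through the public hostname) and reports which layer answered. The function and label names (`check_webroot`, `classify`, `"proxied-to-app"`, `"nginx-404"`) are my own, and the `fetch` parameter exists only so the logic can be exercised without a live server.

```python
"""Pre-flight check for a certbot HTTP-01 webroot setup (added example).

Drops a throwaway token into <webroot>/.well-known/acme-challenge/, fetches
it via http://<domain>/..., and classifies the response:
  ok              - the token came back: nginx serves this webroot, certbot should pass
  proxied-to-app  - Express's "Cannot GET" page: the acme-challenge location
                    did not match, the request fell through to proxy_pass
  nginx-404       - a plain 404: the location matched but root/-w paths disagree
  unexpected      - anything else (wrong host answered, redirect, 5xx, ...)
"""
import os
import secrets
import sys
import urllib.error
import urllib.request

# URL path segment used by the ACME HTTP-01 challenge (always forward slashes).
CHALLENGE_URL_PATH = ".well-known/acme-challenge"


def http_fetch(url):
    """Default fetcher: GET over plain HTTP, returning (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body, token):
    """Map an HTTP response to a diagnosis of which layer served it."""
    if status == 200 and body.strip() == token:
        return "ok"
    if "Cannot GET" in body:
        # Express's default 404 body: nginx proxied the request to the app
        # instead of matching the acme-challenge location.
        return "proxied-to-app"
    if status == 404:
        # nginx answered but found no file under its configured root.
        return "nginx-404"
    return "unexpected"


def check_webroot(webroot, domain, fetch=http_fetch):
    """Write a random token under webroot, fetch it through domain, clean up.

    Returns one of the classify() labels. The token file is always removed.
    """
    token = secrets.token_urlsafe(32)
    target_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(target_dir, exist_ok=True)
    token_path = os.path.join(target_dir, token)
    with open(token_path, "w", encoding="utf-8") as fh:
        fh.write(token)
    try:
        url = f"http://{domain}/{CHALLENGE_URL_PATH}/{token}"
        status, body = fetch(url)
        return classify(status, body, token)
    finally:
        os.remove(token_path)


if __name__ == "__main__":
    # Usage: python3 check_webroot.py /srv/www/<ROOT_FOLDER> <MYDOMAIN>.info
    # Use the same directory you pass to certbot's -w option.
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <webroot> <domain>")
    print(check_webroot(sys.argv[1], sys.argv[2]))
```

Run it with the same directory you give certbot's `-w` and the hostname you pass to `-d`. Running it from a machine outside your network is closest to what the CA sees (same DNS answer, same firewall path); running it on the server itself still tells you whether the nginx `location` for `/.well-known/acme-challenge` is the one answering or whether the request is being handed to the Express proxy.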

Answers (2)

Dherik

Reputation: 19050

About:

Challenge failed for domain

This error can happen if you don't have port 443 open in your firewall.

I had the same problem trying to make certbot work on AWS. After some attempts, I just needed to open port 443 in the Security Group associated with the EC2 instance.

Upvotes: 8

David Paul

Reputation: 1

I was facing this issue, but my problem was a little bit different. After doing some research I got to know that the domain on which I was trying certbot is protected by Cloudflare, and there is a WAF rule for country restriction which was blocking all the traffic from the origin server, so turning off the country restriction for a while did the job.

Upvotes: 0
