acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Verify error #1710

Open longshaof opened 6 years ago

longshaof commented 6 years ago

Ubuntu 18.04 + nginx; the domain name has been replaced with domain.com


[Tue Jul  3 14:12:50 UTC 2018] Getting webroot for domain='www.domain.com'
[Tue Jul  3 14:12:50 UTC 2018] Getting new-authz for domain='www.domain.com'
[Tue Jul  3 14:12:50 UTC 2018] The new-authz request is ok.
[Tue Jul  3 14:12:50 UTC 2018] Verifying:domain.com
[Tue Jul  3 14:12:53 UTC 2018] domain.com:Verify error:Fetching http://domain.com/.well-known/acme-challenge/vIu6rudp1C8_tqcBqc7y9U2tBr3JH_1YfuHbKtP3miw: Connection refused
[Tue Jul  3 14:12:53 UTC 2018] Please add '--debug' or '--log' to check more details.
[Tue Jul  3 14:12:53 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
➜  ~ acme.sh  --issue  -d domain.com -d www.domain.com  --webroot  /var/www/html/domain.com --debug
[Tue Jul  3 14:13:09 UTC 2018] Lets find script dir.
[Tue Jul  3 14:13:09 UTC 2018] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Jul  3 14:13:09 UTC 2018] _script='/root/.acme.sh/acme.sh'
[Tue Jul  3 14:13:09 UTC 2018] _script_home='/root/.acme.sh'
[Tue Jul  3 14:13:09 UTC 2018] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.7.9
[Tue Jul  3 14:13:09 UTC 2018] _main_domain='domain.com'
[Tue Jul  3 14:13:09 UTC 2018] _alt_domains='www.domain.com'
[Tue Jul  3 14:13:09 UTC 2018] Using config home:/root/.acme.sh
[Tue Jul  3 14:13:09 UTC 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jul  3 14:13:09 UTC 2018] DOMAIN_PATH='/root/.acme.sh/domain.com'
[Tue Jul  3 14:13:09 UTC 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Jul  3 14:13:09 UTC 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Jul  3 14:13:09 UTC 2018] GET
[Tue Jul  3 14:13:09 UTC 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jul  3 14:13:09 UTC 2018] timeout=
[Tue Jul  3 14:13:09 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:10 UTC 2018] ret='0'
[Tue Jul  3 14:13:10 UTC 2018] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Jul  3 14:13:10 UTC 2018] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Jul  3 14:13:10 UTC 2018] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Jul  3 14:13:10 UTC 2018] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Jul  3 14:13:10 UTC 2018] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Jul  3 14:13:10 UTC 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Jul  3 14:13:10 UTC 2018] ACME_NEW_NONCE
[Tue Jul  3 14:13:10 UTC 2018] ACME_VERSION
[Tue Jul  3 14:13:10 UTC 2018] Le_NextRenewTime
[Tue Jul  3 14:13:10 UTC 2018] _on_before_issue
[Tue Jul  3 14:13:10 UTC 2018] _chk_main_domain='domain.com'
[Tue Jul  3 14:13:10 UTC 2018] _chk_alt_domains='www.domain.com'
[Tue Jul  3 14:13:10 UTC 2018] Le_LocalAddress
[Tue Jul  3 14:13:10 UTC 2018] d='domain.com'
[Tue Jul  3 14:13:10 UTC 2018] Check for domain='domain.com'
[Tue Jul  3 14:13:10 UTC 2018] _currentRoot='/var/www/html/domain.com'
[Tue Jul  3 14:13:10 UTC 2018] d='www.domain.com'
[Tue Jul  3 14:13:10 UTC 2018] Check for domain='www.domain.com'
[Tue Jul  3 14:13:10 UTC 2018] _currentRoot='/var/www/html/domain.com'
[Tue Jul  3 14:13:10 UTC 2018] d
[Tue Jul  3 14:13:10 UTC 2018] _saved_account_key_hash is not changed, skip register account.
[Tue Jul  3 14:13:10 UTC 2018] Read key length:
[Tue Jul  3 14:13:10 UTC 2018] _createcsr
[Tue Jul  3 14:13:10 UTC 2018] Multi domain='DNS:domain.com,DNS:www.domain.com'
[Tue Jul  3 14:13:10 UTC 2018] Getting domain auth token for each domain
[Tue Jul  3 14:13:10 UTC 2018] d='domain.com'
[Tue Jul  3 14:13:10 UTC 2018] Getting webroot for domain='domain.com'
[Tue Jul  3 14:13:10 UTC 2018] _w='/var/www/html/domain.com'
[Tue Jul  3 14:13:10 UTC 2018] _currentRoot='/var/www/html/domain.com'
[Tue Jul  3 14:13:10 UTC 2018] Getting new-authz for domain='domain.com'
[Tue Jul  3 14:13:10 UTC 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Jul  3 14:13:10 UTC 2018] Try new-authz for the 0 time.
[Tue Jul  3 14:13:10 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Jul  3 14:13:10 UTC 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "domain.com"}}'
[Tue Jul  3 14:13:10 UTC 2018] RSA key
[Tue Jul  3 14:13:10 UTC 2018] GET
[Tue Jul  3 14:13:10 UTC 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jul  3 14:13:10 UTC 2018] timeout=
[Tue Jul  3 14:13:10 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:10 UTC 2018] ret='0'
[Tue Jul  3 14:13:10 UTC 2018] POST
[Tue Jul  3 14:13:10 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Jul  3 14:13:10 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:11 UTC 2018] _ret='0'
[Tue Jul  3 14:13:11 UTC 2018] code='201'
[Tue Jul  3 14:13:11 UTC 2018] The new-authz request is ok.
[Tue Jul  3 14:13:11 UTC 2018] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724","token":"wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g"'
[Tue Jul  3 14:13:11 UTC 2018] token='wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g'
[Tue Jul  3 14:13:11 UTC 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:11 UTC 2018] keyauthorization='wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s'
[Tue Jul  3 14:13:11 UTC 2018] dvlist='domain.com#wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s#https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724#http-01#/var/www/html/domain.com'
[Tue Jul  3 14:13:11 UTC 2018] d='www.domain.com'
[Tue Jul  3 14:13:11 UTC 2018] Getting webroot for domain='www.domain.com'
[Tue Jul  3 14:13:11 UTC 2018] _w='/var/www/html/domain.com'
[Tue Jul  3 14:13:11 UTC 2018] _currentRoot='/var/www/html/domain.com'
[Tue Jul  3 14:13:11 UTC 2018] Getting new-authz for domain='www.domain.com'
[Tue Jul  3 14:13:11 UTC 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Jul  3 14:13:11 UTC 2018] Try new-authz for the 0 time.
[Tue Jul  3 14:13:11 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Jul  3 14:13:11 UTC 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "www.domain.com"}}'
[Tue Jul  3 14:13:11 UTC 2018] POST
[Tue Jul  3 14:13:11 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Jul  3 14:13:11 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:12 UTC 2018] _ret='0'
[Tue Jul  3 14:13:12 UTC 2018] code='201'
[Tue Jul  3 14:13:12 UTC 2018] The new-authz request is ok.
[Tue Jul  3 14:13:12 UTC 2018] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/snnBUhF26a04w1mN_UDYLcXWIvP3MC-DR5BfVdJC3Zs/5435997883","token":"oKm_iVbdyXGFE_wVitnzD66YGyLSAPE5UIeZRXHpJQY"'
[Tue Jul  3 14:13:12 UTC 2018] token='oKm_iVbdyXGFE_wVitnzD66YGyLSAPE5UIeZRXHpJQY'
[Tue Jul  3 14:13:12 UTC 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/snnBUhF26a04w1mN_UDYLcXWIvP3MC-DR5BfVdJC3Zs/5435997883'
[Tue Jul  3 14:13:12 UTC 2018] keyauthorization='oKm_iVbdyXGFE_wVitnzD66YGyLSAPE5UIeZRXHpJQY.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s'
[Tue Jul  3 14:13:12 UTC 2018] dvlist='www.domain.com#oKm_iVbdyXGFE_wVitnzD66YGyLSAPE5UIeZRXHpJQY.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s#https://acme-v01.api.letsencrypt.org/acme/challenge/snnBUhF26a04w1mN_UDYLcXWIvP3MC-DR5BfVdJC3Zs/5435997883#http-01#/var/www/html/domain.com'
[Tue Jul  3 14:13:12 UTC 2018] d
[Tue Jul  3 14:13:12 UTC 2018] vlist='domain.com#wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s#https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724#http-01#/var/www/html/domain.com,www.domain.com#oKm_iVbdyXGFE_wVitnzD66YGyLSAPE5UIeZRXHpJQY.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s#https://acme-v01.api.letsencrypt.org/acme/challenge/snnBUhF26a04w1mN_UDYLcXWIvP3MC-DR5BfVdJC3Zs/5435997883#http-01#/var/www/html/domain.com,'
[Tue Jul  3 14:13:12 UTC 2018] d='domain.com'
[Tue Jul  3 14:13:12 UTC 2018] d='www.domain.com'
[Tue Jul  3 14:13:12 UTC 2018] ok, let's start to verify
[Tue Jul  3 14:13:12 UTC 2018] Verifying:domain.com
[Tue Jul  3 14:13:12 UTC 2018] d='domain.com'
[Tue Jul  3 14:13:12 UTC 2018] keyauthorization='wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s'
[Tue Jul  3 14:13:12 UTC 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:12 UTC 2018] _currentRoot='/var/www/html/domain.com'
[Tue Jul  3 14:13:12 UTC 2018] wellknown_path='/var/www/html/domain.com/.well-known/acme-challenge'
[Tue Jul  3 14:13:12 UTC 2018] writing token:wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g to /var/www/html/domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g
[Tue Jul  3 14:13:12 UTC 2018] Changing owner/group of .well-known to root:root
[Tue Jul  3 14:13:12 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:12 UTC 2018] payload='{"resource": "challenge", "keyAuthorization": "wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s"}'
[Tue Jul  3 14:13:12 UTC 2018] POST
[Tue Jul  3 14:13:12 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:12 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:13 UTC 2018] _ret='0'
[Tue Jul  3 14:13:13 UTC 2018] code='202'
[Tue Jul  3 14:13:13 UTC 2018] sleep 2 secs to verify
[Tue Jul  3 14:13:15 UTC 2018] checking
[Tue Jul  3 14:13:15 UTC 2018] GET
[Tue Jul  3 14:13:15 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:15 UTC 2018] timeout=
[Tue Jul  3 14:13:15 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:15 UTC 2018] ret='0'
[Tue Jul  3 14:13:15 UTC 2018] domain.com:Verify error:Fetching http://domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g: Connection refused
[Tue Jul  3 14:13:15 UTC 2018] Debug: get token url.
[Tue Jul  3 14:13:15 UTC 2018] GET
[Tue Jul  3 14:13:15 UTC 2018] url='http://domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g'
[Tue Jul  3 14:13:15 UTC 2018] timeout=1
[Tue Jul  3 14:13:15 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g  --connect-timeout 1'
[Tue Jul  3 14:13:15 UTC 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Tue Jul  3 14:13:15 UTC 2018] ret='7'
[Tue Jul  3 14:13:15 UTC 2018] Debugging, skip removing: /var/www/html/domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g
[Tue Jul  3 14:13:15 UTC 2018] pid
[Tue Jul  3 14:13:15 UTC 2018] No need to restore nginx, skip.
[Tue Jul  3 14:13:15 UTC 2018] _clearupdns
[Tue Jul  3 14:13:15 UTC 2018] skip dns.
[Tue Jul  3 14:13:15 UTC 2018] _on_issue_err
[Tue Jul  3 14:13:15 UTC 2018] Please add '--debug' or '--log' to check more details.
[Tue Jul  3 14:13:15 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Jul  3 14:13:15 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:15 UTC 2018] payload='{"resource": "challenge", "keyAuthorization": "wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s"}'
[Tue Jul  3 14:13:15 UTC 2018] POST
[Tue Jul  3 14:13:15 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/3ujo4DGuHkImgTW3L4yfJ6kcFtYtazwNfI3oINWgwsg/5435997724'
[Tue Jul  3 14:13:15 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:16 UTC 2018] _ret='0'
[Tue Jul  3 14:13:16 UTC 2018] code='400'
[Tue Jul  3 14:13:16 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/snnBUhF26a04w1mN_UDYLcXWIvP3MC-DR5BfVdJC3Zs/5435997883'
[Tue Jul  3 14:13:16 UTC 2018] payload='{"resource": "challenge", "keyAuthorization": "oKm_iVbdyXGFE_wVitnzD66YGyLSAPE5UIeZRXHpJQY.RoF7Zin7piGuTsjPPGTfMLUiABWnxWHvlg7TnWXHI0s"}'
[Tue Jul  3 14:13:16 UTC 2018] POST
[Tue Jul  3 14:13:16 UTC 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/snnBUhF26a04w1mN_UDYLcXWIvP3MC-DR5BfVdJC3Zs/5435997883'
[Tue Jul  3 14:13:16 UTC 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Tue Jul  3 14:13:17 UTC 2018] _ret='0'
[Tue Jul  3 14:13:17 UTC 2018] code='202'
[Tue Jul  3 14:13:17 UTC 2018] Diagnosis versions: 
openssl:openssl
OpenSSL 1.1.0g  2 Nov 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-mcUg8N/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
orgoj commented 6 years ago

You have a redirect on the ACME challenge URL. Fix this.

$ curl -vs http://domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g
*   Trying 18.221.195.49...
* Connected to domain.com (18.221.195.49) port 80 (#0)
> GET /.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g HTTP/1.1
> Host: domain.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Wed, 04 Jul 2018 15:42:48 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
longshaof commented 6 years ago

@orgoj I have tried this command, but I still get some error: curl -vs http://domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g

orgoj commented 6 years ago

You still have a redirect. Does the file /var/www/html/domain.com/.well-known/acme-challenge/wRZRgNHEE-Ue6Oa5ZPr9CY8Y9lN9mHUsAWczIyZAi_g exist? You must modify the nginx domain.com virtual config so that it does not redirect /.well-known/acme-challenge/ to the CMS.

DolorHunter commented 4 years ago

Same problem. It took a long time to figure out.

My solution: Edit the NGINX config to disable 301 redirections (http to https), restart NGINX, then run the command to get the cert.
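
Added example, not part of any comment in this thread and not from the acme.sh project: an nginx port-80 server block that exempts only the challenge path from the HTTP-to-HTTPS redirect, so the redirect does not have to be disabled site-wide. The "before" block is an assumed shape (the thread never shows the actual config); the hostnames and webroot are the ones from the log above.

```nginx
# Before (assumed; the thread does not show the real config):
# a server-level return redirects every request, including the
# http-01 challenge fetch, to HTTPS.
#
# server {
#     listen 80;
#     server_name domain.com www.domain.com;
#     return 301 https://$host$request_uri;
# }

# After: the challenge path is answered over plain HTTP from the webroot
# given to acme.sh (--webroot /var/www/html/domain.com); everything else
# is still redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com www.domain.com;

    # "^~" stops nginx from evaluating regex locations for this prefix,
    # so a CMS rewrite or catch-all regex cannot take over the request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html/domain.com;
        default_type text/plain;
        # Serve only files that exist; never fall through to the CMS.
        try_files $uri =404;
    }

    # The redirect must live in a location block: a server-level
    # "return" runs before location matching and would still catch
    # the challenge request.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, the `curl -vs` request shown earlier in the thread should return `200` with the key authorization as the body while a token file is present in the webroot, and any other path should still return the `301`.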