Letsencrypt unable to verify the domain

I have the following config working:

upstream app_admin {
  server 127.0.0.1:8080;
}
server {
  listen 80 default_server;
  listen [::]:80 default_server ipv6only=on;

  server_name admin.test.com;

  location / {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_pass http://app_admin;
    proxy_redirect off;
  }

  # for Let's Encrypt to work properly:
  # /.well-known/acme-challenge/<token> is read from /var/www/.well-known/acme-challenge/<token>,
  # i.e. the same directory that --webroot-path=/var/www hands to the webroot plugin
  location ^~ /.well-known {
    root /var/www/;
    default_type "text/plain";
    allow all;
  }
}

I installed Letsencrypt and ran this command, but I get errors:

/opt/letsencrypt# ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www -d admin.test.com

Performing the following challenges:
http-01 challenge for admin.test.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. admin.test.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://admin.test.com/.well-known/acme-challenge/zlmdu1lWhUxZdwyV_1Kf--vgzEM6ETXr_qZzwR4uf6pM: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: admin.test.com
Type: connection
Detail: Fetching
http://admin.test.com/.well-known/acme-challenge/zlmdu1lWhUbfdwyV_1Kf--vgzEM6ETXr_qZytfR4I6pM:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I can get to my site by going to admin.test.com without issues.

What am I doing wrong?

SO: https://stackoverflow.com/questions/44814830/letsencrypt-unable-to-verify-the-domain

I use letsencrypt certificates. I think letsencrypt should be installed on the same server that admin.test.com is pointing to.

The error clearly suggests it is looking for a key in .well-known folder on admin.test.com and is not able to find it.

Please refer to the excellent documentation: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
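The reply above describes what the CA actually does: it fetches http://admin.test.com/.well-known/acme-challenge/<token> over plain port 80 and expects the token's key authorization back. The following is an added example, not code from the thread or from certbot, that reproduces that fetch locally so you can tell the three failure modes apart before rerunning letsencrypt-auto: a 404 means nginx answered but --webroot-path and the `root` of the /.well-known location disagree; a wrong body means something else answered; no HTTP answer at all is the "urn:acme:error:connection :: Timeout" case (DNS, firewall or cloud security group). The account JWK, the temporary webroot and the local http.server standing in for nginx are all constructed for the demo; only the token is taken from the error message in the question.

```python
import base64
import hashlib
import http.server
import json
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canon.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, account_jwk):
    """Body the CA expects at /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return token + "." + jwk_thumbprint(account_jwk)


def place_challenge(webroot, token, body):
    """What `certbot certonly -a webroot --webroot-path <webroot>` writes before polling the CA."""
    chall_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chall_dir, exist_ok=True)
    path = os.path.join(chall_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def probe_http01(base_url, token, expected, timeout=5.0):
    """Replay the CA's validation request and classify the outcome.

    Returns (verdict, explanation); the verdicts mirror the failure modes seen in the thread.
    """
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as err:
        # nginx answered, so the network path is fine; the file is not where nginx looks.
        return "webroot", f"HTTP {err.code} for {url}: --webroot-path and the `root` of the /.well-known location disagree"
    except OSError as err:  # URLError, ConnectionRefusedError and socket timeouts all derive from OSError
        # No HTTP answer at all: the CA reports this as urn:acme:error:connection / Timeout.
        return "connection", f"{err}: port 80 not reachable (DNS A record, firewall or cloud security group)"
    if served != expected:
        return "unauthorized", "a body was served but it is not the key authorization (stale file or another vhost answered)"
    return "ok", "the CA would accept this challenge"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep request logging off the console
        pass


def serve_webroot(webroot):
    """Stand-in for the nginx `location ^~ /.well-known { root <webroot>; }` block on a free localhost port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Walk through the four outcomes on a throwaway webroot; returns {case: verdict}."""
    # Constructed account key: only the canonical-JSON hashing is exercised, no real modulus is needed.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
    token = "zlmdu1lWhUxZdwyV_1Kf--vgzEM6ETXr_qZzwR4uf6pM"  # token from the error message in the question
    expected = key_authorization(token, account_jwk)
    verdicts = {}
    with tempfile.TemporaryDirectory() as webroot:
        srv, base_url = serve_webroot(webroot)
        try:
            verdicts["missing"] = probe_http01(base_url, token, expected)[0]  # 404: wrong webroot
            place_challenge(webroot, token, "stale-key-authorization-from-last-run")
            verdicts["stale"] = probe_http01(base_url, token, expected)[0]  # body mismatch
            place_challenge(webroot, token, expected)
            verdicts["placed"] = probe_http01(base_url, token, expected)[0]  # ok
        finally:
            srv.shutdown()
            srv.server_close()
        # Nothing listens on that port any more: the same class of failure as a blocked security group.
        verdicts["blocked"] = probe_http01(base_url, token, expected, timeout=2.0)[0]
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {verdict}")
```

To use it against a real host, call `probe_http01("http://admin.test.com", token, expected)` from a machine outside the server's network after writing the file with `place_challenge` on the server; a "connection" verdict from outside while `curl` works on the box itself is exactly the security-group symptom, and the real account JWK lives in certbot's accounts directory under /etc/letsencrypt.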

I installed letsencrypt on the same server. So far:

$ mkdir -p /var/www
$ git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www -d admin.test.com

The last line is where I get the error.

I also tried just:

$ ./letsencrypt-auto certonly --standalone

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): admin.test.com

Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for admin.test.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. admin.test.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

Again, I CAN get to my site with: admin.test.com (port 80)


Looking at the bottom of the log /var/log/letsencrypt/letsencrypt.log:

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-06-29 03:09:34,776:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-29 03:09:34,777:DEBUG:certbot.plugins.standalone:Stopping server at :::443…
2017-06-29 03:09:35,014:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 683, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 313, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. admin.test.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

Found the issue. I had blocked access to outside requests in my security group on AWS.