404 error at well-known/acme-challenge/

Lepiloff · October 15, 2017, 4:55pm

My domain is:protrack.by

I ran this command: sudo certbot certonly -a webroot --webroot-path=/var/www/html -d protrack.by

It produced this output:
Domain: protrack.by
Type: unauthorized
Detail: Invalid response from
http://protrack.by/.well-known/acme-challenge/-6BXBNubIwrfeP4H607tcTIeQ668H3MMR4hsJQLfETg:

My web server is (include version):nginx

The operating system my web server runs on is (include version): Debian 9.2

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): bash

In my Nginx configuration file at /etc/nginx/sites-available/default I add this code at **server **:
location ~ /.well-known {
allow all;
root /usr/share/nginx/html;
}
After running the command: sudo certbot certonly -a webroot --webroot-path=/var/www/html -d protrack.by I get the following errors reported.

mnordhoff · October 15, 2017, 5:15pm

Certbot and Nginx need to be configured to use the same location.

If changing one of them doesn't work, what's the rest of the Certbot error, and what does Nginx's error.log say?

Lepiloff · October 15, 2017, 5:56pm

Sorry, my mistake, I make copyright from another file. My true code

location ~ /.well-known {
allow all;
root /var/www/html;
}

mnordhoff · October 15, 2017, 6:11pm

What was the rest of the Certbot error?

What does /var/log/letsencrypt/letsencrypt.log contain?

What does Nginx’s error.log contain?

Lepiloff · October 15, 2017, 6:34pm

2017-10-15 12:32:01,991:DEBUG:certbot.main:Root logging level set at 30
2017-10-15 12:32:01,993:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-10-15 12:32:01,994:DEBUG:certbot.main:certbot version: 0.10.2
2017-10-15 12:32:01,994:DEBUG:certbot.main:Arguments: ['-q']
2017-10-15 12:32:01,995:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoin$2017-10-15 12:32:01,996:DEBUG:certbot.renewal:no renewal failures

Nginx’s error.log is empty

Certbot error

sudo certbot certonly -a webroot --webroot-path=/var/www/html -d protrack.by
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for protrack.by
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. protrack.by (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://protrack.by/.well-known/acme-challenge/k5dXhtkYzxkfjFcXKVKVMlQ5lS5BHxWsX3SRWDPoxt0: "

Page not"

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: protrack.by
Type: unauthorized
Detail: Invalid response from
http://protrack.by/.well-known/acme-challenge/k5dXhtkYzxkfjFcXKVKVMlQ5lS5BHxWsX3SRWDPoxt0:
"
Page not"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

mnordhoff · October 15, 2017, 6:39pm

That 404 Not Found page was generated by Django.

It seems Nginx isn’t handling /.well-known/acme-challenge/ statically, as you wanted it to. Instead it’s passing it to Django, which isn’t configured to handle it either.

What’s the Nginx virtual host’s whole configuration?

Lepiloff · October 15, 2017, 6:49pm

In /etc/nginx/sites-available I have 2 files

Default server configuration

server {
	listen 80 default_server;
	listen [::]:80 default_server;

        # SSL configuration
          location ~ /.well-known {
                allow all;
          root /var/www/html;
        }
	

	root /var/www/html;


	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	
}

And protrack configurations

server {
    listen 80;
    server_name protrack.by;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/gk/protrack;
    }

    location / {
        include         uwsgi_params;
        uwsgi_pass      unix:/run/uwsgi/protrack.sock;
    }
}

mnordhoff · October 15, 2017, 6:54pm

To the protrack configuration, add something like:

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

Lepiloff · October 15, 2017, 7:04pm

It really works. Thank you very much for your help!

jsha · October 15, 2017, 8:47pm

Also, have you tried the Nginx-specific options described at https://certbot.eff.org/#ubuntutzesty-nginx ? That is:

sudo certbot --nginx

This should “just work” for your use case and save some trouble.

system · November 14, 2017, 8:48pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.