404 error from setting up a certificate for my nginx hosted website

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aar.siclib.org

I ran this command: sudo certbot --nginx -d aar.siclib.org

It produced this output: Invalid response from http://aar.siclib.org/.well-known/acme-challenge/LGeWDo8UE6JZ6i-37xofJ6mz-HjIlSR6rwql3iViVWs: 404

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 23.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

I just want to make the same post as yours... Recently, my daily script to perform the auto-renew got stuck.

For testing, I ran this command: certbot certonly --dry-run -v --nginx -d mydomain
This ended up with a 404 error...

However, when I try to use manual: certbot certonly --dry-run -v --manual -d mydomain
for which I then have to manually create the folder and make a new file with specific data in it, the renewal process works.

Could you run yours with manual mode and share your result, please?

Currently I'm trying to find almost the same solution as yours. I don't get why Certbot doesn't perform like before, why it can't create the folder and file automatically.

Welcome @TomNguyen10101

A 404 error when using the --nginx plugin usually means there is something wrong with your nginx conf. Probably you don't have a dedicated server block to handle that domain name on port 80.

Can you post the output of this? A capital T is needed to show the active nginx conf.

sudo nginx -T

@dhicom Please start a new thread. A 404 error can be caused by many things, and it is often different for someone just starting than for someone renewing like you.

We prefer working on each person's problem in their own thread. The answers to the form you will be shown will be helpful. Thank you


This is the result from running the command "sudo nginx -t": nginx: configuration file /etc/nginx/nginx.conf test is successful.

This is how my nginx.conf looks right now:
nginx.conf.txt (1.9 KB)

This is how my aar.siclib.org.conf looks right now:
aar.siclib.org.conf.txt (535 Bytes)

The requested command was sudo nginx -T with a capital T. Case matters.


Oh my bad, this is the result from the command: "sudo nginx -T":
result.txt (10.1 KB)


Oh, you have a server block for aar.siclib.org, but the listen is for port 81. The default port for HTTP is 80. You have this:

# configuration file /etc/nginx/sites-enabled/aar.siclib.org:
server {
    listen 81;
    server_name aar.siclib.org;

If you need to use the alternate port 81, you need to tell Certbot to set up for that:

sudo certbot --nginx -d aar.siclib.org --http-01-port 81

More details from the docs:

--http-01-port HTTP01_PORT
Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80)

Which means you need to have something (like a router) mapping the incoming request from Let's Encrypt Server on port 80 to your nginx as port 81.

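The diagnosis above (a server block that exists but does not listen on 80) can be checked mechanically. The following is an added example, not part of this thread: a POSIX shell check that reads the `sudo nginx -T` dump from stdin and reports which ports the server block carrying a given server_name listens on. The function names are my own, and the embedded sample dump is constructed to mirror the situation described above (the aar.siclib.org block on port 81); in real use you pipe the live dump in.

```shell
#!/bin/sh
# Added example: find the listen ports of the nginx server block that names
# a given host, from `nginx -T` output. Not from the thread or from Certbot.

# Constructed sample of `nginx -T` output (assumption: mirrors the thread's
# setup, where the aar.siclib.org block listens on 81, not 80).
SAMPLE_DUMP='# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / { try_files $uri $uri/ =404; }
}
# configuration file /etc/nginx/sites-enabled/aar.siclib.org:
server {
    listen 81;
    server_name aar.siclib.org;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}'

# listen_ports_for NAME  (nginx -T dump on stdin)
# Prints one line per matching server block: its listen ports, space separated.
listen_ports_for() {
    awk -v name="$1" '
    function port_of(addr,    n, parts) {
        n = split(addr, parts, ":")        # "[::]:80" -> "80", "0.0.0.0:80" -> "80", "81" -> "81"
        return parts[n]
    }
    /^[ \t]*#/ { next }                    # skip "# configuration file ..." markers and comments
    {
        tmp = $0                           # count braces on a copy; nested location {} blocks
        opens  = gsub(/\{/, "", tmp)       # are tracked by depth so they do not end the server block
        closes = gsub(/\}/, "", tmp)
        if (!in_server && $1 == "server" && opens > 0) {
            in_server = 1; depth = 0; ports = ""; matched = 0
        }
        if (in_server) {
            if ($1 == "listen") {
                sub(/;.*$/, "")            # drop ";" and any trailing comment
                ports = ports (ports == "" ? "" : " ") port_of($2)
            } else if ($1 == "server_name") {
                sub(/;.*$/, "")
                for (i = 2; i <= NF; i++) if ($i == name) matched = 1
            }
            depth += opens - closes
            if (depth <= 0) {              # closing brace of this server block
                if (matched) print ports
                in_server = 0
            }
        }
    }'
}

# http01_reachable NAME  (nginx -T dump on stdin)
# Returns 0 only if a server block for NAME listens on port 80, which is where
# a conforming ACME server will connect for the http-01 challenge.
http01_reachable() {
    ports=$(listen_ports_for "$1" | tr '\n' ' ')
    ports=${ports% }
    if [ -z "$ports" ]; then
        echo "no server block has server_name $1; certbot --nginx cannot pick a vhost"
        return 1
    fi
    case " $ports " in
        *" 80 "*) echo "ok: $1 listens on port(s) $ports"; return 0 ;;
        *) echo "$1 listens on port(s) $ports but not 80; the ACME server connects to 80"; return 1 ;;
    esac
}

# Demo against the constructed dump. Real use: sudo nginx -T | http01_reachable aar.siclib.org
printf '%s\n' "$SAMPLE_DUMP" | http01_reachable aar.siclib.org || true
```

The check deliberately matches only an exact server_name entry; a catch-all `server_name _;` block on 80 does not count as a vhost for the domain, because certbot --nginx also needs a block that names the domain to install the certificate into.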

I tried the command that you recommended: sudo certbot --nginx -d aar.siclib.org --http-01-port 81
And I was successfully able to get the certificate for the website; however, now when I try to access the website through the web browser I am getting a 503 error: Service Unavailable.
The aar.siclib.org is actually a subdomain of siclib.org, which is being hosted by apache2. And so for it to redirect correctly to port 81 as I want, this is what I wrote in the conf file for it in apache2:

<VirtualHost *:80>
    ServerName aar.siclib.org
    ProxyPass / http://aar.siclib.org:81/
    ProxyPassReverse / http://aar.siclib.org:81/
</VirtualHost>

Could this be why it is not working?

Note: I already have a certificate for siclib.org that runs on port 80/443.

Oh, I see. You will need to have a port 80 and port 443 VirtualHost for aar.siclib.org in your Apache server. You should be able to use whatever method you used for Apache and your base domain name.

You don't need a cert in nginx at all. Your VirtualHosts in Apache for aar domain can use HTTP to proxy to it.


I'm sorry, I don't quite understand what I need to do from what you are saying. Could you give me an example? I'm quite new to this.

Note: This is what I am doing for the base domain:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:80>
    ServerName your_domain
    AllowEncodedSlashes On
    ProxyPreserveHost On
    ProxyPass "/"  "http://localhost:8080/"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =siclib.org [OR]
    RewriteCond %{SERVER_NAME} =your_domain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Oh, I seem to have found a solution that works, which is using the flag --expand.

sudo certbot --expand --apache -d aar.siclib.org

Your Apache server is handling the connection from clients (like a browser) for your aar domain. So, it must have a VirtualHost for port 443 and SSL enabled. It also then should have a port 80 VirtualHost.

If you proxy from Apache to something else that is a second connection. You can use HTTP if you are on your own private network and in this case you are. No certificate is needed for that (in your case in nginx).

I think your mistake was thinking you needed a cert in nginx since the connection ends there. What I was trying to describe is that when you do a reverse proxy like you are there are two separate connections.

If you want to double check what you have please show output of these two:

sudo apache2ctl -t -D DUMP_VHOSTS
sudo certbot certificates
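The two-connection layout described above, written out as Apache configuration. This is an added example, not configuration from this thread or from Certbot: Apache terminates TLS for aar.siclib.org on 443 and proxies over plain HTTP to the nginx block on port 81. It assumes nginx runs on the same host (hence 127.0.0.1; substitute the internal address otherwise), that mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite and mod_headers are enabled, and that the certificate paths are those certbot --apache created (confirm with sudo certbot certificates).

```apache
# Added example, not from the thread. Port 80: serve only the http-01
# challenge in the clear and send everything else to HTTPS.
<VirtualHost *:80>
    ServerName aar.siclib.org
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Port 443: this is the connection the browser sees, so the certificate
# lives here, not in nginx.
<VirtualHost *:443>
    ServerName aar.siclib.org
    SSLEngine on
    # Assumption: paths as created by certbot --apache for this name.
    SSLCertificateFile    /etc/letsencrypt/live/aar.siclib.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/aar.siclib.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Second connection: Apache -> nginx on the loopback interface, plain HTTP.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:81/
    ProxyPassReverse / http://127.0.0.1:81/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Because nginx is only a backend here, change its block to listen 127.0.0.1:81 rather than a bare listen 81, so the unencrypted port is not reachable from outside the host; the --http-01-port trick from earlier in the thread is then unnecessary, since the challenge is answered by Apache on port 80.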

Thank you for your help.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.