404 for .well-known/acme-challenge

Hello everyone. I cannot get a certificate, but a test file can be loaded:

   certbot certonly --dry-run -d shop.batario.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for shop.batario.ru
Using the webroot path /home/webadmin/common for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running post-hook command: service nginx reload
Failed authorization procedure. shop.batario.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://shop.batario.ru/.well-known/acme-challenge/23RW7uILRmc1tPON-EQRhDVtPvGS2mhkxx3QGCfuRWo: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: shop.batario.ru
   Type:   unauthorized
   Detail: Invalid response from
   http://shop.batario.ru/.well-known/acme-challenge/23RW7uILRmc1tPON-EQRhDVtPvGS2mhkxx3QGCfuRWo:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

curl -I http://shop.batario.ru/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 18 Jul 2017 19:11:13 GMT
Content-Type: application/octet-stream
Content-Length: 6
Last-Modified: Tue, 18 Jul 2017 19:11:10 GMT
Connection: keep-alive
ETag: "596e5d4e-6"
Accept-Ranges: bytes

Hi @itelmenko,

Where is the test file in your filesystem? And where is the test file on your web site?

Hello, @schoen

On the website: http://shop.batario.ru/.well-known/acme-challenge/test

In the filesystem:

ls -l /home/webadmin/common/acme-challenge/test 
-rw-r--r-- 1 root root 6 Jul 18 22:11 /home/webadmin/common/acme-challenge/test

In the nginx config:

# letsencrypt (certbot) 
	location /.well-known/ {
		allow all;
		alias /home/webadmin/common/;
	}

So the test file is available, but certbot says “404 Not Found”.

Aha! I see the problem. Thanks for sharing the configuration file.

Your alias should say /home/webadmin/common/.well-known instead. This is because when you specify -w /home/webadmin/common, Certbot will create /.well-known inside of that directory (it is looking for the directory that corresponds to / in the URL, not the directory that corresponds to /.well-known in the URL).

If /.well-known is an nginx alias to /home/webadmin/common/.well-known, then -w /home/webadmin/common will be correct from Certbot’s point of view.

Hm… But why does my test file load correctly?

You put your test file in /home/webadmin/common/acme-challenge, but Certbot, when you specify -w /home/webadmin/common, will put the validation files in /home/webadmin/common/.well-known/acme-challenge, not /home/webadmin/common/acme-challenge. With your current mapping, the files created by Certbot end up on the web site at http://shop.batario.ru/.well-known/.well-known/acme-challenge, not http://shop.batario.ru/.well-known/acme-challenge.


Oh! Yes! Thank you!

Now I have changed it to
root /home/webadmin/common;
and now it works!
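
The path mapping discussed in this thread, as an added example that is not part of any post: it models how nginx's `root` and `alias` resolve a prefix location and compares that with where `certbot --webroot` writes the challenge file. The function names and the `TOKEN` placeholder are made up for this sketch, and the `alias` fix is written with a trailing slash to match the trailing slash of the `location`.

```python
import posixpath

CHALLENGE_DIR = ".well-known/acme-challenge"

def nginx_file_for(uri, location, directive, path):
    """File that a prefix `location` serves for `uri` under `root` or `alias`."""
    if not uri.startswith(location):
        return None
    if directive == "root":       # root: path + the full request URI
        mapped = path.rstrip("/") + uri
    elif directive == "alias":    # alias: the location prefix is replaced by path
        mapped = path + uri[len(location):]
    else:
        raise ValueError("directive must be 'root' or 'alias'")
    return posixpath.normpath(mapped)

def nginx_uri_for(file, location, directive, path):
    """Inverse mapping: the URI under which `file` is reachable, or None."""
    base = path.rstrip("/") if directive == "root" else path
    if not file.startswith(base):
        return None
    rest = file[len(base):]
    uri = rest if directive == "root" else location + rest
    return uri if uri.startswith(location) else None

def preflight(webroot, location, directive, path, token="TOKEN"):
    """Compare the file certbot writes with the file nginx reads for the challenge URL."""
    written = posixpath.join(webroot, CHALLENGE_DIR, token)   # certbot -w <webroot>
    requested = "/" + CHALLENGE_DIR + "/" + token             # what the CA fetches
    served = nginx_file_for(requested, location, directive, path)
    return {
        "ok": served == written,
        "certbot_writes": written,
        "nginx_reads": served,
        "file_is_at": nginx_uri_for(written, location, directive, path),
    }

if __name__ == "__main__":
    webroot = "/home/webadmin/common"
    configs = [  # (directive, path) inside `location /.well-known/ { ... }`
        ("alias", "/home/webadmin/common/"),              # original config: 404
        ("alias", "/home/webadmin/common/.well-known/"),  # alias fix
        ("root", "/home/webadmin/common"),                # root fix
    ]
    for directive, path in configs:
        print(directive, path, preflight(webroot, "/.well-known/", directive, path))
```
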

Great! I hope you enjoy your certificate. :slight_smile:

Sure! It is a very good idea to make SSL certificates free and multi-domain. And also automatically prolonged.
