404 Not Found during http-01 challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.sasayaki-mvmt.com

I ran this command: sudo certbot certonly --webroot -w /etc/nginx/certs -d www.sasayaki-mvmt.com

It produced this output :

Performing the following challenges:
http-01 challenge for www.sasayaki-mvmt.com
Using the webroot path /etc/nginx/certs for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.sasayaki-mvmt.com
http-01 challenge for www.sasayaki-mvmt.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.sasayaki-mvmt.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.sasayaki-mvmt.com/.well-known/acme-challenge/r5fIZ4ztZgK3QlXzi4F_usBW9ymuaThhTtD1yPQyEuc
   [3.132.64.203]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>nginx/1.18.0 (Ub"

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Hello, I'm having issues getting the certbot to certify, and no matter what I try I get the issue above.

My /etc/nginx/nginx.conf file looks as follows:

server {
    listen 80;
    server_name opencv www.sasayaki-mvmt.com;
    location ^~ /.well-known {
        root /etc/nginx/certs;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

Some other things to note:
I have tried the following:
opencv -> sasayaki-mvmt.com in server_name
My block uses /etc/nginx/sites-available/opencv

I've checked other topics to see if they are any help; this topic seemed promising but it was ultimately to no avail.

Any help would be greatly appreciated.


Hi @Sasayaki, welcome to the LE community forum.

The --webroot -w path must match the root served by your web server for that FQDN.
[unless otherwise specified in the nginx config]
I do see that you have tried to make such an explicit direction in your nginx config:

But it doesn't exactly match the complete challenge path and I'm not exactly sure how nginx would react to such requests.
That is to say...
Will nginx serve those requests directly from:

  • /etc/nginx/certs/
  • /etc/nginx/certs/.well-known/
  • /etc/nginx/certs/.well-known/acme-challenge/
  • /etc/nginx/certs/acme-challenge/

I can't say for sure.
I would place files in each to test - just because I'm curious and would like to know things...
But the real "fix" should be to make the location statement more exact.
Like:
location ^~ /.well-known/acme-challenge{

[and I would test that out as well - just to be sure]


@Sasayaki Glad you marked this as solved.

But could you explain any more details of what you found wrong? I ask because I set up the same nginx conf as you and it worked as expected. That is,

server {
    listen       80 default;
    server_name  myserver.com;
    location ^~ /.well-known{
       root /usr/share/nginx/html;
    }
    location / { return 418; }
}

Which returned the file

/usr/share/nginx/html/.well-known/acme-challenge/Test-File-123

For a request of:

curl http://myserver.com/.well-known/acme-challenge/Test-File-123

Requests for any other location returned the 418.

I do not have any explanation for why yours did not work originally. It looked good to me. I was only going to suggest trying a hard restart and running nginx -t to ensure you were running the conf you expected.

Note my domain was a ridiculously long test server name so I shortened it to myserver.com for this example.

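The two replies above raise the same practical question from two sides: the first asks which directory nginx will actually serve the token from under a given location/root pair, and the second shows a curl probe for a test file. The POSIX shell script below is an added example (not code from the thread or from certbot/nginx) that does both offline: nginx_resolve applies nginx's documented path mapping (root appends the full request URI; alias replaces the matched location prefix) so you can see where a token will be looked for, and acme_probe_write / acme_probe_fetch drop a probe file exactly where certbot --webroot would and fetch it over plain HTTP on port 80 without following redirects. The webroot /etc/nginx/certs and FQDN www.sasayaki-mvmt.com in the usage comment are the values from the original post; the token names are constructed.

```shell
#!/bin/sh
# Added example: check that an nginx webroot will serve an http-01 token
# before running certbot. Not from the thread, certbot, or nginx.
#
# certbot --webroot -w DIR writes DIR/.well-known/acme-challenge/TOKEN.
# nginx maps a request URI to a file in one of two ways:
#   root  DIR;  -> DIR + full request URI  (DIR/.well-known/acme-challenge/TOKEN)
#   alias DIR;  -> DIR + (URI with the matched location prefix removed)
# So a `root` webroot works as-is, while an `alias` must already point at
# .../.well-known/acme-challenge. The `^~` location modifier matters too:
# it stops regex locations (and the `location /` redirect to https) from
# taking the request away from the challenge directory.

# Print the filesystem path nginx would open for a request.
# $1 = directive (root|alias)  $2 = directive value
# $3 = location prefix         $4 = request URI
nginx_resolve() {
    directive=$1; dir=${2%/}; prefix=$3; uri=$4
    case $directive in
        root)
            printf '%s%s\n' "$dir" "$uri" ;;
        alias)
            rest=${uri#"$prefix"}; rest=${rest#/}
            printf '%s/%s\n' "$dir" "$rest" ;;
        *)
            printf 'unknown directive: %s\n' "$directive" >&2; return 1 ;;
    esac
}

# Write a probe file where certbot would put a real token and print its path.
# $1 = webroot passed to certbot -w   $2 = token name (constructed, any string)
acme_probe_write() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'probe-%s\n' "$2" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Fetch the probe over HTTP on port 80. Redirects are NOT followed so that a
# 301 to https on the challenge path shows up as a failure instead of being
# masked. Returns 0 only on HTTP 200 with a body identical to the file.
# $1 = FQDN   $2 = token name   $3 = webroot
acme_probe_fetch() {
    file="$3/.well-known/acme-challenge/$2"
    tmp=$(mktemp) || return 1
    code=$(curl -sS -o "$tmp" -w '%{http_code}' "http://$1/.well-known/acme-challenge/$2")
    rc=1
    if [ "$code" = 200 ] && cmp -s "$tmp" "$file"; then rc=0; fi
    rm -f "$tmp"
    return $rc
}

# Write, fetch, clean up, and say what happened.  $1 = webroot  $2 = FQDN
acme_probe_run() {
    token="probe-$$"
    path=$(acme_probe_write "$1" "$token") || return 1
    if acme_probe_fetch "$2" "$token" "$1"; then
        echo "OK: nginx served $path at http://$2/.well-known/acme-challenge/$token"
        rc=0
    else
        echo "FAIL: http://$2/.well-known/acme-challenge/$token did not return $path (check nginx -t, the location block, and redirects)" >&2
        rc=1
    fi
    rm -f "$path"
    return $rc
}

# Usage with the values from the original post (run as root, nginx already
# reloaded):   sudo sh acme-probe.sh /etc/nginx/certs www.sasayaki-mvmt.com
if [ "$#" -eq 2 ]; then
    acme_probe_run "$1" "$2"
fi
```

Run nginx -t and reload first, because the probe exercises the configuration nginx is actually running, not the file on disk. If the probe fails with a 301 or 404, the resolver output tells you which directory nginx expects the token in, and comparing that with what certbot writes under the -w path usually pinpoints the mismatch.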

I cannot tell you why my original was not working; it's still a mystery to me. However, one or all of these helped resolve the issue.

After getting the suggestion: I changed the nginx config file to

location ^~ /.well-known/acme-challenge{
    root /etc/nginx/certs;
}

Created a /.well-known/acme-challenge directory in /etc/nginx/certs, just in case this was the issue.

Restarted nginx after verification... using sudo systemctl reload nginx
And then I ran the certification again and this time it worked.

I'm honestly not sure why the original wasn't working either, but I guess that's how things are sometimes.


If you run certbot again but use the staging mode, certbot renew --dry-run, then, if successful, you can look at the log to see exactly in which directory it looked for and found the challenge. Any other directory path you created for the challenge can be deleted since it's not used at all.
That was an ingenious way to make sure the challenge would be found. Indeed!
