404 not found on certificate


#1

Hey everybody.

I’m trying to set up certificates for my website but I’m struggling a little bit. I have two servers. My website runs in Docker on server 2 (nginx, php, …) and server 1 runs an nginx on port 7777. For the website, my nginx configuration is like this (port 80):

location ~ /.well-known {
	allow all;
	proxy_pass http://<server 1 ip>:7777;
	proxy_set_header Host            $host;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header X-Forwarded-Proto https;
}

Server 1 is just for the .well-known folder. That’s the conf:

location ~ /.well-known {
	allow all;
	root /var/www/letsencrypt;
}

The certbot is on my server 2 and when I try to generate the certificate I get a 404 not found ( http:///.well-known/acme-challenge/c1mXZoarf…). It doesn’t seem to be a permission problem. I added an index.html in the /var/www/letsencrypt folder and curl <server 1 ip>:7777 returns the file.

That’s the certbot command I’m using:
docker-compose run certbot certonly --standalone -d <domain name> --email <email> --rsa-key-size 4096 --verbose --standalone-supported-challenges http-01 --staging

Do you have any idea what could be the cause of the problem?

Thanks a lot!


#2

From your setup:
Server 2 would have to place a file in server 1’s /var/www/letsencrypt [location]
Is that possible?


#3

Like with some kind of NFS sharing?


#4

Possible. But why?
Do you need the cert in server 1?
[server 2 is the one facing the Internet]


#5

Yeah, you’re right. So I moved the nginx to server 2 with the same configuration but I still have the same issue. Certbot should be able to generate files in /var/www/letsencrypt. I shared the volume like this (in the docker-compose of certbot):

    volumes:
      - /var/www/letsencrypt:/var/www/letsencrypt

I also tried to add --webroot-path=/var/www/letsencrypt as an argument but it doesn’t seem to change anything.

Thank you for your help :slight_smile:


#6

Did you remove the proxy?


#7

Yes. I removed it and added the line: root /var/www/letsencrypt;


#8

Try changing this:

To this:
location ~ /.well-known/acme-challenge {

and then place a test.txt file as: /var/www/letsencrypt/test.txt
See if it can be hit from the Internet via: http://your.domain/.well-known/acme-challenge/test.txt


#9

I tried and it seems like it can’t find the file: nginx_1 | 2018/11/16 13:24:37 [error] 7#7: *51 open() "/var/www/letsencrypt/.well-known/acme-challenge/test.txt" failed (2: No such file or directory), client: ...., server: <domain>, request: "GET /.well-known/acme-challenge/test.txt HTTP/1.1", host: "<domain>". It’s somehow searching on the wrong path.


#10

Okay. By using alias and changing the nginx conf to

    location /.well-known/acme-challenge/ {
        allow all;
        alias /var/www/letsencrypt/;
    }

I can get the test file: curl http://<url>/.well-known/acme-challenge/test.txt. Unfortunately I still have a 404

I also don’t think it’s a permission issue because certbot seems to be able to create files. I tried like that $ docker-compose run certbot --help; touch /var/www/letsencrypt/aaa.txt (var/www/letsencrypt is shared)


#11

Is it possible that it’s an issue related to IPv6? I get curl: (6) Could not resolve host: <....> when I try this command: curl -ikL6 http://<url>/.well-known/acme-challenge/test.txt (working fine with -ikL4)

Does anyone have an idea? I’m pretty much lost at this point :frowning:


#12

Does your domain use IPv4 and IPv6?

Try specific dedicated location:
location /.well-known/acme-challenge/ {
allow all;
root /acme-challenges/;
}

[requires: mkdir /acme-challenges]
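As an added example (not code from this thread), here is a small model of how nginx turns a request URI into a file path under `root` versus `alias`, and of where certbot's webroot authenticator (`--webroot -w <path>`; the `--standalone` authenticator runs its own listener and writes no files) puts its token, so the two can be compared for the configs in posts #9, #10 and #12. The token value is the one from post #1 and the paths are those quoted in the thread; the functions are hypothetical helpers written for this illustration.

```python
"""Model of nginx `root` vs `alias` path mapping against certbot's webroot layout."""
from pathlib import PurePosixPath

# certbot's webroot plugin writes each token to <webroot>/.well-known/acme-challenge/<token>
ACME_PREFIX = "/.well-known/acme-challenge/"


def nginx_file_path(directive: str, location: str, path_value: str, uri: str) -> str:
    """Return the file nginx would open() for `uri` inside a prefix `location`.

    root:  file = <root> + <full request URI>   (the location prefix is kept)
    alias: file = <alias> + <URI after the location prefix>
    `location` is treated as a plain prefix; alias with a regex location needs
    captures and is not modelled here.
    """
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} does not match location {location!r}")
    if directive == "root":
        return str(PurePosixPath(path_value) / uri.lstrip("/"))
    if directive == "alias":
        return str(PurePosixPath(path_value) / uri[len(location):])
    raise ValueError(f"unknown directive {directive!r}")


def certbot_token_path(webroot: str, token: str) -> str:
    """Where `certbot --webroot -w <webroot>` places the challenge file."""
    return str(PurePosixPath(webroot) / ACME_PREFIX.lstrip("/") / token)


def challenge_served(directive: str, location: str, path_value: str,
                     webroot: str, token: str = "c1mXZoarf") -> bool:
    """True if nginx opens exactly the file certbot writes for this token."""
    uri = ACME_PREFIX + token
    return nginx_file_path(directive, location, path_value, uri) == certbot_token_path(webroot, token)


if __name__ == "__main__":
    # Post #9: root + regex location -> root keeps the whole URI (matches the logged path)
    print(nginx_file_path("root", "/.well-known", "/var/www/letsencrypt", ACME_PREFIX + "test.txt"))
    # Post #10: alias strips the prefix, so a hand-placed test.txt is found...
    print(nginx_file_path("alias", ACME_PREFIX, "/var/www/letsencrypt/", ACME_PREFIX + "test.txt"))
    # ...but certbot's webroot file for the same webroot would not be
    print(challenge_served("alias", ACME_PREFIX, "/var/www/letsencrypt/", "/var/www/letsencrypt"))
    # Post #12: root /acme-challenges/ lines up with -w /acme-challenges
    print(challenge_served("root", ACME_PREFIX, "/acme-challenges/", "/acme-challenges"))
```

The practical check is the same as in post #8: place a file, then confirm with curl over both -4 and -6 that the URL the validator will fetch returns it, since an AAAA record that resolves but is not served will be tried first.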