404 on challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kacper.grzybnia.de

I ran this command: certbot certonly --nginx --dry-run -d kacper.grzybnia.de -vv

It produced this output: # certbot certonly --nginx --dry-run -d kacper.grzybnia.de -vvRoot logging lev - Pastebin.com

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: AlphaVPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

Additional notes: When I added --nginx-sleep-seconds and set it to some high number so I was able to go through changes in nginx's config myself, before certbot managed to make the requests, I was getting appropriate responses to the challenge URL (for example http://kacper.grzybnia.de/.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU), but remote requests failed anyway.

When I'm making the requests, the nginx access.log looks like this:

[24/Jun/2022:02:46:22 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" kacper.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0"

and when certbot does, it looks like this:

[24/Jun/2022:02:46:23 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" pihole.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 404 143 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I modified nginx's logs like so to get the relevant info:

log_format combined_server '[$time_local] '
                    '"$request" $server_name $host $uri $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

If you take a look at the remote request, it does get matched on a totally different $server_name: pihole.grzybnia.de.
My full nginx config: # configuration file /etc/nginx/nginx.conf:user www-data;worker_processes au - Pastebin.com

1 Like

Shouldn't /etc/nginx/sites-enabled/kacper.grzybnia.de also contain a listen directive? E.g.:

    listen 80;
    listen [::]:80;

You are right! I don't know why it helped, since as I have said, going to that URL myself resulted in the right response, but this fixed it. Thanks!


I think that's the weird part here :grin:


Not so weird, when you consider:

Name:      kacper.grzybnia.de
Addresses: 2a01:4f8:d0:3919::68b3

If you don't have IPv6, then you might get a default IPv4 server block.
If you have IPv6, then you might get another server block.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.