404 on challenge

Kavelach · June 24, 2022, 6:53am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kacper.grzybnia.de

I ran this command: certbot certonly --nginx --dry-run -d kacper.grzybnia.de -vv

It produced this output: # certbot certonly --nginx --dry-run -d kacper.grzybnia.de -vvRoot logging lev - Pastebin.com

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: AlphaVPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

Additional notes: When I added --nginx-sleep-seconds and set it to some high number so I was able to go through changes in nginx's config myself, before certbot managed to make the requests, I was getting appropriate responses to the challenge URL (for example http://kacper.grzybnia.de/.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU), but remote requests failed anyway.

When I'm making the requests, the nginx access.log looks like this:

[24/Jun/2022:02:46:22 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" kacper.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0"

and when certbot does, it looks like this:

[24/Jun/2022:02:46:23 -0400] "GET /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU HTTP/1.1" pihole.grzybnia.de kacper.grzybnia.de /.well-known/acme-challenge/a1Y-bBmgmfpUsmnuqW4dBW-W98yir5vOf6rMPbHKlbU 404 143 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I modified nginx's logs like so to get the relevant info:

log_format combined_server '[$time_local] '
                    '"$request" $server_name $host $uri $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

If you take a look at the remote request, it does get matched on a totally different $server_name: pihole.grzybnia.de.
My full nginx config: # configuration file /etc/nginx/nginx.conf:user www-data;worker_processes au - Pastebin.com

Osiris · June 24, 2022, 9:40am

Shouldn't /etc/nginx/sites-enabled/kacper.grzybnia.de also contain a listen directive? E.g.:

    listen 80;
    listen [::]:80;

Kavelach · June 24, 2022, 10:02am

You are right! I don't know why it helped, since as I have said, going to that URL myself resulted in the right response, but this fixed it. Thanks!

Osiris · June 24, 2022, 10:05am

I think that's the weird part here

rg305 · June 24, 2022, 6:02pm

Not so weird, when you consider:

Name:      kacper.grzybnia.de
Addresses: 2a01:4f8:d0:3919::68b3
           194.35.12.231

If you don't have IPv6, then you might get a default IPv4 server block.
If you have IPv6, then you might get another server block.