404 on .well-known/acme-challenge/

After running the command: ./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d codepajamas.com -d www.codepajamas.com I get the following errors reported. Note: I’m running all these commands from a sudo user.

Domain: codepajamas.com
Type:   unauthorized
Detail: Invalid response from http://codepajamas.com/.well-known/acme-challenge/xd7VVkpRwg6587WsOp1MOAn6CDCvRFst_SzkTqbGo9s
[104.131.79.107]: 404

Domain: www.codepajamas.com
Type:   unauthorized
Detail: Invalid response from http://www.codepajamas.com/.well-known/acme-challenge/g2HetonoGE3ioZYg2Inmm0Dcf1zpx5kro0CVHbE7-Aw
[104.131.79.107]: 404

I’m running Nginx and Unicorn to a Ruby on Rails app and when I visit the page in the browser I get the Rails default 404 error message instead of my test page I created. All folders are set to permissions 755. Since I’m using Nginx my well-known folder location is actually at: /usr/share/nginx/html/.well-known

In my Nginx configuration file at /etc/nginx/sites-available/default I set the following

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    location ~ /.well-known {
        allow all;
    }
}

I followed all the instructions from here: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Anyone have any suggestions? Much appreciated.

If you create the file /usr/share/nginx/html/.well-known/acme-challenge/test with contents “success”

can you reach it externally OK using http://codepajamas.com/.well-known/acme-challenge/test ?


You mentioned that you’re using unicorn as a backend server. You should have a proxy_pass directive pointing to the unicorn port or socket somewhere in your server block, or otherwise nginx wouldn’t be sending traffic to unicorn. Are you sure this is the correct server block/config file?

At http://codepajamas.com/.well-known/acme-challenge/test I get a standard 404 screen from Rails (which means my Rails app is spun up by Nginx and Unicorn and there is no route for /.well-known/…); the test file does not appear.

I set all permissions on /usr/share/nginx/html/.well-known to 755 also. There was nothing in the folder and there are no pem files appearing in /etc/letsencrypt/ either…

Good question. I also have another Nginx config file at: /etc/nginx/nginx.conf

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
	worker_connections 768;
}

http {

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	gzip on;
	gzip_disable "msie6";

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

and …

I found a few other files for nginx at /etc/default/nginx, but I’m on a Digital Ocean server and following their explicit directions of where to update the Nginx file, so hopefully it is the correct location. https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

Thanks,

Those instructions are not specific to your hosting provider. These things work exactly the same on every VPS/dedicated server out there.

More specifically, those instructions work on a standard nginx instance. In your case, however, you’re using nginx as a reverse proxy, forwarding all traffic to unicorn. Unicorn doesn’t know (or care) about nginx’s webroot, nor does rails.

You can use grep -r "proxy_pass" /etc/nginx to find the configuration file that actually handles the traffic to your rails app, and add the following section in the server block:

location ~ /\.well-known/acme-challenge {
	root /usr/share/nginx/html;
}

This will tell nginx that requests to /.well-known/acme-challenge should be served from your webroot (/usr/share/nginx/html), while everything else will still be served by unicorn/rails.

Thanks @pfg,

The grep returns search results:

/etc/nginx/sites-available/default
/etc/nginx/sites-available/rails

I added the line as you suggested

location ~ /\.well-known/acme-challenge {
	root /usr/share/nginx/html;
}

to both default and rails. The latter file, rails, is most likely the one that connects my Rails app.

Then I ran the command sudo service nginx reload, but when I try to run

./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d codepajamas.com -d www.codepajamas.com

I still get the same 404 errors.

I definitely think /etc/nginx/sites-available/rails is the correct file after looking it over.

upstream app_server {
    server unix:/var/run/unicorn.sock fail_timeout=0;
}

server {
    listen 80;
    root /home/rails/rails_project/public;
    server_name _;
    index index.htm index.html;

    location / {
        try_files $uri/index.html $uri.html $uri @app;
    }

    location ~* ^.+\.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|mp3|flv|mpeg|avi)$ {
        try_files $uri @app;
    }

    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\.well-known/acme-challenge {
        root /usr/share/nginx/html;
    }
}

One thing that this changed is that now the 404 page is the Nginx/Ubuntu 404 page and no longer the Rails 404 page.

Hi, I made progress. I had to change one little thing about your code: I instead had to remove the /acme-challenge and do just:

location ~ /.well-known {
    allow all;
    root /usr/share/nginx/html;
}

After that I can see my test file and no longer get 404.
Now I’m getting a new 500 error related to something else:

DeserializationError('The following field are required: detail',)

so I’ll read up a bit on the error log and make a new thread if I get stuck. Thanks for your help @pfg!
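Why the merged block above worked, and a cleaner way to get the same result: nginx checks `~` regex locations in the order they appear and stops at the first match, so in the earlier config the `location ~ /.well-known { allow all; }` block matched first, inherited the Rails `root`, and the `acme-challenge` block beneath it was never reached. The following is an added, complete rewrite of the rails server block (not a config from the thread or from Let's Encrypt) that uses a `^~` prefix location, which wins before any regex location is consulted; the upstream socket, Rails root and webroot path are taken from the thread, everything else is assumed.

```nginx
upstream app_server {
    server unix:/var/run/unicorn.sock fail_timeout=0;
}

server {
    listen 80;
    server_name _;
    root /home/rails/rails_project/public;
    index index.htm index.html;

    # ACME HTTP-01 challenge files, served from the same directory passed as
    # --webroot-path. "^~" is a prefix match that also tells nginx to skip all
    # "~" regex locations, so block ordering can no longer swallow the request.
    # The webroot must be readable by the nginx worker user (www-data here).
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else keeps going to the Rails app via unicorn, as before.
    location / {
        try_files $uri/index.html $uri.html $uri @app;
    }

    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }
}
```

After `nginx -t` and a reload, the test-file check suggested earlier in the thread (curl http://codepajamas.com/.well-known/acme-challenge/test) should return the file contents rather than a Rails or nginx 404.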

This might be related to a partial outage that just started: Let's Encrypt Status

It'll probably work in a bit.

Thanks, will try again in 30 minutes… Shortly after I got that initial 500 error I tried again and got a different error:

raise errors.MissingNonce(response)
MissingNonce: Server POST response did not include a replay nonce, headers: {'Content-Length': '1488', 'Expires': 'Tue, 10 May 2016 16:57:05 GMT', 'Server': 'nginx', 'Connection': 'close', 'ETag': '"55f255cc-5d0"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 10 May 2016 16:57:05 GMT', 'Content-Type': 'text/html'}

Perhaps this is also due to the partial outage?

This issue resolved itself; I think it was just because of the outage. I was able to get the certificate! Hurray, thanks LetsEncrypt! :slight_smile:
