404 on .well-known

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

This is my /etc/nginx/sites-available/jinbin:

server {
  listen 80;
  listen [::]:80;

  server_name jinb.in;
  root /home/koomen/jinbin/src/public;

  passenger_enabled on;
  passenger_app_env production;

  location /cable {
    passenger_app_group_name jinbin_websocket;
    passenger_force_max_concurrent_requests_per_process 0;
  }

  location ~ /.well-known {
    allow all;
    root /home/koomen/jinbin/src/public;
  }

  # Allow uploads up to 100MB in size
  client_max_body_size 100m;

  location ~ ^/(assets|packs) {
    expires max;
    gzip_static on;
  }
}

I’m quite new to using nginx as well, so if I have to change the configuration, please let me know.

My domain is: jinb.in

I ran this command: sudo certbot -d 'jinb.in' --staging (using --staging since I was at my limit of 5 per hour)

It produced this output:

$ sudo certbot -d 'jinb.in' --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jinb.in
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. jinb.in (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jinb.in/.well-known/acme-challenge/RqdzMkqC8JwY1dWV94KDezEK6MXmSIAtumgCYT3M4AQ [2a02:2268:ffff:ffff::4]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jinb.in
   Type:   unauthorized
   Detail: Invalid response from
   http://jinb.in/.well-known/acme-challenge/RqdzMkqC8JwY1dWV94KDezEK6MXmSIAtumgCYT3M4AQ
   [2a02:2268:ffff:ffff::4]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD
   HTML 2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: hostnet.nl

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no (it’s a vps)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


I tried quite a few links and read other posts on letsencrypt.org, but nothing worked properly. When I create a file at /home/koomen/jinbin/src/public/.well-known/acme-challenge/test and open it in Firefox, it gives a prompt to download, so I am able to reach it; but when certbot generates it, I get the error, and I can’t even find a .well-known folder anywhere on my system.


Your IPv4 and IPv6 addresses appear to be two different servers: https://letsdebug.net/jinb.in/118944

If your Digital Ocean droplet has an IPv6 address, update your domain’s AAAA DNS record with it.

Otherwise, just remove the current AAAA DNS record.


But this wouldn't fix the problem I have, right?

I think it would fix your problem, yes.

As you can see in your error message:

Let's Encrypt is connecting to the IPv6 address for your domain.

Since that address isn't hosting your nginx server (obviously), it will always be a 404, and the process will fail.

By fixing/removing the errant IPv6 address, Let's Encrypt would stop connecting to the wrong place when checking the validation challenge.

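A pre-flight check for the failure mode described in the reply above, added here as an example and not part of the thread: it resolves both the A and AAAA records of the domain, writes a throwaway file into the challenge directory, fetches it from every address with the Host header still set to the domain (which is how the validator connects), and reports which address answers 404 or not at all. The domain and webroot default to the values in the posted nginx config; the token, the function names and the dig/curl invocations are this example's own. It needs bash, dig (dnsutils) and curl on the VPS.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check that every address behind a domain's
# A and AAAA records serves the same http-01 challenge file before certbot runs.
# Domain and webroot default to the values in the posted config; the token is
# constructed here and is not a real ACME token. Needs dig (dnsutils) and curl.

DOMAIN="${1:-jinb.in}"
WEBROOT="${2:-/home/koomen/jinbin/src/public}"

# classify STATUS BODY TOKEN: print a verdict for one address and return 0 only
# when that address would satisfy the validator (HTTP 200 with the exact token).
classify() {
  local status="$1" body="$2" token="$3"
  case "$status" in
    200) if [ "$body" = "$token" ]; then echo ok; return 0; fi
         echo wrong-content; return 1 ;;   # some other site answered here
    404) echo not-found; return 1 ;;       # what the poster saw from the IPv6 address
    000) echo unreachable; return 1 ;;     # curl could not connect at all
    *)   echo "http-$status"; return 1 ;;
  esac
}

# resolve FAMILY DOMAIN: print the A or AAAA addresses, one per line; the grep
# drops the CNAME targets that dig +short prints alongside them.
resolve() {
  dig +short "$2" "$1" | grep -E '^[0-9a-fA-F.:]+$'
}

# probe DOMAIN ADDR TOKEN: fetch the challenge URL from one specific address
# while keeping the Host header set to the domain, as the validator does.
# Prints "<status> <body>"; curl reports status 000 when it cannot connect.
probe() {
  local domain="$1" addr="$2" token="$3" target out status body
  case "$addr" in
    *:*) target="$domain:80:[$addr]" ;;   # IPv6 literal must be bracketed
    *)   target="$domain:80:$addr" ;;
  esac
  out=$(curl -s --max-time 10 --resolve "$target" -w '\n%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
  status=${out##*$'\n'}
  body=${out%$'\n'*}
  printf '%s %s\n' "$status" "$body"
}

# main: drop a probe file into the webroot, test it from each address, clean up.
# Exit status is non-zero if any address would fail validation.
main() {
  local dir="$WEBROOT/.well-known/acme-challenge"
  local token="probe-$$-$RANDOM" rc=0 family addr out verdict
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || {
    echo "cannot write to $dir" >&2; return 2; }
  for family in A AAAA; do
    for addr in $(resolve "$family" "$DOMAIN"); do
      out=$(probe "$DOMAIN" "$addr" "$token")
      verdict=$(classify "${out%% *}" "${out#* }" "$token") || rc=1
      printf '%-4s %-40s %s\n' "$family" "$addr" "$verdict"
    done
  done
  rm -f "$dir/$token"
  return "$rc"
}

# Runs only when a domain is given, e.g.:
#   ./acme-probe.sh jinb.in /home/koomen/jinbin/src/public
if [ "$#" -gt 0 ]; then main "$@"; fi
```

In the situation the thread describes, the A row would be expected to read `ok` (the poster could fetch a test file in a browser) and the AAAA row `not-found`, because the IPv6 address belongs to a different server. Running this after changing the DNS record, and waiting for the old AAAA record's TTL to expire, tells you whether certbot will pass before you spend another attempt against the rate limit.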

Should I remove it at my domain provider, hostnet.nl? Because I do my DNS there. DigitalOcean is just the VPS itself for me. I don't manage my domain there, or should I do that?


Yes, your nameservers are with hostnet, so you should remove the AAAA address there.


That indeed fixed the problem! Many thanks for the quick and helpful replies!


You could have just replaced it with the actual IPv6 address of the DigitalOcean VPS.


I do want to ask 1 more thing about my nginx config. I read online many different solutions for this part:

server {
  ..

  location ~ /.well-known {
    allow all;
    root /home/koomen/jinbin/src/public;
  }
}

but is that part right? Or do I need to remove the root property? Like so:

server {
  ..

  location ~ /.well-known {
    allow all;
  }
}

You don't need that location block. It might be useful when using certbot --webroot, but with certbot --nginx it's not needed.

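For the webroot route the reply mentions, an added example that is not from the thread and not certbot's or nginx's own code: a bash helper that prints a tighter version of the poster's location block, checks that the webroot path can be traversed by a worker running as a different user, and shows the certbot --webroot invocation. The paths default to those in the posted config; the snippet file name, the function names and the www-data reasoning are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: webroot-style challenge serving for nginx.
# Paths default to the posted config; the snippet file name is an assumption.

WEBROOT="${WEBROOT:-/home/koomen/jinbin/src/public}"
DOMAIN="${DOMAIN:-jinb.in}"
SNIPPET="${SNIPPET:-/etc/nginx/snippets/acme-challenge.conf}"

# acme_snippet WEBROOT: print a location block that serves only the challenge
# directory. "^~" is a prefix match that takes priority over the regex
# locations in the posted config (the posted "~ /.well-known" is a regex whose
# unescaped dot also matches /xwell-known). default_type gives the
# extensionless token files a text type; without it nginx answers
# application/octet-stream, which is why Firefox offered a download.
acme_snippet() {
  cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    root $1;
    default_type "text/plain";
    allow all;
}
EOF
}

# path_traversable_by_others PATH: every directory from / down to PATH needs the
# "others" execute bit, or a worker running as www-data cannot read files under
# a home directory such as /home/koomen. Uses the mode string from GNU stat; its
# last character is the others-execute bit ("x", or "t" when sticky is also set).
path_traversable_by_others() {
  local p="$1" cur="" part
  local -a parts
  IFS=/ read -r -a parts <<< "${p#/}"
  for part in "${parts[@]}"; do
    [ -n "$part" ] || continue
    cur="$cur/$part"
    [ -d "$cur" ] || { echo "missing: $cur"; return 1; }
    case "$(stat -c '%A' "$cur")" in
      *[xt]) ;;
      *) echo "not traversable by others: $cur"; return 1 ;;
    esac
  done
  echo "ok: $p"
}

# install_and_issue: check the webroot, write the snippet, validate the whole
# nginx config, reload, then ask certbot for a certificate via the webroot
# plugin. --dry-run uses the staging environment, so it does not count against
# the production failed-validation limit the poster ran into.
# The server {} block still needs the line: include snippets/acme-challenge.conf;
install_and_issue() {
  path_traversable_by_others "$WEBROOT" || return 1
  acme_snippet "$WEBROOT" > "$SNIPPET" || return 1
  nginx -t && systemctl reload nginx || return 1
  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" --dry-run
}
```

With `certbot --nginx`, as the reply says, none of this is needed: the nginx plugin edits the running configuration itself for the duration of the challenge. The snippet matters when the webroot plugin is used, or when the app server (Passenger here) is expected to answer everything else under /.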

Okay, clear. Thanks a lot!

