503 error - Type: unauthorized

Hello community,

Please help me! :frowning:

I have problem when try obtain an SSL/TLS certificate for the domain.

My domain is:

I ran this command:
sudo certbot certonly --webroot -w /var/www/uasminas.medellin.unal.edu.co/html -d uasminas.medellin.unal.edu.co

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for uasminas.medellin.unal.edu.co

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: uasminas.medellin.unal.edu.co
  Type:   unauthorized
  Detail: Invalid response from http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE: 503

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu Server 22.04 LTS

My hosting provider, if applicable, is:
Organization's servers, virtual machine.

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site:

The version of my client is:
certbot 1.21.0

Other informarion:


uasminas.medellin.unal.edu.co file in /etc/nginx/sites-available:

server {
        listen 80;
        listen [::]:80;

        root /var/www/uasminas.medellin.unal.edu.co/html;
        index index.html index.htm index.nginx-debian.html;

        server_name uasminas.medellin.unal.edu.co;

        location / {
                try_files $uri $uri/ =404;

ufw status:

Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere                                  
443                        ALLOW       Anywhere                                          
80 (v6)                    ALLOW       Anywhere (v6)              
443 (v6)                   ALLOW       Anywhere (v6)             

Thanks! :slight_smile:

Hola @Lucas,

When I try this request, I see a 404 error rather than the 503 error. I can't think of a reason why nginx would return the 503 error under any circumstances when trying to serve a static file. Can you find this 503 error in your nginx server log?

Is it possible that there's some kind of proxy or web application firewall in between your server and the Internet that might have returned the 503 error, perhaps because of geographic IP address blocking or something?


If I try impersonating the user agent of the Let's Encrypt validation server I get an Application Blocked page:

curl http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE: -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"


<h1>Aplicacion Bloqueada!</h1>
<p>El acceso a esta aplicacion es bloqueado por las politicas de seguridad de la Universidad. <br></br> Por favor comuniquese con el administrador de seguridad si considera que es un error.</p>
<p><b>User:</b> </p>
<p><b>Application:</b> acme-protocol </p>

This is perhaps the Palo Alto firewall block issue, so speak to your firewall administrator.


I concur:
curl http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

<title>Application Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
<body bgcolor="#e7e8e9">
<div align="center">

        <br></br><img src="http://www.medellin.unal.edu.co/Medellin_950/images/Escudo_UN.png" border=1 height=70 width=190></img>


<div id="content">
<h1>Aplicacion Bloqueada!</h1>
<p>El acceso a esta aplicacion es bloqueado por las politicas de seguridad de la Universidad. <br></br> Por favor comuniquese con el administrador de seguridad si considera que es un error.</p>
<p><b>User:</b> [MY.IP] </p>
<p><b>Application:</b> acme-protocol </p>

curl http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE

<head><title>404 Not Found</title></head>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>

Great catch!


Thanks to all of you:


Yes, the problem was, again, Palo Alto Firewall. After having several conversations with the organization's Palo Alto Firewall administrator, after he tried several alternatives, the goal was achieved.

He said: "It was necessary to enable the acme protocol (outgoing and incoming requests) on the Palo Alto firewall so that outgoing requests install the certificate and incoming requests are read by the external client"

The key to solving the problem, which will guide the Firewall administrator, was in the command suggested by webprofusion. When executing the curl command on an organization's computer, it gave the expected message 404 (because this was only a test and the file did not exist on the server), BUT when running the same command outside the organization, the HTML error indicated by webprofusion was displayed.

Thanks again!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.