I have a problem when trying to obtain an SSL/TLS certificate for the domain.
My domain is: uasminas.medellin.unal.edu.co
I ran this command: sudo certbot certonly --webroot -w /var/www/uasminas.medellin.unal.edu.co/html -d uasminas.medellin.unal.edu.co
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for uasminas.medellin.unal.edu.co
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: uasminas.medellin.unal.edu.co
Type: unauthorized
Detail: 168.176.97.241: Invalid response from http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu Server 22.04 LTS
My hosting provider, if applicable, is:
Organization's servers, virtual machine.
I can login to a root shell on my machine (yes or no, or I don't know):
yes.
When I try this request, I see a 404 error rather than the 503 error. I can't think of a reason why nginx would return the 503 error under any circumstances when trying to serve a static file. Can you find this 503 error in your nginx server log?
Is it possible that there's some kind of proxy or web application firewall in between your server and the Internet that might have returned the 503 error, perhaps because of geographic IP address blocking or something?
If I try impersonating the user agent of the Let's Encrypt validation server I get an Application Blocked page:
curl http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
...
<h1>Aplicacion Bloqueada!</h1>
<p>El acceso a esta aplicacion es bloqueado por las politicas de seguridad de la Universidad. <br></br> Por favor comuniquese con el administrador de seguridad si considera que es un error.</p>
<p><b>User:</b> 101.118.201.205 </p>
<p><b>Application:</b> acme-protocol </p>
...
This is perhaps the Palo Alto firewall block issue, so speak to your firewall administrator.
I concur: curl http://uasminas.medellin.unal.edu.co/.well-known/acme-challenge/8LVncFwUGskCtZfVWI0WeBipUdE991k4--vYgucCwfE -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
<html>
<head>
<title>Application Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div align="center">
<br></br><img src="http://www.medellin.unal.edu.co/Medellin_950/images/Escudo_UN.png" border=1 height=70 width=190></img>
<h1></h1>
</div>
<div id="content">
<h1>Aplicacion Bloqueada!</h1>
<p>El acceso a esta aplicacion es bloqueado por las politicas de seguridad de la Universidad. <br></br> Por favor comuniquese con el administrador de seguridad si considera que es un error.</p>
<p><b>User:</b> [MY.IP] </p>
<p><b>Application:</b> acme-protocol </p>
</div>
</body>
</html>
Yes, the problem was, again, Palo Alto Firewall. After having several conversations with the organization's Palo Alto Firewall administrator, after he tried several alternatives, the goal was achieved.
He said: "It was necessary to enable the acme protocol (outgoing and incoming requests) on the Palo Alto firewall so that outgoing requests install the certificate and incoming requests are read by the external client"
The key to solving the problem, which will guide the firewall administrator, was in the command suggested by webprofusion. When executing the curl command on an organization's computer, it gave the expected 404 message (because this was only a test and the file did not exist on the server), BUT when running the same command outside the organization, the HTML error indicated by webprofusion was displayed.
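The diagnostic described in this thread (fetch the challenge URL with a browser-like user agent and with the Let's Encrypt validation server's user agent, from inside and from outside the organization, and compare what comes back) can be scripted. The following is an added example, not code from the thread or from Certbot; `probe()` and `classify_response()` are assumed helper names, and the block-page markers are taken from the HTML quoted above.

```python
import re
import urllib.error
import urllib.request

# User agent string presented by the Let's Encrypt validation server (quoted in the thread).
LE_USER_AGENT = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
                 "+https://www.letsencrypt.org)")
BROWSER_USER_AGENT = "Mozilla/5.0"

# Markers of the firewall's "Application Blocked" page as quoted in the thread.
BLOCK_TITLE = re.compile(r"<title>\s*Application Blocked\s*</title>", re.I)
BLOCK_APP = re.compile(r"<b>Application:</b>\s*([\w.-]+)", re.I)


def classify_response(status, body):
    """Classify one HTTP response to an ACME http-01 challenge URL.

    Returns 'blocked:<app-id>' when the body is the firewall block page
    (whatever status code the middlebox used), 'served' for 200,
    'not-found' for an nginx 404, and 'unexpected:<status>' otherwise.
    """
    if BLOCK_TITLE.search(body):
        app = BLOCK_APP.search(body)
        return "blocked:" + (app.group(1) if app else "unknown")
    if status == 200:
        return "served"
    if status == 404:
        return "not-found"
    return "unexpected:%d" % status


def fetch(url, user_agent, timeout=10):
    """GET url with the given User-Agent; return (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(domain, token="probe-token"):
    """Fetch the challenge path with both user agents and classify each answer.

    A result like {'browser': 'not-found', 'letsencrypt': 'blocked:acme-protocol'}
    means an app-ID firewall, not nginx, is answering the validation server.
    """
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    return {"browser": classify_response(*fetch(url, BROWSER_USER_AGENT)),
            "letsencrypt": classify_response(*fetch(url, LE_USER_AGENT))}
```

Run `probe("example.org")` once from a host inside the organization's network and once from outside; only the outside run sees what the CA sees.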