A fresh noob needs help for its first certificate

Hello,
I own an OVH VPS and a domain pointing to it with several subdomains like vpn.mydomain.ovh (for my VPN) and media.mydomain.ovh (for my muximux). I tried to install a certificate for media but it failed (for other subdomains also) using:

~/letsencrypt$ sudo ./letsencrypt-auto

But as a result I have this error and I do not know what to do or what to check.
I have added an AAAA record for the IPv6 of my VPS with no positive result.

    Domain: media.mydomain.ovh
    Type:   unauthorized
    Detail: Invalid response from
    http://media.mydomain.ovh/.well-known/acme-challenge/WyxV8RbmiQIKrt93S5xh0B76WJKN0jLtN38KdNOIYmc
    [xxx.xxx.xxx.xxx]: "<html>\r\n<head><title>404 Not
    Found</title></head>\r\n<body>\r\n<center><h1>404 Not
    Found</h1></center>\r\n<hr><center>nginx/1.16.1</ce"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

We need to know what choices you made when certbot asked.

If you don't remember, use sudo ./letsencrypt-auto --dry-run and try.

Please show the nginx section for media.mydomain.ovh

The sonarr section does not work, by the way… I am not yet comfortable with nginx.

    server {
      listen 80;
      # listen [::]:80;
      server_name media.mydomain.ovh;

      access_log /var/log/nginx/media.mydomain.ovh.log;

      location / {
          proxy_pass http://localhost:8010/;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect off;
          proxy_buffering off;
          }

      location /sonarr {
          proxy_pass http://localhost:8989/;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect off;
          proxy_buffering off;
          }
    }

Hi @redfirebrooks

Your domain name is required.

I tried this

    master@vps726152:~/letsencrypt$ sudo ./letsencrypt-auto --dry-run certonly
    ./letsencrypt-auto has insecure permissions!
    To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Nginx Web Server plugin (nginx)
    2: Spin up a temporary webserver (standalone)
    3: Place files in webroot directory (webroot)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
    Plugins selected: Authenticator nginx, Installer None
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
    to cancel): media.mydomain.ovh
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for media.mydomain.ovh
    Waiting for verification...
    Challenge failed for domain media.mydomain.ovh
    http-01 challenge for media.mydomain.ovh
    Cleaning up challenges
    Some challenges have failed.

Please provide the actual domain name and this file:

The log attached letsencrypt.txt (22.9 KB)

From your log file:

      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://media.exstasi.ovh/.well-known/acme-challenge/pcugupwK-lcbV2ni-oiOlx5ggTWGSMkttdEhn2VweOk [145.239.87.58]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003enginx/1.16.1\u003c/ce\"",
        "status": 403
      },

    Domain: media.exstasi.ovh
    Type:   unauthorized
    Detail: Invalid response from http://media.exstasi.ovh/.well-known/acme-challenge/pcugupwK-lcbV2ni-oiOlx5ggTWGSMkttdEhn2VweOk [145.239.87.58]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.16.1</ce"

We can see that there are authorization requirements to reach files in the /.well-known/acme-challenge/ directory.
That is bad.
The /.well-known/acme-challenge/ folder must not require any type of login.


But typically with --nginx or choosing the nginx authenticator from the menu, Certbot should take care of ensuring that it doesn't!


I tried

sudo certbot --dry-run renew --nginx

but it gives the same errors

Attempting to renew cert (media.exstasi.ovh) from /etc/letsencrypt/renewal/media.exstasi.ovh.conf produced an unexpected error: Failed authorization procedure. media.exstasi.ovh (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://media.exstasi.ovh/.well-known/acme-challenge

I give up.
How can I uninstall all this certbot and other stuff like letsencrypt?

Checking your domain - https://check-your-website.server-daten.de/?q=media.exstasi.ovh

HTTP is correct, answers. Checking /.well-known/acme-challenge/random-filename has the expected result HTTP status 404 - Not Found. HTTPS sends the `exstasi.ovh` certificate.

So your vHost configuration is wrong / buggy / missing.

What says

nginx -T

This is the output of “sudo nginx -T”: nginxT.txt (15.4 KB)

Why do you think that should work?

You have a proxy solution; that's not a noob configuration. So Certbot doesn't know anything about your proxy / backend.

Read

then change your proxy, so /.well-known/acme-challenge doesn't use the proxy.

    include snippets/letsencrypt.conf;
    # configuration file /etc/nginx/snippets/letsencrypt.conf:
    location ^~ /.well-known/acme-challenge/ {
      allow all;
      root /var/lib/letsencrypt/;
      default_type "text/plain";
      try_files $uri =404;
    }

Where does this come from?

If you want to use this, invoke certbot with

certbot --webroot -w /var/lib/letsencrypt

but change that directory and find whoever told you that was a good idea and tell them to pull their head out of their…
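Before pointing `certbot --webroot -w` at a directory, it helps to confirm that nginx really serves /.well-known/acme-challenge/ from that webroot instead of handing it to `proxy_pass` (the 404 with an nginx footer seen earlier in this thread is exactly that symptom). The script below is an added example, not code from the thread or from Certbot; it drops a throw-away token under the webroot, fetches it through the public hostname, and classifies the answer. The hostname, the webroot path and the message texts are assumptions.

```python
"""Pre-flight check for the http-01 challenge path (added example)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url, timeout=10):
    """Plain HTTP GET; returns (status, body) and never raises on HTTP errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx / 5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:           # DNS / connection failure
        return 0, str(err.reason)


def classify(status, body, token):
    """Map the response to the likely nginx misconfiguration."""
    if status == 200 and body.strip() == token:
        return "ok: nginx serves the challenge directory from the webroot"
    if status == 404 and "nginx" in body:
        # Same symptom as the thread: nginx answered (so DNS is fine), but the
        # request went to proxy_pass or the wrong root, not the webroot.
        return "404 from nginx: add a location for /.well-known/acme-challenge/ served from the webroot"
    if status in (401, 403):
        return "auth required: the challenge directory must be reachable without any login"
    return "unexpected response (status %d): check that the host really points here" % status


def probe(domain, webroot, fetch=http_fetch):
    """Write a random token under webroot, fetch it via the public name, clean up."""
    token = secrets.token_urlsafe(24)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    try:
        status, body = fetch("http://%s/%s/%s" % (domain, CHALLENGE_DIR, token))
    finally:
        os.remove(token_file)                      # never leave probe files behind
    return classify(status, body, token)


if __name__ == "__main__":
    import sys
    # usage: python acme_probe.py media.mydomain.ovh /var/lib/letsencrypt
    print(probe(sys.argv[1], sys.argv[2]))
```

The check only passes once the `location ^~ /.well-known/acme-challenge/` block has its `root` set to the same directory given to `-w`, inside the same server block as the proxied `location /`.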

I guess I took it from a tutorial a few months ago but I do not remember exactly.
How can I return to a clean state?

Remove the snippet and remove the lines that include it.

I messed up something, can't access my VPN anymore...
OK, I give up, I can live without a certificate.

No, you definitely cannot.

Relax, we'll be here to help you when you've cleared your mind.

Thanks a lot, but the situation is worse now than before. I can't access my VPN URL anymore.
Now I am completely lost.