Acme Challenge 404 with webroot

Hello! I am trying to get a subdomain working with https so I can properly host audio provided by Icecast. I run my own icecast instance and by default it is only through http, but it is able to provide the audio through ssl if configured properly on the page. I have been attempting for the past few weeks to get Let's Encrypt to provide an ssl certificate on my page that allows icecast to broadcast to 443 or similar ports, but as seen below, it continues to fail when testing renewals.

I have checked my dns various times so that does not seem to be the issue.

My domain is: radio.youaremachines.com

I ran this command: certbot renew --dry-run

It produced this output:

My web server is (include version): nginx 1.18.0-6.1+deb11u3

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Hello @NoahC, welcome to the Let's Encrypt community. :slightly_smiling_face:

Do you have some geo blocking?

Please read these:

Edit:
And using the online tool Let's Debug yields these results
https://letsdebug.net/radio.youaremachines.com/1964683

UnexpectedHttpResponse
WARNING
Sending an ACME HTTP validation request to radio.youaremachines.com results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>


Trace:
@0ms: Making a request to http://radio.youaremachines.com/.well-known/acme-challenge/letsdebug-test (using initial IP 45.55.196.154)
@0ms: Dialing 45.55.196.154
@195ms: Server response: HTTP 403 Forbidden
1 Like

Thank you for the fast response, my friend! I do not believe I have any geo blocking going on. That 403 is something I am trying to solve now, as just a few moments ago I added a .well-known file to my server based off of what other material online has said. This seems a bit better than getting a 404 over and over again, though; let me know if adding that folder manually is an issue.

2 Likes

Adding the folder manually, with the correct owner and permissions, shouldn't cause an issue, as in the case of a renewal the folder would already be there. The question I would be asking is why the folder wasn't created to begin with.

Edit:
@NoahC, using the online tool Let's Debug now yields these results, showing an IPv6 Address
https://letsdebug.net/radio.youaremachines.com/1964726

AAAANotWorking
ERROR
radio.youaremachines.com has an AAAA (IPv6) record (2604:a880:800:10::add:2001) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with radio.youaremachines.com/2604:a880:800:10::add:2001: Get "http://radio.youaremachines.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://radio.youaremachines.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2604:a880:800:10::add:2001)
@0ms: Dialing 2604:a880:800:10::add:2001
@10000ms: Experienced error: context deadline exceeded

And I see it too with nmap:

nslookup radio.youaremachines.com ns3.epik.com.
Server:         ns3.epik.com.
Address:        45.88.202.88#53

Name:   radio.youaremachines.com
Address: 45.55.196.154
Name:   radio.youaremachines.com
Address: 2604:a880:800:10::add:2001

Also, https://unboundtest.com/ shows an IPv6 address as well.
https://unboundtest.com/m/AAAA/radio.youaremachines.com/4U2FUO5M

Best Practice - Keep Port 80 Open
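Before burning another production attempt, the two failures Let's Debug reported (a 403 on /.well-known/acme-challenge over IPv4, and a timeout on the AAAA address) can be reproduced from the server itself. The script below is an added example, not part of this thread or of Let's Debug: it drops a throwaway token under the webroot, fetches it the way an HTTP-01 validator would (plain HTTP, port 80) once over IPv4 and once over IPv6, and maps the result to the usual cause. It assumes `curl` is installed and that the webroot you pass on the command line is the same directory given to `certbot --webroot -w` and served as `root` by the nginx port-80 server block for the domain; `/var/www/html` in the usage line is a placeholder, not a path from the thread.

```shell
#!/bin/sh
# ACME HTTP-01 webroot pre-flight check (added example, not from the thread).
# Assumption: $webroot is the directory passed to `certbot --webroot -w` and is
# also the `root` nginx serves for this host on port 80.

# Classify a curl exit status plus HTTP status code into one verdict word.
# Pure function (no network) so it can be tested without a server.
diagnose() {
  rc="$1"    # curl exit status (28 = timeout, 6/7 = DNS or connect failure)
  code="$2"  # HTTP status code; curl prints "000" when no response came back
  case "$rc:$code" in
    0:200) echo "ok" ;;
    0:403) echo "forbidden" ;;
    0:404) echo "missing" ;;
    0:*)   echo "http-$code" ;;
    28:*)  echo "timeout" ;;
    *)     echo "unreachable" ;;
  esac
}

# Human-readable hint for each verdict, matching what the thread describes.
explain() {
  case "$1" in
    ok)          echo "token served; the webroot plugin should work on this address family" ;;
    forbidden)   echo "nginx answered 403: check owner/mode of .well-known/acme-challenge and any deny or location rule covering that path" ;;
    missing)     echo "nginx answered 404: the -w path given to certbot is not the root nginx serves for this host on port 80" ;;
    timeout)     echo "no answer within 10 s: port 80 is not reachable on this address family (firewall, or the AAAA record points at a host not listening on [::]:80)" ;;
    unreachable) echo "connection failed before any HTTP response (DNS or refused connection)" ;;
    *)           echo "unexpected status $1 (a redirect to https must itself serve the token)" ;;
  esac
}

# Fetch the token like a validator: plain HTTP, port 80, one address family.
probe() {
  family="$1"   # -4 or -6
  domain="$2"
  token="$3"
  code=$(curl "$family" -s -o /dev/null -m 10 -w '%{http_code}' \
         "http://$domain/.well-known/acme-challenge/$token")
  rc=$?
  verdict=$(diagnose "$rc" "$code")
  printf 'IPv%s: %s - %s\n' "${family#-}" "$verdict" "$(explain "$verdict")"
}

main() {
  domain="$1"
  webroot="$2"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || exit 1
  token="preflight-$(date +%s)"
  printf 'ok\n' > "$dir/$token"
  probe -4 "$domain" "$token"
  probe -6 "$domain" "$token"
  rm -f "$dir/$token"
}

# Only touch the network when a domain and a webroot are given on the command line:
#   sh acme-preflight.sh radio.youaremachines.com /var/www/html
if [ "$#" -eq 2 ]; then
  main "$1" "$2"
fi
```

Run it as root on the Debian box; a `forbidden` on IPv4 plus a `timeout` on IPv6 reproduces exactly what Let's Debug saw, and each verdict points at a different place to look (file ownership and nginx rules versus the firewall and the AAAA record). The script does not follow redirects, so a 301/302 to https appears as `http-301` and only means the redirect target must serve the same path.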

@NoahC one more thing
Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

And you are at the limit. :frowning:
https://tools.letsdebug.net/cert-search?m=domain&q=radio.youaremachines.com&d=168

1 Like

Thank you very much for all this. I will chill out and do some more research before going straight to production tests. I've been dealing with this for the past week so I have done quite a bit of troubleshooting with no success as you can see ):

This all stemmed from when I attempted to get icecast to serve over https, because before I just had radio.youaremachines.com certified using the --nginx option and that worked like a charm.

2 Likes

@NoahC there are other Free ACME Certificate Authorities also

3 Likes