Acme-challenge directory is up, but cert challenge still failed


#1

Hi, I’m trying to install a cert on a VPS intended to use subdomain media.smarteye.id.
I already created the .well-known/acme-challenge dir, and can test a file from that dir. (It’s still available on: http://media.smarteye.id/.well-known/acme-challenge/test.html).

I use nginx as webserver and here is the content of the “server” block:
server {
    listen 80;
    server_name media.smarteye.id;
    root /home/ubuntu;

    ###########################################################################################
    # General
    ###########################################################################################
    location ^~ /.well-known/ {
        access_log           off;
        log_not_found        off;
        root                 /home/ubuntu;
        autoindex            off;
        index                index.html; # "no-such-file.txt", if expected protos don't need it
        try_files            $uri $uri/ =404;
    }

    location / {
        index                       index.html;
    }
}

The error message mentions possibility of AAAA IPv6 entry so I checked that as well. It seems there is no IPv6 entry for my site:

fahmi@fahmi-pc:~$ curl -X GET -I -6 http://media.smarteye.id/.well-known/acme-challenge/test.txt
curl: (6) Could not resolve host: media.smarteye.id
fahmi@fahmi-pc:~$ curl -X GET -I -4 http://media.smarteye.id/.well-known/acme-challenge/test.txt
HTTP/1.1 200 OK
Server: nginx/1.11.5
Date: Thu, 30 Aug 2018 01:54:48 GMT
Content-Type: text/plain
Content-Length: 7
Last-Modified: Thu, 30 Aug 2018 01:45:30 GMT
ETag: "5b874c3a-7"
Accept-Ranges: bytes

My domain is:
media.smarteye.id

I ran this command:
sudo certbot --nginx certonly -d media.smarteye.id

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for media.smarteye.id
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. media.smarteye.id (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://media.smarteye.id/.well-known/acme-challenge/-HC8uTlbnLBV5JeRQhyp7GXaEZjSxw3t38a8fHbNl5M: "

404 Not Found

404 Not Found


"

IMPORTANT NOTES:

My web server is (include version): Nginx 1.11.5

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
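A pre-flight check for the http-01 path described above, written as an added example (not code from the original post or from certbot): it drops a random token file where certbot's webroot authenticator would put it, fetches it over HTTP the way the validator does, and reports which A/AAAA records the name resolves to. It assumes the webroot is the nginx `root` directory (/home/ubuntu in the config above) and that it runs on the VPS itself.

```python
#!/usr/bin/env python3
"""Pre-flight check for an ACME http-01 challenge path (added example)."""
import os
import secrets
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_path(webroot, token):
    # nginx maps /.well-known/acme-challenge/<token> to <root>/.well-known/acme-challenge/<token>:
    # a `root` inside a `location` appends the full URI, only `alias` would strip the prefix,
    # so the webroot handed to certbot is the `root` directory, not the acme-challenge directory.
    return os.path.join(webroot, CHALLENGE_DIR, token)


def address_records(host):
    """Return A and AAAA answers; a stale AAAA makes the validator prefer IPv6 and fail."""
    out = {}
    for name, fam in (("A", socket.AF_INET), ("AAAA", socket.AF_INET6)):
        try:
            out[name] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, fam)})
        except socket.gaierror:
            out[name] = []
    return out


def check_body(expected, status, body):
    """Judge one fetch the way the CA does: 200 and an exact token match, nothing else."""
    if status != 200:
        return False, "HTTP %d (another location block or a different nginx binary may be serving)" % status
    if body.strip() != expected:
        return False, "body mismatch"
    return True, "ok"


def fetch(url):
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def preflight(domain, webroot):
    token = secrets.token_urlsafe(32)  # constructed stand-in for the CA-issued token
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        ok, why = check_body(token, *fetch("http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)))
        print("%s: %s; records: %s" % (domain, why, address_records(domain)))
        return ok
    finally:
        os.remove(path)


if __name__ == "__main__":
    sys.exit(0 if preflight(sys.argv[1], sys.argv[2]) else 1)
```

Run it as `python3 preflight.py media.smarteye.id /home/ubuntu`; a 404 here reproduces the certbot failure without spending a validation attempt against the CA.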


#2

Hi,

Can you please try to remove the root from the location ^~ /.well-known/ block?
That means, when a user / bot (or whatever) visits your site (for example, at http://media.smarteye.id/.well-known/acme-challenge/test.html), it would visit /home/ubuntu/index.html instead of /home/ubuntu/.well-known/acme-challenge/test.html

For reference: https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#root-inside-location-block

Disclaimer: I’m not sure if the above fix would resolve the issue… (Since I may miss something, especially during midnight…)
sudo certbot certonly --nginx -d media.smarteye.id
(This should work after you remove the root inside the well-known block)

Or

You might try this (without fixing the root inside the location block):
sudo certbot -a webroot -w /home/ubuntu/acme-challenge/ -i nginx -d media.smarteye.id

Thank you


#3

Hi stevenzhu,
Thank you for your suggestion. I agree with you, it seems the location block needs correction. So I did remove the root from the location block, but it seems that is still not enough because the error still persists.

The server uses a custom-built nginx with a custom HTTP module located in /usr/local/sbin/nginx. Previously we started certbot using that nginx. So this time we tried using the default nginx instead, while still using the same config file, and it worked!

Not sure why there is different behavior between the standard nginx and the custom-built one though.

Thanks all!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.