Acme challenge returned error 404

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | mektenglegacy.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Hello,

To begin, my certificate has expired, and I'd like to renew it, but I keep receiving a 404 error. Then I tried again and again until I was limited from renewing the certificate, and now I have to try again with the staging version to figure out what the problem is. I'm not sure what's wrong because I keep getting a 404 error. I tried to find a similar case to mine, but I couldn't find anything that was relevant. Please kindly assist me on this. Thank you.

My domain is:

mektenglegacy.com / www.mektenglegacy.com

I ran this command:

certonly --non-interactive --webroot --webroot-path=/var/www/html -d mektenglegacy.com -d www.mektenglegacy.com --dry-run -v

It produced this output:

certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Plugins selected: Authenticator webroot, Installer None
certbot | Simulating a certificate request for mektenglegacy.com and www.mektenglegacy.com
certbot | Performing the following challenges:
certbot | http-01 challenge for mektenglegacy.com
certbot | http-01 challenge for www.mektenglegacy.com
certbot | Using the webroot path /var/www/html for all unmatched domains.
certbot | Waiting for verification...
certbot | Challenge failed for domain mektenglegacy.com
certbot | Challenge failed for domain www.mektenglegacy.com
certbot | http-01 challenge for mektenglegacy.com
certbot | http-01 challenge for www.mektenglegacy.com
certbot |
certbot | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: mektenglegacy.com
certbot | Type: unauthorized
certbot | Detail: 139.59.113.192: Invalid response from http://mektenglegacy.com/.well-known/acme-challenge/ni7OVG6RThBq9seuwR6HMPwFM07uSIVIZ-ma7-oxTKI: 404
certbot |
certbot | Domain: www.mektenglegacy.com
certbot | Type: unauthorized
certbot | Detail: 139.59.113.192: Invalid response from http://www.mektenglegacy.com/.well-known/acme-challenge/FlFdFNIAGFNFPELhHbKDtFryqsKx4Qn6fO-ALC8qAOk: 404
certbot |
certbot | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot |
certbot | Cleaning up challenges
certbot | Some challenges have failed.
certbot | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx:1.15.12-alpine

The operating system my web server runs on is (include version):

Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64)
Docker version 20.10.17, build 100c701

My hosting provider, if applicable, is:

Domain: Namecheap
Server: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.0.0
docker image certbot/certbot

Is nginx also running in docker? If so, is it in the same docker as certbot?

I ask because certbot webroot will write a file to the webroot-path. This must be the same path as used by the nginx root folder. These paths must be the same because certbot requests a cert, but the Let's Encrypt server must find the challenge file by issuing an HTTP request to your nginx server.

3 Likes
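The mechanism described above (certbot drops a token file into the webroot, the CA fetches it through your web server) can be checked end to end before involving Let's Encrypt. The following is an added example written for this thread, not code from the thread or from certbot: `probe_webroot` writes a random token under `<webroot>/.well-known/acme-challenge/` and fetches it back over HTTP, and `serve_dir` is a stand-in for nginx on a loopback port so the whole thing runs offline. The names `probe_webroot`, `serve_dir` and `demo` are this example's own; in real use `base_url` would be `http://<your domain>` and `webroot` the directory you pass as `--webroot-path`, as seen from the certbot side.

```python
"""Probe that an HTTP-01 challenge file written into WEBROOT is actually
served at http://<host>/.well-known/acme-challenge/<token>, which is what
certbot --webroot relies on.  Added example, not from the thread or certbot."""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe_webroot(webroot, base_url, timeout=5):
    """Write a random token file under `webroot` and fetch it via `base_url`.

    Returns (ok, detail).  The file is only reachable if the web server behind
    base_url serves the same directory certbot writes into; a 404 here is the
    same symptom the CA reported in the thread.  The token file is removed
    afterwards, like certbot's "Cleaning up challenges" step."""
    chal_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)   # constructed, random per probe
    body = secrets.token_urlsafe(32)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read().decode()
    except urllib.error.HTTPError as exc:
        return False, f"{url}: HTTP {exc.code} (server is not serving this webroot?)"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url}: {exc}"
    finally:
        os.remove(path)
    if got != body:
        return False, f"{url}: served unexpected content"
    return True, f"{url}: OK"


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_dir(directory):
    """Stand-in for nginx: serve `directory` on a random loopback port.
    Returns (server, base_url); call server.shutdown() when done."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0),
                              partial(_QuietHandler, directory=directory))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Reproduce both situations from the thread with temporary directories:
    certbot and nginx sharing one directory (works), and certbot writing into
    a different directory than nginx serves (404).  Returns (ok_same, ok_diff)."""
    with tempfile.TemporaryDirectory() as nginx_root, \
         tempfile.TemporaryDirectory() as other_root:
        srv, base = serve_dir(nginx_root)
        try:
            same = probe_webroot(nginx_root, base)   # shared volume: found
            diff = probe_webroot(other_root, base)   # separate volume: 404
        finally:
            srv.shutdown()
            srv.server_close()
    return same[0], diff[0]


if __name__ == "__main__":
    print("shared webroot ok, separate webroot ok:", demo())
```

Run it against the real site by replacing `serve_dir` with your nginx container (e.g. `probe_webroot("/var/www/html", "http://mektenglegacy.com")` from inside the certbot container); a 404 there tells you the two containers are not looking at the same directory, independent of any Let's Encrypt rate limit.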

That's not required if you map the volumes properly, though.

2 Likes

I agree. I didn't mean to say it was required. It is just useful info to know to help debug.

4 Likes

Yes, nginx is also in Docker.

"in docker, but a different container" or "in exactly the same container"?

4 Likes

In Docker, in a different container: a certbot container and an nginx (webserver) container.
I followed this tutorial. Previously it was OK; the problem only happens when I want to renew the cert.

Please show the docker-compose.yml file and also nginx.conf.

4 Likes

here is my setting

docker-compose.yml

version: '3'
services:
    db:
        image: mysql:8.0
        container_name: db
        restart: unless-stopped
        env_file: .env
        environment:
            - MYSQL_DATABASE=wordpress
        volumes:
            - dbdata:/var/lib/mysql
        command: '--default-authentication-plugin=mysql_native_password'
        networks:
            - app-network
    wordpress:
        depends_on:
            - db
        image: wordpress:6.0.0-fpm-alpine
        container_name: wordpress
        restart: unless-stopped
        env_file: .env
        environment:
            - WORDPRESS_DB_HOST=db:3306
            - WORDPRESS_DB_USER=$MYSQL_USER
            - WORDPRESS_DB_PASSWORD=$MYSQL_PASSWORD
            - WORDPRESS_DB_NAME=wordpress
        volumes:
            - ./wordpress:/var/www/html
        networks:
            - app-network
    webserver:
        depends_on:
            - wordpress
        image: nginx:1.15.12-alpine
        container_name: webserver
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - ./wordpress:/var/www/html
            - ./nginx-conf:/etc/nginx/conf.d
            - certbot-etc:/etc/letsencrypt
        networks:
            - app-network
    certbot:
        depends_on:
            - webserver
        image: certbot/certbot
        container_name: certbot
        volumes:
            - certbot-etc:/etc/letsencrypt
            - wordpress:/var/www/html
        #command: certonly --non-interactive --webroot --webroot-path=/var/www/html --email [redacted]@gmail.com --agree-tos --no-eff-email --force-renewal -d mektenglegacy.com -d www.mektenglegacy.com
        command: certonly --non-interactive --webroot --webroot-path=/var/www/html -d mektenglegacy.com -d www.mektenglegacy.com --dry-run -v
        #command: --version
        #command: delete --cert-name mektenglegacy.com
volumes:
    certbot-etc:
    wordpress:
    dbdata:
networks:
    app-network:
        driver: bridge

nginx.conf

server {
        listen 80;
        listen [::]:80;
        server_name mektenglegacy.com www.mektenglegacy.com;
        index index.php index.html index.htm;
        root /var/www/html;
        location ~ /.well-known/acme-challenge {
                allow all;
                root /var/www/html;
        }
        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass wordpress:9000;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
        }
        location ~ /\.ht {
                deny all;
        }
        location = /favicon.ico { 
                log_not_found off; access_log off; 
        }
        location = /robots.txt { 
                log_not_found off; access_log off; allow all; 
        }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
                expires max;
                log_not_found off;
        }
}

This:

is different compared to:

The guide you've linked above does not use ./, did you add that yourself?

Also:

Please don't use this option. There are only a tiny few reasons to use that option to begin with, but clearly you don't understand its purpose. If you don't understand what an option does, please don't use it, especially this one.

3 Likes

I put it like this because I want to link the physical file on the host with the file inside the Docker container.

./wordpress:/var/www/html

I have added ./wordpress to certbot to make it the same as the volume in the wordpress container, and then the dry-run succeeded.

certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Plugins selected: Authenticator webroot, Installer None
certbot | Simulating a certificate request for mektenglegacy.com and www.mektenglegacy.com
certbot | Performing the following challenges:
certbot | http-01 challenge for mektenglegacy.com
certbot | http-01 challenge for www.mektenglegacy.com
certbot | Using the webroot path /var/www/html for all unmatched domains.
certbot | Waiting for verification...
certbot | Cleaning up challenges
certbot | The dry run was successful

Dry-run successful means it's OK, right?

For the "force-renewal" option, if I cannot use this, may I know the right command to use for cert renewal?

Yes, it does.

Just remove the --dry-run option. And DON'T use --force-renewal, as it only works when renewal is actually working anyway (it won't magically force Let's Encrypt to issue a certificate if it's not allowed to. That would be BAD), but can only lead to rate limits.

Again: please read the documentation for any option you don't know the function of. If you did that, you would have known the function of the --dry-run option and you would have known to remove it to actually renew the cert.

4 Likes

Thanks Osiris for your support. Now my certificates have renewed after I changed the volume names in both containers.

I will go through the documentation as per your suggestions. Thank you :smiley:

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.