./acme.sh --issue -d : invalid response acme-challenge

My domain is: ggc.world and www.ggc.world

I ran this command: marco@pc:~/acme.sh$ sudo ./acme.sh --issue -d ggc.world -w /home/wwwroot/ggc.world -d www.ggc.world --force --debug

It produced this output: certsIssueDebugOutput10_08_2019-01.txt (14.3 KB)

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.02 Server Edition

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I’m using now acme.sh

Looking forward to your kind help.
Marco

On the face of it, it seems like the webroot is wrong or is not being used to serve this request.

Could you try this in your nginx config to make the path explicit for that URL?

location /.well-known/acme-challenge/ {
    root /home/wwwroot/ggc.world;
}

Reload nginx and try again:

service nginx reload

My default.conf in /etc/nginx/conf.d is like this:

server {
    listen 443 ssl http2 default_server;
    server_name ggc.world www.ggc.world;

    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://192.168.1.7:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ggc.world www.ggc.world;
    #return 443 https://$host$request_uri;
    return 301 https://$host$request_uri;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://192.168.1.7:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Where should I add the acme-challenge path?

The error makes sense, you’re proxying every request you receive.

Nothing wrong with that, it just means that we know for sure that you need to add that additional piece of config.

Add it directly below this block (in both instances of it):

    location / {
        proxy_pass http://192.168.1.7:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Now /etc/nginx/conf.d/default.conf is like this:

server {
    listen 443 ssl http2 default_server;
    server_name ggc.world www.ggc.world;

    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://192.168.1.7:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /.well-known/acme-challenge/ {
        root /home/wwwroot/ggc.world;
    }

}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ggc.world www.ggc.world;
    #return 443 https://$host$request_uri;
    return 301 https://$host$request_uri;

    access_log /var/log/nginx/ggcworld-access.log combined;

    add_header Strict-Transport-Security "max-age=31536000";
    location = /favicon.ico { access_log off; log_not_found off; }
    location / {
        proxy_pass http://192.168.1.7:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /.well-known/acme-challenge/ {
        root /home/wwwroot/ggc.world;
    }

}

marco@pc:/etc/nginx/conf.d$ service nginx reload
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to reload 'nginx.service'.
Authenticating as: marco,,, (marco)
Password: 
==== AUTHENTICATION COMPLETE ===
marco@pc:/etc/nginx/conf.d$ 

It seems that the certificates are now issued:

-----END CERTIFICATE-----
[Sat Aug 10 12:33:55 CEST 2019] Your cert is in  /home/marco/.acme.sh/ggc.world/ggc.world.cer 
[Sat Aug 10 12:33:55 CEST 2019] Your cert key is in  /home/marco/.acme.sh/ggc.world/ggc.world.key 
[Sat Aug 10 12:33:55 CEST 2019] v2 chain.
[Sat Aug 10 12:33:55 CEST 2019] The intermediate CA cert is in  /home/marco/.acme.sh/ggc.world/ca.cer
[Sat Aug 10 12:33:55 CEST 2019] And the full chain certs is there:  /home/marco/.acme.sh/ggc.world/fullchain.cer
[Sat Aug 10 12:33:55 CEST 2019] _on_issue_success

@_az https://check-your-website.server-daten.de/?q=ggc.world No trusted Certificate

What are the next steps I must take in order to automatically renew the certificates and to be able to use my domain https://ggc.world ?

Issuing is step 1/2. With acme.sh, you need to perform an “installation” step, which also ensures that it reloads nginx at each renewal.

acme.sh --install-cert -d ggc.world \
--key-file       /etc/ssl/private/domain.key  \
--fullchain-file /etc/ssl/certs/chained.pem \
--reloadcmd     "service nginx force-reload"

If you haven’t been using acme.sh as root, I think you should probably start again doing everything as root. Otherwise you’re going to need to do some extra configuration with /etc/sudoers to allow your current user to reload nginx automatically.

I did this:

marco@pc:~/acme.sh$ sudo ./acme.sh --install-cert -d ggc.world --key-file /home/marco/.acme.sh/ggc.world/ggc.world.key --fullchain-file /home/marco/.acme.sh/ggc.world/fullchain.cer --reloadcmd "service nginx force-reload"
[Sat Aug 10 12:48:12 CEST 2019] Installing key to:/home/marco/.acme.sh/ggc.world/ggc.world.key
[Sat Aug 10 12:48:12 CEST 2019] Installing full chain to:/home/marco/.acme.sh/ggc.world/fullchain.cer
[Sat Aug 10 12:48:12 CEST 2019] Run reload cmd: service nginx force-reload
[Sat Aug 10 12:48:12 CEST 2019] Reload success
marco@pc:~/acme.sh$

But again: https://check-your-website.server-daten.de/?q=ggc.world
No trusted Certificate

I guess I have to do something more

The point of --key-file and --fullchain-file is to install your certificates to another location.

The paths I chose for you were based on your nginx configuration.

The paths you chose just overwrote the originals with themselves.

I am also really not convinced that using sudo ./acme.sh is gonna work out for you in the long run. It is not going to work from cron. I would suggest avoiding the non-root approach.

marco@pc:~/acme.sh$ sudo ./acme.sh --install-cert -d ggc.world \
> --key-file       /etc/ssl/private/domain.key  \
> --fullchain-file /etc/ssl/certs/chained.pem \
> --reloadcmd     "service nginx force-reload"
[Sat Aug 10 12:54:53 CEST 2019] Installing key to:/etc/ssl/private/domain.key
[Sat Aug 10 12:54:53 CEST 2019] Installing full chain to:/etc/ssl/certs/chained.pem
[Sat Aug 10 12:54:53 CEST 2019] Run reload cmd: service nginx force-reload
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.

[Sat Aug 10 12:54:53 CEST 2019] Reload error for :

I then modified

marco@pc:/etc/nginx/conf.d$ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) (Result: exit-code) since Sat 2019-08-10 10:45:34 CEST; 2h 11min ago
     Docs: man:nginx(8)
  Process: 9674 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=1/FAILURE)
 Main PID: 1012 (nginx)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─1012 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─9527 nginx: worker process
           ├─9528 nginx: worker process
           ├─9529 nginx: worker process
           ├─9530 nginx: worker process
           ├─9531 nginx: worker process
           ├─9532 nginx: worker process
           ├─9533 nginx: worker process
           └─9534 nginx: worker process

Aug 10 12:56:52 pc systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 10 12:56:52 pc systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Aug 10 12:57:11 pc systemd[1]: Reloading A high performance web server and a reverse proxy server.
Aug 10 12:57:11 pc nginx[9664]: nginx: [emerg] PEM_read_bio_X509_AUX("/etc/ssl/certs/chained.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
Aug 10 12:57:11 pc systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 10 12:57:11 pc systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
Aug 10 12:57:22 pc systemd[1]: Reloading A high performance web server and a reverse proxy server.
Aug 10 12:57:22 pc nginx[9674]: nginx: [emerg] PEM_read_bio_X509_AUX("/etc/ssl/certs/chained.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
Aug 10 12:57:22 pc systemd[1]: nginx.service: Control process exited, code=exited status=1
Aug 10 12:57:22 pc systemd[1]: Reload failed for A high performance web server and a reverse proxy server.
marco@pc:/etc/nginx/conf.d$ 

PS: I also modified the port in /etc/nginx/conf.d/default.conf

    location / {
        proxy_pass http://192.168.1.7:8080;  # From 8081 -> 8080
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

@_az Do you think I will resolve all these issues with sudo passwd root before issuing and installing the certificates?
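A pre-reload check for the failure shown above, where nginx rejects chained.pem with "no start line": an added example, not code from this thread or from acme.sh, that validates the installed chain and key files the way nginx will before a reload command is allowed to run. The sample PEM blocks are constructed and hold only a minimal DER SEQUENCE, not a real certificate or key.

```python
import base64
import re
import sys
from pathlib import Path

# Matches one PEM block and captures its label and base64 body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed samples: "MAA=" is the base64 of 0x30 0x00, an empty DER SEQUENCE.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """Return (label, der_bytes) for every well-formed PEM block in text.
    Blocks whose body is not valid base64 or not a DER SEQUENCE are skipped,
    which is exactly what an empty or truncated file produces."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue
        if der[:1] != b"\x30":  # X.509 certs and PKCS#8/PKCS#1 keys are SEQUENCEs
            continue
        blocks.append((label, der))
    return blocks


def check_tls_files(chain_text, key_text):
    """Report what nginx would complain about: the chain file must contain at
    least one CERTIFICATE block and the key file exactly one private key."""
    problems = []
    certs = [b for b in pem_blocks(chain_text) if b[0] == "CERTIFICATE"]
    if not certs:
        problems.append("chain: no start line (no CERTIFICATE block found)")
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"key: expected 1 private key block, found {len(keys)}")
    return {"certs": len(certs), "keys": len(keys), "problems": problems}


def check_tls_paths(chain_path, key_path):
    """Same check against files on disk, e.g. the paths from default.conf."""
    return check_tls_files(Path(chain_path).read_text(), Path(key_path).read_text())


if __name__ == "__main__":
    # Usage: python check_pem.py /etc/ssl/certs/chained.pem /etc/ssl/private/domain.key
    result = check_tls_paths(sys.argv[1], sys.argv[2])
    print(result)
    sys.exit(1 if result["problems"] else 0)
```

Run it from the acme.sh --reloadcmd (before `service nginx force-reload`) so a broken install aborts the reload instead of leaving nginx with a dead ExecReload.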

@_az I entered as root (su -) and reinstalled as root acme.sh:

root@pc:~/acme.sh# apt-get install socat
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed
  socat
0 to upgrade, 1 to newly install, 0 to remove and 7 not to upgrade.
Need to get 342 kB of archives.
After this operation, 1,034 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu bionic/main amd64 socat amd64 1.7.3.2-2ubuntu2 [342 kB]
Fetched 342 kB in 10s (33.5 kB/s)
Selecting previously unselected package socat.
(Reading database ... 116435 files and directories currently installed.)
Preparing to unpack .../socat_1.7.3.2-2ubuntu2_amd64.deb ...
Unpacking socat (1.7.3.2-2ubuntu2) ...
Setting up socat (1.7.3.2-2ubuntu2) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

root@pc:~/acme.sh# ./acme.sh --install
[Sat 10 Aug 13:18:50 CEST 2019] Installing to /root/.acme.sh
[Sat 10 Aug 13:18:50 CEST 2019] Installed to /root/.acme.sh/acme.sh
[Sat 10 Aug 13:18:50 CEST 2019] Installing alias to '/root/.bashrc'
[Sat 10 Aug 13:18:50 CEST 2019] OK, Close and reopen your terminal to start using acme.sh
[Sat 10 Aug 13:18:50 CEST 2019] Installing cron job
23 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat 10 Aug 13:18:50 CEST 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat 10 Aug 13:18:50 CEST 2019] OK
root@pc:~/acme.sh# 

@_az this is the output’s error : acme.sh-CertificationIssuing10_08_2019ErrorMessage.txt (16.9 KB)

I open a new help request, since the error message is a different one. Looking forward to your kind help

@_az now it seems resolved and working. The only question left is: how to automatically renew the certificates with acme.sh?

acme.sh automatically sets up a cronjob when you first install it. Any certificates it manages will be automatically renewed. You should be able to see it in the root user’s cron:

crontab -l
