Authentication Error when getting certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cliff.dynu.net

I ran this command: sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email cliff@mcloughlin.me.uk -d nextcloud.cliff.dynu.net

It produced this output: Failed authorization procedure. nextcloud.cliff.dynu.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.cliff.dynu.net/.well-known/acme-challenge/Mwxxl4emtnTupUtCHguSx4LOohRDP5Bv2RNfEI-OqOA [86.1.107.37]: 404

IMPORTANT NOTES:

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: ISP - Virgin Media, DDNS dynu.com, Ubuntu on local box

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Are you sure that http://nextcloud.cliff.dynu.net/.well-known/acme-challenge/test.txt is being served by nginx?

It is missing the Server: nginx header, which isn’t possible to remove without recompiling nginx from source.


#3

http://nextcloud.cliff.dynu.net/'s IPv6 address is an OpenDNS IP that doesn’t respond to HTTP.

Its IPv4 address returns HTML that, from Googling it, appears to be the login page for a camera.
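The two checks raised in posts #2 and #3 (is the challenge path really answered by nginx, and what do the IPv4 and IPv6 records actually point at?) can be scripted. The following bash script is an added example, not code from this thread, from Certbot or from nginx. It assumes curl, dig and mktemp are installed and that the nginx document root is /var/www/html; the function names place_token, diagnose_response and probe_challenge and the PROBE_HOST/PROBE_TOKEN variables are my own. place_token runs on the server; probe_challenge is best run from outside the LAN, because in this thread the LAN view showed nginx while the 4G view showed the camera.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, Certbot or nginx): pre-flight checks for
# an HTTP-01 challenge. Assumed tools: bash, curl, dig, mktemp.
set -u

# place_token [WEBROOT]   (run on the server)
# Writes a random token file under WEBROOT/.well-known/acme-challenge and
# prints the token so the same value can be probed from another network.
place_token() {
  local webroot="${1:-/var/www/html}" dir token
  dir="$webroot/.well-known/acme-challenge"
  token=$(head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 24)
  mkdir -p "$dir"
  printf '%s\n' "$token" > "$dir/$token"
  echo "$token"
}

# diagnose_response FILE TOKEN
# FILE holds a raw HTTP response as written by `curl -i` (status line, headers,
# blank line, body). Returns 0 only when the status is 200, the Server header
# names nginx (nginx always sends one, so its absence means another device
# answered, as post #2 notes) and the body is exactly TOKEN.
diagnose_response() {
  local file="$1" token="$2"
  local headers body status server
  headers=$(tr -d '\r' < "$file" | awk '/^$/ { exit } { print }')
  body=$(tr -d '\r' < "$file" | awk 'seen { print } /^$/ { seen = 1 }')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
  server=$(printf '%s\n' "$headers" | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1)

  if [ "$status" != "200" ]; then
    echo "FAIL: HTTP status '$status', expected 200"
    return 1
  fi
  case "$server" in
    nginx*) ;;
    "") echo "FAIL: no Server header; nginx always sends one, so something else answered"
        return 1 ;;
    *)  echo "FAIL: Server header is '$server', not nginx"
        return 1 ;;
  esac
  if [ "$body" != "$token" ]; then
    echo "FAIL: body is not the token that was placed in the webroot"
    return 1
  fi
  echo "OK: $server returned the expected token"
}

# probe_challenge HOST TOKEN   (run from outside the LAN where possible)
# Fetches the token through every A and AAAA record of HOST, pinning each
# address with --resolve so the v6 record (post #3) is exercised separately
# from the v4 one instead of whichever the resolver happens to prefer.
probe_challenge() {
  local host="$1" token="$2"
  local ip addr out rc=0
  out=$(mktemp)
  for ip in $(dig +short A "$host" | grep -E '^[0-9.]+$'; dig +short AAAA "$host" | grep ':'); do
    case "$ip" in *:*) addr="[$ip]" ;; *) addr="$ip" ;; esac
    echo "== $host via $ip"
    if curl -sS -i --max-time 10 --resolve "$host:80:$addr" \
         "http://$host/.well-known/acme-challenge/$token" > "$out"; then
      diagnose_response "$out" "$token" || rc=1
    else
      echo "FAIL: no HTTP answer from $ip (firewall, port forward or wrong DNS record)"
      rc=1
    fi
  done
  rm -f "$out"
  return "$rc"
}

# Usage: on the server, T=$(place_token); elsewhere, PROBE_HOST=... PROBE_TOKEN=$T bash probe.sh
if [ -n "${PROBE_HOST:-}" ] && [ -n "${PROBE_TOKEN:-}" ]; then
  probe_challenge "$PROBE_HOST" "$PROBE_TOKEN"
fi
```

Remove the token file from the challenge directory once the probe passes. A 404 with no Server header, which is what the poster's router was returning, fails the first two checks; a 200 from nginx with a different body usually means a stale port forward to another host that also runs nginx.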


#4

Thanks -az. I'm assuming that it is being served by nginx. I'm very much a Linux newbie, being more experienced with Windows. I started with a clean install of Ubuntu 18.04 and followed these sets of instructions: https://www.linuxbabe.com/ubuntu/install-lemp-stack-nginx-mariadb-php7-2-ubuntu-18-04-lts & https://www.linuxbabe.com/ubuntu/install-nextcloud-ubuntu-18-04-nginx-lemp.


#5

Thanks mnordhoff. I use OpenDNS for my DNS servers and dynu.com for DDNS. I had redirects for ports 80 & 443 set up on my router to point to the server and I was getting the Nginx page when I used the address or IP locally, but after your reply I tried from my phone over the 4G network and got my camera login. I rebooted the router and now get the certificate correctly, but get this response from LE:

Deploying Certificate to VirtualHost /etc/nginx/conf.d/nextcloud.conf
Failed ensure-http-header for nextcloud.cliff.dynu.net
Unable to set enhancement ensure-http-header for nextcloud.cliff.dynu.net
Problem in /etc/nginx/conf.d/nextcloud.conf: tried to insert directive "['add_header', 'Strict-Transport-Security', '"max-age=31536000"', 'always']" but found conflicting "['add_header', 'X-Content-Type-Options', 'nosniff']".

IMPORTANT NOTES:

  • We were unable to set up enhancement ensure-http-header for your
    server, however, we successfully installed your certificate.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/nextcloud.cliff.dynu.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/nextcloud.cliff.dynu.net/privkey.pem
    Your cert will expire on 2018-09-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

Should I worry about this?

Thanks again


#6

I don’t know. I’ve never seen that error before. It sounds like it might not be a showstopper. The Strict-Transport-Security header is good but not required.

You could edit the Nginx configuration to add it manually, but if Certbot has a bug, it might get confused in the future.

I hope a Certbot developer chimes in.

What version of Certbot are you using?

It may be good to file a bug with the Nginx configuration and Certbot letsencrypt.log.
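For the manual route mnordhoff mentions, here is an added example of what the relevant part of the server block can look like once HSTS is written by hand. It is not the poster's actual /etc/nginx/conf.d/nextcloud.conf and not Certbot output; the certificate paths and the max-age value are taken from the Certbot output above, while the listen line and root /var/www/nextcloud are assumptions. The caveat it encodes is documented nginx behaviour: add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a location with its own add_header silently drops an HSTS header set at server level.

```nginx
# Added example, not the poster's nextcloud.conf. Paths from Certbot's output;
# listen line and root are assumptions.
server {
    listen 443 ssl http2;
    server_name nextcloud.cliff.dynu.net;
    root /var/www/nextcloud;

    ssl_certificate     /etc/letsencrypt/live/nextcloud.cliff.dynu.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.cliff.dynu.net/privkey.pem;

    # Keep every add_header for this level together. The header the Nextcloud
    # guide already set (X-Content-Type-Options) and the HSTS header Certbot
    # could not insert sit side by side; "always" also sends them on 4xx/5xx.
    add_header X-Content-Type-Options nosniff always;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Deliberately no add_header here: a location that declares its own
        # add_header stops inheriting the two above, including HSTS. If a
        # location needs an extra header, repeat the HSTS line inside it.
    }
}
```

Check the result with `sudo nginx -t`, reload nginx, then `curl -sI https://nextcloud.cliff.dynu.net | grep -i strict-transport-security` for the root path and for any location that has its own add_header. Since Certbot will later try to insert the same directive on a renewal run with --hsts, keep the line in the form shown so its check finds an existing HSTS header rather than a conflict.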


#7

@sydneyli, could this relate to a problem in PR #5463 in case there is already an add_header directive unrelated to HSTS?

Like @mnordhoff, I’d also like to know which version of Certbot this is.


#8

@schoen Yes, I was able to reproduce this.
@cmcloughlin, your certificate should be installed correctly but we weren't able to automatically set HSTS for you, which is a bug. I have a fix for this queued; for bookkeeping's sake, can you fill out an issue here? EDIT: Thanks to @schoen's quick review, we've merged the fix for this. Just in time, too -- the next Certbot release is scheduled for Wednesday. Let us know if this fixes it for you!


#9

Thanks for all your help. Will do
