Can not create SSL Certificate on Ubuntu/NGINX

Hi!

My problem is that it's impossible to create an SSL certificate. That's strange, because this is my second server (same brand, type, OS and so on). On the first one everything is okay, and now I have no clue what's going wrong. :wink:

My domain is:

node02.ironpvp.de (IP: 176.118.193.162)

I ran this command:

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email info@ironpvp.de -d node02.ironpvp.de

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for node02.ironpvp.de
Waiting for verification...
Challenge failed for domain node02.ironpvp.de
http-01 challenge for node02.ironpvp.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version) / The operating system my web server runs on is (include version):

Ubuntu 20.04 LTS
NGINX: 1.20.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Can someone help me please? :wink:

wtf is this?

Did you follow the instructions?

There are some nginx distributions out there which have "security" modules that create JavaScript interstitials, sort of like the Cloudflare captcha page. They look a lot like that snippet.

If that's the case here, @Cycs will need to figure out where it's coming from and turn it off, or exclude these requests.


It looks like it

#  curl -iL http://node02.ironpvp.de/
HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 206

<!DOCTYPE html><html><title></title><script>var y=window</script><script>var x={o:'/44OLOWV/',c:1},z=2;function rsu(h){return(x.o).substr(0,x.c)+(x.o).substr(x.c+h)}y.location.assign(rsu(z))</script></html>
# curl -iL http://node02.ironpvp.de/.well-known/acme-challenge/sdFBYhiKxVlvdJbHgNQabjb7uVN07mn7nKc41afgne8
HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 247

<!DOCTYPE html><html><title></title><script>var y=window</script><script>var x={o:'gNQabjb7uVN07mn7nKc41afgne8',t:'/ZofKl/.well-known/acme-c',h:'hallenge/sdFBYhiKxVlvdJbH'};function rsu(){return x.t+x.h+x.o}y.location.assign(rsu())</script></html>

(It logs IP addresses, so I could not see it on my desktop because I had opened a page in Firefox)

@_az that webserver f*king answers 200 on every path. You only get a 404 after the javascript redirect (and letsdebug doesn't catch this).


Hi,

Because of your question, I uninstalled the formerly installed certbot instance and used snap. But this also doesn't work. I get this output:

root@node02:~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: node02.ironpvp.de


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for node02.ironpvp.de

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: node02.ironpvp.de
Type: unauthorized
Detail: Invalid response from http://node02.ironpvp.de/.well-known/acme-challenge/UePRll-4JN2lcvi2hpKOpejuYvjg-7xF96WmpSQH6Qg [176.118.193.162]: "var x={o:'/LLLLLWhSp/.well-known/acme-challenge/UePRll-"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So ... it will not work.
BTW, you asked about the strange text ... I only copied the output from the shell. :wink:

Certbot version with snap is: 1.24.0

Uh ... sorry. I do not know.
I only installed the server from scratch. That means I clicked on "install server with Ubuntu 20.04 LTS" in my provider's panel. After that I installed NGINX this way:

add-apt-repository ppa:ondrej/nginx
apt install nginx-core nginx-common nginx nginx-full

Is it wrong? I never had problems before with it. :frowning:

That's crazy. If I run this command I get the following:

curl -iL http://node02.ironpvp.de/
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Fri, 04 Mar 2022 21:20:25 GMT
Content-Type: text/html
Content-Length: 101
Last-Modified: Fri, 04 Mar 2022 19:27:48 GMT
Connection: keep-alive
ETag: "62226834-65"
Accept-Ranges: bytes

<html>
 <head>
  <title>Node02</title>
 </head>
 <body>
   <h1>This is Node02!</h1>
 </body>
</html>

So do I, if I use an IP address that has opened a page with an actual browser.

ls /etc/nginx/modules-enabled/

ls /etc/nginx/modules-enabled/
50-mod-brotli.conf 50-mod-http-echo.conf 50-mod-http-image-filter.conf 50-mod-http-xslt-filter.conf 50-mod-stream.conf
50-mod-http-auth-pam.conf 50-mod-http-geoip2.conf 50-mod-http-subs-filter.conf 50-mod-mail.conf 70-mod-stream-geoip2.conf
50-mod-http-dav-ext.conf 50-mod-http-geoip.conf 50-mod-http-upstream-fair.conf 50-mod-ssl-ct.conf 70-mod-stream-geoip.conf

Ah, it's not actually nginx doing this.

The clue is that @9peppe's curl response does not contain the Server header. This is usually a dead giveaway that there's some kind of proxy sitting in front.

I'd contact your host. I think it's some kind of HTTP firewall on their side.

curl -Ii http://node02.ironpvp.de/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 302 Found
Location: /KVkVN/.well-known/acme-challenge/Test_File-1234

curl -Ii http://node02.ironpvp.de/KVkVN/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 302 Found
Location: /pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234

curl -Ii http://node02.ironpvp.de/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 302 Found
Location: /NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234

curl -Ii http://node02.ironpvp.de/NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 302 Found
Location: /ehkSV/NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234

There seems to be no end to it.

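The two diagnoses above (a JavaScript interstitial that answers 200 on every path without a Server header, and a 302 chain that prepends a fresh random segment on every hop) can be checked mechanically before running Certbot. The following is an added example by the editor, not code from the thread, from Certbot or from Let's Encrypt. It parses raw HTTP responses in the form `curl -i` prints them; the interstitial body and the 302 Location values are the ones captured in the thread, while the "healthy" response, its account-key thumbprint and the 404 used for comparison are constructed placeholders.

```python
"""
Pre-flight check for an ACME http-01 challenge path, modelled on the curl
probes in this thread. It classifies raw HTTP responses for
http://<host>/.well-known/acme-challenge/<token> and flags the symptoms seen
above: a JavaScript interstitial answering 200 on every path, a 302 chain that
prepends a new random segment per hop, and a missing Server header (something
other than nginx answered). Editor-added example, not Certbot/Let's Encrypt code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN = "sdFBYhiKxVlvdJbHgNQabjb7uVN07mn7nKc41afgne8"  # token from the thread
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN

# Interstitial response as captured in the thread (string wrapped for readability).
INTERSTITIAL = (
    "HTTP/1.1 200 OK\r\nConnection: close\r\nPragma: no-cache\r\n"
    "cache-control: no-cache\r\nContent-Type: text/html\r\nContent-Length: 247\r\n\r\n"
    "<!DOCTYPE html><html><title></title><script>var y=window</script>"
    "<script>var x={o:'gNQabjb7uVN07mn7nKc41afgne8',t:'/ZofKl/.well-known/acme-c',"
    "h:'hallenge/sdFBYhiKxVlvdJbH'};function rsu(){return x.t+x.h+x.o}"
    "y.location.assign(rsu())</script></html>"
)
# Constructed: what nginx answers once Certbot has placed the challenge file.
# Body is "<token>.<account-key thumbprint>" (RFC 8555 key authorization);
# the thumbprint is a placeholder.
HEALTHY = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nContent-Type: text/plain\r\n\r\n"
    + TOKEN + ".9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
)
# First hop of the 302 chain from the thread, and the Location values it produced.
FIRST_302 = ("HTTP/1.1 302 Found\r\n"
             "Location: /KVkVN/.well-known/acme-challenge/Test_File-1234\r\n\r\n")
CHAIN = [
    "/KVkVN/.well-known/acme-challenge/Test_File-1234",
    "/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234",
    "/NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234",
    "/ehkSV/NnMRd/pYaZV/KVkVN/.well-known/acme-challenge/Test_File-1234",
]

# Script-driven navigation is the signature of an interstitial, not of a token body.
JS_REDIRECT = re.compile(r"window\.location|location\.(assign|replace|href)", re.I)


@dataclass
class Verdict:
    kind: str              # ok | redirect | js_interstitial | wrong_body | http_error
    code: int
    server: Optional[str]  # None: no Server header, likely a proxy/WAF in front of nginx
    location: Optional[str]


def parse_http(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, lower-cased headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def classify(raw: str, token: str) -> Verdict:
    """Judge one response roughly the way the CA's validator would."""
    code, hdrs, body = parse_http(raw)
    server, loc = hdrs.get("server"), hdrs.get("location")
    if 300 <= code < 400 and loc:
        return Verdict("redirect", code, server, loc)
    if code != 200:
        return Verdict("http_error", code, server, None)
    if body.strip().startswith(token + "."):
        return Verdict("ok", code, server, None)
    if "text/html" in hdrs.get("content-type", "") and JS_REDIRECT.search(body):
        return Verdict("js_interstitial", code, server, None)
    return Verdict("wrong_body", code, server, None)


def is_growing_redirect_chain(locations: List[str], challenge_path: str) -> bool:
    """True when every hop keeps the previous path intact and prepends a new
    segment, so following redirects can never reach the real challenge file."""
    prev = challenge_path
    for loc in locations:
        if len(loc) <= len(prev) or not loc.endswith(prev):
            return False
        prev = loc
    return len(locations) >= 2


if __name__ == "__main__":
    for name, raw in (("interstitial", INTERSTITIAL), ("healthy", HEALTHY), ("302", FIRST_302)):
        print(name, classify(raw, TOKEN))
    print("growing chain:",
          is_growing_redirect_chain(CHAIN, "/.well-known/acme-challenge/Test_File-1234"))
```

Run it against live output by piping `curl -si http://host/.well-known/acme-challenge/<token>` into `classify` from a machine that has never opened the site in a browser, since the interstitial remembers client IPs; a `js_interstitial` verdict with `server` set to `None`, or a growing chain of 302s, means the host's HTTP filter must be disabled or the `/.well-known/acme-challenge/` prefix excluded before Certbot can succeed.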

Huh? What's going on there? Never seen before. :grimacing:
I don't know why this happens.
