Can reach testfile on webroot but challenge fails

Hi, I have been using certbot for quite some years. This time I am trying something specific, which keeps me guessing.

The server has two nginx installations. One on the machine, which passes requests to upstream port 8081, which is mapped to 8080 inside the docker container that hosts the content. Within that container the nginx and certbot processes are started by a user with limited permissions. While debugging I've set the relevant dirs to 777.

I do get a result back from the self-created http://autonomous-times.com/.well-known/acme-challenge/test

but the challenge fails.

Could you have a look through the logs and see if there is anything there that could help me?

2023-11-05 15:27:49,471:DEBUG:certbot._internal.main:certbot version: 2.7.4
2023-11-05 15:27:49,471:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-11-05 15:27:49,471:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com', '--non-interactive', '--agree-tos', '--email', 'joera@joeramulders.com', '--http-01-port', '8080', '--https-port', '4430', '--domain', 'autonomous-times.com', '-v']
2023-11-05 15:27:49,471:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-11-05 15:27:49,479:DEBUG:certbot._internal.log:Root logging level set at 20
2023-11-05 15:27:49,480:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-11-05 15:27:49,480:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7faeb27a3460>
Prep: True
2023-11-05 15:27:49,480:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7faeb27a3460> and installer None
2023-11-05 15:27:49,480:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-11-05 15:27:49,513:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1397216106', new_authzr_uri=None, terms_of_service=None), e7477670aae73f01254b7c6d31e67f46, Meta(creation_dt=datetime.datetime(2023, 11, 5, 14, 16, 8, tzinfo=<UTC>), creation_host='b40eabf036ec', register_to_eff=None))>
2023-11-05 15:27:49,513:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-11-05 15:27:49,514:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-11-05 15:27:54,989:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-11-05 15:27:54,990:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 05 Nov 2023 15:27:54 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "l_luSNCvCTU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-11-05 15:27:54,991:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for autonomous-times.com
2023-11-05 15:27:55,000:DEBUG:acme.client:Requesting fresh nonce
2023-11-05 15:27:55,001:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-11-05 15:27:55,166:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-11-05 15:27:55,167:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 05 Nov 2023 15:27:55 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: QBeJ2mufUIX6WVceRQs833lOlYLOJwhbmsIs85etI7XkVIA4ymM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-11-05 15:27:55,168:DEBUG:acme.client:Storing nonce: QBeJ2mufUIX6WVceRQs833lOlYLOJwhbmsIs85etI7XkVIA4ymM
2023-11-05 15:27:55,168:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "autonomous-times.com"\n    }\n  ]\n}'
2023-11-05 15:27:55,176:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM5NzIxNjEwNiIsICJub25jZSI6ICJRQmVKMm11ZlVJWDZXVmNlUlFzODMzbE9sWUxPSndoYm1zSXM4NWV0STdYa1ZJQTR5bU0iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "S7E-CF1DSyI1n5exGGVVChw_ZGgm_HXNjvD8ghTmHo3dKVCLn-pv270Gw_6CheHQoiFXB4VW0fcftWWrklJMfTgiIt3wriyLR6bs_mTxi1-O13EY06YWY_te8aW-qBok2YDQOQ2uU7EKMUlT7iEWttY01UvWMJckELX83zekPmVFqnDKwYFWcDIGnzMdpVRMDWCEGk_1MU2-H93HrzAJ_JmTSlhsT8Ct7R4eLXigCh7_wmr7QthHd_P__lYPCuyleYIHLCn0f64F662ZsoNsbjxQt7g-egULmqTjfP3xFFXdfn61px_VD85z_nCMHlSDnMzExRpigTnI4D2_pxlfAg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImF1dG9ub21vdXMtdGltZXMuY29tIgogICAgfQogIF0KfQ"
}
2023-11-05 15:27:55,377:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 346
2023-11-05 15:27:55,378:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 05 Nov 2023 15:27:55 GMT
Content-Type: application/json
Content-Length: 346
Connection: keep-alive
Boulder-Requester: 1397216106
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1397216106/220081813156
Replay-Nonce: QBeJ2mufoFQzEJmJsp722dbUR2KnwTMck703bbAgwuI9vSWLzpg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2023-11-12T15:27:55Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "autonomous-times.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/280864803756"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1397216106/220081813156"
}
2023-11-05 15:27:55,378:DEBUG:acme.client:Storing nonce: QBeJ2mufoFQzEJmJsp722dbUR2KnwTMck703bbAgwuI9vSWLzpg
2023-11-05 15:27:55,379:DEBUG:acme.client:JWS payload:
b''
2023-11-05 15:27:55,382:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/280864803756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM5NzIxNjEwNiIsICJub25jZSI6ICJRQmVKMm11Zm9GUXpFSm1Kc3A3MjJkYlVSMktud1RNY2s3MDNiYkFnd3VJOXZTV0x6cGciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI4MDg2NDgwMzc1NiJ9",
  "signature": "BUW3zIxwIVBalOBipqIzq0JGNUKu9RW57BZqZ4BxgfRJ92LwrhHjSJFoKeuh58OcWkfy9mM1B5Ub46eeQfPyO0hIQSRKlXrPVPGp_9GXGHcItBn48CvmheLIGt8YayHDQCjuQnCSVWGWwlAn3tkUZk0Q9Gm4u87kuN8qXz0zRa8LH3hm8PHJqsaZRYKwvbZerGcTS9wpKdRe_gGa5dwitE-4-uH1jJPkslijxFAZMFn91U5TH1w0CAQYgiUtdanSq04yaXlfep0CNJv0IPy6FXMpP7d7IgCl7kOBYBl57wuM6jiGruZVU6hc5tJ3KA3x3-bBJcYghVNduDK9yngtJw",
  "payload": ""
}
2023-11-05 15:27:55,542:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/280864803756 HTTP/1.1" 200 804
2023-11-05 15:27:55,543:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 05 Nov 2023 15:27:55 GMT
Content-Type: application/json
Content-Length: 804
Connection: keep-alive
Boulder-Requester: 1397216106
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 254jphsyhRG2kHz4UW8YmRbHoBpWVrJSFDlP6Smj1sD7_c1SKas
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "autonomous-times.com"
  },
  "status": "pending",
  "expires": "2023-11-12T15:27:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/jq_egw",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/1a9POg",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/0y3M8w",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
    }
  ]
}
2023-11-05 15:27:55,543:DEBUG:acme.client:Storing nonce: 254jphsyhRG2kHz4UW8YmRbHoBpWVrJSFDlP6Smj1sD7_c1SKas
2023-11-05 15:27:55,544:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-11-05 15:27:55,545:INFO:certbot._internal.auth_handler:http-01 challenge for autonomous-times.com
2023-11-05 15:27:55,545:INFO:certbot._internal.plugins.webroot:Using the webroot path /.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com for all unmatched domains.
2023-11-05 15:27:55,546:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com/.well-known/acme-challenge
2023-11-05 15:27:55,547:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com/.well-known/acme-challenge/BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc
2023-11-05 15:27:55,547:DEBUG:acme.client:JWS payload:
b'{}'
2023-11-05 15:27:55,548:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/jq_egw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM5NzIxNjEwNiIsICJub25jZSI6ICIyNTRqcGhzeWhSRzJrSHo0VVc4WW1SYkhvQnBXVnJKU0ZEbFA2U21qMXNEN19jMVNLYXMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzI4MDg2NDgwMzc1Ni9qcV9lZ3cifQ",
  "signature": "a8KJlytK3RENarYmrPhwTL1bLiLa2DkOH4huH5b7El07S4M2PnvYlwyxEDMva0e9iqdvtoWQM_2_0NWDS1uJ6QnQw9jwfnm-HSpMqErIgS2dfHxNbXPZ-gpeQn2fLU6VssVFNhLBGswIUYMS8UXjIcACeYZfcIA9Alnu_1CIP_Q38fAVWer35VWee7AYqZVj-HQ-6sNIK4O4kCYcRPgaBEXiTvicBF68zEUsqA9VWjHG2Cas1D-pikVCS_GzYpA3zkpIMSgnH-bUiGIXiYsPGS3UdnyJfc6lmWW9OeLeZ1PngAlSJKNjeO2P-2yDFTgnE7BlG6eiZT1Hi14zWXx3JQ",
  "payload": "e30"
}
2023-11-05 15:27:55,708:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/280864803756/jq_egw HTTP/1.1" 200 187
2023-11-05 15:27:55,709:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 05 Nov 2023 15:27:55 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1397216106
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/280864803756>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/jq_egw
Replay-Nonce: 254jphsy-5ukUTacVzxdY39oT5lbhTcDCWN6HUS703z7wAFsPH4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/jq_egw",
  "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
}
2023-11-05 15:27:55,709:DEBUG:acme.client:Storing nonce: 254jphsy-5ukUTacVzxdY39oT5lbhTcDCWN6HUS703z7wAFsPH4
2023-11-05 15:27:55,710:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-11-05 15:27:56,711:DEBUG:acme.client:JWS payload:
b''
2023-11-05 15:27:56,715:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/280864803756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM5NzIxNjEwNiIsICJub25jZSI6ICIyNTRqcGhzeS01dWtVVGFjVnp4ZFkzOW9UNWxiaFRjRENXTjZIVVM3MDN6N3dBRnNQSDQiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI4MDg2NDgwMzc1NiJ9",
  "signature": "F1q5bSMF3rwujt6tdVsG77EQmd75uELTbpZWLQt9jDi7HcRZ3FzejOjFTY1PhmvjnL2q_Igpp6o1PwPcuViN2CPC2XPggdSLguVFzzwX5KQD8IdHvd5d4KVd6nxUNvlqmVIyu2JWJjv0da8G-_tVrDyHNLbTnaLr5hzYBO1NwypbVnTU4kGEfKBtCAo513kuMnieAvaYHW7zyIys8aaq4cA2L9vXiGNCStzIFEHmcoiPnNVaM2dWGxhblv2d-ZB58e_atzkxCwrX830ecOvRxmWH22s0XvEwnWMzLXPMLK0mHNOWlWDlbNXhV_LJTxqyAHrCOZDHBzXHr9jSWRC0wg",
  "payload": ""
}
2023-11-05 15:27:56,874:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/280864803756 HTTP/1.1" 200 804
2023-11-05 15:27:56,875:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 05 Nov 2023 15:27:56 GMT
Content-Type: application/json
Content-Length: 804
Connection: keep-alive
Boulder-Requester: 1397216106
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 254jphsyMrzVOIs9Vx2CEWIxAQLAH10jEf5AsMYWS89zETeLYDo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "autonomous-times.com"
  },
  "status": "pending",
  "expires": "2023-11-12T15:27:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/jq_egw",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/1a9POg",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/0y3M8w",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc"
    }
  ]
}
2023-11-05 15:27:56,876:DEBUG:acme.client:Storing nonce: 254jphsyMrzVOIs9Vx2CEWIxAQLAH10jEf5AsMYWS89zETeLYDo
2023-11-05 15:27:59,877:DEBUG:acme.client:JWS payload:
b''
2023-11-05 15:27:59,878:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/280864803756:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTM5NzIxNjEwNiIsICJub25jZSI6ICIyNTRqcGhzeU1yelZPSXM5VngyQ0VXSXhBUUxBSDEwakVmNUFzTVlXUzg5ekVUZUxZRG8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI4MDg2NDgwMzc1NiJ9",
  "signature": "X2pJivU8nE1xH0AVNdvFlc_fRaTDz6jUMLEHlPPbmr4s0KuDZfiksKowxexBdf8MavafZhuyAt6RKnsRQylq6c8WK7avXfTjuWQYCffIEEmy4uROkKyrotpVwzeDzWp16UE8yHVjJZW3S2lL1uYNGSGAFw_VRPBgMDJdwg1Q2_IEUmMkK2ZByps4wj1-IBJvaknMEGTCtAa5RIuYO0rGQBXrpFE9OIQa_bKL8SzGIE2kSxVM2mYJh39iDp6vq5tQWXhLlM1m4irWXo5CicazWeNIVq9NjjLcbG3OxZ-ADWAPch2rJ8kMC-MKcOom-SgzlB-pxDnF3zGXFRFfTHdc9A",
  "payload": ""
}
2023-11-05 15:28:00,035:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/280864803756 HTTP/1.1" 200 1051
2023-11-05 15:28:00,036:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 05 Nov 2023 15:27:59 GMT
Content-Type: application/json
Content-Length: 1051
Connection: keep-alive
Boulder-Requester: 1397216106
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 254jphsyGDIic_MnBUNWoFuf1vGDhLj72Fd1_XYPOQMKeR4ov_c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "autonomous-times.com"
  },
  "status": "invalid",
  "expires": "2023-11-12T15:27:55Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "143.176.14.172: Invalid response from http://autonomous-times.com/.well-known/acme-challenge/BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/280864803756/jq_egw",
      "token": "BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc",
      "validationRecord": [
        {
          "url": "http://autonomous-times.com/.well-known/acme-challenge/BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc",
          "hostname": "autonomous-times.com",
          "port": "80",
          "addressesResolved": [
            "143.176.14.172"
          ],
          "addressUsed": "143.176.14.172"
        }
      ],
      "validated": "2023-11-05T15:27:55Z"
    }
  ]
}
2023-11-05 15:28:00,036:DEBUG:acme.client:Storing nonce: 254jphsyGDIic_MnBUNWoFuf1vGDhLj72Fd1_XYPOQMKeR4ov_c
2023-11-05 15:28:00,037:INFO:certbot._internal.auth_handler:Challenge failed for domain autonomous-times.com
2023-11-05 15:28:00,037:INFO:certbot._internal.auth_handler:http-01 challenge for autonomous-times.com
2023-11-05 15:28:00,038:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: autonomous-times.com
  Type:   unauthorized
  Detail: 143.176.14.172: Invalid response from http://autonomous-times.com/.well-known/acme-challenge/BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-11-05 15:28:00,039:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-05 15:28:00,039:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-05 15:28:00,039:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-05 15:28:00,040:DEBUG:certbot._internal.plugins.webroot:Removing /.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com/.well-known/acme-challenge/BqL-FFmX8ayrxjPNi6iui3FMGuzVe876-HNQjMtI_tc
2023-11-05 15:28:00,040:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-11-05 15:28:00,041:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1873, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-05 15:28:00,043:ERROR:certbot._internal.log:Some challenges have failed.

Hmm. I get a 200 response but no data (content-length=0). Is there anything in that test file?

I also get a 200 for any other name, so something seems wrong.

curl -i http://autonomous-times.com/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 05 Nov 2023 15:51:05 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive

curl -i http://autonomous-times.com/.well-known/acme-challenge/test404
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 05 Nov 2023 15:51:15 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive

4 Likes
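The two curl probes above can be turned into a repeatable pre-flight check. The script below is an added example, not the thread's own script and not part of certbot: it writes a file with random content into the webroot, fetches it over plain HTTP the way the CA would, fetches a name that cannot exist, and classifies the pair of results. The function names (`probe`, `diagnose`) and the verdict strings are this example's own; it assumes `curl`, `od` and `sed` are available and that the domain resolves to the host under test.

```shell
#!/bin/sh
# Added example (not from the thread): check that the http-01 challenge path is
# really served from the webroot, mirroring the two curl probes in the thread.

# diagnose KNOWN_STATUS BODY_MATCH RANDOM_STATUS
#   KNOWN_STATUS  : HTTP status for a file we just wrote into the webroot
#   BODY_MATCH    : 1 if the body returned equals what we wrote, else 0
#   RANDOM_STATUS : HTTP status for a name that does not exist
# Prints one verdict line; exit status 0 only when serving looks correct.
diagnose() {
    known="$1"; match="$2"; random="$3"
    if [ "$known" = "200" ] && [ "$match" = "1" ] && [ "$random" = "404" ]; then
        echo "ok: webroot files served, unknown names return 404"
        return 0
    fi
    if [ "$known" = "200" ] && [ "$match" != "1" ]; then
        # The symptom in the thread: 200 with an empty (or wrong) body for any
        # name means the request is answered before it reaches the file on disk.
        echo "catch-all: 200 without file content, challenge path not served from webroot"
        return 1
    fi
    if [ "$known" = "404" ]; then
        echo "not-found: file written to webroot is not reachable, check -w path, root/alias and proxy routing"
        return 1
    fi
    echo "unexpected: known=$known match=$match random=$random"
    return 1
}

# probe DOMAIN WEBROOT
# Writes a random token file, fetches it over plain HTTP on port 80 (where the
# CA validates http-01), fetches a name that cannot exist, cleans up, and hands
# the observed results to diagnose().
probe() {
    domain="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    content="$token.$$"
    printf '%s' "$content" > "$dir/$token"

    # curl prints the body, then the status code on its own last line
    out=$(curl -sS -w '\n%{http_code}' "http://$domain/.well-known/acme-challenge/$token")
    known_status=$(printf '%s\n' "$out" | tail -n 1)
    known_body=$(printf '%s\n' "$out" | sed '$d')
    if [ "$known_body" = "$content" ]; then match=1; else match=0; fi

    random_status=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token-missing")

    rm -f "$dir/$token"
    diagnose "$known_status" "$match" "$random_status"
}

# Usage: sh probe.sh autonomous-times.com /path/to/webroot
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it from inside the container, as the same user certbot runs as, so that it exercises the same write permissions and the same path certbot is given with `-w`. A catch-all 200 with an empty body for both names, as in the curl output above, means nginx (or the proxy in front of it) answers before the request reaches the file, so the `location` or the proxy route is what to fix, not certbot.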

Further, if I understand correctly, you have an nginx system that sees all incoming requests. It then proxies certain requests to a docker container.

Can't you have the "first" nginx handle both HTTP and HTTPS for the domain or URI you proxy back to the container? That is, just redirect any HTTP to HTTPS. And, when it gets HTTPS it can just proxy back using HTTP.

Is there a reason you need to use HTTPS to access the container rather than just using HTTP?

3 Likes

Mm yes, thanks... I had a false sense of a working nginx conf...

1 Like

Yes, I understand you doubt my sanity. I am trying a distributed hosting setup. The user inside the docker container needs to restart nginx with new config and then run certbot. It should not have access to the host machine outside the container.

Sure, and, maybe I am missing something. But, it sounds like you have nginx1 proxying traffic to nginx2. For nginx1 to handle an incoming HTTPS request it needs a cert for the domain name in the request.

It's fine if for some reason you also need HTTPS between nginx1 and nginx2 and even using a public CA cert. But, if these are your own systems on your own network I was just asking why HTTP wouldn't be sufficient. If it is then nginx2 does not need Certbot or certificates at all. This doesn't change what access the container has to the host. It just changes the protocol between nginx1 and nginx2.

Or, perhaps just use a self-signed cert in nginx2 to allow the proxy to it to use HTTPS.

Again, it's fine if you need to do what you are trying. I was just suggesting other solutions that might be simpler.

3 Likes

Thanks for thinking with me. nginx1 doesn't know the domain.

I am assuming I can let nginx1 reverse proxy the request to nginx2 in the container, where the nginx conf is generated and a certificate is generated. It would also update DNS records to point the domain at nginx1.

1 Like

How does nginx1 handle incoming HTTPS requests?

I am not sure if you are doing something incredibly clever or don't understand something well enough 🙂

4 Likes

How about both 🤣

1 Like

Do you have an example server block for nginx1 that will handle incoming HTTPS requests (typically port 443)?

2 Likes

I will be back tomorrow...

Got back behind the computer and found a fix!

So, yeah... I screwed up my nginx2 config while debugging certbot. Fixed that first.

Then I copied an SSL passthrough example to use on nginx1. It works 😅

Thanks for helping out

2 Likes
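One plausible layout for what the thread ends up with, added here as an example and not the poster's actual configs: nginx1 on the host forwards plain HTTP (including the ACME path) to the container and passes TLS through untouched by SNI, so it needs no certificate of its own; nginx2 inside the container serves the challenge files straight from the webroot and terminates TLS with the certificate certbot obtained there. The 8081 to 8080 mapping, the webroot path and the container-side port 4430 are taken from the thread; the host-side port 4431 for the TLS mapping, the `/etc/letsencrypt` paths and the rest of the directives are assumptions.

```nginx
# ===== nginx1, on the host (assumed: /etc/nginx/nginx.conf) =====

http {
    # Plain HTTP: forward the whole site to the container so the http-01 file
    # certbot writes inside it is what the CA fetches on port 80.
    server {
        listen 80;
        server_name autonomous-times.com;

        location / {
            proxy_pass http://127.0.0.1:8081;       # host port 8081 -> container 8080
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}

stream {
    # TLS passthrough: nginx1 never decrypts, it only reads the SNI from the
    # ClientHello and hands the raw TCP stream to the container that holds
    # the certificate. Needs the stream and ssl_preread modules loaded.
    map $ssl_preread_server_name $upstream_tls {
        autonomous-times.com 127.0.0.1:4431;        # assumed host port -> container 4430
        default              127.0.0.1:4431;
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream_tls;
    }
}

# ===== nginx2, inside the container (assumed: its own nginx.conf) =====

http {
    server {
        listen 8080;
        server_name autonomous-times.com;
        root /.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com;

        # Serve challenge files from disk. A missing token must answer 404,
        # never a catch-all 200, which is the symptom the curl probes showed.
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            try_files $uri =404;
        }

        location / {
            try_files $uri $uri/ =404;
        }
    }

    server {
        listen 4430 ssl;
        server_name autonomous-times.com;
        # Paths assumed; they follow certbot's default layout and move with --config-dir
        ssl_certificate     /etc/letsencrypt/live/autonomous-times.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/autonomous-times.com/privkey.pem;
        root /.fluence/v1/services/workdir/060df9dc-864e-488c-8228-7c943c174e69/publication/public/autonomous-times.com;

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

Two notes on this layout. With `--webroot`, certbot itself listens on nothing, so the `--http-01-port 8080` seen in the log has no effect; what answers the CA is nginx2 on 8080, reached through port 8081 and nginx1's port 80. And because nginx1 only forwards bytes, the container user needs write access to the webroot and to certbot's config directory but to nothing on the host, which matches the isolation goal stated above; once the challenge succeeds, the `777` set while debugging can be tightened back to owner-writable for that user.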

Sure. I don't see HTTP working to that domain name so a cert request using an HTTP Challenge would fail.

Also, you already got 3 certs for that domain name today. You are only allowed 5 identical certs per week so please use the Let's Encrypt staging system when testing. If you get Rate Limited for this reason you have to wait a week to get another cert.

For Certbot and --webroot just add --dry-run to the command. Or, even use --test-cert although --dry-run is usually best when testing Certbot itself. See the Certbot docs for what these do.

3 Likes