Cannot renew "Failed authorization procedure"

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: certbot-auto renew

It produced this output: Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching,/.well-known/acme-challenge/nr5vlmOtWSkIMI-wfZhtvahZBDVFgFRDWQlGGeJQUtk: Error getting validation data. Skipping.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 14

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @unruly1,

If you literally pasted the output there, then the trouble is the comma in the URL (notice that it says "," with a comma instead of just ""). As this is an HTTPS URL, it shows that the certificate authority is following a 301 redirect message sent by your web server. The problem would probably lie with a redirect rule set in your web server configuration that redirects people from HTTP to HTTPS — it probably contains a typo that has an extra comma that doesn't belong there.

Thanks for the quick reply. I did copy/paste the output.
I did notice that and I have been looking everywhere for what is putting that comma in there. Thank you for pointing me to the redirect.
I fixed that and now I am having a problem bypassing the authentication prompt for the /.well-known directory despite this entry in the nginx reverse

location ~ /.well-known/acme-challenge/ {
    # turn off the basic auth that a later block enables
    auth_basic off;
    autoindex on;
}

although I do have the following entry after that

  auth_basic "Restricted";

any help is appreciated.

Maybe it’s because you’ve written .wellknown instead of .well-known there?

Oops, now THAT one was a typo… (fixed it on my post)
I verified it is correct on the server … any other ideas?

I don’t happen to know enough about nginx to diagnose this, unfortunately. (I’d agree that getting rid of the basic auth on that directory is necessary in order to let this renewal go ahead.)

Yeah, the auto-renew worked when I removed basic auth in the reverse config, but I’d like to be able to script it to auto-renew while maintaining basic auth in my nginx reverse proxy…
I’ll do some more research
here is the tutorial I followed:
Secure nginx Reverse Proxy with Let’s Encrypt

It's been my experience that nginx is somewhat sensitive to the order of location blocks. Try moving the block that enables http auth earlier in the file to before the block that disables it for /.well-known.

EDIT: This would be the case if the location block that enables http auth also uses the ~ (regexp match) operator. If it's just enabled in location / as I would expect then it should be ok. :thinking:

You might also consider instead using:

location ^~ /.well-known/acme-challenge/

That is, use ^~ instead of ~. This operator causes nginx to bypass any ~ rules when the prefix matches.
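As an added illustration of the advice in this thread (not the original poster's config and not taken from the linked tutorial), here is a reverse-proxy layout that keeps basic auth on the application while letting the ACME challenge through over plain HTTP. It assumes a placeholder hostname example.com, certbot's webroot at /var/www/letsencrypt, an htpasswd file at /etc/nginx/.htpasswd and an upstream on 127.0.0.1:8080.

```nginx
# Added example, assumptions: example.com, /var/www/letsencrypt,
# /etc/nginx/.htpasswd and an upstream at 127.0.0.1:8080 are placeholders.
server {
    listen 80;
    server_name example.com;

    # ^~ is a prefix match that stops nginx from consulting any
    # "location ~" regex blocks, so auth_basic can never be re-enabled
    # here regardless of block order. Challenges are served unauthenticated.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is sent to HTTPS. A stray character in this target
    # (the comma in the thread's error output) breaks validation.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Same exception on the HTTPS side, in case certbot is redirected here.
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        root /var/www/letsencrypt;
        try_files $uri =404;
    }

    # Basic auth protects only the proxied application.
    location / {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://127.0.0.1:8080;
        proxy_set_header     Host $host;
    }
}
```

After `nginx -t` and a reload, `curl -I http://example.com/.well-known/acme-challenge/probe` should answer 404 rather than 401 or a redirect, which is the quick check that the challenge path is reachable without credentials.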

Thank you for sharing your experience. I modified my file and an initial test indicates it is working properly.
Appreciate your help. Consider this resolved for now.
