Cant create a cert - verification failed

Hi all,
i have a Problem to create a certificate. In the openmediavault plugin i have the very simple logcodr:`Command: export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; /usr/bin/certbot certonly --non-interactive --test-cert --rsa-key-size 4096 --text --keep-until-expiring --agree-tos --allow-subset-of-names --cert-name --email --webroot -w /var/www/ -d 2>&1

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Challenge failed for domain
Cleaning up challenges
Challenges failed for all domains

and in the letsencrypt log i have the folowing errorcode
Connection: keep-alive

“identifier”: {
“type”: “dns”,
“value”: “
“status”: “invalid”,
“expires”: “2018-01-13T20:34:37Z”,
“challenges”: [
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:unauthorized”,
“detail”: “Invalid response from [XXX.XXX.XXX.XXX]: 404”,
“status”: 403

My domain is:

I ran this command:

It produced this output:

My web server is (include version):nginx

The operating system my web server runs on is (include version): openmediavault 4.0.16 (debian 9.x)

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Web Gui of openmediavault and the login

What are the permissions for your .well-known/acme-challenge folders ? the error is that an external connection can not reach the files in that location.

the /var/www folder for the .well-known have drwxr-xr-x but i havent a .well-known folder. What does i need?

edit; i create new folder for certifications
drwxrws—+ 1 www-data www-data 22 Jan 6 22:42 certificate

but it doesnt work

okay… i have looked again in the folder an see a folder with .well-known. and oll the premissions are vor groop and user www-data. But it doessn’t work. The error is the same

If you add a plain text file ( called test ) in the .well-known/acme-challenge folder, can you then reach that in a browser

If not, what do your nginx logs show

I found something in my nginx log. Mybe it helps.
/wTbQRK7FelF1qgCzROGamuobneuAMwxLU9T6axy_2kI HTTP/1.1", host: ""
2018/01/08 19:08:45 [error] 30831#30831: *2132 access forbidden by rule, client:, server:, request: "GET /.well-known/acme-challenge

OK, so you have something blocking it in your nginx config by the look of it.

What is your nginx config ( apart from email addresses or anything else private you may have in there )

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.