Can't generate ssl certificate, "Some challenges have failed."

My domain is:
mindset.ccgeo.info:84

I ran this command:
certbot --nginx -d mindset.ccgeo.info:84

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mindset.ccgeo.info:84

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: mindset.ccgeo.info
Type: unauthorized
Detail: Invalid response from http://mindset.ccgeo.info/.well-known/acme-challenge/ByuMW_EdWzus5VhIErenZpQibHReUJy0mxG7vYqvoQs [45.202.17.189]: "\n\n404 Not Found\n\n

Not Found

\n<p"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
UBUNTU 20.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @ZAK and welcome to the LE community forum :slight_smile:

Unfortunately, LE is unable to validate HTTP-01 via any other port (only 80).
If port 80 can be made to reach your system, do that and retry your request.
[which it looks like port 80 can reached]

curl -Ii http://mindset.ccgeo.info/
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 06:12:49 GMT
Server: Apache/2.4.18 (Ubuntu)

If port 80 is not able to reach your system, there is now only DNS-01 option.
DNS-01 is more complicated to automate.
It can be done manually, but that is then a requirement each 60-90 days.
It is best to use a DNS Service Provider (DSP) that supports updates via API.
And an ACME client that has a DNS plugin that supports that DSP.

1 Like

@rg305 Hello sir, Thankyou for your response. I've a url like this https://mindset.ccgeo.info:84, I just want to know if it's possible to generate ssl certificate with that kind of url ?

1 Like

You can use a certificate with any port.

But you can only obtain, and renew, a cert via two methods:

  • HTTP-01 authentication
    [requires TCP port 80 (HTTP) access to your server]
  • DNS-01 authentication
    [does not require any access to your server - DNS zone changes are required]

So the answer is both NO and YES.
[depending on which authentication method you wish to use]

3 Likes

As I mentioned previously:

Your site seems to be reachable via TCP port 80 (HTTP), so you should be able to use both authentication methods.

2 Likes

Would you like any help obtaining a cert?
OR reviewing/configuring your nginx to be able to obtain a cert?

2 Likes

Wow. Yes please. Should I post my nginx config here ?

1 Like

Yes, that would be a great place to start.
nginx -T

1 Like

This is the output

root@ccgeo:/# nginx -t
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/certificate.cert"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@ccgeo:/#

use Capital T

1 Like

root@ccgeo:/# nginx -T

nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/nginx/certificate.cert"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/ckan:
proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;

server {
    listen 80;
    server_name mindset.ccgeo.info:84;
    return 301 https://$server_name&request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate certificate.cert;
    ssl_certificate_key certificate.key;

    client_max_body_size 100M;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSV1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        # In emergency comment out line to force caching;
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

}

There much better!

2 Likes

Ok this section needs some love:

server {
    listen 80;
    server_name mindset.ccgeo.info:84;
    return 301 https://$server_name&request_uri;
}

let me redo that for you...
give me a minute

2 Likes

This is what I have so far:

server {
    listen 80;
    server_name mindset.ccgeo.info;
    location ^/(?!\.well-known) {            # skip challenge requests
      return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /new/dedicated/challenge/path;      # path for challenge requests
}

But I need to understand why you were using :84?
Do you also want to respond to HTTP (or HTTPS) requests on port 84?

We also need talk about:

1 Like

BTW sir mindset.ccgeo.info is not same as mindset.ccgeo.info:84, We've one public IP address so :84 is assigned to my test server

Is that okay to post that picture above ?

hmm...
But isn't this server listening to incoming requests on port 80?

Yes that is not secret stuff - ok to post.

1 Like

So do you want to use :84 for HTTP or HTTPS?
If you need both, you must use two ports.
But most importantly you must make the system that is hearing the port 80 requests answer properly OR pass those authentication requests to your test server.

That said, I need a better picture of what all is going on here.
How many servers are there?

1 Like

HTTPS sir.
We only have one server sir. that's serving the

mindset.ccgeo.info

using port forwarding. Since we only have 1 public IP my test server assigned in mindset.ccgeo.info:84

1 Like