Can't get a sub domain secured on nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hl521.me

I ran this command: certbot --nginx (used option 3)

It produced this output:

root@k10 ~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: hl521.me
2: files.hl521.me
3: mail.hl521.me
4: nvr.hl521.me
5: unifi.hl521.me
6: www.hl521.me


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.hl521.me
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.hl521.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge "P7Xzecjm2NVqv7DYtTeTvV4zSD7SMLwzrOzjUv54yBw.8ZukyMoL-46saffGWh-AmWuXNTJWsViQDCLz8Emp07w" != ""

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.hl521.me
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    "P7Xzecjm2NVqv7DYtTeTvV4zSD7SMLwzrOzjUv54yBw.8ZukyMoL-46saffGWh-AmWuXNTJWsViQDCLz8Emp07w"
    != ""

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Nginx 1.14.2-2

The operating system my web server runs on is (include version): Debian 10 (Buster)

My hosting provider, if applicable, is: N/A, Hosting locally

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, all via remote shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

2 Likes

Welcome to the Let's Encrypt Community, Derek :slightly_smiling_face:

The redirects in place will make it impossible to authenticate mail.hl521.me via an http-01 challenge.


Visiting http://mail.hl521.me/.well-known/acme-challenge/test should produce a 404 Not Found (unless test actually exists, in which case a 200 OK along with the content should be produced).

1 Like

Hey thanks, griffin!

I'm assuming it's just a config thing I need to do with nginx? I'm honestly wondering if iRedMail under nginx is messing with my UniFi server now too, since it isn't able to detect my devices anymore lol

2 Likes

Certbot actually adds a temporary exception to your nginx configuration to serve the challenge file that appears to be located in /.well-known/acme-challenge/. Your specific nginx configuration is probably interfering. There is a workaround that temporarily shuts down nginx and spins up a temporary web server. Not ideal, but possible.

Why does a BigIP webserver answer?

1 Like
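As an added illustration of the check described above (not code from the thread or from Certbot), the following reproduces what the validator does for an http-01 challenge: it derives the key authorization the file must contain (RFC 8555 §8.1, thumbprint per RFC 7638) and classifies the outcome of the fetch, including the two failure modes in this thread (the name resolving to a different host, and a redirect away from the nginx box). The JWK values, hostnames and IPs are constructed samples.

```python
# Added example (not from the thread): reproduce the http-01 check and classify failures.
# Key names, hosts, IPs and the sample JWK are constructed for illustration.
import base64, hashlib, json

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    # RFC 8555 section 8.1: /.well-known/acme-challenge/<token> must contain exactly this string
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def diagnose(expected: str, final_host: str, wanted_host: str, status: int, body: str) -> str:
    """Classify what the validator saw after following redirects."""
    if final_host != wanted_host:
        return f"redirect: request for {wanted_host} ended at {final_host}, which does not hold the token"
    if status == 404:
        return "404: nginx reached, but no server block serves /.well-known/acme-challenge/ for this name"
    if status != 200:
        return f"HTTP {status}: challenge path not served"
    if body.strip() != expected:
        return f"mismatch: expected {expected!r}, got {body.strip()!r} (stale token or wrong vhost)"
    return "ok"

def dns_points_here(resolved_ips: list, my_public_ip: str) -> bool:
    # The A/AAAA record for the name must reach the host that will answer the challenge
    return my_public_ip in resolved_ips

# Constructed sample: EC P-256 public key in JWK form (coordinates are arbitrary base64url strings)
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

if __name__ == "__main__":
    expected = key_authorization("P7Xzecjm2NVqv7DYtTeTvV4zSD7SMLwzrOzjUv54yBw", SAMPLE_JWK)
    # The thread's situation: the name resolves to the registrar's mail host, not the nginx box
    print(dns_points_here(["203.0.113.9"], "198.51.100.7"))
    print(diagnose(expected, "mail.example-registrar.test", "mail.hl521.me", 302, ""))
```

Run it against a real name by resolving the name with your resolver and fetching the challenge URL with redirects followed, then pass the final host, status and body to diagnose().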

Hm, strange. After deleting the symlink in /etc/nginx/sites-enabled for mail.hl521.me.conf, Unifi retains the issue where it doesn't detect the devices, so I doubt that the config for that was the issue.

Also, what was your last question?

1 Like

Do you see the problem?

2 Likes

Aaaaaaaah....
All the LittleIP client questions!

2 Likes

Edit: I just realized I can probably change the subdomain so it goes away from Hover's reservation of mail.hl521.me instead, so I only have to pay for the domain.

Wow, I don't know why I didn't see that, thank you. I just assumed that with a domain it would point all traffic to my IP, and that the email-specific stuff that you have to buy with the domain was for mail hosted BY the domain provider lol. I guess this answers my question :slight_smile:

3 Likes

2 Likes