Centos 7 404 not found acme-challenge

My domain is: boom.pelmorex.com

I ran this command: cd /opt/certbot; ./certbot-auto certonly --nginx -d boom.pelmorex.com --non-interactive --agree-tos --email netops@pelmorex.com --staging

It produced this output:
Failed authorization procedure. boom.pelmorex.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://boom.pelmorex.com/.well-known/acme-challenge/9Xi0PElLfgt0d22mw-JZfk15fUzV8ToB0cZMUxrAvB8: “\r\n404 Not Found\r\n<body bgcolor=“white”>\r\n

404 Not Found



My web server is (include version): Nginx (act as redirector)

The operating system my web server runs on is (include version): CentOS 7.5

My hosting provider, if applicable, is: self-host

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have this current setup.

I have one server that handles only certificate generation (Let’s Encrypt), and I have other servers that host either web servers or redirectors.

For testing purposes, I’m working only on redirectors.
I have nginx that handles all the incoming traffic and redirects it to https.

In the encrypt server's nginx conf, I left it almost at the default except for these lines.
listen 80 ;
#listen [::]:80 default_server;
server_name _;
#root /usr/share/nginx/html;

As for the redirector server's nginx conf, I added/modified these lines.
server {
    listen 80;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://encrypt.pelmorex.com;
        allow all;
        #root /usr/share/nginx/html;
    }
}

And the boom subdomain conf is as follows.
server {
    listen 80;
    server_name boom.pelmorex.com;
    root /var/www/html/boom;
    access_log /var/log/nginx/boom_access.log main;
    #return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name boom.pelmorex.com;
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        proxy_pass http://encrypt.pelmorex.com;
        allow all;
    }
    # include conf.d/ssl_test;
    access_log /var/log/nginx/boom_access.log main;
    root /var/www/html/boom;
    #return 301 https://www.pelmorex.com$request_uri;
}

I did a few tests and so far so good… What could have gone wrong?

P.S. If I’m missing anything or something needs clarification, let me know.


Hi @p_tekkenwar

looks like certbot doesn't understand your configuration and saves the validation file in the wrong directory.



After setting up challenges, wait for user input before submitting to CA

and check where the validation file is saved.

Or use the webroot with -w option.

PS: You have some

definitions. But fetching your file via browser or direct, there is a

Content-Type: application/octet-stream

sent, not "text/plain". http, no redirect https. https has a timeout.

Hi @JuergenAuer

Thanks for quick reply.
Unfortunately, I can't locate where the file is saved...
Also, I don't think I can't use webroot in my current setup because my encrypt server doesn't have a root folder, as all of them are located on my redirect server.

As for

I commented out. Thanks for pointing it out.

For the validation file, what could be the issue that it doesn't show up in the proper location?

Also, I wanted to set up Central Validation Servers for my encrypt server, since I have a lot of frontends and redirectors.
What will be the proper setup/configuration in this case?

You must run your certbot on your redirect server, not on your encrypt server. So certbot must be able to find the webroot - direct or indirect.

Perhaps you should create your own client using an API or your own functions, if you want to use such a "split configuration" with different servers and special needs.
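The webroot option mentioned in the thread, sketched for a central validation host. This is an added example, not configuration from any of the posters. The directory /var/www/acme and the two catch-all `location /` blocks are assumptions; host names and certbot flags are taken from the original post.

```nginx
# --- Redirector (boom.pelmorex.com), port 80 server block ---
server {
    listen 80;
    server_name boom.pelmorex.com;

    # Forward only ACME HTTP-01 requests to the central validation host.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://encrypt.pelmorex.com;
        # proxy_pass sends "Host: encrypt.pelmorex.com" by default, so the
        # upstream must answer this path regardless of which site asked.
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# --- Central validation host (encrypt.pelmorex.com) ---
server {
    listen 80;
    server_name _;

    # certbot --webroot writes .well-known/acme-challenge/<token> under
    # the directory given with -w (assumed here: /var/www/acme).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type "text/plain";
        try_files $uri =404;
    }

    # This host serves nothing except challenge files.
    location / {
        return 404;
    }
}

# Run on the central validation host (flags from the original command,
# with --webroot -w in place of --nginx):
#   ./certbot-auto certonly --webroot -w /var/www/acme -d boom.pelmorex.com \
#       --non-interactive --agree-tos --email netops@pelmorex.com --staging
```

With this layout the certificate and private key are issued on the central host and still have to be copied to whichever server terminates TLS for the domain.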
