CentOS 7: 404 Not Found on acme-challenge


#1

My domain is: boom.pelmorex.com

I ran this command: cd /opt/certbot; ./certbot-auto certonly --nginx -d boom.pelmorex.com --non-interactive --agree-tos --email netops@pelmorex.com --staging

It produced this output:
Failed authorization procedure. boom.pelmorex.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://boom.pelmorex.com/.well-known/acme-challenge/9Xi0PElLfgt0d22mw-JZfk15fUzV8ToB0cZMUxrAvB8: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n404 Not Found\r\n"

IMPORTANT NOTES:

My web server is (include version): nginx (acts as a redirector)

The operating system my web server runs on is (include version): CentOS 7.5

My hosting provider, if applicable, is: self-host

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have this current setup.

I have one server that handles only certificate generation (Let's Encrypt), and I have other servers that host either a web server or redirectors.

For testing purposes, I'm working only on the redirectors.
I have nginx handling all the incoming traffic and redirecting it to https.

In the encrypt server's nginx conf, I left it almost at the default except for these lines.
listen 80 ;
#listen [::]:80 default_server;
server_name _;
#root /usr/share/nginx/html;

As for the redirector server's nginx conf, I added/modified these lines.
server {
    listen 80;
    listen [::]:80 default_server;

    server_name _;
    root /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # Hand ACME challenge requests to the encrypt server instead of serving them locally.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://encrypt.pelmorex.com;
        allow all;
        #root /usr/share/nginx/html;
    }
}

and the boom subdomain conf is as follows.
server {
    listen 80;
    server_name boom.pelmorex.com;
    root /var/www/html/boom;
    access_log /var/log/nginx/boom_access.log main;
    #return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name boom.pelmorex.com;
    # ssl_certificate / ssl_certificate_key presumably come from the include commented out below.
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        proxy_pass http://encrypt.pelmorex.com;
        allow all;
    }
    # include conf.d/ssl_test;
    access_log /var/log/nginx/boom_access.log main;
    root /var/www/html/boom;
    #return 301 https://www.pelmorex.com$request_uri;
}

I did a few tests and so far so good… What could have gone wrong?
https://letsdebug.net/boom.pelmorex.com/6477
&
http://boom.pelmorex.com/.well-known/acme-challenge/test

P.S. If I'm missing anything or you need clarification, let me know.

Thanks


#2

Hi @p_tekkenwar

looks like certbot doesn’t understand your configuration and saves the validation file in the wrong directory.

Use

--debug-challenges

(After setting up challenges, wait for user input before submitting to CA)

and check where the validation file is saved.

Or use the webroot with the -w option.

PS: You have some

definitions. But fetching your file via browser or directly, there is a

Content-Type: application/octet-stream

sent, not "text/plain". http: no redirect to https. https has a timeout.


#3

Hi @JuergenAuer

Thanks for quick reply.
Unfortunately, I can't locate the file where it was saved…
Also, I don't think I can use webroot in my current setup because my encrypt server doesn't have a root folder, as all of them are located on my redirect server.

As for

I commented out. Thanks for pointing it out.

For the validation file, what could be the issue that it doesn't show up in the proper location?

Also, I wanted to set up my encrypt server as a central validation server since I have a lot of frontends and redirectors.
What would be the proper setup/configuration in this case?


#4

You must run your certbot on your redirect server, not on your encrypt server. So certbot must be able to find the webroot - direct or indirect.

Perhaps you should create your own client using an API or your own functions, if you want to use such a "split configuration" with different servers and special needs.
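A concrete way to act on the advice in #2 (check where the validation file ends up and use webroot mode) and #4 (run certbot on the redirector, where the webroot actually is). The script below is an added example, not code from this thread or from certbot. It is meant to run on the redirector, and it assumes nginx there serves /.well-known/acme-challenge/ from a local directory (a `root` directive inside the `location ^~ /.well-known/acme-challenge/` block instead of the proxy_pass to the encrypt server), with certbot-auto in /opt/certbot as in post #1. The domain, the webroot path /var/www/acme and the probe file name are assumptions. It drops a probe file into the webroot, fetches it over plain http via the public hostname the way the CA does, and reports why the CA would reject the response before you burn a validation attempt.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the redirector (the host that
# owns the webroot) before running certbot there in webroot mode.
# Assumptions: nginx serves /.well-known/acme-challenge/ from $WEBROOT for
# $DOMAIN on port 80, and certbot-auto lives in /opt/certbot as in post #1.

DOMAIN=${DOMAIN:-boom.pelmorex.com}
WEBROOT=${WEBROOT:-/var/www/acme}   # assumed path; must match the nginx "root" for the challenge location
PROBE="probe-$$"                     # assumed probe file name, removed again afterwards

# check_response STATUS NUM_REDIRECTS CONTENT_TYPE BODY EXPECTED_BODY
# Mirrors what the CA checks: final status 200 and a body equal to the
# key authorization. Content-Type is a warning only (RFC 8555 tells the CA
# to ignore it). Returns 0 when the CA would accept the response.
check_response() {
    status=$1 redirects=$2 ctype=$3 body=$4 expected=$5
    if [ "$status" != "200" ]; then
        echo "FAIL: final HTTP status $status after $redirects redirect(s); the challenge path is not served from the webroot"
        return 1
    fi
    if [ "$body" != "$expected" ]; then
        echo "FAIL: body does not match the probe; another server block or root answered the request"
        return 1
    fi
    case "$ctype" in
        text/plain*) ;;
        *) echo "WARN: Content-Type is '$ctype', not text/plain (the CA accepts it, but set default_type in the challenge location)" ;;
    esac
    if [ "$redirects" -gt 0 ]; then
        echo "NOTE: answered after $redirects redirect(s); the CA follows them, so every hop must keep serving the token"
    fi
    echo "OK: probe served from the webroot as the CA would see it"
    return 0
}

# live_check: write a probe into the webroot and fetch it over plain http
# via the public hostname, i.e. the exact URL the CA requests.
live_check() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    expected="acme-probe-$(date +%s)"
    printf '%s' "$expected" > "$dir/$PROBE"
    tmp=$(mktemp)
    # -L follows redirects like the CA; -w reports final status, hop count and content type
    out=$(curl -sS -L --max-redirs 5 -o "$tmp" \
          -w '%{http_code} %{num_redirects} %{content_type}' \
          "http://$DOMAIN/.well-known/acme-challenge/$PROBE")
    status=${out%% *}; rest=${out#* }; redirects=${rest%% *}; ctype=${rest#* }
    body=$(cat "$tmp")
    rm -f "$tmp" "$dir/$PROBE"
    check_response "$status" "$redirects" "$ctype" "$body" "$expected"
}

# Only touch the network when asked; otherwise just define the functions.
if [ "${1:-}" = "--live" ]; then
    live_check && printf '\nWebroot checks out. Request the cert on this host:\n  cd /opt/certbot && ./certbot-auto certonly --webroot -w %s -d %s --staging\n' "$WEBROOT" "$DOMAIN"
fi
```

Run it as `sh acme_probe.sh --live` for the network check; without the flag it only defines the functions, so you can also source it and feed `check_response` values captured from a browser or curl session. A 404 or a body that does not match the probe means a different server block or document root answered, which is the situation the certbot output in #1 shows; the Content-Type mismatch from #2 is reported as a warning only, because the CA ignores that header.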

