Certbot-auto stopped working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:


I ran this command:
sudo /root/certbot-auto certonly --manual -d mail4.zdrav36.ru
It produced this output:
Create a file containing just this data:

JLAOa_uXj9gknNkXLWmzioDPTfnnyaFc6GO8C1zTqjc.xbZwBu1QH2cof-1A96zxKw4KLjVJ03NsHjSBt2Uuf4g

And make it available on your web server at this URL:

http://mail4.zdrav36.ru/.well-known/acme-challenge/JLAOa_uXj9gknNkXLWmzioDPTfnnyaFc6GO8C1zTqjc


Press Enter to Continue
Waiting for verification...
Challenge failed for domain mail4.zdrav36.ru
http-01 challenge for mail4.zdrav36.ru
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)

The operating system my web server runs on is (include version):
Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is:
own server

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
certbot 1.8.0

Hi everyone,

I just got a problem. My certbot had been working for a long time but recently stopped renewing certificates, with strange behavior. If I run the automatic renewal I see that the files are created, but I get a 404 error and cannot copy the path into a browser to check because they are removed very quickly. Then I tried to issue a new certificate (with only one SAN, to keep it simple). I created the files; I could (and still can) access the files with a browser, but certbot returns a 404 error. Please help, I really don't understand anymore what has been broken.

Apart from the file at the top of the topic, I have the following files in the acme directory. They are still available, but Let's Encrypt could get all of them.
111.txt
crmcuzCLRRX809O4NthfTZFzlyXYfrg5u_xokdvXNkM
JLAOa_uXj9gknNkXLWmzioDPTfnnyaFc6GO8C1zTqjc
ROWHbBIcpyaevSxP83zRtazNAe-6cIeVq3JYg3dE5jM

1 Like

I can't reach them either:

curl -Iki http://mail4.zdrav36.ru/.well-known/acme-challenge/111.txt
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 21 Sep 2020 19:34:30 GMT
Content-Type: text/html;charset=iso-8859-1
Content-Length: 274
Connection: keep-alive
Cache-Control: must-revalidate,no-cache,no-store
1 Like

An option to certbot exists called --debug-challenges which will pause certbot when the challenges are placed just before they are going to be authenticated by the Let's Encrypt servers. Not sure if this also works when you just use certbot renew with that option, but worth a try.

Also, I'm pretty sure this is because of a change in webserver configuration. As you're using nginx, it wouldn't be caused by .htaccess as that's an Apache thing.

1 Like

Please show (in your config) how that directory comes to be known as the acme directory.
[it seems that something isn't lining up right]

1 Like

Thank you for checking. It is very strange because I can get the file right now in my browser, which is connected only to the Internet and has no access to the LAN.

Are you connecting to the IP address 185.183.174.100?

I tried `--debug-challenges`; it pauses and even asks me to press a key, but for some reason it proceeds after 2-3 seconds. I also think that something changed on the web side but I cannot understand what, because I actually didn't do anything this year. Everything was working at least a month ago.

Yes, sorry for the unreadable symbols :slight_smile: it means a non-authoritative answer. There is a "loopback" on DNS for all unspecified subdomains.
C:\Users\sasha>nslookup mail4.zdrav36.ru
Сервер: UnKnown
Address: 79.104.14.247

Не заслуживающий доверия ответ:
Имя: zdrav36.ru
Address: 185.183.174.100
Aliases: mail4.zdrav36.ru

It proceeds only when you press the button :wink: But before you press it, you can take a look around your webserver's webroot for the file(s) in another shell.

The config is only about the http part. Since I'm trying this for testing/troubleshooting purposes, I use a non-existing site in nginx so it is redirected to the "default" site. I also removed all http->https redirections for testing, but that was below acme.conf so it was not a problem in past years.

upstream www.zdrav36.ru {
    server 10.0.0.23:80;
}

server {
    listen *:80 default_server;
    server_name _;
    client_max_body_size 1024M;

    # acme.conf is expanded below for readability
    include acme.conf;

    location / {
        proxy_pass http://www.zdrav36.ru;
        include /etc/nginx/proxy_params;
        expires off;

        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}

# ---- content of acme.conf ----
# lets encrypt test domain challenge
location /.well-known {
    root /srv/www/wellknown;
}
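As an added example (not code from the original post, from certbot or from nginx), the script below models how nginx maps the request URI onto disk for the `location /.well-known { root /srv/www/wellknown; }` block above, contrasting `root` (the whole URI is appended to the directory) with `alias` (only the part after the location prefix is), and then checks a throwaway directory for the token file the same way nginx would. The location, root path and file name 111.txt are taken from the thread; the temporary webroot and the `alias` variant are assumptions of the example, not the poster's config.

```python
"""Where does nginx look for an http-01 token under `root` vs `alias`?

Added example for this thread; not part of the original post, certbot or
nginx. The mapping rules are nginx's documented ones (ngx_http_core_module):
with `root` the full request URI is appended to the directory, with `alias`
only the part after the location prefix is. The on-disk check runs against
a temporary directory this example creates, not against /srv/www/wellknown.
"""
import os
import posixpath
import tempfile

# http-01 tokens are base64url; the thread also uses plain test names like 111.txt
TOKEN_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.")


def challenge_uri(token: str) -> str:
    """Build the http-01 request URI; reject anything that is not a plain file name."""
    if not token or token in (".", "..") or set(token) - TOKEN_CHARS:
        raise ValueError(f"not a valid challenge file name: {token!r}")
    return "/.well-known/acme-challenge/" + token


def resolve_path(uri: str, location: str, root: str = None, alias: str = None) -> str:
    """Filesystem path nginx opens for `uri` when it matches prefix `location`."""
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} does not match location {location!r}")
    if (root is None) == (alias is None):
        raise ValueError("specify exactly one of root= or alias=")
    if root is not None:
        # root: directory + full URI, so the location prefix stays in the path
        path = root + uri
    else:
        # alias: directory replaces the matched prefix
        path = alias + uri[len(location):]
    return posixpath.normpath(path)


def expected_token_path(token: str, location: str = "/.well-known",
                        root: str = "/srv/www/wellknown") -> str:
    """Path the thread's acme.conf makes nginx serve the token from."""
    return resolve_path(challenge_uri(token), location, root=root)


def token_is_on_disk(token: str, location: str, root: str) -> bool:
    """True if the file nginx would open for this token exists and is readable."""
    path = resolve_path(challenge_uri(token), location, root=root)
    return os.path.isfile(path) and os.access(path, os.R_OK)


def demo() -> dict:
    """Lay out a throwaway webroot and show which placement `root` actually finds."""
    token = "111.txt"
    with tempfile.TemporaryDirectory() as webroot:
        uri = challenge_uri(token)
        # A common mistake: dropping the file at <webroot>/acme-challenge/<token>,
        # which is only right if the location used `alias` rather than `root`.
        os.makedirs(os.path.join(webroot, "acme-challenge"))
        with open(os.path.join(webroot, "acme-challenge", token), "w") as fh:
            fh.write("constructed token contents\n")
        before = token_is_on_disk(token, "/.well-known", webroot)
        # Correct placement for `root`: <webroot>/.well-known/acme-challenge/<token>
        os.makedirs(os.path.join(webroot, ".well-known", "acme-challenge"))
        with open(os.path.join(webroot, ".well-known", "acme-challenge", token), "w") as fh:
            fh.write("constructed token contents\n")
        after = token_is_on_disk(token, "/.well-known", webroot)
        return {
            "root_path": resolve_path(uri, "/.well-known", root=webroot),
            "alias_path": resolve_path(uri, "/.well-known", alias=webroot),
            "found_before_move": before,
            "found_after_move": after,
        }


if __name__ == "__main__":
    print(expected_token_path("111.txt"))
    print(demo())
```

Running it prints `/srv/www/wellknown/.well-known/acme-challenge/111.txt` for the config quoted above; if the token files were written one level up (directly under `acme-challenge` in the webroot), that location block would need `alias` instead of `root` to find them.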

I know, but the strange thing is that when I switched to another window, even just with the mouse, the button was somehow pressed, and if I did nothing it went forward anyway. I almost smashed my head against the wall because of this bug, then I started to use the --manual key.

Could you please paste here the HTML text of the error? If I try to get a wrong file I get the following page:

<html><head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body></html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

mail4.zdrav36.ru/.well-known/acme-challenge/1112.txt

But if I use http://www.seowebpageanalyzer.com/ to check correct or incorrect files:

Title
Error 404 Not Found (19 characters)
Keywords
(0 phrases, 0 characters)
Keywords metatag is empty.
Description
(0 characters)
There are no description set for this page.

I'm concerned about the title because it does not match. But why can I see the file while you and the analyzer cannot...

Maybe this is a clue to you:

curl http://mail4.zdrav36.ru/.well-known/acme-challenge/111.txt
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /service/.well-known/acme-challenge/111.txt. Reason:
<pre>    Not Found</pre></p>
</body>
</html>

/service/... ? ? ?

That should have been:
/srv/www/wellknown/acme-challenge/111.txt
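The mismatch pointed out here, a Server header that says nginx alongside an error body nginx never generates and a request path with an extra `/service` prefix, is the kind of thing a small fingerprinting check catches without guesswork. The script below is an added example, not code from the original posts or from certbot or nginx: it parses a raw 404 response, guesses which software rendered the body, compares the path the responder reports against the one actually requested, and flags the response as inconsistent with the configured server. The two sample responses are reconstructed from the thread (the nginx page pasted above and the curl header and body output); the header set on the nginx sample is constructed, since only its body appears in the thread.

```python
"""Fingerprint a 404 page to tell whether the configured nginx actually answered.

Added example for this thread; not part of the original posts, certbot or
nginx. Feed classify_404() the raw bytes of any response captured with
`curl -i`. No network access is needed to run the samples below.
"""
import re

REQUESTED = "/.well-known/acme-challenge/111.txt"

# Constructed sample: nginx 1.4.6's stock 404 (body as pasted in the thread,
# headers assumed for the example).
NGINX_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.4.6 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"<html>\r\n<head><title>404 Not Found</title></head>\r\n"
    b"<body bgcolor=\"white\">\r\n"
    b"<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx/1.4.6 (Ubuntu)</center>\r\n"
    b"</body>\r\n</html>\r\n"
)

# Reconstructed from the curl output in the thread: headers from `curl -Iki`,
# body from the plain `curl` run. The Server header still claims nginx.
OTHER_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx\r\n"
    b"Date: Mon, 21 Sep 2020 19:34:30 GMT\r\n"
    b"Content-Type: text/html;charset=iso-8859-1\r\n"
    b"Content-Length: 274\r\n"
    b"Connection: keep-alive\r\n"
    b"Cache-Control: must-revalidate,no-cache,no-store\r\n"
    b"\r\n"
    b"<html>\n<head>\n"
    b"<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n"
    b"<title>Error 404 Not Found</title>\n</head>\n"
    b"<body><h2>HTTP ERROR 404</h2>\n"
    b"<p>Problem accessing /service/.well-known/acme-challenge/111.txt. Reason:\n"
    b"<pre>    Not Found</pre></p>\n</body>\n</html>\n"
)


def split_response(raw: bytes):
    """Return (status_line, headers_dict, body_text) for a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def body_generator(body: str) -> str:
    """Guess which software rendered the error body from its fixed markup."""
    if re.search(r"<hr><center>nginx(/[\w.]+)?( \([^)]*\))?</center>", body):
        return "nginx"
    if "Problem accessing" in body and "HTTP ERROR" in body:
        return "jetty-like"
    return "unknown"


def seen_path(body: str):
    """Path the responder says it looked up, if the body reports one."""
    m = re.search(r"Problem accessing (\S+)\.\s*Reason:", body)
    return m.group(1) if m else None


def added_prefix(requested: str, seen):
    """Prefix an intermediary prepended to the request path, or None."""
    if seen is not None and seen != requested and seen.endswith(requested):
        return seen[: -len(requested)]
    return None


def classify_404(raw: bytes, requested: str = REQUESTED) -> dict:
    """Decide whether the response is consistent with the configured nginx.

    A Server header claiming nginx while the body comes from something else,
    or reports a path the client never asked for, means another device
    between the client and the origin answered the request.
    """
    status, headers, body = split_response(raw)
    server = headers.get("server", "")
    gen = body_generator(body)
    path = seen_path(body)
    rewritten = path is not None and path != requested
    consistent = server.startswith("nginx") and gen == "nginx" and not rewritten
    return {
        "status": status,
        "server_header": server,
        "body_generator": gen,
        "seen_path": path,
        "path_rewritten": rewritten,
        "consistent": consistent,
    }


if __name__ == "__main__":
    for name, raw in (("browser from LAN", NGINX_404), ("curl from outside", OTHER_404)):
        v = classify_404(raw)
        print(f"{name}: consistent={v['consistent']} body={v['body_generator']} "
              f"seen_path={v['seen_path']} prefix={added_prefix(REQUESTED, v['seen_path'])}")
```

Run from two vantage points (one inside the LAN, one on the public Internet), the two verdicts differ exactly the way the thread describes: the LAN response is consistent with nginx, the outside one is rendered by a different server and carries the extra `/service` prefix, which is the signature of port 80 being answered by an intermediary rather than the origin.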

Thank you. I found the issue. A security device which acts as NAT wrongly redirected port 80 for some IP subnets.

1 Like