Certbot can't issue certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: screenglide.co www.screenglide.co

I ran this command: sudo certbot --nginx -d screenglide.co -d www.screenglide.co --redirect -n

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: screenglide.co
Type: unauthorized
Detail: 54.158.45.35: Invalid response from http://screenglide.co/.well-known/acme-challenge/1vz0i_wb7F1d1BYknDA92Id9KijM0MoA22qnZACdv8k: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.2

Hello! We are trying to issue an SSL cert with Nginx, and we can't. We have a lot of websites on this server, and some websites are working and some are not. I mean the certificate process. Could you check?

I tried to run:
sudo certbot certonly --nginx -d screenglide.co -d www.screenglide.co --redirect -n --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for screenglide.co and www.screenglide.co
The dry run was successful.

But when I try to run it without --dry-run, I see this error:
Requesting a certificate for screenglide.co and www.screenglide.co

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: screenglide.co
Type: unauthorized
Detail: 54.158.45.35: Invalid response from http://screenglide.co/.well-known/acme-challenge/TqkMsnUvkD6vU3UBF_xropvqo1f-nboCBDaWxxyMCnE: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Hi @alexMars, and welcome to the LE community forum 🙂

Using --nginx is generally [nearly] foolproof.
Let's review the nginx config file.
Post the output of:
nginx -T
[note: That is a Capital "T"]

Side notes:

  • Thanks for using the latest version of certbot
  • Ubuntu 18.04.5 LTS could use an update
2 Likes

sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If I try to use a capital T, I get a big response, because we have a lot of server directives. I can send you the nginx.conf and a typical nginx server configuration.

OK, how about:
nginx -T | grep -Ei 'listen|80|443|server_name'

2 Likes

nginx-conf.txt (1.6 KB)
nginx-server-directive.txt (1.3 KB)
Also we have two files with custom rules
custom-rules.txt (2.4 KB)

output.txt (114.5 KB)

The first location is overwritten by the second:

location ~* /wp-content/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
    access_log off;
    log_not_found off;
}
location ~* /wp-content/ {
    deny all;
    deny all;
    access_log off;
    log_not_found off;
}

Denying these seems a bit unnecessary:

location = /favicon.ico {
    deny all;
    access_log off;
    log_not_found off;
}
location = /images/favicon.png {
    deny all;
    access_log off;
    log_not_found off;
}

You might also want to block:
.env

2 Likes

I can't find screenglide anywhere in the output.txt file.
Are you on the right server?

2 Likes

You might want to turn this off:
gzip on;

This could use an update:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

2 Likes
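The two review posts above (the overlapping /wp-content/ locations and the `.env` suggestion, and the outdated `ssl_protocols` line) are easier to act on as one server block. The following is an added example, not the poster's configuration and not something from the thread: `example.com`, the webroot path and the certificate file names are placeholders. It keeps the ACME challenge path reachable even when dotfiles are denied, collapses the wp-content rules into the one that matters, and moves TLS to 1.2/1.3.

```nginx
# Added example (not the poster's config). example.com, /var/www/example.com
# and the certificate names are placeholders; adjust them to your site.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder names
    root /var/www/example.com;                 # placeholder webroot

    # "^~" is a prefix match that tells nginx to skip every regex location
    # for this path, so a later "deny all" regex can never shadow the
    # challenge files the CA fetches. With the site's own webroot this works
    # for both the --nginx and --webroot authenticators.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
    }

    # Block every dotfile and dot-directory (.env, .git, .htaccess, ...)
    # but exempt .well-known, which the ACME challenge lives under.
    location ~ /\.(?!well-known/) {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Only the script-extension rule is needed: denying all of /wp-content/
    # would also block theme CSS, JavaScript and uploaded images, and a
    # second, narrower deny rule adds nothing when the broad one already
    # denies everything. Regex locations are tried in file order; the first
    # match wins.
    location ~* ^/wp-content/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Everything else goes to HTTPS (what certbot's --redirect sets up).
    # This sits below the challenge location, so the CA's plain-HTTP fetch
    # of the token is still answered directly.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;   # placeholder names
    root /var/www/example.com;                 # placeholder webroot

    # Paths certbot writes; "example.com" is the lineage name, a placeholder here.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Replaces "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;". TLSv1.3 needs nginx
    # built against OpenSSL 1.1.1 or newer; check with "nginx -V".
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    location ~ /\.(?!well-known/) {
        deny all;
        access_log off;
        log_not_found off;
    }

    location ~* ^/wp-content/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After editing, `nginx -t` checks the syntax and `nginx -T` prints the fully merged configuration, which is where a shadowing location or a second `server_name` that also claims the domain shows up; the domain in question must appear in exactly one `server_name` on the host certbot runs on, otherwise the token is served from (or denied by) a different block than the one certbot edited.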

Now when I try to run certbot I see this:
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Unable to lock /etc/nginx')

Yes.
Our client tries to connect a custom domain to a website. In this case, the custom domain is added to the default file by nginx with the config that I sent you in the file.

What client?

2 Likes

Sounds like you may be running the "update client" more than once.

2 Likes

Could you clarify?

We have a platform to build landing pages, and clients can connect custom domains.

Whatever client you use to update the sites and cert might be running more than once.

2 Likes

But now it seems that certbot is not working on this server, with this error. How can I fix it?

Show us what's running.
ps -ef | grep certbot

2 Likes