Certbot can't issue certificate

alexMars · October 23, 2023, 11:23am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: screenglide.co www.screenglide.co

I ran this command: sudo certbot --nginx -d screenglide.co -d www.screenglide.co --redirect -n

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: screenglide.co
Type: unauthorized
Detail: 54.158.45.35: Invalid response from http://screenglide.co/.well-known/acme-challenge/1vz0i_wb7F1d1BYknDA92Id9KijM0MoA22qnZACdv8k: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.2

Hello! We are trying to issue SSL cert with Nginx. And we can't issue. We have a lot of websites on this server. And some websites are working. Some websites are not working. I mean the certificate process. Could you check/.

alexMars · October 23, 2023, 11:51am

tried to run
sudo certbot certonly --nginx -d screenglide.co -d www.screenglide.co --redirect -n --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for screenglide.co and www.screenglide.co
The dry run was successful.

but when I try to run it without --dry-run then I see this error
Requesting a certificate for screenglide.co and www.screenglide.co

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: screenglide.co
Type: unauthorized
Detail: 54.158.45.35: Invalid response from http://screenglide.co/.well-known/acme-challenge/TqkMsnUvkD6vU3UBF_xropvqo1f-nboCBDaWxxyMCnE: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

rg305 · October 23, 2023, 11:56am

Hi @alexMars, and welcome to the LE community forum

Using --nginx is generally [nearly] foolproof.
Let's review the nginx config file.
Post the output of:
nginx -T
[note: That is a Capital "T"]

Side notes:

Thanks for using the lates version of certbot
Ubuntu 18.04.5 LTS could use an update

alexMars · October 23, 2023, 12:00pm

sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

alexMars · October 23, 2023, 12:02pm

If I tried to use capital T then I have big response, because we have a lot of server directives. I can send you the nginx.conf and typical nginx server configuration

rg305 · October 23, 2023, 12:12pm

Ok, how about?:
nginx -T | grep -Ei 'listen|80|443|server_name'

alexMars · October 23, 2023, 12:13pm

nginx-conf.txt (1.6 KB)
nginx-server-directive.txt (1.3 KB)
Also we have two files with custom rules
custom-rules.txt (2.4 KB)

alexMars · October 23, 2023, 12:15pm

output.txt (114.5 KB)

rg305 · October 23, 2023, 12:25pm

The first location is overwritten by the second:

location ~* /wp-content/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
    access_log off;
  log_not_found off;
}
location ~* /wp-content/ {
  deny all;
  deny all;
access_log off;
  log_not_found off;
}

Denying these seems a bit unneccesary:

location = /favicon.ico {
   deny all;
   access_log off;
    log_not_found off;
}
location = /images/favicon.png {
   deny all;
   access_log off;
    log_not_found off;
}

You might also want to block:
.env

rg305 · October 23, 2023, 12:26pm

I can't find screenglide anywhere in the output.txt file.
Are you on the right server?

rg305 · October 23, 2023, 12:26pm

You might want to turn this off:
gzip on;

This could use an update:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

alexMars · October 23, 2023, 12:28pm

Now when I try to run certbot I see this
The nginx plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Unable to lock /etc/nginx')

alexMars · October 23, 2023, 12:30pm

yes.
Our client tries to connect custom domain to website. In this case this custom domain will be added to default file by nginx with config that I sent you in file.

rg305 · October 23, 2023, 12:31pm

What client?

rg305 · October 23, 2023, 12:33pm

Sounds like you may be running the "update client" more than once.

alexMars · October 23, 2023, 12:35pm

could you clarify?

alexMars · October 23, 2023, 12:35pm

we have the platform to build landing pages. And clients can connect the custom domains

rg305 · October 23, 2023, 12:50pm

Whatever client you use to update the sites and cert might be running more than once.

alexMars · October 23, 2023, 12:52pm

but now seems that certbot is not working for this server with this error. How I can fix it?

rg305 · October 23, 2023, 12:52pm

Show us what's running.
ps -ef | grep certbot