Certbot certonly webroot fail to create challenge file

Help
1

My domain is: radicalsolution.com

I ran this command: certbot certonly --webroot --agree-tos -m nicolas@radicalsolution.com -w /home/www/sslencrypt/ -d radicalsolution.com

It produced this output:
Failed authorization procedure. radicalsolution.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://radicalsolution.com/.well-known/acme-challenge/6Jow9P57JBucoOkgc3nPom08JFst88TYLYytJVdbYQ0:

on the web server log I have :
open() “/var/www/sslencrypt/acme-challenge/6Jow9P57JBucoOkgc3nPom08JFst88TYLYytJVdbYQ0” failed (2: No such file or directory), client: 66.133.109.36, server: s.radicalsolution.com, request: “GET /.well-known/acme-challenge/4PyN-_z6Z8Lb_H9RSXhOCx0JWxJ-khZy09Ha6SbHY4o HTTP/1.1”, host: “radicalsolution.com”

indeed no file is created inside /var/www/sslencrypt/

[ actually web server is on docker container, hence the apparent difference in file path ]

replacing --webroot by --manual and creating the file myself is OK

it doesn’t seems to be related to file’s right…I even tried with 777 right on acme-challenge

any hint ?

2

Did you manually map this path with Docker? Certbot will create the file in the subdirectory .well-known/acme-challenge under the path that you specified with -w.

3

Thanks for your answer

My Nginx container is started with

-v /home/www:/var/www -v /etc/letsencrypt:/etc/letsencrypt

And the location /.well-known is aliased To /var/www/sslencrypt on the vhost in the nginx container

I’m running certbot on the host ( Ubuntu 18.04 )

Nicolas LESCURE
Mob : +33 6 0857 5500
…
La beauté vient en premier. La victoire en second. L’important, c’est la joie
Sòcrates

4

When you say "aliased" do you mean you used the alias directive in your nginx configuration? If so, does it work if you try root instead? Or else alias it directly to /var/www/sslencrypt/.well-known/

5

thanks for your input.

indeed it does work with root !

location /.well-known {

alias /var/www/sslencrypt; # does work with certbot certonly --manual but not certbot certonly --webroot 

root /var/www/sslencrypt;  # does work with  `certbot certonly --webroot` ( one has to create also a new directory  /var/www/sslencrypt/**.well-known** )

}

hence certbot renew worked too :grinning:

1 Like
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.