Certbot - Configure NGINX for HTTP Challenge

Response from LetsEncrypt:

certbot certonly --webroot --webroot-path=/usr/share/nginx/html -d bots.artbelka.by
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
Please see the logfiles in /var/log/letsencrypt for more details.
root@tsd-ubuntu-do:/opt/letsencrypt# certbot certonly --webroot --webroot-path=/usr/share/nginx/html -d bots.artbelka.by --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bots.artbelka.by
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bots.artbelka.by (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bots.artbelka.by/.well-known/acme-challenge/kEccrFvyjw3-lTaPHRvhUE0edUOgjhmN8GXMayU7uiw: "

404 Not Found

Not Found

<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: bots.artbelka.by
Type: unauthorized
Detail: Invalid response from
http://bots.artbelka.by/.well-known/acme-challenge/kEccrFvyjw3-lTaPHRvhUE0edUOgjhmN8GXMayU7uiw:
"

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

Response from local machine:

curl -L http://bots.artbelka.by/.well-known/acme-challenge/kEccrFvyjw3-lTaPHRvhUE0edUOgjhmN8GXMayU7uiw:

403 Forbidden

403 Forbidden


nginx/1.10.0 (Ubuntu)

LetsEncrypt log:

2017-06-01 21:04:40,096:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: bots.artbelka.by
Type: unauthorized
Detail: Invalid response from http://bots.artbelka.by/.well-known/acme-challenge/kEccrFvyjw3-lTaPHRvhUE0edUOgjhmN8GXMayU7uiw: "

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-06-01 21:04:40,096:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-01 21:04:40,096:DEBUG:certbot.plugins.webroot:Removing /usr/share/nginx/html/.well-known/acme-challenge/kEccrFvyjw3-lTaPHRvhUE0edUOgjhmN8GXMayU7uiw
2017-06-01 21:04:40,097:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /usr/share/nginx/html/.well-known/acme-challenge
2017-06-01 21:04:40,097:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.14.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 742, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 682, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 82, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 313, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. bots.artbelka.by (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bots.artbelka.by/.well-known/acme-challenge/kEccrFvyjw3-lTaPHRvhUE0edUOgjhmN8GXMayU7uiw: "

404 Not Found

Not Found

<p"

NGINX file:
server {
    autoindex on;
    listen 80 default_server;
    root /usr/share/nginx/html;

#    server_name bots.artbelka.by *.bots.artbelka.by;

    location /.well-known/ {
        return 403;
        root /usr/share/nginx/html;
        allow all;
    }

    location ~ /.well-known {
        return 403;
        add_header Content-Type text/plain;
        allow all;
    }
}

NGINX needs to return 403 for LetsEncrypt, but the LetsEncrypt servers tell me about a 404 response... Why? And my local machine tells me about a 403 response, which is the correct response. Is Let's Encrypt not calling my domain?

bots.artbelka.by is available over both IPv4 and IPv6, but that Nginx server block only applies to IPv4. Let’s Encrypt’s requests are using IPv6, and apparently getting a 404 error.

You need to make sure that the IPv6 address is correct, and add an IPv6 listen directive like “listen [::]:80 default_server;” to the appropriate Nginx server block.

Or remove the AAAA DNS record.

Hello! Thank you for your feedback!
My nginx config - https://pastebin.com/febAfSWZ
And certbot returns a 404 response and not 403.

hi @anboo

I am also getting 404 errors

This looks like an IPv4 server.

Also, why are you trying to return 403 and 404 errors? The idea is to serve back the correct content.

Troubleshooting along your lines is not going to help you with certificate issuance, so I suggest configuring the directory in a way that lets Let's Encrypt validate properly and not worrying about 404 vs 403 errors (this is not a useful thing to investigate).

Andrei

Yes, returning a 403 error is also not going to allow the validation to succeed. The CA expects to receive a file (with a 200 OK) or a redirection to another server or path which contains that file (via a 301 redirect). 403 is considered a failure and will not pass the validation challenge.
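A pre-flight check that puts the advice in the two replies above into practice, added here as an example (it is not code from this thread, from certbot or from nginx): it drops a constructed token under the webroot, fetches it over IPv4 and then IPv6 the way the validator would, and reports PASS only for a 200 whose body is exactly the token; 403 and 404 are both reported as failures. It assumes curl is installed, that the domain argument and WEBROOT are placeholders for your own values, and that the nginx server block already serves the webroot on both `listen 80` and `listen [::]:80` with the `return 403;` lines removed.

```shell
#!/bin/sh
# Pre-flight check for an HTTP-01 webroot before running certbot.
# Added example, not code from the thread or from certbot. Assumes nginx
# already serves $WEBROOT for the domain over IPv4 and IPv6 (no "return 403"
# in the /.well-known/ locations, a "listen [::]:80" directive if the domain
# has an AAAA record) and that curl is installed. WEBROOT and the domain
# argument are placeholders for your own values.

WEBROOT="${WEBROOT:-/usr/share/nginx/html}"

# Decide whether a fetched response would satisfy the CA: the validator needs
# HTTP 200 and a body that is exactly the token it asked for. 403 and 404
# (the two codes seen in the thread) are both failures.
acme_verdict() {
    status="$1"; body="$2"; expected="$3"
    if [ "$status" = "200" ] && [ "$body" = "$expected" ]; then
        echo "PASS"
        return 0
    fi
    case "$status" in
        200) echo "FAIL: 200 but body does not match the token (wrong file or index page served)" ;;
        403) echo "FAIL: 403 - nginx is denying the challenge path" ;;
        404) echo "FAIL: 404 - request reached a server block that does not serve the webroot" ;;
        *)   echo "FAIL: unexpected status '$status' (connection problem on this address family?)" ;;
    esac
    return 1
}

# Place a constructed token under the webroot, fetch it over the given address
# family (4 or 6) exactly as the CA would (following redirects), then clean up.
acme_probe() {
    domain="$1"; family="$2"
    dir="$WEBROOT/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"        # constructed token, not a real ACME one
    tmp="$(mktemp)"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    status="$(curl -"$family" -s -L -o "$tmp" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")" || status="000"
    body="$(cat "$tmp")"
    rm -f "$dir/$token" "$tmp"
    printf 'IPv%s: ' "$family"
    acme_verdict "$status" "$body" "$token"
}

# Run both address families only when invoked directly with a domain argument.
if [ -n "${1:-}" ]; then
    acme_probe "$1" 4
    acme_probe "$1" 6
fi
```

Run it on the host as `sh preflight.sh example.invalid` (placeholder domain) from an account that can write to the webroot; an IPv4 PASS next to an IPv6 FAIL is the symptom described in the thread, and a 403 or 404 on either family means the server block for that family still does not serve the challenge directory.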
