Certbot could not find a block to include challenges in /etc/nginx/nginx.conf

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ordertest.dmcontact.com

I ran this command: certbot-auto --nginx -d ordertest.dmcontact.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ordertest.dmcontact.com
Cleaning up challenges
Certbot could not find a block to include challenges in /etc/nginx/nginx.conf.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.7.0

I’ve been reading some other posts and I’m quite certain this is due to the nginx conf file (we have no issues with a similar server running Apache). I’ve tried using both certbot and certbot-auto, and they both return the same error.

I did find that I could create a manual certificate with a TXT record, revoke that certificate completely and then it would seem to get the certificate, but a dry-run shows it would fail for renewal.

It would seem that there is no vhost config that covers the name “orderroman.dmcontact.com”.
How is that name being served by this nginx system?

And please don't revoke unused, no longer needed, certificates.

Do you have both (certbot and certbot-auto)?

The issue here is that that particular subdomain is hidden. I have, however, created a test page at https://ordertest.dmcontact.com/; it should be easily reachable, and it has the same error of being unable to find a block.

Yes I can use both of these, but the error is always the same.

Can you allow HTTP instead or catch the HTTP and redirect it to HTTPS?
Certbot is looking for an HTTP block for that name (not an HTTPS block) but it will follow a standard redirect.

This is my initial section of the conf file. Isn't this redirecting?

server {
    if ($host = ordertest.dmcontact.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name ordertest.dmcontact.com;

    location /.well-known {
        alias /var/www/ordertest.dmcontact.com/.well-known;
    }
}

I do see it redirecting:

curl -Iki http://ordertest.dmcontact.com/.well-known/acme-challenge/test-file-1234
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Thu, 13 Aug 2020 06:09:24 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://ordertest.dmcontact.com/.well-known/acme-challenge/test-file-1234

Please place a similar test text file in that challenge location and see if it can be reached via the Internet.

Possible example:
echo "test" > /var/www/ordertest.dmcontact.com/.well-known/test-file-1234

You’ve shown the port 80 block, but is there a server block that listens on port 443 that covers the name “ordertest.dmcontact.com”?
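
The two questions asked in this thread (is there a server block that covers the name on port 80, and one on port 443?) can be checked mechanically against a config file. The script below is an added example, not code from any poster and not Certbot's own matching logic; it matches `server_name` entries exactly (no wildcards or regex names), and the 443 block in the sample is constructed.

```python
import re

# Constructed sample: the port-80 block quoted in the thread, plus a made-up
# 443 block for a placeholder name (the thread never shows a 443 block).
SAMPLE_CONF = """
server {
    if ($host = ordertest.dmcontact.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name ordertest.dmcontact.com;
    location /.well-known {
        alias /var/www/ordertest.dmcontact.com/.well-known;
    }
}
server {
    listen 443 ssl;
    server_name other.example.com;
}
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    text = re.sub(r"#[^\n]*", "", conf)          # strip comments
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def ports_for(conf, host):
    """Ports of the server blocks whose server_name lists `host` exactly."""
    ports = set()
    for body in server_blocks(conf):
        names = [n for m in re.finditer(r"\bserver_name\s+([^;]+);", body)
                 for n in m.group(1).split()]
        if host not in names:
            continue
        # nginx listens on *:80 by default when run as root with no `listen`
        for args in re.findall(r"\blisten\s+([^;]+);", body) or ["80"]:
            port = args.split()[0].rsplit(":", 1)[-1]
            ports.add(int(port) if port.isdigit() else 80)
    return ports

if __name__ == "__main__":
    for name in ("ordertest.dmcontact.com", "other.example.com"):
        print(name, sorted(ports_for(SAMPLE_CONF, name)))
```

An empty result for a name means no server block in the scanned text lists it, which is the situation the first reply describes; run it over the output of `nginx -T` to include every file nginx actually loads.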