Certbot creates /.well-known/acme-challenge/kjhkjhkjhkhkjhkjhkhkh but letsencrypt did't find it

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sneakerdraws.com

I ran this command:
sudo certbot run -a webroot -i nginx -w /var/www/alexus/data/www/sneakerdraws.com -d sneakerdraws.com -d www.sneakerdraws.com --debug-challenges

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sneakerdraws.com
http-01 challenge for www.sneakerdraws.com
Using the webroot path /var/www/alexus/data/www/sneakerdraws.com for all unmatched domains.
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Press Enter to Continue
Challenge failed for domain sneakerdraws.com
Challenge failed for domain www.sneakerdraws.com
http-01 challenge for sneakerdraws.com
http-01 challenge for www.sneakerdraws.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
nginx version: nginx/1.16.1

The operating system my web server runs on is (include version):
CentOS 7.0
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes i use root

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
i don’t use control panek

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.0.0

Additional notes:
Whe i run certbot it ask me to press Enter
At this moment i look at /var/www/alexus/data/www/sneakerdraws.com/.well-known/acme-challenge folder and see 2 files with long names created by certbot i think.
These files are readable and accessible from http://sneakerdraws.com/.well-known/acme-challenge/. It means that nginx settings works correctly but it seems that certbot removes these files before checking from http

But when i press Enter it shows me error see above.
It means that nginx settings works correctly but it seems that certbot removes these files before checking from http

Any ideas ?
Thanks

is this an actual directory on your webserver?

look in your nginx server blocks for root /path/to/directory directives:

grep -ir 'root ' /etc/nginx/*

This is the problem. Your domain shows one thing (your website) for its IPv4 address, and another thing (an HTTP 403) for its IPv6 address.

Hi @alexus

there is a check of your domain, one hour old - https://check-your-website.server-daten.de/?q=sneakerdraws.com

There you see the problem.

You have ipv4 and ipv6.

Host T IP-Address is auth. ∑ Queries ∑ Timeout
sneakerdraws.com A 188.225.25.117 St Petersburg/St.-Petersburg/Russia (RU) - TimeWeb Co. LTD Hostname: 294351-cs09873.tmweb.ru yes 1 0
AAAA 2a03:6f00:1::5c35:607d St Petersburg/St.-Petersburg/Russia (RU) - TimeWeb Ltd. yes
www.sneakerdraws.com A 188.225.25.117 St Petersburg/St.-Petersburg/Russia (RU) - TimeWeb Co. LTD Hostname: 294351-cs09873.tmweb.ru yes 1 0
AAAA 2a03:6f00:1::5c35:607d St Petersburg/St.-Petersburg/Russia (RU) - TimeWeb Ltd. yes

But there are different answers.

K http://sneakerdraws.com/ 188.225.25.117, Status 200
http://sneakerdraws.com/ 2a03:6f00:1::5c35:607d, Status 403
configuration problem - different ip addresses with different status
K http://www.sneakerdraws.com/ 188.225.25.117, Status 200
http://www.sneakerdraws.com/ 2a03:6f00:1::5c35:607d, Status 403
configuration problem - different ip addresses with different status
K https://sneakerdraws.com/ 188.225.25.117, Status -2
https://sneakerdraws.com/ 2a03:6f00:1::5c35:607d, Status 403
configuration problem - different ip addresses with different status
K https://www.sneakerdraws.com/ 188.225.25.117, Status -2
https://www.sneakerdraws.com/ 2a03:6f00:1::5c35:607d, Status 403
configuration problem - different ip addresses with different status

Looks like your ipv6 doesn’t work.

But: You have a new certificate:

CN=sneakerdraws.com
	08.03.2020
	06.06.2020
expires in 82 days	sneakerdraws.com, www.sneakerdraws.com - 2 entries

Why do you want to create one?

What says

nginx -T

May be a Listen [::]:80 is missing.

I’m pretty sure the IPv4 and IPv6 addresses point to different physical servers, so the listen fix isn’t going to work:

$ nc -vvv -4 sneakerdraws.com 22
Connection to sneakerdraws.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.4

$ nc -vvv -6 sneakerdraws.com 22
Connection to sneakerdraws.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13

Most probably, you need to just remove the AAAA DNS record.

At a later time, if your new server has an IPv6 address, you can re-add it to your DNS.

2 Likes

PS: Yep, as @_az wrote: The servers are different:

Domainname Http-Status redirect Sec. G
http://sneakerdraws.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 188.225.25.117 GZip used - 114 / 153 - 25,49 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 110,07 % 0.097 A
Not Found
Visible Content: 404 Not Found nginx/1.16.1
http://sneakerdraws.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a03:6f00:1::5c35:607d Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 100,00 % 0.110 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.
http://www.sneakerdraws.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 188.225.25.117 GZip used - 114 / 153 - 25,49 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 110,07 % 0.077 A
Not Found
Visible Content: 404 Not Found nginx/1.16.1
http://www.sneakerdraws.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a03:6f00:1::5c35:607d Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 100,00 % 0.110 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

Ipv4 answers with a

404 Not Found nginx/1.16.1

Ipv6 with a

Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

and it is a

Server: nginx/1.14.1

Result of nginx -T

configuration file /etc/nginx/nginx.conf:

user apache;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/vhosts/*/*.conf;

server {
server_name localhost;
disable_symlinks if_not_owner;
listen 80;
listen [::]:80;
include /etc/nginx/vhosts-includes/*.conf;
location @fallback {
error_log /dev/null crit;
proxy_pass http://127.0.0.1:8080;
proxy_redirect http://127.0.0.1:8080 /;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log off ;
}
}
client_max_body_size 128m;
}

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

configuration file /etc/nginx/conf.d/default.conf:

Disabled by ISPmanager

configuration file /etc/nginx/vhosts/alexus/sneakerdraws.com.conf:

map $sent_http_content_type $expires {^M
“text/html” epoch;^M
“text/html; charset=utf-8” epoch;^M
default off;^M
}^M
server {^M
server_name sneakerdraws.com www.sneakerdraws.com;^M
charset UTF-8;^M
index index.php index.html;^M
disable_symlinks if_not_owner from=$root_path;^M
include /etc/nginx/vhosts-includes/.conf;^M
include /etc/nginx/vhosts-resources/sneakerdraws.com/
.conf;^M
access_log /var/www/httpd-logs/sneakerdraws.com.access.log;^M
error_log /var/www/httpd-logs/sneakerdraws.com.error.log notice;^M
ssi on;^M
set $root_path /var/www/alexus/data/www/sneakerdraws.com;^M
root $root_path;^M
^M
gzip on;^M
gzip_types text/plain application/xml text/css application/javascript;^M
gzip_min_length 1000;^M
^M
location ^~ /.well-known/acme-challenge/ {^M
alias /var/www/alexus/data/www/sneakerdraws.com/.well-known/acme-challenge/;^M
}^M
^M
location / {^M
expires $expires;^M
proxy_redirect off;^M
proxy_set_header Host $host;^M
proxy_set_header X-Real-IP $remote_addr;^M
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;^M
proxy_set_header X-Forwarded-Proto scheme;^M proxy_read_timeout 1m;^M proxy_connect_timeout 1m;^M proxy_pass http://127.0.0.1:3000; # set the address of the Node.js instance here^M }^M ^M listen 80;^M listen [::]:80; ^M location ~ \.php {^M
fastcgi_pass unix:/var/run/php-fpm/sneakerdraws.com.sock;^M
fastcgi_index index.php;^M
fastcgi_param SCRIPT_FILENAME $request_filename;^M
include fastcgi_params;^M
} ^M
}^M

configuration file /etc/nginx/vhosts-includes/awstats.conf:

location /awstatsicons/ {
alias /usr/share/awstats/wwwroot/icon/;
}

configuration file /etc/nginx/vhosts-includes/blacklist-nginx.conf:

    location @blacklist {
    proxy_redirect off ;
    proxy_pass https://188.225.25.117:1500;
    rewrite (.*) /mancgi/ddos break;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X_ISP_FIREWALLSEC 626c6de34895556e28b98bfa29fc6383c9efaa0654a2527f5e7600a5201059a87a4a5
    }

configuration file /etc/nginx/vhosts-includes/disabled.conf:

location /disabled/ {
alias /usr/local/mgr5/www/disabled/;
}

configuration file /etc/nginx/fastcgi_params:

fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param REDIRECT_STATUS 200;
fastcgi_param SCRIPT_FILENAME $request_filename;

Sorry, that’s not relevant if there are different machines.

Your ipv6 is wrong. Change it or remove it.

I have removed AAAA DNS record
And all works now
Thanks a lot

2 Likes