Certbot doesn't find .well-known file but folder is accessible

Hello,

My domain is: rolling-server.bux.fr

My web server is: apache2 2.4.25-3+deb9u11 on Debian 9

I have SSH access and can log in as root.

I use certbot 0.28.0.

I configured my apache2 virtual host as follows:

<VirtualHost *:80>
  DocumentRoot /srv/www/bux.fr/rolling-server.bux.fr
  ServerName rolling-server.bux.fr
  ErrorLog /var/log/apache2/error_rolling-server.bux.fr.log
  CustomLog /var/log/apache2/access_rolling-server.bux.fr.log combined
  <Directory "/srv/www/bux.fr/rolling-server.bux.fr">
    Require all granted
    Options -Indexes
    AllowOverride All
  </Directory>
</VirtualHost>

I can test the following file:

touch /srv/www/bux.fr/rolling-server.bux.fr/.well-known/toto.txt

by accessing it with this URL:

➜  ~ http -h  http://rolling-server.bux.fr/.well-known/toto.txt
HTTP/1.1 200 OK
[...]

But when running certbot:

certbot --webroot-path='/srv/www/bux.fr/rolling-server.bux.fr' --nginx -d rolling-server.bux.fr

I can see it failing to GET the generated .well-known file:

3.142.122.14 - - [18/Oct/2021:08:29:30 +0000] "GET /.well-known/acme-challenge/yjz8b9gnzHgbzoEkzS-_TMfcn7NEaSRIC-ZLKi7oyOE HTTP/1.1" 404 463 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.219.87.132 - - [18/Oct/2021:08:29:30 +0000] "GET /.well-known/acme-challenge/yjz8b9gnzHgbzoEkzS-_TMfcn7NEaSRIC-ZLKi7oyOE HTTP/1.1" 404 463 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [18/Oct/2021:08:29:31 +0000] "GET /.well-known/acme-challenge/yjz8b9gnzHgbzoEkzS-_TMfcn7NEaSRIC-ZLKi7oyOE HTTP/1.1" 404 463 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

certbot command output:

Failed authorization procedure. rolling-server.bux.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://rolling-server.bux.fr/.well-known/acme-challenge/yjz8b9gnzHgbzoEkzS-_TMfcn7NEaSRIC-ZLKi7oyOE [91.121.134.31]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

I don't understand why the file generated by certbot is not accessible. How am I supposed to use certbot with this virtual host?

Thanks in advance!


Hi @bux and welcome to the LE community forum :slight_smile:

This command is missing one small piece:

Try:
certbot --webroot --webroot-path='/srv/www/bux.fr/rolling-server.bux.fr' --nginx -d rolling-server.bux.fr
OR
certbot --webroot -w='/srv/www/bux.fr/rolling-server.bux.fr' --nginx -d rolling-server.bux.fr

See: User Guide — Certbot 1.19.0.dev0 documentation

Hello @rg305! Thanks for your time!

When I execute

 certbot --webroot --webroot-path='/srv/www/bux.fr/rolling-server.bux.fr' --nginx -d rolling-server.bux.fr

Output is:

Too many flags setting configurators/installers/authenticators 'nginx' -> 'webroot'

I noticed I was using the --nginx flag but I use apache2... With the following :slight_smile:

certbot certonly --webroot -w '/srv/www/bux.fr/rolling-server.bux.fr' -d rolling-server.bux.fr

The command doesn't fail immediately, but renewal fails:

root@s2:~# certbot certonly --webroot -w '/srv/www/bux.fr/rolling-server.bux.fr' -d rolling-server.bux.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

Please choose an account
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: s2.bux.fr@2018-07-23T14:06:30Z (4983)
2: s1.bux.fr@2016-05-29T17:23:29Z (25b4)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/rolling-server.bux.fr.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for rolling-server.bux.fr
Using the webroot path /srv/www/bux.fr/rolling-server.bux.fr for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. rolling-server.bux.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://rolling-server.bux.fr/.well-known/acme-challenge/VPyk5R9MtJ6v79sUN70H99VbcOJM2YNXwoo9r3MIXa4 [91.121.134.31]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rolling-server.bux.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://rolling-server.bux.fr/.well-known/acme-challenge/VPyk5R9MtJ6v79sUN70H99VbcOJM2YNXwoo9r3MIXa4
   [91.121.134.31]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Try:
certbot -i apache --webroot -w='/srv/www/bux.fr/rolling-server.bux.fr' -d rolling-server.bux.fr

@rg305 Sadly, it fails with a 404 too :frowning:

Failed authorization procedure. rolling-server.bux.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://rolling-server.bux.fr/.well-known/acme-challenge/qrwwOvIQtIoB4_vfurP514MbvQa11uUO6zioY0EazRk [91.121.134.31]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Please show:
sudo apachectl -t -D DUMP_VHOSTS

Try:

certbot certonly -d rolling-server.bux.fr \
--webroot -w /srv/www/bux.fr/rolling-server.bux.fr \
--dry-run --debug-challenges

when Certbot says:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Don't press Enter ...

... then check what's inside the /srv/www/bux.fr/rolling-server.bux.fr/.well-known/acme-challenge/ directory.

You should see the challenge file in there.

Try access it in the browser. If it gives you a 404, try checking the Apache error_log.

@rg305 Here it is:

root@s2:~#  sudo apachectl -t -D DUMP_VHOSTS | grep rolling-server
     port 80 namevhost rolling-server.bux.fr (/etc/apache2/sites-enabled/rolling-server.bux.fr.conf:1)

@_az Hello!

root@s2:~# ls -l /srv/www/bux.fr/rolling-server.bux.fr/.well-known/acme-challenge/
total 4
-rw-r--r-- 1 root root 87 Oct 18 11:23 LxVUKW4jlbW2pYESkgQn_r0lY5auZQO2j_tZl6BhcT4
➜  ~ http http://rolling-server.bux.fr/.well-known/acme-challenge/LxVUKW4jlbW2pYESkgQn_r0lY5auZQO2j_tZl6BhcT4 
HTTP/1.1 404 Not Found

I only see this log in my apache2 logs:

==> /var/log/apache2/access_rolling-server.bux.fr.log <==
5.182.253.246 - - [18/Oct/2021:11:30:37 +0000] "GET /.well-known/acme-challenge/LxVUKW4jlbW2pYESkgQn_r0lY5auZQO2j_tZl6BhcT4 HTTP/1.1" 404 500 "-" "HTTPie/1.0.3"

It's weird... :thinking:

Additional information about the acme-challenge folder:

Oh :dizzy_face: I found this:

/etc/apache2/conf-available/le.conf:
Alias /.well-known/acme-challenge/ "/var/www/html/.well-known/acme-challenge/"
<Directory "/var/www/html/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
root@s2:~# ls -l /var/www/html/.well-known/acme-challenge/
total 4
-rw-r--r-- 1 www-data www-data  0 Aug 23  2018 hello
-rw-r--r-- 1 www-data www-data 10 Jul  4  2019 hello.txt
-rw-r--r-- 1 root     root      0 Sep 20  2018 hello.txt~
-rw-r--r-- 1 www-data www-data  0 Jan  8  2019 test.txt

I think we have found the origin of the error...

Sorry for the lost time! But your time helped me find the problem! You're awesome!

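The root cause found above is a server-wide `Alias` in conf-available/le.conf: Apache resolves `Alias` before the vhost `DocumentRoot`, and a file in conf-enabled applies to every vhost, so certbot's token written under `/srv/www/bux.fr/rolling-server.bux.fr/.well-known/acme-challenge/` is never served while `/var/www/html/.well-known/acme-challenge/` is. The script below is an added example, not code from the thread or from certbot: it does by hand what the `--debug-challenges` pause suggested earlier (write a token where certbot would, fetch it through the web server, compare), and on a 404 lists the Apache directives that can hijack the challenge path. It assumes `curl` is installed; the vhost path and domain are the thread's, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot: a manual version of
# certbot's "--debug-challenges" pause. It drops a token file where certbot
# would and fetches it back through the web server, so a 404 shows up before
# a real validation attempt is spent against the CA.

# Fetch one URL, body on stdout; non-zero on connection error or non-2xx.
acme_fetch() {
  curl -fsS --max-time 10 "$1"
}

# List Apache directives that can route /.well-known/acme-challenge/ somewhere
# other than the vhost DocumentRoot (the global Alias in le.conf is one).
# $1 = config directory (default /etc/apache2). Exit 0 if any are found.
acme_find_overrides() {
  grep -rniE \
    '^[[:space:]]*(Alias|AliasMatch|ProxyPass|ProxyPassMatch|Redirect|RedirectMatch|RewriteRule)[[:space:]].*well-known' \
    "${1:-/etc/apache2}"
}

# $1 = webroot certbot will be given (-w), $2 = domain, $3 = fetch function
# (defaults to acme_fetch; swappable so the logic can be exercised offline).
acme_webroot_selfcheck() {
  webroot=$1
  domain=$2
  fetch=${3:-acme_fetch}
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 2
  # Same shape as an ACME token: 32 random bytes, base64url, no padding (43 chars).
  token=$(head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n')
  body="$token.selfcheck"
  printf '%s' "$body" > "$dir/$token" || return 2
  chmod 644 "$dir/$token"   # the web server user must be able to read it
  url="http://$domain/.well-known/acme-challenge/$token"
  if got=$("$fetch" "$url" 2>/dev/null); then status=0; else status=$?; fi
  rm -f "$dir/$token"       # clean up, as certbot does after the challenge
  if [ "$status" -ne 0 ]; then
    echo "FAIL: $url was not served, although $dir/$token existed." >&2
    echo "      The request was routed away from the DocumentRoot; candidates:" >&2
    acme_find_overrides >&2 \
      || echo "      (no Alias/Proxy/Redirect/Rewrite on well-known under /etc/apache2)" >&2
    return 1
  fi
  if [ "$got" != "$body" ]; then
    echo "FAIL: $url served different content than the file written to $dir." >&2
    return 1
  fi
  echo "OK: $url is served from $dir"
  return 0
}

# Usage, with the thread's vhost:
# acme_webroot_selfcheck /srv/www/bux.fr/rolling-server.bux.fr rolling-server.bux.fr
```

Once the check fails and points at le.conf, any of three fixes makes it pass: disable the global snippet (`a2disconf le`, then `apachectl configtest` and reload Apache); move the `Alias` into the vhost and point it at that vhost's own directory; or keep le.conf and give certbot the directory the Alias actually serves from (`-w /var/www/html`). Re-run the self-check after the change and before asking the CA again, since each failed http-01 attempt counts toward the rate limits.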

By the way, why are you trying to force a renewal when the cert isn't due for renewal yet anyway? :thinking:

@Osiris Hello. The certificate was expired when I tried to display the page in a web browser. I don't know why it was not indicated as such on the command line...

I used to face the same problem when I ran an nginx server. Then I deleted my nginx default config from sites-enabled, after which it worked fine. Try deleting default.conf from your /etc/apache2/sites-enabled.
