Certbot Failed authorization procedure

Help
1
  • My domain is: pedrogglima.com.br

I ran this command:

certbot certonly \
		--test-cert \
		--debug \
        --config-dir "${LETSENCRYPT_DIR:-/etc/letsencrypt}" \
		--agree-tos \
		--domains "www.pedrogglima.com.br" \
		--domains "pedrogglima.com.br" \
		--email "pedrogglima@gmail.com" \
		--expand \
		--noninteractive \
		--debug-challenges \
		--webroot -w /var/www/certbot \
		$OPTIONS || true

It produced this output:

Signature ok
subject=C = PT, ST = World, L = World, O = pedrogglima.com.br, OU = pedrogglima lda, CN = pedrogglima.com.br
Getting Private key
Setting up watches.
Watches established.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pedrogglima.com.br
http-01 challenge for www.pedrogglima.com.br
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

certbot.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/token-abreviated-1
certbot.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/token-abreviated-2

Failed authorization procedure. www.pedrogglima.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization
Invalid response from http://www.pedrogglima.com.br/.well-known/acme-challenge/token-abreviated[104.248.86.239]: 
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.17.3</ce"

Failed authorization procedure. pedrogglima.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization
Invalid response from http://pedrogglima.com.br/.well-known/acme-challenge/token-abreviated[104.248.86.239]: 
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.17.3</ce"

  • My web server is (include version): Nginx 1.17.3

  • The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

  • My hosting provider, if applicable, is: DigitalOcean

  • I can login to a root shell on my machine (yes or no, or I don’t know): yes

  • I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): v0.38

Observations

  1. http://pedrogglima.com.br/.well-known/acme-challenge/test (Working)
  2. I added recently the flag staging (test-cert) to the certbot command to not hit the limit rate.

3 - Nginx access log

[09/Sep/2019:20:38:21 +0000] "GET /.well-known/acme-challenge/token-abreviated HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
[09/Sep/2019:20:56:50 +0000] "GET /wea-125/if-you-could-be-mine-sara-farizan.pdf HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
[09/Sep/2019:21:02:16 +0000] "GET /.well-known/acme-challenge/test HTTP/1.1" 200 15 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

4 - Nginx error log

[error] 19#19: *1 open() "/var/www/certbot/token-abreviated-1" failed (2: No such file or directory), client: 10.255.0.2, server: pedrogglima.com.br, request: "GET /.well-known/acme-challenge/token-abreviated-1 HTTP/1.1", host: "pedrogglima.com.br"
[error] 19#19: *2 open() "/var/www/certbot/token-abreviated-2" failed (2: No such file or directory), client: 10.255.0.2, server: pedrogglima.com.br, request: "GET /.well-known/acme-challenge/token-abreviated-2 HTTP/1.1", host: "www.pedrogglima.com.br"

5 - Output from ls -l /var/www/

drwxr-xr-x 1 root root 4096 Sep  6 19:00 app
drwxr-xr-x 2 root root 4096 Sep  9 20:38 certbot

6 - Output from ls -l /var/www/certbot/

-rw-r--r-- 1 root root 15 Sep 9 20:38 test

7 - nginx.conf

upstream rails_app {
  server app:3000;
}

server {
  listen 80;
  server_name pedrogglima.com.br www.pedrogglima.com.br;

  # define the public application root
  root  /var/www/app/public/;
  index  index.html;

  # define where Nginx should write its logs
  access_log /var/www/app/log/nginx.access.log;
  error_log /var/www/app/log/nginx.error.log;

  # certificate for SSL connection
  location /.well-known/acme-challenge/ {
    alias /var/www/certbot/;
  }

  # send non-static file requests to the app server
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;
  server_name pedrogglima.com.br www.pedrogglima.com.br;

  ssl_certificate /usr/share/nginx/certificates/fullchain.pem;
  ssl_certificate_key /usr/share/nginx/certificates/privkey.pem;
  include /etc/ssl-options/options-ssl-nginx.conf;
  ssl_dhparam /etc/ssl-options/ssl-dhparams.pem;

  # define the public application root
  root  /var/www/app/public;
  index  index.html;

  # define where Nginxshould write its logs
  access_log /var/www/app/log/nginx.access.ssl.log;
  error_log /var/www/app/log/nginx.error.ssl.log;
  
  # send non-static file requests to the app server
  location / {
    try_files $uri @rails;
  }

  location @rails {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://rails_app;
  }
}

8 - Certbot is running on a Docker container with Nginx. I have these both process as entrypoint to the container that create and keep updated Certbot

### Send certbot Emission/Renewal to background 
$(while :; do /opt/certbot.sh; sleep "${RENEW_INTERVAL:-12h}"; done;) &

### Check for changes in the certificate (i.e renewals or first start) and send this process to background
$(while inotifywait -e close_write /usr/share/nginx/certificates; do nginx -s reload; done) &

Apparently I already generated certificates (https://crt.sh/?q=pedrogglima.com.br) but as I’m not using docker volumes to save data, I was constantly deleting and creating new container with new Certbot data added to it.

  1. From what I searched, the problem seems to be with Nginx permission to access the challenge on /var/www/certbot folder. I would like to print the permisson from the challange files to check if Nginx has access to them, but I don’t know how to do it because certbot command clean up those files after running. I don’t know what else to do, I need some guide here. Without the certbot the App is working fine with nginx.

Thanks in advance.

2

Use root, not alias. The latter causes the request to be resolved to the wrong filesystem path, because Certbot appends /.well-known/acme-challenge/ to its --webroot parameter.

Also, use --dry-run until you get this working, otherwise you'll blow through your rate limits.

2 Likes
3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.