Certbot Failed authorization procedure

  • My domain is: pedrogglima.com.br

I ran this command:

certbot certonly \
    --test-cert \
    --debug \
    --config-dir "${LETSENCRYPT_DIR:-/etc/letsencrypt}" \
    --agree-tos \
    --domains "www.pedrogglima.com.br" \
    --domains "pedrogglima.com.br" \
    --email "pedrogglima@gmail.com" \
    --expand \
    --noninteractive \
    --debug-challenges \
    --webroot -w /var/www/certbot \
    $OPTIONS || true

It produced this output:

Signature ok
subject=C = PT, ST = World, L = World, O = pedrogglima.com.br, OU = pedrogglima lda, CN = pedrogglima.com.br
Getting Private key
Setting up watches.
Watches established.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pedrogglima.com.br
http-01 challenge for www.pedrogglima.com.br
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

certbot.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/token-abreviated-1
certbot.plugins.webroot:Removing /var/www/certbot/.well-known/acme-challenge/token-abreviated-2

Failed authorization procedure. www.pedrogglima.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization
Invalid response from http://www.pedrogglima.com.br/.well-known/acme-challenge/token-abreviated[104.248.86.239]: 
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.17.3</ce"

Failed authorization procedure. pedrogglima.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization
Invalid response from http://pedrogglima.com.br/.well-known/acme-challenge/token-abreviated[104.248.86.239]: 
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx/1.17.3</ce"

  • My web server is (include version): Nginx 1.17.3

  • The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

  • My hosting provider, if applicable, is: DigitalOcean

  • I can login to a root shell on my machine (yes or no, or I don’t know): yes

  • I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

  • The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): v0.38

Observations

  1. http://pedrogglima.com.br/.well-known/acme-challenge/test (Working)
  2. I recently added the staging flag (--test-cert) to the certbot command so as not to hit the rate limit.

3 - Nginx access log

[09/Sep/2019:20:38:21 +0000] "GET /.well-known/acme-challenge/token-abreviated HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
[09/Sep/2019:20:56:50 +0000] "GET /wea-125/if-you-could-be-mine-sara-farizan.pdf HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
[09/Sep/2019:21:02:16 +0000] "GET /.well-known/acme-challenge/test HTTP/1.1" 200 15 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"

4 - Nginx error log

[error] 19#19: *1 open() "/var/www/certbot/token-abreviated-1" failed (2: No such file or directory), client: 10.255.0.2, server: pedrogglima.com.br, request: "GET /.well-known/acme-challenge/token-abreviated-1 HTTP/1.1", host: "pedrogglima.com.br"
[error] 19#19: *2 open() "/var/www/certbot/token-abreviated-2" failed (2: No such file or directory), client: 10.255.0.2, server: pedrogglima.com.br, request: "GET /.well-known/acme-challenge/token-abreviated-2 HTTP/1.1", host: "www.pedrogglima.com.br"

5 - Output from ls -l /var/www/

drwxr-xr-x 1 root root 4096 Sep  6 19:00 app
drwxr-xr-x 2 root root 4096 Sep  9 20:38 certbot

6 - Output from ls -l /var/www/certbot/

-rw-r--r-- 1 root root 15 Sep 9 20:38 test

7 - nginx.conf

upstream rails_app {
  server app:3000;
}

server {
  listen 80;
  server_name pedrogglima.com.br www.pedrogglima.com.br;

  # define the public application root
  root  /var/www/app/public/;
  index  index.html;

  # define where Nginx should write its logs
  access_log /var/www/app/log/nginx.access.log;
  error_log /var/www/app/log/nginx.error.log;

  # certificate for SSL connection
  location /.well-known/acme-challenge/ {
    alias /var/www/certbot/;
  }

  # send non-static file requests to the app server
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;
  server_name pedrogglima.com.br www.pedrogglima.com.br;

  ssl_certificate /usr/share/nginx/certificates/fullchain.pem;
  ssl_certificate_key /usr/share/nginx/certificates/privkey.pem;
  include /etc/ssl-options/options-ssl-nginx.conf;
  ssl_dhparam /etc/ssl-options/ssl-dhparams.pem;

  # define the public application root
  root  /var/www/app/public;
  index  index.html;

  # define where Nginx should write its logs
  access_log /var/www/app/log/nginx.access.ssl.log;
  error_log /var/www/app/log/nginx.error.ssl.log;
  
  # send non-static file requests to the app server
  location / {
    try_files $uri @rails;
  }

  location @rails {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://rails_app;
  }
}

8 - Certbot is running in a Docker container together with Nginx. I have both of these processes as the container entrypoint, to create the Certbot certificate and keep it updated:

### Send certbot emission/renewal to background
# subshell "( ... ) &", not command substitution "$( ... ) &": the loop itself is what must run in the background
(while :; do /opt/certbot.sh; sleep "${RENEW_INTERVAL:-12h}"; done) &

### Check for changes in the certificate (i.e. renewals or first start) and send this process to background
(while inotifywait -e close_write /usr/share/nginx/certificates; do nginx -s reload; done) &

Apparently I have already generated certificates (https://crt.sh/?q=pedrogglima.com.br), but as I'm not using Docker volumes to persist data, I was constantly deleting and creating new containers, each with new Certbot data added to it.

  1. From what I have searched, the problem seems to be with Nginx's permission to access the challenge in the /var/www/certbot folder. I would like to print the permissions of the challenge files to check whether Nginx has access to them, but I don't know how to do it, because the certbot command cleans up those files after running. I don't know what else to do; I need some guidance here. Without certbot the app is working fine with Nginx.

Thanks in advance.

Use root, not alias. The latter causes the request to be resolved to the wrong filesystem path, because Certbot appends /.well-known/acme-challenge/ to its --webroot parameter.

Also, use --dry-run until you get this working, otherwise you’ll blow through your rate limits.

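An added example, not from the original post or the reply above: a POSIX shell script that models how nginx maps the challenge URI to a file under `root` versus `alias` for the posted `location /.well-known/acme-challenge/` block, compares each with where `certbot --webroot -w /var/www/certbot` actually writes the token, and, when invoked with `preflight`, drops a probe file in that exact place and fetches it over plain HTTP for every hostname on the certificate before another validation attempt is spent. The webroot, location prefix, hostnames and placeholder token name are taken from the thread; the `preflight` function, its probe filename and the "ok"/"mismatch" output format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the poster's or Certbot's code): compare nginx path mapping
# under `root` and `alias` with where certbot --webroot writes the token.
# Values below are from the thread; the probe file in preflight() is constructed.

WEBROOT="/var/www/certbot"
LOCATION="/.well-known/acme-challenge/"
TOKEN="token-abreviated-1"   # placeholder name, as abbreviated in the post

# certbot --webroot -w DIR writes the challenge to DIR/.well-known/acme-challenge/<token>
certbot_write_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# nginx `root DIR;`  : file = DIR + full request URI
nginx_root_path() {
    # $1 = root directive value, $2 = request URI
    printf '%s%s\n' "${1%/}" "$2"
}

# nginx `alias DIR/;` inside `location PREFIX/`: file = DIR/ + (URI with PREFIX/ stripped)
nginx_alias_path() {
    # $1 = alias directive value, $2 = location prefix, $3 = request URI
    printf '%s%s\n' "$1" "${3#"$2"}"
}

# Does the given directive make nginx open the file certbot wrote? 0 = yes, 1 = no.
check_mapping() {
    # $1 = "root" or "alias", $2 = directive value
    uri="${LOCATION}${TOKEN}"
    want=$(certbot_write_path "$WEBROOT" "$TOKEN")
    case "$1" in
        root)  got=$(nginx_root_path "$2" "$uri") ;;
        alias) got=$(nginx_alias_path "$2" "$LOCATION" "$uri") ;;
        *)     echo "unknown directive: $1" >&2; return 2 ;;
    esac
    if [ "$got" = "$want" ]; then
        echo "ok: $1 $2 -> nginx opens $got"
        return 0
    fi
    echo "mismatch: $1 $2 -> nginx opens $got, certbot wrote $want"
    return 1
}

# Live pre-flight (needs network and a root shell on the host): put a file where
# certbot will, fetch it over HTTP for each hostname, then remove it.
preflight() {
    # $1 = webroot, remaining args = hostnames on the certificate
    dir="$1/.well-known/acme-challenge"; shift
    mkdir -p "$dir"
    name="preflight-$$"           # constructed probe filename
    echo "preflight-ok" > "$dir/$name"
    rc=0
    for host in "$@"; do
        body=$(curl -fsS "http://$host/.well-known/acme-challenge/$name") || body=""
        if [ "$body" = "preflight-ok" ]; then
            echo "$host: challenge path is served from the webroot"
        else
            echo "$host: NOT served; check root/alias in the location block" >&2
            rc=1
        fi
    done
    rm -f "$dir/$name"
    return $rc
}

# Offline comparison: the posted config (alias) versus the fix (root).
check_mapping alias "$WEBROOT/" || :
check_mapping root  "$WEBROOT"  || :

if [ "${1:-}" = "preflight" ]; then
    shift
    preflight "$@"
fi
```

Run with no arguments for the offline comparison: the `alias` line reproduces the `open() "/var/www/certbot/token-abreviated-1"` path from the posted nginx error log, while `root` resolves to the `/.well-known/acme-challenge/` subdirectory that certbot populates. After changing the location block to `root /var/www/certbot;` and reloading nginx, run `sh check.sh preflight /var/www/certbot pedrogglima.com.br www.pedrogglima.com.br` (filename assumed) from a root shell on the host; only once every hostname reports "served" is it worth issuing another certbot request, with `--dry-run` first as the reply suggests.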