Certbot failed to authenticate some domains (authenticator: nginx)

Hello dear LE Support Team! I dunno what's wrong with my setup, but I'm not able to get my domain accepted. Hopefully you can help me to get things sorted out. Thanks in advance.

nginx config:

> server {
>         listen 80 default_server;
>         listen [::]:80 default_server;
> 
>         server_name musik.ferh.at;
> 
>         location / {
>                 proxy_pass http://192.168.1.127:4533;
>         }
> }

My domain is:

musik.ferh.at

I ran this command:

certbot --nginx -d musik.ferh.at -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for musik.ferh.at
Performing the following challenges:
http-01 challenge for musik.ferh.at
Waiting for verification...
Challenge failed for domain musik.ferh.at
http-01 challenge for musik.ferh.at

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: musik.ferh.at
Type: unauthorized
Detail: 31.223.106.226: Invalid response from http://musik.ferh.at/app/: "<!doctype html><html lang="en"><meta charset="utf-8"/><meta name="description" content="Navidrome Music Server - v0.48.0 ("

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is:

selfhosted

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

Is that IP on the same server OR another server?
If another server, which server is running certbot?
If same, let's have a look at the entire nginx config, with:
nginx -T

Also, this seems to be outdated:

5 Likes

Thanks for this quick response.

IP is on the same server.

certbot updated: certbot 1.21.0

Here the nginx config:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name musik.ferh.at;

        location / {
                proxy_pass http://192.168.1.127:4533;
        }
}
1 Like

Try updating certbot to latest version.

5 Likes

certbot updated: certbot 1.21.0

But still no luck:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for musik.ferh.at
Performing the following challenges:
http-01 challenge for musik.ferh.at
Waiting for verification...
Challenge failed for domain musik.ferh.at
http-01 challenge for musik.ferh.at

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: musik.ferh.at
  Type:   unauthorized
  Detail: 31.223.106.226: Invalid response from http://musik.ferh.at/app/: "<!doctype html><html lang=\"en\"><head><meta charset=\"utf-8\"/><meta name=\"description\" content=\"Navidrome Music Server - v0.48.0 ("

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

That can't be right!

Should have:
certbot 1.32.2

5 Likes

Tried:

apt update
apt install --only-upgrade certbot

but I'm still on certbot 1.21.0

You need to uninstall the apt version and install form snap
See:
Certbot Instructions | Certbot (eff.org)

4 Likes

Certbot 1.21.0 should work just fine. Upgrading isn't going to help in this case.

The problem is that your server (musik.ferh.at) is not serving HTTP traffic from nginx:

$ curl -i musik.ferh.at
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /app/
Permissions-Policy: autoplay=(), camera=(), microphone=(), usb=()
Referrer-Policy: same-origin
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Date: Tue, 27 Dec 2022 21:56:37 GMT
Content-Length: 28

<a href="/app/">Found</a>.

If it was nginx, we'd see a Server: nginx header there.

So you will need to investigate about who is actually responding to requests on port 80.

8 Likes

Thanks _az for your response.

I still tried to follow the steps from the instructions rg305 sent.

Uninstall the apt version: done

Did install snap:


snap    2.57.5+22.04ubuntu0.1
snapd   2.57.5+22.04ubuntu0.1
series  16
ubuntu  22.04
kernel  5.10.60-qnap

But unfortunately I geht this error when trying to install certbot with snap:


error: system does not fully support snapd: cannot mount squashfs image using "fuse.snapfuse":
       fuse: failed to open /dev/fuse: Permission denied

Did you do?:
sudo snap install core; sudo snap refresh core

4 Likes

@dosboxfero I would suggest focusing on @_az's concern from earlier. If nginx isn't answering the requests on port 80, no version of Certbot—updated or not—will be able to make certbot --nginx work to get you a certificate.

The fact that there is no Server: nginx header does indicate that nginx is not answering those requests.

6 Likes

Thanks for your response schoen.
Ok I will investigate more into the concern which _az came up with.

I have another Ubuntu container running where I host a Nextcloud installation. It runs on Apache and as I can remember the port forwarding is 80 -> 80 and 433 -> 433. Could this be the reason?

The nginx server's port forwarding preferences are 80,433 -> 4533

1 Like

yes I tried but still the same error as before.

Something is very non-standard with your installation.
Ubuntu 22 should already come with snapd installed.

As for the port forwarding mentioned...

Is that actually?:
443 -> 443

Also, it is not normal to send secure and insecure connections to the same port:

5 Likes

Correct, snaped should be already installed. But I really dunno what's going on there.

So sorry! Of course it's 443.

1 Like

That other, separate container running Nextcloud is listening on port 80? That would account for this problem.

7 Likes

I'll try to implement a reverse proxy into the apache server, which shows to the nginx server with the navidrome installation. will let you know how it went.

I just wanted to report back that I got it solved.

A fresh apache proxy server install, which handles all incoming connections did the job.

Thank you all for the knowledge and your time.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.