Certbot failed to authenticate some domains (authenticator: nginx)

Hello, I tried to set up SSL for my website, which I host on Digital Ocean. I am new to configuring servers and I am facing an issue using Let's Encrypt.

My domain is:
http://nvblog.site/

I ran this command:
sudo certbot --nginx -d nvblog.site -d www.nvblog.site -v

It produced this output:

Renewing an existing certificate for nvblog.site and www.nvblog.site
Performing the following challenges:
http-01 challenge for www.nvblog.site
Waiting for verification...
Challenge failed for domain www.nvblog.site
http-01 challenge for www.nvblog.site

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.nvblog.site
  Type:   unauthorized
  Detail: 152.42.230.92: Invalid response from http://www.nvblog.site/.well-known/acme-challenge/si2iJEMSbVgOVmUInOR5A2I4dR6hgFh-SZdBDhgILVY: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):
nginx version: nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 24.04 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.9.0

Additional Error Log:

2024-06-15 05:25:40,574:DEBUG:acme.client:Storing nonce: 5yfKMBJJyoWWUYxJZmSP8ofkYw2_9GdTMgU9RMGr8F2sDOZfeBI
2024-06-15 05:25:40,574:DEBUG:acme.client:JWS payload:
b''
2024-06-15 05:25:40,576:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/364148938097:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTc4MzExNTg4NyIsICJub25jZSI6ICI1eWZLTUJKSnlvV1dVWXhKWm1TUDhvZmtZdzJfOUdkVE1nVTlSTUdyOEYyc0RPWmZlQkkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzM2NDE0ODkzODA5NyJ9",
  "signature": "YiCfg9BkuDEn8CEXl86M5dA5uhZ0oA9WUDbccH43sRH9_3-3V1qneJEHjB_zr3YW9K4Dh0Tr3ACbTbZAsuR_3JqxHhHtoXDLRkjQ4qPthqSp2oACdtC50RNs_0sw3cMZN3D8tu2-ZZPDEq4yOZjA-EdF1NChTqF0VEFCgD5DUHD1SVNggtklcLiWuz79bcAXBI5j3aSG_YYqxIdZUYwqA8SbRsE3_sXbadlYPa4P744VAsLu3ms5WTkAy3OiyaxDHM4dSsS8nFRG7GZOq_sDr1hjNodNPKsakV8ZJG82uj0kTkfaN9H_aOQz5rw-SVF_qdY2Qy9Sdre8JucoPNKLZw",
  "payload": ""
}
2024-06-15 05:25:40,798:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/364148938097 HTTP/1.1" 200 1028
2024-06-15 05:25:40,799:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 15 Jun 2024 05:25:40 GMT
Content-Type: application/json
Content-Length: 1028
Connection: keep-alive
Boulder-Requester: 1783115887
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5yfKMBJJ6YUVLPHwBbp7zT35bJ9xVPNO31pWlLFdpeW7kE9tSYw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.nvblog.site"
  },
  "status": "invalid",
  "expires": "2024-06-22T05:25:37Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/364148938097/6HLyTw",
      "status": "invalid",
      "validated": "2024-06-15T05:25:39Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "152.42.230.92: Invalid response from http://www.nvblog.site/.well-known/acme-challenge/si2iJEMSbVgOVmUInOR5A2I4dR6hgFh-SZdBDhgILVY: 404",
        "status": 403
      },
      "token": "si2iJEMSbVgOVmUInOR5A2I4dR6hgFh-SZdBDhgILVY",
      "validationRecord": [
        {
          "url": "http://www.nvblog.site/.well-known/acme-challenge/si2iJEMSbVgOVmUInOR5A2I4dR6hgFh-SZdBDhgILVY",
          "hostname": "www.nvblog.site",
          "port": "80",
          "addressesResolved": [
            "152.42.230.92"
          ],
          "addressUsed": "152.42.230.92"
        }
      ]
    }
  ]
}
2024-06-15 05:25:40,799:DEBUG:acme.client:Storing nonce: 5yfKMBJJ6YUVLPHwBbp7zT35bJ9xVPNO31pWlLFdpeW7kE9tSYw
2024-06-15 05:25:40,799:INFO:certbot._internal.auth_handler:Challenge failed for domain www.nvblog.site
2024-06-15 05:25:40,799:INFO:certbot._internal.auth_handler:http-01 challenge for www.nvblog.site
2024-06-15 05:25:40,800:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.nvblog.site
  Type:   unauthorized
  Detail: 152.42.230.92: Invalid response from http://www.nvblog.site/.well-known/acme-challenge/si2iJEMSbVgOVmUInOR5A2I4dR6hgFh-SZdBDhgILVY: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2024-06-15 05:25:40,803:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-06-15 05:25:40,803:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-06-15 05:25:40,803:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-06-15 05:25:41,987:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.9.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1450, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-06-15 05:25:41,994:ERROR:certbot._internal.log:Some challenges have failed.

Nginx Conf:

server {
    listen 80;
    server_name nvblog.site www.nvblog.site;

    location / {
        proxy_pass http://0.0.0.0:443;  # Forward requests to Uvicorn
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ~ /.well-known {
      allow all;
    }

    location /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
        try_files $uri =404;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nvblog.site/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nvblog.site/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = nvblog.site) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name nvblog.site www.nvblog.site;
    return 404; # managed by Certbot
}

Thank you

If you passed to 443, it should be https, not http:

proxy_pass http://0.0.0.0:443;  # Forward requests to Uvicorn
server {
    server_name nvblog.site www.nvblog.site;

    location / {
        proxy_pass http://0.0.0.0:443;  # Forward requests to Uvicorn
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nvblog.site/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nvblog.site/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.nvblog.site) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = nvblog.site) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name nvblog.site www.nvblog.site;
    return 404; # managed by Certbot
}

After I stopped my uvicorn, the SSL setup using certbot was successful. However, now I can't run my uvicorn (uvicorn main:app --host 0.0.0.0 --port 443); it fails with the error:
ERROR: [Errno 98] error while attempting to bind on address ('0.0.0.0', 443): address already in use

Any idea why this is happening?

Update: Solved (Change port and firewall)

Yes, nginx was listening on port 443 once it got a certificate.

By the way, usually one uses 127.0.0.1 as the destination IP address to connect to "localhost". Using 0.0.0.0 works on Linux apparently, but that IP address is not really meant as a destination address. It might work now, but it might not work later or on other systems.

Also, if Uvicorn is indeed an HTTP service (i.e., not HTTPS), it doesn't make much sense to have had it listening on port 443 anyway, as that port is reserved for HTTPS.
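As an added example (not posted by anyone in this thread, and not the original config), here is one way to lay out the nginx side so that the points raised above hold: port 80 answers the ACME http-01 challenge path for both names and redirects everything else, TLS terminates in nginx on 443, and the application is reached as plain HTTP on the loopback address rather than on 0.0.0.0:443. It assumes Uvicorn is started with `--host 127.0.0.1 --port 8000` (8000 is an arbitrary unprivileged port chosen for the example) and reuses the certificate paths certbot already wrote for nvblog.site. The `^~` modifier on the challenge location keeps a regex location such as `location ~ /.well-known` from taking precedence over it, and because the app only listens on loopback, the host firewall needs only 80 and 443 open to the internet.

```nginx
# Added example configuration, not the poster's config.
# Assumption: uvicorn runs as `uvicorn main:app --host 127.0.0.1 --port 8000`.

# Port 80: serve ACME http-01 challenges for both names, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name nvblog.site www.nvblog.site;

    # Only needed when certbot runs with `--webroot -w /var/www/html`;
    # the --nginx authenticator inserts its own temporary location instead.
    # `^~` prevents a regex location from shadowing this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;
    }

    # No server-level `return 404;` here: it would run before location
    # matching and make the challenge path unreachable.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; the application only sees plain HTTP on loopback.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nvblog.site www.nvblog.site;

    ssl_certificate /etc/letsencrypt/live/nvblog.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nvblog.site/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # Plain HTTP to uvicorn on loopback, not http://0.0.0.0:443.
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Before reloading, `sudo nginx -t` validates the syntax, and `ss -ltnp` shows which process holds each listening port, which is the quickest way to spot the port-443 collision the thread ran into.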

