Certbot failed to authenticate some domains (authenticator: nginx)

Hi,

While trying to renew my certificate, it says:

Processing /etc/letsencrypt/renewal/xxx.xxx.xxxx.np.conf

Renewing an existing certificate for mentoring.cehrd.gov.np

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: xxx.xxx.xxxx.np
Type: connection
Detail: 103.XX.124.XX: Fetching http://xxx.xxx.xxxx.np/.well-known/acme-challenge/w0nwmYBmcc1u7cpWVx61l7bvbLrSX0hoUtxE4sLaQxM: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate mentoring.cehrd.gov.np with error: Some challenges have failed.

and the configs are stored in /etc/nginx/conf.d

Can you guys please help me to resolve it ASAP? I need to provide a demo tomorrow.

Thanks & Regards
Nare

HTTP requests on port 80 to your domain are failing. Something on your system is blocking those requests. Or, something like NAT or port forwarding is no longer working.

HTTPS requests using port 443 work fine (apart from your expired cert). So it is just port 80.

The Let's Debug test site is helpful to test changes you make. Once that says OK you should be able to renew the cert.

Use "Rerun Test" after you make changes


Actually here is our config:

root@cloud:/etc/nginx/conf.d# cat api.conf

server {
    server_name mentoringapi.cehrd.gov.np;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    access_log /var/log/nginx/api.tny.ws_access.log;
    error_log /var/log/nginx/api.tny.ws_error.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mentoringapi.cehrd.gov.np/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mentoringapi.cehrd.gov.np/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = mentoringapi.cehrd.gov.np) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name mentoringapi.cehrd.gov.np;
    return 404; # managed by Certbot
}

Can you please help me to fix it?

For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

And here is what I see nmap showing Port 80 is filtered, implying that the firewalls and routers need to allow Port 80 through.

$ nmap -Pn -p80,443 mentoring.cehrd.gov.np
Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-22 16:26 UTC
Nmap scan report for mentoring.cehrd.gov.np (103.69.124.47)
Host is up (0.31s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds

But it's showing port 80 is open.

Maybe from your network, but not from elsewhere in the world.


Do you have any geo blocking?

As I still see

$ nmap -Pn -p80,443 mentoring.cehrd.gov.np
Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-22 16:41 UTC
Nmap scan report for mentoring.cehrd.gov.np (103.69.124.47)
Host is up (0.43s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 5.80 seconds

Please read these:


Probably, it's a government server, as they have some restrictions and all.

But, remember only HTTP (port 80) is blocked not HTTPS (port 443)

If you do not control the network config you will need to speak with them.

HTTP port 80 must have been working when you first got your cert. Something has changed since then.


Hi everyone,

Thanks so much for all your responses! I finally resolved the issue by temporarily disabling the automatic redirect to HTTPS.

For those facing similar problems, here's how I managed to fix it.

Original Certbot-Managed Server Block:

Certbot was automatically redirecting all traffic to HTTPS using the following server block:

server {
    if ($host = mentoring.cehrd.gov.np) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mentoring.cehrd.gov.np;
    return 404; # managed by Certbot
}

Since Certbot needs HTTP for the ACME challenge, I had to temporarily disable the HTTPS redirect. Here's the modified server block:

Temporary Server Block:

server {
    # Temporarily disable HTTPS redirection
    # if ($host = yourwebsite.com) {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot

    listen 80;
    server_name yourwebsite.com;

    # Allow HTTP for the ACME challenge
    location /.well-known/acme-challenge/ {
        root /your-web-root-path;  # Adjust to your webroot path
    }

    # Comment out the 404 return for Certbot to work
    # return 404; # managed by Certbot
}

Step-by-Step Process:

  1. Save the changes to your NGINX configuration file.

  2. Restart NGINX:

    sudo systemctl restart nginx
    
  3. Run the renewal command:

    sudo certbot renew
    
  4. If you see the error "Another instance of Certbot is already running," kill the running process and try again:

    sudo pkill certbot
    
  5. If the issue persists, remove any Certbot lock files:

    sudo rm /var/log/letsencrypt/.certbot.lock
    sudo rm /var/lib/letsencrypt/lock
    sudo rm /var/lib/letsencrypt/.certbot.lock
    
  6. Ensure the ACME challenge directory exists:

    sudo mkdir -p /your-web-root-path/.well-known/acme-challenge/
    
  7. Set correct permissions for the directory:

    sudo chown -R www-data:www-data /your-web-root-path/.well-known/
    sudo chmod -R 755 /your-web-root-path/.well-known/
    
  8. Reload NGINX:

    sudo systemctl reload nginx
    
  9. Create a test file to verify the ACME challenge directory:

    echo "test" | sudo tee /your-web-root-path/.well-known/acme-challenge/test-file
    
  10. Check if you can access the test file via your browser or curl:

    curl http://yourwebsite.com/.well-known/acme-challenge/test-file
    

    If it returns "test," your configuration is correct.

  11. Finally, renew the certificate:

    sudo certbot renew
    
  12. Once the renewal is successful, don't forget to revert your server block back to redirect traffic to HTTPS:

    server {
        if ($host = yourwebsite.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
        listen 80;
        server_name yourwebsite.com;
        return 404; # managed by Certbot
    }
    

That’s it! After following these steps, your certificate should be renewed, and HTTPS redirection will be back in place. I hope this helps anyone facing similar issues!
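The thread's diagnosis boils down to two checks a renewal pre-flight should make before running certbot: is TCP port 80 reachable at all (nmap's open/closed/filtered), and does a plain-HTTP GET of /.well-known/acme-challenge/<token> come back as 200 with the expected body rather than a 301 to HTTPS or a 404 from the Certbot-managed block? The script below, an added example that is not part of the thread or of Certbot, does both with the standard library only. It stands up a throwaway loopback web server in place of nginx so it runs offline; the host, port, token name "test-file" and webroot are constructed for the demo, and the function names are my own.

```python
"""Pre-flight check for an HTTP-01 renewal (added example; not from the thread).
1. classify_port():      TCP connect, reported like nmap as open / closed / filtered
2. fetch_challenge():    plain-HTTP GET of the ACME challenge path, no redirect following
3. selfcheck_local():    offline demo using a temporary webroot served on 127.0.0.1
"""
import http.client
import os
import socket
import sys
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler


def classify_port(host, port, timeout=3.0):
    """Mirror nmap's three states for a single TCP connect:
    'open' = handshake completed, 'closed' = RST/refused,
    'filtered' = no answer within the timeout (firewall/NAT drop) or no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"


def fetch_challenge(host, port, token, timeout=5.0):
    """GET /.well-known/acme-challenge/<token> over plain HTTP with the real Host header.
    Redirects are deliberately NOT followed: a 301 to https:// here is the exact
    failure the thread hit with the Certbot-managed port-80 block."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()


def challenge_path_ok(host, port, token, expected):
    """True only when the path answers 200 and the body matches what was written."""
    status, body = fetch_challenge(host, port, token)
    return status == 200 and body == expected


def write_token(webroot, token, content):
    """Equivalent of steps 6 and 9 of the post: create the directory and a test file."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def serve_webroot(webroot):
    """Throwaway HTTP server on a loopback ephemeral port; stands in for nginx."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def selfcheck_local():
    """Offline demonstration of the pre-flight on a constructed webroot."""
    webroot = tempfile.mkdtemp(prefix="acme-demo-")  # constructed, not a real site
    write_token(webroot, "test-file", "test")
    srv, port = serve_webroot(webroot)
    try:
        results = {
            "port_state": classify_port("127.0.0.1", port),
            "token_served": challenge_path_ok("127.0.0.1", port, "test-file", "test"),
            "missing_status": fetch_challenge("127.0.0.1", port, "missing")[0],
        }
    finally:
        srv.shutdown()
        srv.server_close()
    # Nothing listening any more: a connect now gets RST, i.e. nmap's "closed".
    results["port_state_after_stop"] = classify_port("127.0.0.1", port, timeout=1.0)
    return results


if __name__ == "__main__":
    # Real use: python3 preflight.py yourwebsite.com test-file test
    if len(sys.argv) == 4:
        host, token, expected = sys.argv[1:]
        print("port 80:", classify_port(host, 80))
        print("challenge path:", fetch_challenge(host, 80, token))
        print("ready for renewal:", challenge_path_ok(host, 80, token, expected))
    else:
        print(selfcheck_local())
```

Run against a real host only after the test file from step 9 exists; a "filtered" result points at the firewall/NAT question the responders raised, a 301 or 404 on the challenge path points at the nginx server block, and only "open" plus 200/"test" means certbot renew has a fair chance.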

