Certbot failed to authenticate some domains (authenticator: webroot)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: djangotest.reinventintelligence.com

I ran this command: docker-compose -f docker-compose.deploy.yml run --rm certbot /opt/certify-init.sh

It produced this output:

=> [2/3] COPY certify-init.sh /opt/ 0.1s
=> [3/3] RUN chmod +x /opt/certify-init.sh 1.1s
=> exporting to image 0.1s
=> => exporting layers 0.1s
=> => writing image sha256:3c29a869bd8d90f7dea405f8297092255098d6ab172d12649d413819cc2f09dc 0.0s
=> => naming to Docker 0.0s
Waiting for proxy...
Waiting for proxy...
Waiting for proxy...
Waiting for proxy...
Waiting for proxy...
Waiting for proxy...
Getting certificate...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for djangotest.reinventintelligence.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: djangotest.reinventintelligence.com
Type: unauthorized
Detail: 3.145.132.244: Invalid response from http://djangotest.reinventintelligence.com/.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[ec2-user@ip-172-31-33-125 project_X1]$ client_loop: send disconnect: Connection reset

My web server is (include version):

The operating system my web server runs on is (include version): Linux/UNIX

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
-bash: certbot: command not found

Below is my default-ssl.conf.tpl file:

server {
    listen 80;
    server_name ${DOMAIN} www.${DOMAIN};

    # root (not alias): a request for /.well-known/acme-challenge/<token> is served
    # from /vol/www/.well-known/acme-challenge/<token>, which is where certbot's
    # --webroot-path "/vol/www/" writes the challenge file
    location /.well-known/acme-challenge/ {
        root /vol/www/;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen      443 ssl;
    server_name ${DOMAIN} www.${DOMAIN};

    ssl_certificate     /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;

    include     /etc/nginx/options-ssl-nginx.conf;

    ssl_dhparam /vol/proxy/ssl-dhparams.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /static {
        alias /vol/static;
    }

    location / {
        uwsgi_pass           ${APP_HOST}:${APP_PORT};
        include              /etc/nginx/uwsgi_params;
        client_max_body_size 10M;
    }
}

and below is my certify-init.sh script:

#!/bin/sh

set -e

# Block until the nginx proxy container accepts connections on port 80;
# the CA has to fetch the challenge file through that proxy.
until nc -z proxy 80; do
    echo "Waiting for proxy..."
    sleep 5s & wait ${!}
done

echo "Getting certificate..."

# HTTP-01 with the webroot authenticator: certbot writes the challenge file
# under /vol/www/.well-known/acme-challenge/, the directory nginx serves on port 80.
certbot certonly \
    --webroot \
    --webroot-path "/vol/www/" \
    -d "$DOMAIN" \
    --email "$EMAIL" \
    --rsa-key-size 4096 \
    --agree-tos \
    --noninteractive

If you place a test text file in "/vol/www/", can it be reached from the Internet?

Also, you might want to include the "www":
-d www.$DOMAIN

3 Likes
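The test-file check suggested in the reply above, as an added example (not code from this thread, from Certbot, or from the linked tutorial). The webroot directory and the domain are command-line arguments; the script writes a random token in the same directory layout Certbot's webroot authenticator uses, fetches it over plain HTTP on port 80 without following redirects (the CA would follow a redirect, but following it here would hide that the challenge path is being caught by the HTTPS redirect), deletes the probe, and translates the response into the failure modes seen in this thread. The file name `webroot_probe.py` and the verdict wording are my own.

```python
#!/usr/bin/env python3
"""Webroot reachability probe for HTTP-01.

Added example, not code from the forum thread or from Certbot. Assumes the
webroot directory and domain are passed on the command line; the probe file
is written to <webroot>/.well-known/acme-challenge/<token>, the layout the
--webroot authenticator uses, then fetched over plain HTTP on port 80.
"""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301 to https:// is reported, not hidden."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def write_probe(webroot):
    """Create a random probe file under the webroot; returns (token, absolute path)."""
    token = secrets.token_urlsafe(32)          # same base64url alphabet as an ACME token
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_probe(domain, token, timeout=10):
    """GET the probe over HTTP; returns (status, body). Redirects are not followed."""
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 3xx (because of NoRedirect), 4xx and 5xx all land here
        return err.code, err.read().decode("utf-8", "replace")


def verdict(status, body, token):
    """Map the observed response onto the failure modes discussed in the thread."""
    if status == 200 and body.strip() == token:
        return "ok: the file is served from the webroot on port 80"
    if status in (301, 302, 307, 308):
        return "redirected: the challenge path is caught by the HTTPS redirect"
    if status == 404:
        return ("404: something answered on port 80 but did not have the file just written; "
                "check that DNS points at this host and that nginx's root matches the webroot")
    if status in (502, 503, 504):
        return "%d: the request was proxied to the application instead of served from the webroot" % status
    return "unexpected status %d" % status


def main(argv):
    if len(argv) != 3:
        print("usage: %s <webroot> <domain>" % argv[0])
        return 2
    webroot, domain = argv[1], argv[2]
    token, path = write_probe(webroot)
    try:
        status, body = fetch_probe(domain, token)
    finally:
        os.remove(path)          # never leave probe files in a publicly served directory
    result = verdict(status, body, token)
    print(result)
    return 0 if result.startswith("ok") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it where the webroot volume is mounted (host or container), for example `python3 webroot_probe.py /vol/www <your domain>`; an `ok` verdict means the CA can reach files Certbot writes there, and any other verdict names which part of the path (DNS, redirect, root directive, proxy) to look at.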

Found the issue. I had to change my record details. I copied my old public IPv4 DNS.

But now getting a new error:

502 Bad Gateway


nginx/1.23.0

Below are the logs I found:

django_container1     | Starting development server at http://0.0.0.0:8000/
django_container1     | Quit the server with CONTROL-C.
project_x1-proxy-1    | 2023/01/18 17:43:26 [error] 9#9: *1 open() "/vol/www/.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc:" failed (2: No such file or directory), client: 17.58.81.144, server: djangotest.reinventintelligence.com, request: "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc: HTTP/1.1", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 17.58.81.144 - - [18/Jan/2023:17:43:26 +0000] "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc: HTTP/1.1" 404 153 "-" "AppleNewsBot" "-"
project_x1-proxy-1    | 2023/01/18 17:44:06 [error] 9#9: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 195.211.77.140, server: djangotest.reinventintelligence.com, request: "GET / HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 195.211.77.140 - - [18/Jan/2023:17:44:06 +0000] "GET / HTTP/1.1" 502 559 "-" "Mozilla/5.0 (Windows NT 8.1; WOW64) AppleWebKit/537.34 (KHTML, like Gecko) Chrome/36.0.2039.82 Safari/537.34" "-"
project_x1-proxy-1    | 2023/01/18 17:44:12 [error] 9#9: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 39.110.218.101, server: djangotest.reinventintelligence.com, request: "GET / HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 39.110.218.101 - - [18/Jan/2023:17:44:12 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Linux; U; Android 2.2; ja-jp; SC-02B Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" "-"
project_x1-proxy-1    | 2023/01/18 17:44:12 [error] 9#9: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 49.32.164.13, server: djangotest.reinventintelligence.com, request: "GET / HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 49.32.164.13 - - [18/Jan/2023:17:44:12 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "-"
project_x1-proxy-1    | 2023/01/18 17:44:29 [error] 9#9: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 54.158.17.110, server: djangotest.reinventintelligence.com, request: "GET /.git/config HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 54.158.17.110 - - [18/Jan/2023:17:44:29 +0000] "GET /.git/config HTTP/1.1" 502 559 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.9999.0 Safari/537.36" "-"
project_x1-proxy-1    | 2023/01/18 17:44:58 [error] 9#9: *11 open() "/vol/www/.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc:" failed (2: No such file or directory), client: 17.121.203.87, server: djangotest.reinventintelligence.com, request: "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc: HTTP/1.1", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 17.121.203.87 - - [18/Jan/2023:17:44:58 +0000] "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc: HTTP/1.1" 404 153 "-" "AppleNewsBot" "-"
project_x1-proxy-1    | 2023/01/18 17:45:01 [error] 9#9: *4 connect() failed (111: Connection refused) while connecting to upstream, client: 49.32.164.13, server: djangotest.reinventintelligence.com, request: "GET / HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 49.32.164.13 - - [18/Jan/2023:17:45:01 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "-"
project_x1-proxy-1    | 2023/01/18 17:49:58 [error] 9#9: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 49.32.164.13, server: djangotest.reinventintelligence.com, request: "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 49.32.164.13 - - [18/Jan/2023:17:49:58 +0000] "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "-"

Why are the challenge requests being proxied?

2 Likes
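The question above can be answered from the posted log lines themselves. As an added example (not code from this thread, from nginx or from Certbot), the script below classifies each nginx error-log entry by how nginx handled the request. An `open() "..." failed` entry for a challenge path means the location block with the `root` directive handled it and the file was not on disk; a `connect() failed ... upstream: "uwsgi://..."` entry for a challenge path means the request matched a server block that has no challenge location and was proxied (in the posted config only the 443 block proxies). It also flags tokens that are not base64url, since ACME tokens are (RFC 8555), so a token ending in `:` cannot be a CA validation request. The sample lines are copied from the log excerpt above; the category names and the regular expression are my own.

```python
#!/usr/bin/env python3
"""Triage nginx error-log lines for HTTP-01 challenge traffic.

Added example, not from the thread or from nginx/Certbot. Each error line is
classified by how nginx handled the request: tried the filesystem (the
location block with `root` matched) or forwarded it to the uwsgi upstream
(a server block without a challenge location matched).
"""
import re
from collections import Counter

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Fields of an nginx error-log entry; the docker-compose service prefix at the
# start of each line is skipped because search() is used rather than match().
ERROR_RE = re.compile(
    r'\[error\] \d+#\d+: \*\d+ '
    r'(?P<op>open\(\) "(?P<file>[^"]*)" failed|connect\(\) failed) '
    r'.*?client: (?P<client>[0-9a-f.:]+), '
    r'.*?request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"'
    r'(?:, upstream: "(?P<upstream>[^"]+)")?'
)

# Sample input: four lines copied from the proxy log excerpt posted above.
SAMPLE_LOG = """\
project_x1-proxy-1    | 2023/01/18 17:43:26 [error] 9#9: *1 open() "/vol/www/.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc:" failed (2: No such file or directory), client: 17.58.81.144, server: djangotest.reinventintelligence.com, request: "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc: HTTP/1.1", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 2023/01/18 17:44:06 [error] 9#9: *2 connect() failed (111: Connection refused) while connecting to upstream, client: 195.211.77.140, server: djangotest.reinventintelligence.com, request: "GET / HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 2023/01/18 17:44:29 [error] 9#9: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 54.158.17.110, server: djangotest.reinventintelligence.com, request: "GET /.git/config HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
project_x1-proxy-1    | 2023/01/18 17:49:58 [error] 9#9: *13 connect() failed (111: Connection refused) while connecting to upstream, client: 49.32.164.13, server: djangotest.reinventintelligence.com, request: "GET /.well-known/acme-challenge/7YghhupPSAVTziYt-7wIOruvdPgSj_usyEmQTJvKKdc HTTP/1.1", upstream: "uwsgi://172.21.0.3:9000", host: "djangotest.reinventintelligence.com"
"""


def classify(line):
    """Return (category, detail) for one error-log line, or None if it is not one."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    path, upstream = m.group("path"), m.group("upstream")
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if m.group("file") is not None:
            # The location with `root` handled it: nginx looked on disk.
            if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
                # ACME tokens are base64url (RFC 8555); a trailing ':' is not from the CA.
                return ("malformed-token", "webroot lookup for non-ACME token %r" % token)
            return ("webroot-miss", "no such file: %s" % m.group("file"))
        if upstream:
            # No challenge location in the matching server block, so nginx proxied it.
            return ("challenge-proxied", "challenge %s forwarded to %s" % (token, upstream))
    if upstream:
        return ("upstream-down", "%s refused the connection for %s" % (upstream, path))
    return ("other", m.group("op"))


def triage(log_text):
    """Classify every line of a log; returns (Counter of categories, list of results)."""
    results = [r for r in (classify(ln) for ln in log_text.splitlines()) if r]
    return Counter(cat for cat, _ in results), results


if __name__ == "__main__":
    counts, results = triage(SAMPLE_LOG)
    for cat, detail in results:
        print("%-18s %s" % (cat, detail))
    print(dict(counts))
```

Feed it the full proxy log (`docker-compose logs proxy | python3 triage.py` with the sample replaced by `sys.stdin.read()`) and the counters separate three different problems that all look like "it does not work": a challenge file nginx could not find, a challenge request that never reached the webroot because it was proxied, and an application upstream that is simply not listening on the port nginx is pointed at.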

No idea, I was following one link: Django Docker Deployment with HTTPS using Letsencrypt – London App Developer

And wanted to replicate this at my end.

Sorry I can't give you more information on this. I am new to this part.

It is being proxied because the HTTP server block is being ignored:

And it redirects to HTTPS:

And then the HTTPS has no location for the challenge files and proxies it:

2 Likes

We must be hitting two different web servers.
My requests are not being redirected:

curl -Ii http://djangotest.reinventintelligence.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx/1.23.0
Date: Wed, 18 Jan 2023 18:06:11 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
2 Likes

The web server is the same. I copied this name from the AWS Route53 records tab. Do you think there could be any other reasons?

Okay, what is your suggestion? What should I do here?

Make the two be one.

My domain is

reinventintelligence.com

and the web server is

djangotest.reinventintelligence.com

I have attached my record details. Kindly let me know how to make one from two

2 Likes

http results - 404 Not Found
https results - 502 Bad Gateway

>curl -4 -k -Ii http://djangotest.reinventintelligence.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.23.0
Date: Thu, 19 Jan 2023 17:04:57 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

>curl -4 -k -Ii http://djangotest.reinventintelligence.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
Server: nginx/1.23.0
Date: Thu, 19 Jan 2023 17:05:03 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

>curl -4 -k -Ii https://djangotest.reinventintelligence.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 502 Bad Gateway
Server: nginx/1.23.0
Date: Thu, 19 Jan 2023 17:05:10 GMT
Content-Type: text/html
Content-Length: 157
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains

>curl -4 -k -Ii https://djangotest.reinventintelligence.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 502 Bad Gateway
Server: nginx/1.23.0
Date: Thu, 19 Jan 2023 17:05:24 GMT
Content-Type: text/html
Content-Length: 157
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains

1 Like

Got it, thanks.

So we are blocking HTTP but it redirects to HTTPS? What should be done here?

3 Likes

I believe that was a bad idea (or assumption) on my part.
Sorry. :frowning:

1 Like

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

1 Like

Please show the entire nginx config, with:
nginx -T

2 Likes

I can't get any output from this command. Attached is the screenshot
ngnix_logs

Try it as Rudy spelled it :slight_smile:

3 Likes

:face_with_open_eyes_and_hand_over_mouth:

My bad. Please see the output below.

[ec2-user@ip-172-31-33-125 ~]$ nginx -T
-bash: nginx: command not found
[ec2-user@ip-172-31-33-125 ~]$

2 Likes