Certbot failed to authenticate some domains (authenticator: webroot)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pictures.go.ro

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d pictures.go.ro

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for pictures.go.ro

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: pictures.go.ro
Type: unauthorized
Detail: 86.120.33.172: Invalid response from http://pictures.go.ro/.well-known/acme-challenge/10vJj9mn3LWTqZGOBZjmo8ii2EFQuK8VCHCUZhs1Zmo: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): I'm using prebuilt web servers from immich (Express), jellyfin (Kestrel), etc.

The operating system my web server runs on is (include version): Ubuntu 24.04 LTS (GNU/Linux 6.8.0-39-generic x86_64)

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name pictures.go.ro;

    root /var/www/html;

    # Let's Encrypt verification
    location /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    # Redirect all HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pictures.go.ro;

    ssl_certificate /etc/letsencrypt/live/REDACTED/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/REDACTED/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/html;

    # Root location (Main Page)
    location / {
        proxy_pass http://REDACTED:REDACTED;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Vaultwarden location
    location /vaultwarden {
        proxy_pass http://REDACTED:REDACTED;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Jellyfin location
    location /jellyfin {
        proxy_pass http://REDACTED:REDACTED;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Error page for blocked access
    error_page 403 /blocked.html;
    location = /blocked.html {
        root /var/www/html;
        internal;
    }
}

Any help would be greatly appreciated. Cheers!

1 Like

Let's make sure you are at the expected IP.
What shows?:
curl -4 ifconfig.me
curl -4 ifconfig.io

3 Likes

curl -4 ifconfig.me
86.120.33.172
curl -4 ifconfig.io
86.120.33.172

/var/log/letsencrypt/letsencrypt.log

2024/07/30 18:11:24 [emerg] 137659#137659: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in />
nginx: configuration file /etc/nginx/nginx.conf test failed

2024-07-30 18:11:24,734:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/>

2024/07/30 18:11:24 [emerg] 137659#137659: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in />
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 1013, in config_test
util.run_script([self.conf('ctl'), "-c", self.nginx_conf, "-t"])
File "/usr/lib/python3/dist-packages/certbot/util.py", line 199, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running nginx -c /etc/nginx/nginx.conf -t.

2024/07/30 18:11:24 [emerg] 137659#137659: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in />
nginx: configuration file /etc/nginx/nginx.conf test failed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/disco.py", line 112, in prepare
self._initialized.prepare()
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 209, in prepare
self.config_test()
File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 1015, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.

2024/07/30 18:11:24 [emerg] 137659#137659: open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in />
nginx: configuration file /etc/nginx/nginx.conf test failed

2024-07-30 18:12:19,240:DEBUG:certbot._internal.main:certbot version: 2.9.0
2024-07-30 18:12:19,240:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-07-30 18:12:19,240:DEBUG:certbot._internal.main:Arguments: ['--nginx', '-d', 'pictures.go.ro', '-d', 'pictures.go.ro/jellyfin', '>
2024-07-30 18:12:19,240:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#ngin>
2024-07-30 18:12:19,247:DEBUG:certbot._internal.log:Root logging level set at 30
2024-07-30 18:12:19,247:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-07-30 18:12:19,255:ERROR:certbot.util:Error while running nginx -c /etc/nginx/nginx.conf -t.

2024/07/30 18:12:19 [emerg] 137911#137911: cannot load certificate "/etc/letsencrypt/live/pictures.go.ro/fullchain.pem": BIO_new_file(>
nginx: configuration file /etc/nginx/nginx.conf test failed

2024/07/30 18:12:19,255:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/>

2024/07/30 18:12:19 [emerg] 137911#137911: cannot load certificate "/etc/letsencrypt/live/pictures.go.ro/fullchain.pem": BIO_new_file(>
nginx: configuration file /etc/nginx/nginx.conf test failed
Traceback (most recent call last):

sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not parse file: /etc/nginx/conf.d/crowdsec_nginx.conf due to Expected string_end, found 'init' (at char 179), (line:7, col:1)

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: pictures.go.ro


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
** Error - Invalid selection **

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: pictures.go.ro


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for pictures.go.ro

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: pictures.go.ro
Type: unauthorized
Detail: 86.120.33.172: Invalid response from http://pictures.go.ro/.well-known/acme-challenge/rWI67VGUB4p3dR17IVnlrCLK0m4TQzaBXv8UCauh4qs: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Could not parse file: /etc/nginx/conf.d/crowdsec_nginx.conf due to Expected string_end, found 'init' (at char 179), (line:7, col:1)
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Maybe this info helps.

I don't think port 80 is being handled by nginx:

curl -Ii pictures.go.ro
HTTP/1.1 404 Not Found
content-type: text/html; charset=utf-8
server: Rocket     <<<<<<<<<<<<<<<<<<<<<<<<< Who is operating the "Rocket"?
...

You may have to switch to using webroot.
What shows?:
certbot certificates

3 Likes

I corrected the port situation, was trying to see if NPM handled the matter differently.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.


Where are these certs?:
crt.sh | pictures.go.ro

3 Likes

Oddly, your topic includes "(authenticator: webroot)"
Where did you read that?

3 Likes

A few lines of code prior, I had this issue: I ran this command: sudo certbot certonly --webroot -w /var/www/html -d pictures.go.ro

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for pictures.go.ro

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: pictures.go.ro
Type: unauthorized
Detail: 86.120.33.172: Invalid response from http://pictures.go.ro/.well-known/acme-challenge/10vJj9mn3LWTqZGOBZjmo8ii2EFQuK8VCHCUZhs1Zmo: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

But in the meantime I tried too many times and got the "too many failed authorizations recently" error: see Failed Validation Limit - Let's Encrypt :sweat_smile:

The certificates you mentioned are part of an NPM configuration I had on docker, but due to a recent event (I was missing a proper crowdsec config and my DNS isn't as permissive as others - but it's free) I'm now trying to ditch docker and have it all installed on my host server. I used the tutorial here https://docs.crowdsec.net/u/bouncers/nginx/ and after configuring this and that ended up here.

You're going in an nginx circle.
The problem is that port 80 is NOT being served by nginx:

It is flying in a "Rocket".

Until you can locate that "Rocket" and steer those requests to wherever they land...
You are not going to get a cert from this system [this way].

That said, there may be "other ways" to get a cert:

  • via DNS authentication [locally]
  • via DNS authentication [remotely and then copy the cert over]
  • stopping the "Rocket" web service and using certbot with standalone
3 Likes

Please show [either of these - whichever works]:

sudo netstat -plnt
sudo ss -plnt
3 Likes

You are trying to use nginx:

But you don't show nginx being the web server:

3 Likes

sudo ss -plnt

State  Recv-Q Send-Q Local Address:Port                Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:9015                      0.0.0.0:*         users:(("docker-proxy",pid=2000,fd=4))
LISTEN 0      50     0.0.0.0:445                       0.0.0.0:*         users:(("smbd",pid=1432,fd=30))
LISTEN 0      50     0.0.0.0:139                       0.0.0.0:*         users:(("smbd",pid=1432,fd=31))
LISTEN 0      511    0.0.0.0:80                        0.0.0.0:*         users:(("nginx",pid=1420,fd=5),("nginx",pid=1419,fd=5),("nginx",pid=1418,fd=5),("nginx",pid=1417,fd=5),("nginx",pid=1416,fd=5))
LISTEN 0      4096   100.69.230.60:48852               0.0.0.0:*         users:(("tailscaled",pid=1074,fd=28))
LISTEN 0      4096   192.168.100.54:22300              0.0.0.0:*         users:(("docker-proxy",pid=2014,fd=4))
LISTEN 0      4096   127.0.0.54:53                     0.0.0.0:*         users:(("systemd-resolve",pid=906,fd=17))
LISTEN 0      4096   0.0.0.0:2283                      0.0.0.0:*         users:(("docker-proxy",pid=2182,fd=4))
LISTEN 0      4096   127.0.0.1:6060                    0.0.0.0:*         users:(("crowdsec",pid=3035,fd=24))
LISTEN 0      4096   127.0.0.53%lo:53                  0.0.0.0:*         users:(("systemd-resolve",pid=906,fd=15))
LISTEN 0      4096   0.0.0.0:6881                      0.0.0.0:*         users:(("docker-proxy",pid=2031,fd=4))
LISTEN 0      4096   0.0.0.0:8096                      0.0.0.0:*         users:(("docker-proxy",pid=1975,fd=4))
LISTEN 0      4096   0.0.0.0:8090                      0.0.0.0:*         users:(("docker-proxy",pid=2093,fd=4))
LISTEN 0      4096   0.0.0.0:8033                      0.0.0.0:*         users:(("docker-proxy",pid=2040,fd=4))
LISTEN 0      4096   [::]:9015                         [::]:*            users:(("docker-proxy",pid=2009,fd=4))
LISTEN 0      50     [::]:445                          [::]:*            users:(("smbd",pid=1432,fd=28))
LISTEN 0      50     [::]:139                          [::]:*            users:(("smbd",pid=1432,fd=29))
LISTEN 0      4096   *:22                              *:*               users:(("sshd",pid=3674,fd=3),("systemd",pid=1,fd=92))
LISTEN 0      511    [::]:80                           [::]:*            users:(("nginx",pid=1420,fd=6),("nginx",pid=1419,fd=6),("nginx",pid=1418,fd=6),("nginx",pid=1417,fd=6),("nginx",pid=1416,fd=6))
LISTEN 0      4096   [::]:2283                         [::]:*            users:(("docker-proxy",pid=2191,fd=4))
LISTEN 0      4096   [::]:6881                         [::]:*            users:(("docker-proxy",pid=2049,fd=4))
LISTEN 0      4096   [::]:8096                         [::]:*            users:(("docker-proxy",pid=1988,fd=4))
LISTEN 0      4096   [::]:8090                         [::]:*            users:(("docker-proxy",pid=2100,fd=4))
LISTEN 0      4096   *:8080                            *:*               users:(("crowdsec",pid=3035,fd=3))
LISTEN 0      4096   [::]:8033                         [::]:*            users:(("docker-proxy",pid=2062,fd=4))
LISTEN 0      4096   [fd7a:115c:a1e0::c501:e63c]:39880 [::]:*

There seems to be a lot going on there:

docker, tailscaled, nginx, crowdsec

Do they provide any installation/usage instruction?

3 Likes
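The two checks the thread turns on (which process owns port 80 in `ss -plnt`, and what Server header the public hostname actually returns to `curl -Ii`) as a small preflight script. This is added example code, not from the thread or from Certbot; the `ss` rows and response headers below are constructed to mirror the thread's output, and the function names are my own.

```python
import re
from typing import Dict, Set

# Constructed sample of `ss -plnt` output in the thread's format; values are made up.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*        users:(("nginx",pid=1420,fd=5),("nginx",pid=1416,fd=5))
LISTEN 0      4096   0.0.0.0:8096      0.0.0.0:*        users:(("docker-proxy",pid=1975,fd=4))
LISTEN 0      4096   [::]:80           [::]:*           users:(("nginx",pid=1420,fd=6))
"""

# Constructed response headers, as `curl -Ii http://<hostname>/` prints them.
CURL_SAMPLE = """\
HTTP/1.1 404 Not Found
content-type: text/html; charset=utf-8
server: Rocket
"""

_ROW_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def listeners(ss_text: str) -> Dict[int, Set[str]]:
    """Map each listening TCP port to the names of the processes bound to it."""
    owners: Dict[int, Set[str]] = {}
    for line in ss_text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            names = {name for name, _pid in _PROC_RE.findall(m.group(3))}
            owners.setdefault(int(m.group(2)), set()).update(names)
    return owners

def server_header(curl_text: str) -> str:
    """Return the value of the Server response header, or '' if absent."""
    for line in curl_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""

def diagnose(ss_text: str, curl_text: str, expected: str = "nginx") -> str:
    """Contrast the local owner of port 80 with what the public hostname answers."""
    owners = listeners(ss_text).get(80, set())
    srv = server_header(curl_text)
    if expected not in owners:
        return f"port 80 is not owned by {expected} locally: {sorted(owners) or 'nobody'}"
    if srv and expected not in srv.lower():
        return (f"{expected} owns port 80 locally but the hostname answers with '{srv}': "
                "HTTP reaches a different host or device, so fix DNS/port forwarding first")
    return f"{expected} answers on port 80; check the webroot and the acme-challenge location"
```

On a real host, feed it `ss -plnt` and `curl -Ii http://<your-domain>/` output; the HTTP-01 challenge can only succeed once the process that answers the public hostname is the one serving the webroot.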

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.