Certbot failed to authenticate some domains

My domain is:thecesar.tech

I ran this command:sudo certbot --nginx
It produced this output:

My web server is (include version):Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: thecesar.tech
Type: unauthorized
Detail: 34.75.79.52: Invalid response from http://thecesar.tech/.well-known/acme-challenge/A2_GD64yJVZjpG--cKNK5Y2VerpM5xhegRyuFTW9nSw: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The operating system my web server runs on is (include version):Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is:https://get.tech/

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.26.0

Welcome to the community @mrcesar95

It is unusual for certbot to fail on a new nginx config (I see your Hello World page). Certbot makes temp changes to your nginx conf to receive the http challenge from the Let's Encrypt servers. But, the LE server does not see that change.

Can you check your nginx access log? Is there any requests for the LE server challenges like this?

thecesar.tech/.well-known/acme-challenge/(someTokenValue)

I tried a couple times with token value of ForumTest so you should see those at least.

I also noticed you are using Fastly caching. Is that passing through all requests to your nginx server?

The answers will help focus on something odd in your nginx conf or something environmental. Thanks

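The check asked for above (look in the nginx access log for requests to the acme-challenge path, and see whether the Let's Encrypt validator's request ever arrived) can be scripted. The following is an added example, not code from this thread or from certbot: it parses nginx's combined-format access log (the format Ubuntu's default nginx.conf writes to /var/log/nginx/access.log), pulls out every acme-challenge request, and sorts the failure into one of three cases. The log lines are constructed samples using documentation IP ranges; the validator user-agent substring is the one Let's Encrypt's validation servers send; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# nginx "combined" log format: client, ident, user, [time], "request",
# status, bytes, "referer", "user-agent".
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Substring of the User-Agent sent by Let's Encrypt's validation servers.
LE_VALIDATOR_UA = "Let's Encrypt validation server"

# Constructed sample lines (not from the poster's server). Line 1 mimics the
# CA's validation request getting a 404; line 2 is a manual probe like the
# "ForumTest" token mentioned above; line 3 is ordinary site traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [30/Apr/2022:14:46:30 +0000] "GET /.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8 HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [30/Apr/2022:14:50:02 +0000] "GET /.well-known/acme-challenge/ForumTest HTTP/1.1" 404 162 "-" "curl/7.68.0"
198.51.100.7 - - [30/Apr/2022:14:50:20 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""


@dataclass
class ChallengeHit:
    client: str
    token: str
    status: int
    from_validator: bool


def acme_challenge_hits(log_text: str) -> List[ChallengeHit]:
    """Return every request for an http-01 challenge path, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        hits.append(ChallengeHit(
            client=m["client"],
            token=m["path"][len(CHALLENGE_PREFIX):].split("?", 1)[0],
            status=int(m["status"]),
            from_validator=LE_VALIDATOR_UA in m["ua"],
        ))
    return hits


def triage(hits: List[ChallengeHit]) -> str:
    """Classify what the access log says about a failed http-01 validation."""
    validator_hits = [h for h in hits if h.from_validator]
    if not validator_hits:
        # The CA's request never reached this nginx: DNS points elsewhere,
        # port 80 is filtered, or a CDN/proxy in front (Fastly in this thread)
        # answered the request itself instead of passing it through.
        return "no_validator_requests_reached_nginx"
    if all(h.status == 200 for h in validator_hits):
        return "validator_requests_served"
    # The request arrived but nginx did not serve certbot's temporary
    # location block: some other server block is catching port 80 for this name.
    return "validator_requests_not_served"


if __name__ == "__main__":
    found = acme_challenge_hits(SAMPLE_ACCESS_LOG)
    for h in found:
        print(f"{h.client:15} token={h.token} status={h.status} validator={h.from_validator}")
    print("diagnosis:", triage(found))
```

On a real box, feed it the file instead of the sample: `triage(acme_challenge_hits(open("/var/log/nginx/access.log").read()))`. The first outcome points at DNS, firewall, or the CDN; the second at the nginx configuration itself.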

Thanks for your answer. Here is the log file and an image of my project

2022-04-30 14:46:23,374:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-04-30 14:46:23,849:DEBUG:certbot._internal.main:certbot version: 1.26.0
2022-04-30 14:46:23,850:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1952/bin/certbot
2022-04-30 14:46:23,850:DEBUG:certbot._internal.main:Arguments: ['--nginx', '--preconfigured-renewal']
2022-04-30 14:46:23,850:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-30 14:46:23,862:DEBUG:certbot._internal.log:Root logging level set at 30
2022-04-30 14:46:23,863:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2022-04-30 14:46:23,955:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe6fd44abb0>
Prep: True
2022-04-30 14:46:23,956:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe6fd44abb0> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe6fd44abb0>
2022-04-30 14:46:23,956:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2022-04-30 14:46:23,963:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/521697587', new_authzr_uri=None, terms_of_service=None), 0b4818cb27c5d9974f2a1911a61b2ed2, Meta(creation_dt=datetime.datetime(2022, 4, 29, 19, 35, 30, tzinfo=), creation_host='localhost', register_to_eff='cesaruxfxtx@gmail.com'))>
2022-04-30 14:46:23,964:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-04-30 14:46:23,965:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-04-30 14:46:24,171:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-04-30 14:46:24,172:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:24 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"JnYlR87AxaM": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-04-30 14:46:29,372:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for thecesar.tech
2022-04-30 14:46:29,588:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0019_key-certbot.pem
2022-04-30 14:46:29,592:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0019_csr-certbot.pem
2022-04-30 14:46:29,592:DEBUG:acme.client:Requesting fresh nonce
2022-04-30 14:46:29,593:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-04-30 14:46:29,654:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-04-30 14:46:29,657:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:29 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001nTCsNUrjFxn-i_QyAbmTp3fM6gGGHBEzfV17Cjk8H4Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2022-04-30 14:46:29,657:DEBUG:acme.client:Storing nonce: 0001nTCsNUrjFxn-i_QyAbmTp3fM6gGGHBEzfV17Cjk8H4Q
2022-04-30 14:46:29,658:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "thecesar.tech"\n }\n ]\n}'
2022-04-30 14:46:29,660:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDFuVENzTlVyakZ4bi1pX1F5QWJtVHAzZk02Z0dHSEJFemZWMTdDams4SDRRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "E-fTzG3RtNOeriBUzsBory8vPnQCqDrsWWVSmd2uDCUxVQL099Hq9e8fxhwVBwmNdwAoBlaV18nIluce7LrNpVQQN1ZL_MppANkXmgn_8A5rGZT-_1Di9fOCSsX4pYcaWYkDjUi1rthK6uyjnU6UBW-C1COPGxHbu8A_IUS8aB8S8-f1EQcsdJCBNXuz4eG2AFEP_bbi6C-FzHeIrsQ0XgGOsxVm8T08jxErzgFWTNWRn59sUxCQMGtiwwMbNlNi876Gk-V3SUoujlQDub1U0ZVbBvpw8qmeLciFjsdE7eJO0aOvIp4oZP_rJItUQkgcDxlNk6i7Y0svIfRLxsooiQ",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInRoZWNlc2FyLnRlY2giCiAgICB9CiAgXQp9"
}
2022-04-30 14:46:29,754:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 337
2022-04-30 14:46:29,754:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 30 Apr 2022 14:46:29 GMT
Content-Type: application/json
Content-Length: 337
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/521697587/84620125737
Replay-Nonce: 0001GrC0zfcLsP8JkpqhkuUrYoHlNs341d0WCX_vg6Kl1os
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2022-05-07T14:46:29Z",
"identifiers": [
{
"type": "dns",
"value": "thecesar.tech"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/521697587/84620125737"
}
2022-04-30 14:46:29,755:DEBUG:acme.client:Storing nonce: 0001GrC0zfcLsP8JkpqhkuUrYoHlNs341d0WCX_vg6Kl1os
2022-04-30 14:46:29,755:DEBUG:acme.client:JWS payload:
b''
2022-04-30 14:46:29,756:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDFHckMwemZjTHNQOEprcHFoa3VVcllvSGxOczM0MWQwV0NYX3ZnNktsMW9zIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMDM2ODYwMDk1MDcifQ",
"signature": "zaGp7JmRumDl_uRXFW6xTAPvKc9gtAKkt_l6iYjT5LoD8czAJgvSdyj06xOfjClYqEjJcswr_R1ZXNN9cgP-nXTGPfFd2NbU4z1mIV6Iib2F4z90Tq48nLt3gzzDW-cmQesIdw8_OB5uQ0dobK9xnid1Mh792xaRjkfY9IIVGTOVNcNfpAdjlYhe3wnQsMVZCAKc7I8qSsyyR9_fOxy9ah1IawM2X4asY4MTxv4skTCY-srs_3eldH3Ylo6iRXoaNZIfhtN7CmpUTDFUw0SZvAwZW0Mce5_xdyMxqI1hop2n51EtMHMe_vERmHNUOxVeM_4WFdGJ_4aHjIDertBnCA",
"payload": ""
}
2022-04-30 14:46:29,823:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/103686009507 HTTP/1.1" 200 797
2022-04-30 14:46:29,823:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:29 GMT
Content-Type: application/json
Content-Length: 797
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001YDiTxl89fNrvd13quITWc5msNwB_euspkUqSjedLypQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "thecesar.tech"
},
"status": "pending",
"expires": "2022-05-07T14:46:29Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/mNsHuA",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/v66pjg",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
}
]
}
2022-04-30 14:46:29,824:DEBUG:acme.client:Storing nonce: 0001YDiTxl89fNrvd13quITWc5msNwB_euspkUqSjedLypQ
2022-04-30 14:46:29,824:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-04-30 14:46:29,824:INFO:certbot._internal.auth_handler:http-01 challenge for thecesar.tech
2022-04-30 14:46:29,827:DEBUG:certbot_nginx._internal.http_01:Using default address 80 for authentication.
2022-04-30 14:46:29,827:DEBUG:certbot_nginx._internal.http_01:Generated server block:
[[['server'], [['listen', '80'], ['server_name', 'thecesar.tech'], ['root', '/var/lib/letsencrypt/http_01_nonexistent'], [['location', '=', '/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8'], [['default_type', 'text/plain'], ['return', '200', 'ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8.cEXUnikbI0f6Ubx76JcKWih4Ngli7Vq1XgkGLTZ7ksI']]]]]]
2022-04-30 14:46:29,828:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2022-04-30 14:46:29,828:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2022-04-30 14:46:29,829:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
server_names_hash_bucket_size 128;
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

#mail {
#    # See sample authentication script at:
#    # Using a PHP Script on an Apache Server as the IMAP Auth Backend | NGINX
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}

2022-04-30 14:46:30,839:DEBUG:acme.client:JWS payload:
b'{}'
2022-04-30 14:46:30,841:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDFZRGlUeGw4OWZOcnZkMTNxdUlUV2M1bXNOd0JfZXVzcGtVcVNqZWRMeXBRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xMDM2ODYwMDk1MDcvM3pjYjNRIn0",
"signature": "uBEIM-_yj1SNPvg-jUPC07-6pNTbNNv59teJDZaw0WANeg-0HXBv0sbIu2bQmHDq3rKE-723JCKNXRTcDc4tx_fJb7b7aiCNtRT6InExJwiEKNn-zK-rdx_wN6Hlk8s3YYSFiiv54bBg-QfrheZnx0z7Z5OX0vVMdGdMrRIdtBVd3UEfIUCFUcWDFRy_7DnGPbawhXRdI77Griq1Ojpv4BevlxRg29DOW-5drl39Ej4bFtwlfMVZU-iCY87s2E8oKOBppAkXVjVpQIaFceOcDFev0-DAQYu20xnYmkYviX0y2v8UsERPl-_tgovXtLnrcsU3kLkTGKYpWRoOCjR_aw",
"payload": "e30"
}
2022-04-30 14:46:30,913:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/103686009507/3zcb3Q HTTP/1.1" 200 187
2022-04-30 14:46:30,913:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:30 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q
Replay-Nonce: 00023NihzN5iv727rvqHbElmNyy1kZWqNMLYMffdNAvl-Kk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
}
2022-04-30 14:46:30,913:DEBUG:acme.client:Storing nonce: 00023NihzN5iv727rvqHbElmNyy1kZWqNMLYMffdNAvl-Kk
2022-04-30 14:46:30,914:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-04-30 14:46:31,915:DEBUG:acme.client:JWS payload:
b''
2022-04-30 14:46:31,917:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDIzTmloek41aXY3MjdydnFIYkVsbU55eTFrWldxTk1MWU1mZmROQXZsLUtrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMDM2ODYwMDk1MDcifQ",
"signature": "xWs-ZBYB2hmRkuKmQWtIN7sJHbrvvHovb9DIfQ5OuQmQvVAUnukVfAZwBZOLT5N09eHkA8j_Xa_9K_ClsUMzmUKbUI7fUlX60J_RSuu0yZyecS2tjOuz3zGSGmzqnG8e_JNW5WsORHUEo_iM3xS4gKdY5cvp2a-tzgsOK8f-xygbCaxWuhaxY1VXqNZ9zHSr9jzjES_I-Zo5lKlSBucNHgSWbMzqo5tCU48iphnuCwAg7_0SHNkXYk824ZZmYlDGixz6Jab7aqzxINqaRiGN18puO6l6Jwdd7PyQaQHnUmZgBvCPJrGXZHsp2u9BFINN6IXDNNVaYUs9diZBcj4RmA",
"payload": ""
}
2022-04-30 14:46:31,981:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/103686009507 HTTP/1.1" 200 1014
2022-04-30 14:46:31,982:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:31 GMT
Content-Type: application/json
Content-Length: 1014
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002JpOWQovpJHWRNN871TE6EvT9oy3Zd2A-YaStkKDBj1M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "thecesar.tech"
},
"status": "invalid",
"expires": "2022-05-07T14:46:29Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "34.75.79.52: Invalid response from http://thecesar.tech/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8",
"validationRecord": [
{
"url": "http://thecesar.tech/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8",
"hostname": "thecesar.tech",
"port": "80",
"addressesResolved": [
"34.75.79.52"
],
"addressUsed": "34.75.79.52"
}
],
"validated": "2022-04-30T14:46:30Z"
}
]
}
2022-04-30 14:46:31,982:DEBUG:acme.client:Storing nonce: 0002JpOWQovpJHWRNN871TE6EvT9oy3Zd2A-YaStkKDBj1M
2022-04-30 14:46:31,983:INFO:certbot._internal.auth_handler:Challenge failed for domain thecesar.tech
2022-04-30 14:46:31,983:INFO:certbot._internal.auth_handler:http-01 challenge for thecesar.tech
2022-04-30 14:46:31,983:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: thecesar.tech
Type: unauthorized
Detail: 34.75.79.52: Invalid response from http://thecesar.tech/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2022-04-30 14:46:31,984:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-30 14:46:31,984:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-04-30 14:46:31,984:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-04-30 14:46:33,059:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/1952/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 1723, in main
return config.func(config, plugins)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 1432, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 441, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-04-30 14:46:33,061:ERROR:certbot._internal.log:Some challenges have failed.
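The "Generated server block" line in the log above shows what certbot's temporary nginx config answers at the challenge path: a `return 200` with the body `<token>.<thumbprint>`. That string is the key authorization of RFC 8555 section 8.1 (token joined to the RFC 7638 SHA-256 thumbprint of the account's public key), and the CA accepts nothing else at that URL, so a 404 or a different body both fail with "unauthorized". The following is an added example, not certbot's or Boulder's code: it computes the expected key authorization and classifies a fetched response the way the CA does. The JWK is a constructed, non-functional placeholder (the modulus is dummy bytes), and the function names are my own.

```python
import base64
import hashlib
import json
from typing import Dict


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWS encode binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed placeholder account key (NOT a real RSA key): the thumbprint
# only depends on the JSON members, so dummy values serve to show the math.
SAMPLE_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65))),
}

# Token from the failed order in the log above.
SAMPLE_TOKEN = "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted
    lexicographically, serialized with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects to read at
    http://<domain>/.well-known/acme-challenge/<token> (what certbot's
    temporary nginx location block returns)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def check_challenge_response(status: int, body: str, token: str,
                             jwk: Dict[str, str]) -> str:
    """Diagnose a response fetched from the challenge URL as the CA would."""
    if status != 200:
        # e.g. "http_404": nothing answered at that path on the host the CA
        # reached, which is the failure in the log above.
        return f"http_{status}"
    if body.strip() != key_authorization(token, jwk):
        # Something served the path, but not for this token / account key
        # (stale file, a different ACME client, or a cache answering).
        return "wrong_key_authorization"
    return "ok"


if __name__ == "__main__":
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("expected body:", expected)
    print("CA saw a 404  :", check_challenge_response(404, "Not Found", SAMPLE_TOKEN, SAMPLE_JWK))
    print("correct body  :", check_challenge_response(200, expected, SAMPLE_TOKEN, SAMPLE_JWK))
```

To use it against a live server, fetch the challenge URL over plain HTTP from outside the network (the CA connects to port 80 on the address DNS resolves to, 34.75.79.52 in the log above) and pass the status and body to `check_challenge_response` with the token from the log and the account key from /etc/letsencrypt/accounts. A cache or CDN in front of nginx answering for that path shows up as `http_404` or `wrong_key_authorization` even when nginx itself is configured correctly.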

Thanx for your answer.Here is a image of my project and the log file

2022-04-30 14:46:23,374:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-04-30 14:46:23,849:DEBUG:certbot._internal.main:certbot version: 1.26.0
2022-04-30 14:46:23,850:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1952/bin/certbot
2022-04-30 14:46:23,850:DEBUG:certbot._internal.main:Arguments: ['--nginx', '--preconfigured-renewal']
2022-04-30 14:46:23,850:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-30 14:46:23,862:DEBUG:certbot._internal.log:Root logging level set at 30
2022-04-30 14:46:23,863:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2022-04-30 14:46:23,955:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe6fd44abb0>
Prep: True
2022-04-30 14:46:23,956:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe6fd44abb0> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fe6fd44abb0>
2022-04-30 14:46:23,956:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2022-04-30 14:46:23,963:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/521697587', new_authzr_uri=None, terms_of_service=None), 0b4818cb27c5d9974f2a1911a61b2ed2, Meta(creation_dt=datetime.datetime(2022, 4, 29, 19, 35, 30, tzinfo=), creation_host='localhost', register_to_eff='cesaruxfxtx@gmail.com'))>
2022-04-30 14:46:23,964:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-04-30 14:46:23,965:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-04-30 14:46:24,171:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-04-30 14:46:24,172:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:24 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"JnYlR87AxaM": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-04-30 14:46:29,372:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for thecesar.tech
2022-04-30 14:46:29,588:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0019_key-certbot.pem
2022-04-30 14:46:29,592:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0019_csr-certbot.pem
2022-04-30 14:46:29,592:DEBUG:acme.client:Requesting fresh nonce
2022-04-30 14:46:29,593:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-04-30 14:46:29,654:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-04-30 14:46:29,657:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:29 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001nTCsNUrjFxn-i_QyAbmTp3fM6gGGHBEzfV17Cjk8H4Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2022-04-30 14:46:29,657:DEBUG:acme.client:Storing nonce: 0001nTCsNUrjFxn-i_QyAbmTp3fM6gGGHBEzfV17Cjk8H4Q
2022-04-30 14:46:29,658:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "thecesar.tech"\n }\n ]\n}'
2022-04-30 14:46:29,660:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDFuVENzTlVyakZ4bi1pX1F5QWJtVHAzZk02Z0dHSEJFemZWMTdDams4SDRRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "E-fTzG3RtNOeriBUzsBory8vPnQCqDrsWWVSmd2uDCUxVQL099Hq9e8fxhwVBwmNdwAoBlaV18nIluce7LrNpVQQN1ZL_MppANkXmgn_8A5rGZT-_1Di9fOCSsX4pYcaWYkDjUi1rthK6uyjnU6UBW-C1COPGxHbu8A_IUS8aB8S8-f1EQcsdJCBNXuz4eG2AFEP_bbi6C-FzHeIrsQ0XgGOsxVm8T08jxErzgFWTNWRn59sUxCQMGtiwwMbNlNi876Gk-V3SUoujlQDub1U0ZVbBvpw8qmeLciFjsdE7eJO0aOvIp4oZP_rJItUQkgcDxlNk6i7Y0svIfRLxsooiQ",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInRoZWNlc2FyLnRlY2giCiAgICB9CiAgXQp9"
}
2022-04-30 14:46:29,754:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 337
2022-04-30 14:46:29,754:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sat, 30 Apr 2022 14:46:29 GMT
Content-Type: application/json
Content-Length: 337
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/521697587/84620125737
Replay-Nonce: 0001GrC0zfcLsP8JkpqhkuUrYoHlNs341d0WCX_vg6Kl1os
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2022-05-07T14:46:29Z",
"identifiers": [
{
"type": "dns",
"value": "thecesar.tech"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/521697587/84620125737"
}
2022-04-30 14:46:29,755:DEBUG:acme.client:Storing nonce: 0001GrC0zfcLsP8JkpqhkuUrYoHlNs341d0WCX_vg6Kl1os
2022-04-30 14:46:29,755:DEBUG:acme.client:JWS payload:
b''
2022-04-30 14:46:29,756:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDFHckMwemZjTHNQOEprcHFoa3VVcllvSGxOczM0MWQwV0NYX3ZnNktsMW9zIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMDM2ODYwMDk1MDcifQ",
"signature": "zaGp7JmRumDl_uRXFW6xTAPvKc9gtAKkt_l6iYjT5LoD8czAJgvSdyj06xOfjClYqEjJcswr_R1ZXNN9cgP-nXTGPfFd2NbU4z1mIV6Iib2F4z90Tq48nLt3gzzDW-cmQesIdw8_OB5uQ0dobK9xnid1Mh792xaRjkfY9IIVGTOVNcNfpAdjlYhe3wnQsMVZCAKc7I8qSsyyR9_fOxy9ah1IawM2X4asY4MTxv4skTCY-srs_3eldH3Ylo6iRXoaNZIfhtN7CmpUTDFUw0SZvAwZW0Mce5_xdyMxqI1hop2n51EtMHMe_vERmHNUOxVeM_4WFdGJ_4aHjIDertBnCA",
"payload": ""
}
2022-04-30 14:46:29,823:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/103686009507 HTTP/1.1" 200 797
2022-04-30 14:46:29,823:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:29 GMT
Content-Type: application/json
Content-Length: 797
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001YDiTxl89fNrvd13quITWc5msNwB_euspkUqSjedLypQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "thecesar.tech"
},
"status": "pending",
"expires": "2022-05-07T14:46:29Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/mNsHuA",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/v66pjg",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
}
]
}
2022-04-30 14:46:29,824:DEBUG:acme.client:Storing nonce: 0001YDiTxl89fNrvd13quITWc5msNwB_euspkUqSjedLypQ
2022-04-30 14:46:29,824:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-04-30 14:46:29,824:INFO:certbot._internal.auth_handler:http-01 challenge for thecesar.tech
2022-04-30 14:46:29,827:DEBUG:certbot_nginx._internal.http_01:Using default address 80 for authentication.
2022-04-30 14:46:29,827:DEBUG:certbot_nginx._internal.http_01:Generated server block:
[[['server'], [['listen', '80'], ['server_name', 'thecesar.tech'], ['root', '/var/lib/letsencrypt/http_01_nonexistent'], [['location', '=', '/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8'], [['default_type', 'text/plain'], ['return', '200', 'ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8.cEXUnikbI0f6Ubx76JcKWih4Ngli7Vq1XgkGLTZ7ksI']]]]]]
2022-04-30 14:46:29,828:DEBUG:certbot.reverter:Creating backup of /etc/nginx/nginx.conf
2022-04-30 14:46:29,828:DEBUG:certbot.reverter:Creating backup of /etc/nginx/mime.types
2022-04-30 14:46:29,829:DEBUG:certbot_nginx._internal.parser:Writing nginx conf tree to /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
server_names_hash_bucket_size 128;
include /etc/letsencrypt/le_http_01_cert_challenge.conf;

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

#mail {
#	# See sample authentication script at:
#	# Using a PHP Script on an Apache Server as the IMAP Auth Backend | NGINX
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

2022-04-30 14:46:30,839:DEBUG:acme.client:JWS payload:
b'{}'
2022-04-30 14:46:30,841:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDFZRGlUeGw4OWZOcnZkMTNxdUlUV2M1bXNOd0JfZXVzcGtVcVNqZWRMeXBRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xMDM2ODYwMDk1MDcvM3pjYjNRIn0",
"signature": "uBEIM-_yj1SNPvg-jUPC07-6pNTbNNv59teJDZaw0WANeg-0HXBv0sbIu2bQmHDq3rKE-723JCKNXRTcDc4tx_fJb7b7aiCNtRT6InExJwiEKNn-zK-rdx_wN6Hlk8s3YYSFiiv54bBg-QfrheZnx0z7Z5OX0vVMdGdMrRIdtBVd3UEfIUCFUcWDFRy_7DnGPbawhXRdI77Griq1Ojpv4BevlxRg29DOW-5drl39Ej4bFtwlfMVZU-iCY87s2E8oKOBppAkXVjVpQIaFceOcDFev0-DAQYu20xnYmkYviX0y2v8UsERPl-_tgovXtLnrcsU3kLkTGKYpWRoOCjR_aw",
"payload": "e30"
}
2022-04-30 14:46:30,913:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/103686009507/3zcb3Q HTTP/1.1" 200 187
2022-04-30 14:46:30,913:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:30 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q
Replay-Nonce: 00023NihzN5iv727rvqHbElmNyy1kZWqNMLYMffdNAvl-Kk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8"
}
2022-04-30 14:46:30,913:DEBUG:acme.client:Storing nonce: 00023NihzN5iv727rvqHbElmNyy1kZWqNMLYMffdNAvl-Kk
2022-04-30 14:46:30,914:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-04-30 14:46:31,915:DEBUG:acme.client:JWS payload:
b''
2022-04-30 14:46:31,917:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/103686009507:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTIxNjk3NTg3IiwgIm5vbmNlIjogIjAwMDIzTmloek41aXY3MjdydnFIYkVsbU55eTFrWldxTk1MWU1mZmROQXZsLUtrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMDM2ODYwMDk1MDcifQ",
"signature": "xWs-ZBYB2hmRkuKmQWtIN7sJHbrvvHovb9DIfQ5OuQmQvVAUnukVfAZwBZOLT5N09eHkA8j_Xa_9K_ClsUMzmUKbUI7fUlX60J_RSuu0yZyecS2tjOuz3zGSGmzqnG8e_JNW5WsORHUEo_iM3xS4gKdY5cvp2a-tzgsOK8f-xygbCaxWuhaxY1VXqNZ9zHSr9jzjES_I-Zo5lKlSBucNHgSWbMzqo5tCU48iphnuCwAg7_0SHNkXYk824ZZmYlDGixz6Jab7aqzxINqaRiGN18puO6l6Jwdd7PyQaQHnUmZgBvCPJrGXZHsp2u9BFINN6IXDNNVaYUs9diZBcj4RmA",
"payload": ""
}
2022-04-30 14:46:31,981:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/103686009507 HTTP/1.1" 200 1014
2022-04-30 14:46:31,982:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 30 Apr 2022 14:46:31 GMT
Content-Type: application/json
Content-Length: 1014
Connection: keep-alive
Boulder-Requester: 521697587
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002JpOWQovpJHWRNN871TE6EvT9oy3Zd2A-YaStkKDBj1M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "thecesar.tech"
},
"status": "invalid",
"expires": "2022-05-07T14:46:29Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "34.75.79.52: Invalid response from http://thecesar.tech/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103686009507/3zcb3Q",
"token": "ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8",
"validationRecord": [
{
"url": "http://thecesar.tech/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8",
"hostname": "thecesar.tech",
"port": "80",
"addressesResolved": [
"34.75.79.52"
],
"addressUsed": "34.75.79.52"
}
],
"validated": "2022-04-30T14:46:30Z"
}
]
}
2022-04-30 14:46:31,982:DEBUG:acme.client:Storing nonce: 0002JpOWQovpJHWRNN871TE6EvT9oy3Zd2A-YaStkKDBj1M
2022-04-30 14:46:31,983:INFO:certbot._internal.auth_handler:Challenge failed for domain thecesar.tech
2022-04-30 14:46:31,983:INFO:certbot._internal.auth_handler:http-01 challenge for thecesar.tech
2022-04-30 14:46:31,983:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: thecesar.tech
Type: unauthorized
Detail: 34.75.79.52: Invalid response from http://thecesar.tech/.well-known/acme-challenge/ZaX1aL3WqvxFDaHPsMzSw573xKTJa67pC37opZPtKI8: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2022-04-30 14:46:31,984:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-30 14:46:31,984:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-04-30 14:46:31,984:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-04-30 14:46:33,059:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/1952/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 1723, in main
return config.func(config, plugins)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 1432, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 513, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 441, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-04-30 14:46:33,061:ERROR:certbot._internal.log:Some challenges have failed.

I was asking about the nginx access log. But, let's ignore that for the moment.

You show a load balancer in front of your web servers. Does it terminate TLS for the clients (browsers, ...)?

Getting certs for servers behind load balancers requires special processing for http challenges. The reason is that you make a request from Certbot for a cert. It then has the Let's Encrypt servers make an http request to your server. The LE server must see the change made by Certbot. But, if your load balancer directed the LE server request to the other server it will not be there. I believe this is what is happening.

Some load balancers can terminate TLS and this may mean you don't need Let's Encrypt certs on each server. Sorting this out is the first step.

2 Likes

The access.log is empty...
When I install nginx I have to delete the default file. Could it be because of this?
What is the LE server?

I think you have a lot to learn about designing your system config. A Load Balancer setup (presumably with Fastly?) and multiple nginx servers is far more complicated than a single server.

I saw Fastly responding in my test requests to your server so this topic on the Fastly site is a good starting point.

To learn more about Let's Encrypt you should review the topics below. Still, I emphasize that you may not even need to get LE certs yourself. Fastly can get them on your behalf.
Let's Encrypt Overview
Let's Encrypt Challenge Types

2 Likes

Yes, I am just starting out in the world of devops.
I uninstalled haproxy and it worked. Thanks for your help.

Ok, I see you got a cert for www.thecesar.tech but you were trying to get one for just thecesar.tech. People often get a cert with both the apex and www names in it.

Also, the DNS entries for both of those point to different servers. That is not normal.

Name:   thecesar.tech
Address: 34.75.79.52

Name:   www.thecesar.tech
Address: 54.82.79.170
2 Likes

Are you saying that both have to stay on the same server?
Can I get another cert with certbot for thecesar.tech?
When I try to configure /etc/haproxy/haproxy.cfg, this appears:
[ALERT] 119/195742 (130587) : parsing [/etc/haproxy/haproxy.cfg:37] : 'bind *:443' : unable to load SSL private key from PEM file '/etc/letsencrypt/live/www.thecesar.tech/fullchain.pem'.
[ALERT] 119/195742 (130587) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 119/195742 (130587) : Fatal errors found in configuration.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES>
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_>
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http
    bind *:80
    bind *:443 ssl crt /etc/letsencrypt/live/www.thecesar.tech/fullchain.pem
    mode http
    default_backend web-server

backend web-server
    balance roundrobin
    server 3774-web-01 34.75.79.52:80 check
    server 3774-web-02 54.85.108.121:80 check

If that IP points to the same server, which it didn't:

There is no private key in that file.
You may need to review the HAPROXY configuration requirements.

2 Likes
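An added example, not the poster's configuration and not from the HAProxy or Let's Encrypt projects, covering the two points raised in this thread: the Let's Encrypt http-01 request must always land on the one backend where certbot edited nginx (a round-robin balancer sends it to the other node half the time), and the file given to `crt` must contain the private key, which fullchain.pem alone does not. The combined PEM path and the choice of 3774-web-01 as the certbot node are assumptions.

```haproxy
# haproxy.cfg fragment (added example; hostnames, paths and node choice are assumptions)

frontend http
    bind *:80
    # HAProxy wants chain AND key in one file. fullchain.pem has no key, so build
    # the bundle first, e.g. in a certbot deploy hook:
    #   cat /etc/letsencrypt/live/www.thecesar.tech/fullchain.pem \
    #       /etc/letsencrypt/live/www.thecesar.tech/privkey.pem \
    #       > /etc/haproxy/certs/www.thecesar.tech.pem
    bind *:443 ssl crt /etc/haproxy/certs/www.thecesar.tech.pem
    mode http

    # Every ACME http-01 validation request has this path prefix. Pin it to the
    # node that runs "certbot --nginx" so the temporary nginx location block
    # that certbot adds is the one the Let's Encrypt validator actually reaches.
    acl is_acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme-challenge if is_acme_challenge

    default_backend web-server

backend acme-challenge
    # Only the certbot node; no round robin here, or the token 404s on the other box.
    server 3774-web-01 34.75.79.52:80

backend web-server
    balance roundrobin
    server 3774-web-01 34.75.79.52:80 check
    server 3774-web-02 54.85.108.121:80 check
```

Once the bundle exists, `haproxy -c -f /etc/haproxy/haproxy.cfg` should no longer report the "unable to load SSL private key" alert, and the second node then needs no certificate of its own because HAProxy terminates TLS.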

If you want to serve the same site on both, yes. If you want to serve different websites, they can be on different servers.

Or if you want to use only one, and have a dedicated redirect server... it's not wrong per se, it's just very unusual.

1 Like