Certbot failed to authenticate some domains

Hey guys, for 4 days we have had a problem renewing the certificate. Also, our 3 websites run for 1 hour, then they stop working so you can't connect through a browser; after 2 hours it works again, really strange. But the panel we can't even get to work.

My domain is: panel.zhrp.live (main domain: zhrp.live)

I ran this command: certbot certonly --nginx -d panel.zhrp.live

It produced this output:
```
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: panel.zhrp.live
Type: unauthorized
Detail: 94.143.231.75: Invalid response from http://panel.zhrp.live/.well-known/acme-challenge/U96Nmj3KUuMr3SpuWsJ2EIHvQPxqtSdmNPqFAEGo_tA: "var x={o:'/999MUWLT/.well-known/acme-challenge/U96Nmj3K"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
```

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Avoro

I can login to a root shell on my machine (yes or no, or I don't know): yes, I can log in as root

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): just for the main server; this panel is Pterodactyl

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): snap certbot (2.6.0)

Hi @Mr.Haze, and welcome to the LE community forum :slight_smile:

You need to exclude the ACME challenge path from whatever protections are in place:

curl -Ii http://panel.zhrp.live/.well-known/acme-challenge/U96Nmj3KUuMr3SpuWsJ2EIHvQPxqtSdmNPqFAEGo_tA
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /PaYXU/.well-known/acme-challenge/U96Nmj3KUuMr3SpuWsJ2EIHvQPxqtSdmNPqFAEGo_tA

curl -Ii http://panel.zhrp.live/PaYXU/.well-known/acme-challenge/U96Nmj3KUuMr3SpuWsJ2EIHvQPxqtSdmNPqFAEGo_tA
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /ooOMS/PaYXU/.well-known/acme-challenge/U96Nmj3KUuMr3SpuWsJ2EIHvQPxqtSdmNPqFAEGo_tA

As for the UP then DOWN problem...
I don't think this is the forum for that problem.

6 Likes
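One way to carve the challenge path out of a site-wide redirect when that redirect lives in nginx, added here as an example and not taken from the thread or from Certbot's own templates. It assumes a webroot of /var/www/certbot (used with `certbot --webroot -w /var/www/certbot`); if the redirect or anti-bot check sits in a layer in front of nginx, as the later replies suspect, the exemption has to be made in that layer instead.

```nginx
server {
    listen 80;
    server_name panel.zhrp.live;

    # Serve HTTP-01 challenges as plain text before any other rule can
    # redirect or rewrite them. "^~" takes precedence over regex locations,
    # so a later "location ~ ..." protection cannot capture this path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;      # assumed webroot, not from the thread
        default_type text/plain;
        try_files $uri =404;
    }

    # Whatever redirect or protection the site needs applies to everything else.
    location / {
        return 302 https://$host$request_uri;
    }
}
```

After reloading, `nginx -T` prints the configuration nginx actually loaded; if the acme-challenge location is missing from that output, the file holding it is not being included and no amount of editing it will change what the CA sees.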

Are you using anything like Fail2BAN ?

curl -Ii http://panel.zhrp.live/
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /KRLVe/

curl -Ii http://panel.zhrp.live/KRLVe/
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /

curl -Ii http://panel.zhrp.live/
curl: (56) Recv failure: Connection reset by peer

Even following the redirects...
It looks like my IP was banned.

4 Likes

Hey, thanks for your fast response, and sorry for my bad English. I'm totally new at this, so please understand if I don't get something the first time.

No, we don't use this or anything like it.

1 Like

For my test challenge I should get a 404 Not Found, but instead I get a 200 OK with HTML for a script. The error in your first post looks like this too.

Do you know what might be returning this script info? With Certbot --nginx it makes a temp change to the nginx config which should return the challenge token created by Certbot. So, this looks like something before nginx like a firewall or an inbound HTTP inspection service.

Instead your server returns something like this:

curl -iL http://panel.zhrp.live/.well-known/acme-challenge/Test123
HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html
Content-Length: 211

<!DOCTYPE html><html><title></title><script>var y=window</script>
<script>var x={o:'allenge/Test123',t:'/acjYd/.well-',h:'known/acme-ch'};
function rsu(){return x.t+x.h+x.o}y.location.assign(rsu())</script></html>

NOTE: I get a different response when using a HEAD request. A GET request more closely shows the error in post #1.

4 Likes
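The checks in the replies above (curl against the challenge path, following the 302 chain and the JavaScript `location.assign()` hop, and confirming the IP is not simply being banned) can be automated. The script below is an added example and is not code from the thread or from Certbot; the responses it walks are constructed from the output posted above rather than fetched, and the `broken_site`/`fixed_site` functions stand in for the real server. It reconstructs the target of the obfuscated `var x={...}; return x.t+x.h+x.o` script, follows redirects up to a depth limit the way a validator would, and reports whether the chain ever ends in a plain-text token.

```python
import re
from dataclasses import dataclass

ACME_PATH = "/.well-known/acme-challenge/"

# Pattern of the redirect script seen in the GET response above:
#   var x={o:'allenge/Test123',t:'/acjYd/.well-',h:'known/acme-ch'};
#   function rsu(){return x.t+x.h+x.o}y.location.assign(rsu())
JS_OBJ_RE = re.compile(r"var\s+x\s*=\s*\{([^}]*)\}")
JS_KV_RE = re.compile(r"(\w+)\s*:\s*'([^']*)'")
JS_ORDER_RE = re.compile(r"return\s+((?:x\.\w+\s*\+\s*)*x\.\w+)")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def js_redirect_target(body):
    """Reassemble the path the obfuscated script jumps to, or None if absent."""
    obj = JS_OBJ_RE.search(body)
    order = JS_ORDER_RE.search(body)
    if not obj or not order:
        return None
    parts = dict(JS_KV_RE.findall(obj.group(1)))
    keys = re.findall(r"x\.(\w+)", order.group(1))
    try:
        return "".join(parts[k] for k in keys)
    except KeyError:
        return None


def classify(resp):
    """Return (verdict, next_path); next_path is only set for redirects."""
    if 300 <= resp.status < 400 and "Location" in resp.headers:
        return "http-redirect", resp.headers["Location"]
    if resp.status == 200:
        target = js_redirect_target(resp.body)
        if target is not None:
            return "js-redirect", target
        ctype = resp.headers.get("Content-Type", "")
        if ctype.startswith("text/plain") and "<" not in resp.body:
            return "token", None
        return "unexpected-body", None
    if resp.status == 404:
        return "not-found", None
    return "status-%d" % resp.status, None


def follow(fetch, path, max_hops=5):
    """Walk the redirect chain with fetch(path) -> Response.

    Returns (final_verdict, visited_paths). Only a final verdict of "token"
    means the challenge would validate; a loop or a chain longer than the
    validator tolerates fails just like an unauthorized response.
    """
    visited = [path]
    for _ in range(max_hops):
        verdict, nxt = classify(fetch(path))
        if nxt is None:
            return verdict, visited
        path = nxt
        if path in visited:
            return "redirect-loop", visited + [path]
        visited.append(path)
    return "too-many-redirects", visited


TOKEN = "Test123"


def broken_site(path):
    """Constructed stand-in for the behaviour posted above: the challenge URL
    answers with the redirect script, and every later hop 302s to yet
    another random prefix, so the token is never served."""
    if path.startswith(ACME_PATH):
        body = ("<!DOCTYPE html><html><title></title><script>var y=window</script>\n"
                "<script>var x={o:'allenge/Test123',t:'/acjYd/.well-',h:'known/acme-ch'};\n"
                "function rsu(){return x.t+x.h+x.o}y.location.assign(rsu())</script></html>")
        return Response(200, {"Content-Type": "text/html"}, body)
    return Response(302, {"Location": "/PaYXU" + path}, "")


def fixed_site(path):
    """Constructed stand-in for a correctly exempted challenge path."""
    if path == ACME_PATH + TOKEN:
        return Response(200, {"Content-Type": "text/plain"}, TOKEN + ".keyauth")
    return Response(404, {}, "")


if __name__ == "__main__":
    for name, site in (("broken", broken_site), ("fixed", fixed_site)):
        verdict, hops = follow(site, ACME_PATH + TOKEN)
        print(name, verdict, " -> ".join(hops))
```

Against a live host, replace `broken_site` with a function that issues a GET (not HEAD, since the reply above notes the two differ) with `allow_redirects` off and wraps the result in `Response`; a `Connection reset` part-way through the chain is the ban the second reply ran into, and is worth reporting as its own verdict.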

Someone is using something that returns rewrites and then temporarily bans non-compliant IPs [of its very weird compliance hurdles].

3 Likes

I got it. The problem was that in sites-available all our configs had a .confg at the end... I updated certbot and deleted the .confg at the end. Thanks for your help.

2 Likes
