Certbot failed to download the challenge files

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fabrizio.zyxel.me

I ran this command: sudo certbot certonly --standalone --preferred-challenges http -d fabrizio.zyxel.me

It produced this output: Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: fabrizio.zyxel.me
Type: unauthorized
Detail: 95.246.220.169: Invalid response from http://fabrizio.zyxel.me/r51253,/desktop,/index.html: "\n\n\n\t<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">\n\t<meta http-equiv="X-UA-Compa"
(letsencrypt.log file available if necessary)

My web server is (include version): nginx (?) embedded in Zyxel NAS326

The operating system my web server runs on is (include version): NAS326 Linux kernel 3.10.39 (Busybox command set)

My hosting provider, if applicable, is: Zyxel dynamic DNS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Welcome @Usodimare

First, using --standalone requires certbot to have access to port 80. But, you have a webserver responding to http (port 80) requests already.

Second, Apache is responding to http right now. How is nginx involved?

Normally if you have a webserver you can use --webroot method or even the plug-in for Apache or nginx (--apache --nginx). These methods allow getting a cert without stopping your webserver.

If you need to use --standalone you will need to stop whatever is handling HTTP requests before running certbot.

One last item, the Apache service you have is doing very unusual redirects which will interfere with using it to get a cert. We'd have to know more about your system before advising further. You might just have to stop Apache and use standalone if you can't change the Apache config yourself.

(test version of HTTP Challenge request for cert, redirect format is wrong)
curl -I fabrizio.zyxel.me/.well-known/acme-challenge/Test123
HTTP/1.1 302 Found
Server: Apache
Location: /r51253,/desktop,/index.html

(below is not used by Let's Encrypt but just noting use of alternate port for home page)
curl -I fabrizio.zyxel.me
HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://fabrizio.zyxel.me:5000/DYNAMIC_STRING/desktop,/
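The curl test above is the right idea: before running certbot, fetch the challenge URL the way the CA will and see where the redirects take you. The following is an added example, not code from the thread or from certbot, that automates that preflight in Python. It follows up to ten redirects, accepts only http/https URLs on the ports the CA will follow (80 and 443 by default), and passes only if the final response is a 200 whose body is the token you placed. To run offline it starts two constructed stand-in servers on loopback: one that reproduces the Zyxel-style 302 to /r51253,/desktop,/index.html seen in the thread, and one that serves the token from a plain webroot; the ephemeral loopback ports are whitelisted only for that demo. The token Test123 and the HTML snippet are made up for the example.

```python
"""Preflight check mimicking the CA's HTTP-01 fetch (added example, not certbot code)."""
import functools
import http.client
import os
import shutil
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10
TOKEN = "Test123"  # hypothetical token; real ones are random strings issued by the CA


def check_http01(start_url, token, max_redirects=MAX_REDIRECTS, allowed_ports=(80, 443)):
    """Return (ok, reason). ok is True only if the token is reachable the way a CA fetches it.

    A real preflight keeps allowed_ports=(80, 443); the demo below overrides it
    because its stand-in servers listen on ephemeral loopback ports.
    """
    url = start_url
    for _hop in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False, f"redirect to non-http(s) URL: {url}"
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port not in allowed_ports:
            return False, f"redirect to disallowed port {port}: {url}"
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, port, timeout=5)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            if not location:
                return False, f"HTTP {resp.status} without Location at {url}"
            url = urljoin(url, location)  # relative Location, as the NAS sends, is resolved here
            continue
        if resp.status != 200:
            return False, f"HTTP {resp.status} at {url}"
        if body.strip() != token.encode():
            # This is the shape of the error in the original post: a 200 page that is not the token.
            return False, f"invalid response from {url}: {body[:60]!r}"
        return True, url
    return False, "too many redirects"


class ZyxelLikeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the NAS front end: the challenge path is bounced to a web page."""
    PAGE = b'<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head></html>'

    def do_GET(self):
        if self.path.startswith("/.well-known/acme-challenge/"):
            self.send_response(302)
            self.send_header("Location", "/r51253,/desktop,/index.html")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass


class QuietFileHandler(SimpleHTTPRequestHandler):
    """Plain webroot server, i.e. what certbot --webroot needs on port 80."""
    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a loopback server on an ephemeral port and serve it from a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_demo():
    """Check the redirecting NAS and a correct webroot; return both (ok, reason) results."""
    bad_srv, bad_port = start_server(ZyxelLikeHandler)
    webroot = tempfile.mkdtemp()
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir)
    with open(os.path.join(challenge_dir, TOKEN), "w") as fh:
        fh.write(TOKEN)  # certbot --webroot writes the key authorization here
    good_srv, good_port = start_server(functools.partial(QuietFileHandler, directory=webroot))
    try:
        bad = check_http01(f"http://127.0.0.1:{bad_port}/.well-known/acme-challenge/{TOKEN}",
                           TOKEN, allowed_ports=(bad_port,))
        good = check_http01(f"http://127.0.0.1:{good_port}/.well-known/acme-challenge/{TOKEN}",
                            TOKEN, allowed_ports=(good_port,))
    finally:
        bad_srv.shutdown(); bad_srv.server_close()
        good_srv.shutdown(); good_srv.server_close()
        shutil.rmtree(webroot, ignore_errors=True)
    return bad, good


if __name__ == "__main__":
    for label, result in zip(("NAS redirect", "plain webroot"), run_demo()):
        print(f"{label}: {result}")
```

Against a real host you would drop a file named Test123 containing Test123 into the webroot and call check_http01("http://fabrizio.zyxel.me/.well-known/acme-challenge/Test123", "Test123") with the default ports; until that returns True, neither --webroot nor the CA's validation can succeed, and the reason string tells you which hop broke it.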

As far as I know, those Zyxel NAS devices don't have any ACME integration. Only a web panel to install your own certificate or generate a CSR.

So OP might need to put something in between the NAS and the internet, e.g. nginx 😛

By the way, I wouldn't for the life of it make my NAS accessible from the public internet 😱 Even if it has a password protection. I don't have much faith in Zyxel or similar companies updating the FW of old devices if exploits are found. Or not any time soon anyway.


You are right: I definitely need to install a "true" network server. I am using the Zyxel NAS just as an exercise. However, thank you very much for your assistance.
Fabrizio

