Certbot fails to authenticate

Hi,

I just installed the current version of Raspbian OS alongside HAProxy, nginx as well as certbot, checked that my requests got through and started certbot, which provided me the list of domains configured. I then chose the one listed below, and was confronted with the error message documented below. I did not find the .well-known/acme-challenge folder, so I created one myself and ran touch combined with the name listed before. I had no problem getting to that file, both from outside and from within my network.

My domain is: news.unzensiert.org

I ran this command: sudo certbot --nginx

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: news.unzensiert.org
Type: unauthorized
Detail: 92.76.158.101: Invalid response from http://news.unzensiert.org/.well-known/acme-challenge/nrE3tCQqQIc5EYYnFGN_hHhm7_EngTV6F1XGX27b06w: 404

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Raspbian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is: self hosted.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Any ideas? Letsencrypt.log doesn't show much more than what's written above.
If you wish, I can provide them in full length.

Kind regards

Udo

Hello @Udo, welcome to the Let's Encrypt community. :slightly_smiling_face:

Can you put and leave a test file in http://news.unzensiert.org/.well-known/acme-challenge/ for the duration of getting this running? Anything is fine, like helloworld.txt with contents of "Hello, world."

Also is the time correct on your Raspberry Pi? I run Ubuntu on mine and I always have to set the time on power up for some reason.

3 Likes

Also, using this online tool https://dnsspy.io/ with unzensiert.org as the input I got these results: DNS Spy report for unzensiert.org

Yet with nslookup I get these results, which to me do not seem consistent with the above.

$ nslookup
> news.unzensiert.org
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
news.unzensiert.org     canonical name = springfeld.ddns.net.
Name:   springfeld.ddns.net
Address: 92.76.158.101
> set q=ns
> news.unzensiert.org
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
news.unzensiert.org     canonical name = springfeld.ddns.net.

Authoritative answers can be found from:
ddns.net
        origin = nf1.no-ip.com
        mail addr = hostmaster.no-ip.com
        serial = 2486550606
        refresh = 10800
        retry = 1800
        expire = 604800
        minimum = 1800
ddns.net
        origin = nf1.no-ip.com
        mail addr = hostmaster.no-ip.com
        serial = 2486550957
        refresh = 10800
        retry = 1800
        expire = 604800
        minimum = 1800
> server nf1.no-ip.com
Default server: nf1.no-ip.com
Address: 194.62.182.53#53
Default server: nf1.no-ip.com
Address: 2a07:dc00:1820::53#53
> news.unzensiert.org
Server:         nf1.no-ip.com
Address:        194.62.182.53#53

** server can't find news.unzensiert.org: REFUSED
> set q=a
> news.unzensiert.org
Server:         nf1.no-ip.com
Address:        194.62.182.53#53

** server can't find news.unzensiert.org: REFUSED
> set q=aaaa
> news.unzensiert.org
Server:         nf1.no-ip.com
Address:        194.62.182.53#53

** server can't find news.unzensiert.org: REFUSED
> set q=cname
> news.unzensiert.org
Server:         nf1.no-ip.com
Address:        194.62.182.53#53

** server can't find news.unzensiert.org: REFUSED
> exit

3 Likes

Hello @Bruce5051, thanks for your welcoming reply. :slight_smile:

I have placed a file named helloworld.txt with "Hello, world." here:
http://news.unzensiert.org/.well-known/acme-challenge/helloworld.txt

Date gives me:
Mon 2 Jan 19:34:13 GMT 2023

Kind regards,

Udo

3 Likes

At this point, kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

It does not seem like the HTTP-01 Challenge response file is being created (my guess).

Using the online tool Let's Debug is showing no problem https://letsdebug.net/news.unzensiert.org/1320534

Supplemental information:

$ nmap news.unzensiert.org
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-02 19:42 UTC
Nmap scan report for news.unzensiert.org (92.76.158.101)
Host is up (0.18s latency).
rDNS record for 92.76.158.101: dslb-092-076-158-101.092.076.pools.vodafone-ip.de
Not shown: 948 filtered ports, 50 closed ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

$ curl -Ii http://news.unzensiert.org/.well-known/acme-challenge/helloworld.txt
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 02 Jan 2023 19:42:33 GMT
Content-Type: text/plain
Content-Length: 14
Last-Modified: Mon, 02 Jan 2023 19:28:11 GMT
Connection: keep-alive
ETag: "63b3304b-e"
Accept-Ranges: bytes
4 Likes

Yes, it would be helpful to see the whole log. Copy it to a .txt and use the upload button in the tool menu for each post.

The --nginx authenticator makes temp changes to your nginx config and it looks like something has gone wrong. The log should help us identify what.

Instead of that you could upload your entire nginx config. Create a file like this:

sudo nginx -T >upload.txt

And upload the (large) upload.txt file. Be sure to use capital T. We can often identify the problem from this too.

7 Likes

hmm...

Which responds to the inbound HTTP requests?
Which should be handling the HTTPS connections?
Which should be using the certificate(s)?

7 Likes

Hi @bruce5051,

I had to fight with some illness in the meantime, but since I'm up and running (kinda), here are both files you requested.

To be honest: I only made changes to sites-*/, left the other config alone.

Kind regards,

Udo
letsencrypt.log.txt (29.7 KB)
nginx.cfg.txt (8.9 KB)

4 Likes

Hi @rg305,

you asked:

Which responds to inbound HTTP requests?

HAProxy isn't terminating the SSL connection, if that's what you are asking.

nginx is configured to listen to :8000 and :44300. That works fine - at least for http.

Kind regards,

Udo

1 Like

@Udo Because you listen on a non-standard port, you must use the --http-01-port option with the nginx plug-in. So, like this:

sudo certbot --nginx -d news.unzensiert.org --http-01-port 8000 --dry-run

If successful, remove --dry-run to get and install the production cert.

--http-01-port HTTP01_PORT
Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80)

And, the --nginx plug-in will create a server block for HTTPS. It usually sets it up to listen on port 443. But, I think if you specify this it will set the listen to the port indicated.

--https-port HTTPS_PORT
Port used to serve HTTPS. This affects which port Nginx will listen on after a LE certificate is installed. (default: 443)

6 Likes
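The reply above explains the two port options the nginx plug-in needs when nginx is not on :80/:443, and an earlier reply suggested leaving a test file in .well-known/acme-challenge/ and fetching it with curl. The script below is an added example, not code from the thread or from the Certbot project: it reads an `nginx -T` style dump, picks the plain and SSL listen ports from it, builds the matching `--dry-run` command, and offers a curl check of a test URL. The sample config, the domain news.example.invalid and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight for HTTP-01 when nginx
# listens on non-standard ports behind HAProxy. All names are constructed.

# Constructed stand-in for what `sudo nginx -T` prints (hypothetical values).
SAMPLE_NGINX_CONF='
server {
    listen 8000;
    listen [::]:8000;
    server_name news.example.invalid;
    root /var/www/html;
}
server {
    listen 44300 ssl;
    server_name news.example.invalid;
}
'

# First plain (non-ssl) listen port in an nginx -T dump read from stdin.
# Handles "listen 8000;", "listen [::]:8000;" and "listen 127.0.0.1:8000;".
# Falls back to 80, the port the nginx plug-in assumes by default.
nginx_http_port() {
    port=$(awk '
        $1 == "listen" && $0 !~ /ssl/ {
            p = $2; sub(/;$/, "", p); sub(/^.*:/, "", p)
            if (p ~ /^[0-9]+$/) { print p; exit }
        }')
    echo "${port:-80}"
}

# First ssl listen port in the dump; falls back to 443.
nginx_https_port() {
    port=$(awk '
        $1 == "listen" && $0 ~ /ssl/ {
            p = $2; sub(/;$/, "", p); sub(/^.*:/, "", p)
            if (p ~ /^[0-9]+$/) { print p; exit }
        }')
    echo "${port:-443}"
}

# Build the dry-run command. --http-01-port only changes where Certbot
# listens; the CA still connects to public port 80, so the proxy in front
# (HAProxy here) must forward :80 to that port.
certbot_cmd() {
    printf 'sudo certbot --nginx -d %s --http-01-port %s --https-port %s --dry-run\n' \
        "$1" "$2" "$3"
}

# Fetch a test file under the challenge path from outside and report the
# status; anything other than 200 means the CA would see the same failure.
# Network access is needed, so this is only run when CHECK_HOST is set.
check_challenge_url() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$2")
    [ "$code" = "200" ]
}

if [ -n "${CHECK_HOST:-}" ]; then
    if check_challenge_url "$CHECK_HOST" helloworld.txt; then
        echo "challenge path reachable on $CHECK_HOST"
    else
        echo "challenge path NOT reachable on $CHECK_HOST" >&2
    fi
fi

HTTP_PORT=$(printf '%s\n' "$SAMPLE_NGINX_CONF" | nginx_http_port)
HTTPS_PORT=$(printf '%s\n' "$SAMPLE_NGINX_CONF" | nginx_https_port)
certbot_cmd news.example.invalid "$HTTP_PORT" "$HTTPS_PORT"
```

On a real host, replace the embedded sample with `sudo nginx -T | nginx_http_port` and run with `CHECK_HOST=your.domain` once a test file is in place; if the curl check fails from outside the network while the file is served locally, the problem sits in the HAProxy forwarding of port 80 rather than in Certbot.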
