Certbot fails to get ssl certificate for nginx server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
goransustekdoo.ddns.net

I ran this command:
certbot -v --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: goransustekdoo.ddns.net


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for goransustekdoo.ddns.net
Performing the following challenges:
http-01 challenge for goransustekdoo.ddns.net
Waiting for verification...
Challenge failed for domain goransustekdoo.ddns.net
http-01 challenge for goransustekdoo.ddns.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: goransustekdoo.ddns.net
Type: connection
Detail: 141.136.177.98: Fetching http://goransustekdoo.ddns.net/.well-known/acme-challenge/aE05mG57wqV_JxByW25ed2oTqqNmAXvUAWOe6EP12H0: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.25.4

The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

I need the domain certificate. The port forwarding is set up and I can telnet to it via my domain address on port 80, but it still fails to create the cert. Here is the last part of the log:
2024-03-30 09:09:31,828:DEBUG:acme.client:Storing nonce: CwITDWGvFvJBTpfK8o0b48WYABLioRmFBuI18zPqGECP82EJTYs
2024-03-30 09:09:31,829:INFO:certbot._internal.auth_handler:Challenge failed for domain goransustekdoo.ddns.net
2024-03-30 09:09:31,829:INFO:certbot._internal.auth_handler:http-01 challenge for goransustekdoo.ddns.net
2024-03-30 09:09:31,830:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: goransustekdoo.ddns.net
Type: connection
Detail: 141.136.177.98: Fetching http://goransustekdoo.ddns.net/.well-known/acme-challenge/aE05mG57wqV_JxByW25ed2oTqqNmAXvUAWOe6EP12H0: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2024-03-30 09:09:31,831:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-03-30 09:09:31,831:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-03-30 09:09:31,831:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-03-30 09:09:33,133:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1287, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-03-30 09:09:33,136:ERROR:certbot._internal.log:Some challenges have failed.

The Let's Encrypt server does not get the expected token from your server to satisfy the HTTP Challenge.

I get "empty reply" errors from my own test server and that looks like the same error the LE servers get. You may need to check your port routing. Check any firewalls and similar that might be rejecting the requests. The Let's Debug test site is helpful to test comms when setting up new sites.

My own tests are below. You should get some sort of HTTP response.

curl -i http://goransustekdoo.ddns.net
curl: (52) Empty reply from server

curl -i http://goransustekdoo.ddns.net/.well-known/acme-challenge/Test404
curl: (52) Empty reply from server

Also try
https://letsdebug.net

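The distinction the reply above draws (an HTTP error response versus no reply at all) can be checked with a small probe that sends the same kind of plain GET the validators send. This is an added example, not code from the thread or from Certbot; `probe`, `classify` and the loopback stand-in server are all constructed here, and only the loopback demo runs offline.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"   # path the LE validators fetch over port 80

def classify(raw: bytes) -> tuple:
    """Map the bytes read from the socket to (kind, status)."""
    if not raw:
        return ("empty-reply", None)   # what curl reports as error 52
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return ("http", int(parts[1]))  # any status means nginx itself answered
    return ("not-http", None)

def probe(host: str, port: int = 80, token: str = "Test404", timeout: float = 5.0) -> tuple:
    """Send one plain HTTP/1.1 GET for the challenge path and classify the reply."""
    req = (f"GET {ACME_PATH}{token} HTTP/1.1\r\nHost: {host}\r\n"
           "Connection: close\r\n\r\n").encode()
    chunks, timed_out = [], False
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while True:
                try:
                    data = s.recv(4096)
                except socket.timeout:     # peer holds the connection open silently
                    timed_out = True
                    break
                if not data:               # peer closed: whatever it sent is complete
                    break
                chunks.append(data)
    except ConnectionRefusedError:
        return ("refused", None)           # nothing listening or the forward rejects
    except OSError as e:
        return ("unreachable", str(e))     # connect timed out or routing error
    if timed_out and not chunks:
        return ("timeout", None)
    return classify(b"".join(chunks))

class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for an nginx that answers 404 for the test token."""
    def do_GET(self):
        self.send_response(404); self.end_headers()
    def log_message(self, *args): pass     # keep the demo quiet

def demo_local() -> tuple:
    """Probe the stand-in on a loopback port; a reachable server yields ('http', 404)."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()

if __name__ == "__main__":
    print(demo_local())  # from outside the LAN, run probe("goransustekdoo.ddns.net") instead
```

Run it from a host outside your own network: "empty-reply" or "timeout" points at port forwarding or a firewall, while any HTTP status means nginx is reachable and the remaining work is in its configuration.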

I just realized that the configuration for my domain in nginx is set to drop every request that is not of type POST or GET, and if it is, then it gets sent to the API. I do not know how exactly certbot works, but maybe some of my nginx config is getting in conflict with it when run. Here is my domain config:


server {
        return 403;
}

server {
        listen 443;
#       listen 5000 ssl;
#       listen [::]:5000 ssl;

#       ssl_certificate "/etc/nginx/ssl/fullchain1.pem";
#       ssl_certificate_key "/etc/nginx/ssl/privkey1.pem";
#       ssl_protocols       TLSv1.3;

        # Additional Security
        server_tokens off; # Doesn't show nginx version and OS
#       if ($request_method !~ ^(GET|POST)$ ) # If HTTP method isn't GET or POST return 405
#       {
#               return 405;
#       }
#       add_header X-Frame-Options "SAMEORIGIN"; # Same origin policy within iframe, not needed because no embedded html inside html

        # NGINX WAF security
        # ModSecurity 3 installed and configured
        # OWASP Core Rule Set

        server_name goransustekdoo.ddns.net;

#       location / {
                # If the request packet's destination host isn't my FQDN --> return 444
#               if ($host !~* "goransustekdoo.ddns.net") {
#                       return 444;
#               }
#               include proxy_params;
#               proxy_pass http://127.0.0.1:30749;
#       }

        location /makni_iz_galerije {
                # Set max body size
                client_max_body_size 10000m;

                include proxy_params;
                proxy_pass http://127.0.0.1:30749;
        }

        location /dodaj_u_galeriju {
                # Set max body size
                client_max_body_size 10000m;

                include proxy_params;
                proxy_pass http://127.0.0.1:30749;
        }
}

Is that maybe the problem? Also, I am not sure if I should have nginx started when running certbot.

No. The example curl -i commands I used are GET requests. Also, if nginx rejects it with an error code I should see that HTTP response, but there isn't anything. It looks more like a firewall is dropping the request. The return 444; in nginx would cause the "no reply" too, as that is a special value, but in your config that is commented out.

Certbot doesn't actually make an HTTP request to your server. It makes a request to the Let's Encrypt Server. The LE Servers are the ones making the HTTP requests and those are GET type.

Yes, nginx should be started before running Certbot with --nginx plugin.

But, this is to avoid a known bug in Certbot. If nginx is not running before using the --nginx plugin, Certbot will start an nginx. But, it starts it using a very old method which causes conflict with modern systems. If you did that, restarting your linux server will clear that up. You can also fix that by looking at each running pid and killing them off, but restarting is easier if you can tolerate that.


Where is the server block for port 80? Are you just relying on that default one? Because it would be better to have an explicit server block for this domain.

The HTTP Challenge from the LE Servers is an HTTP request coming in on port 80.


I do not have it. It used to be this one, but after getting the cert the first time I changed it to another port and continued my config as needed. So I should create a normal port 80 server block and try again?

Yes, but I am not sure that is causing the empty replies. You should have it anyway.


The port forward is working; you can telnet to it. Ufw status:
80 ALLOW Anywhere
Nginx Full ALLOW Anywhere

The port should not be the problem.

Now I curled with loopback and LAN address and got answer.

But something is wrong. I can connect with telnet on port 80 but can't issue any commands. I get connection closed.

But, telnet is not what is important here. HTTP GET commands are not getting any reply from your domain. Not even error response headers.

Keep making changes and using the Let's Debug test site I linked earlier to test changes. You need to have working HTTP connections from outside your local network for the HTTP Challenge to work.


Finally found the issue. You were right, it was a problem with the port forwarding configuration on my side. I had two port 80 rules active at the same time. Thank you very much!
