Certbot Fails to Renew SSL - 404 on .well-known/acme-challenge

Hi everyone,

I'm having issues renewing my SSL certificate using Certbot with Nginx on Alpine Linux. I’m stuck with 404 errors on the .well-known/acme-challenge/ directory during the certificate renewal process.

  • Domain: crm.anl.club
  • Operating System: Alpine Linux (Docker container)
  • Nginx Version: nginx/1.25.3
  • Certbot Command: certbot renew

I’m getting 404 errors when trying to validate the domain with the Let's Encrypt CA:

The error I’m seeing:

The Certificate Authority failed to download the temporary challenge files created by 

Nginx Configuration:

Here’s how my Nginx config looks for the domain:


server {
    listen 80;
    server_name crm.anl.club;

    root /usr/share/nginx/html;

    location /.well-known/acme-challenge/ {
        allow all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

Any Advice?

1 Like

Just this morning, I resolved this issue.
If you want to know how I did it, check out my thread: Certbot failed to authenticate some domains (authenticator: nginx) - #11 by nare (at the last comment)

and also share your screenshot or full error log so that I can help you on this.

Thanks

3 Likes

Thanks a lot for the help.

I read your thread but I'm not redirecting from http to https, I have no idea why this error is happening.

1 Like

2024-10-23 09:04:09,069:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: crm.anl.club
Type: unauthorized
Detail: 149.100.158.86: Invalid response from http://crm.anl.club/.well-known/acme-challenge/3khZWnYfVOD30Uwr5ZSmfGp2K-ZxvMMLaAsMD5SsiR8: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and
that files created there can be downloaded from the internet.
2024-10-23 09:04:09,070:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-10-23 09:04:09,070:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-10-23 09:04:09,070:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-10-23 09:04:09,070:DEBUG:certbot._internal.plugins.webroot:Removing /usr/share/nginx/html/.well-known/acme-challenge/3khZWnYfVOD30Uwr5ZSmfGp2K-ZxvMMLaAsMD5SsiR8
2024-10-23 09:04:09,071:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-10-23 09:04:09,071:ERROR:certbot._internal.renewal:Failed to renew certificate crm.anl.club with error: Some challenges have failed.
2024-10-23 09:04:09,073:DEBUG:certbot._internal.renewal:Traceback was:

This is the exact error which I have received yesterday.

Please follow my instruction and also share your server config so that I can guide you.

1 Like

I'm trying to do this really simple

I did your steps and I got the same error :(

Is it the same config?
Can you share your nginx config path and file?

1 Like

You mean this code? This is the conf in my container

/usr/share/nginx/html # cat /etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name crm.anl.club;

    root /usr/share/nginx/html;  # Ensure this matches your webroot

    location /.well-known/acme-challenge/ {
        allow all;  # Allow access to the challenge files
    }

    location / {
        try_files $uri $uri/ =404;
    }
}


Can you confirm that you have this folder in your /usr/share/nginx/html?

1 Like

/usr/share/nginx/html # ls /usr/share/nginx/html/.
../           ./            .well-known/
/usr/share/nginx/html # ls /usr/share/nginx/html/.well-known/
acme-challenge
/usr/share/nginx/html # ls /usr/share/nginx/html/.well-known/acme-challenge/
test.txt
/usr/share/nginx/html # ls -ld /usr/share/nginx/html/.well-known
drwxr-xr-x    3 nginx    nginx         4096 Oct 22 15:17 /usr/share/nginx/html/.well-known
/usr/share/nginx/html # ls -ld /usr/share/nginx/html/.well-known/acme-challenge/
drwxr-xr-x    2 nginx    nginx         4096 Oct 23 09:37 /usr/share/nginx/html/.well-known/acme-challenge/
/usr/share/nginx/html # 

Can you explain more about the "container"? What is running in the host and what is running in containers? Is Certbot running in the same container as nginx?

Also, do you still have that test.txt file in your acme-challenge folder? Because I cannot see it

curl -i http://crm.anl.club/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Server: nginx/1.25.3

3 Likes

The host is Ubuntu and the guest is a Docker container running Alpine.
This is super weird, you are right, I can't download the file, but it's there.

/usr/share/nginx/html # ls -l .well-known/acme-challenge/test.txt 
-rwxr-xr-x    1 nginx    nginx           10 Oct 22 15:17 .well-known/acme-challenge/test.txt

If you can't see it then Let's Encrypt won't find it either :) I am not a container expert but you should just review your port and volume shares carefully.

I also don't see any "home" page for that domain. Is there any other URL that should work?

curl -i http://crm.anl.club
HTTP/1.1 404 Not Found
Server: nginx/1.25.3

Do you have an nginx server running in both the host and a container? The replying nginx does look like what you said is your Alpine but just want to make sure.

3 Likes

I'm super confused; it looks like it forces you to use the certificate even if it's not working and it can't renew.

Ah, good clue.

Any HTTP request on port 80 gets a "404" (even the home page).

But, HTTPS requests on port 443 work properly (ignoring the expired cert).

There is probably something wrong with your nginx config. Sometimes this kind of thing happens if you route port 80 to the wrong place. But, the "Server" response header for both HTTP and HTTPS are identical so I don't think that is what is happening here.

Can you show the entire output of the command below? An upper case T is essential. The info will be very long. If you cannot copy/paste the entire output then redirect to an output file and upload that.

sudo nginx -T

Or this and upload the txt file

sudo nginx -T >config.txt

3 Likes

Here is the output

config.txt (8.2 KB)

1 Like

Can you see the problem? The nginx -T shows the active config being used.

But, the server block for port 80 is not the same as you showed earlier.

Would you show the contents of the file below? This will show what your renew expects.

/etc/letsencrypt/renewal/crm.anl.club.conf

This is your active nginx config, and your directory for the HTTP challenge is /var/www/certbot, not /usr/share/nginx/html.

Either your nginx renewal config needs updating, or your nginx config does. At least we now know why you get a "404" for HTTP requests.

# TODO : http should be redirected to https
  server {
    listen 80;
    #server_name  localhost;

    #root   /usr/share/nginx/html;
    #index  index.html index.htm;
    #include /etc/nginx/mime.types;

    #gzip on;
    #gzip_min_length 1000;
    #gzip_proxied expired no-cache no-store private auth;
    #gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    location /.well-known/acme-chalenge/ {
      root /var/www/certbot;
    }

    location / {
      root /var/www/certbot;
    }

    #location / {
      #try_files $uri $uri/ /index.html;
    #}

    #location /anl/api {
       #proxy_pass http://rest-server:3000;
       #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       #proxy_set_header X-Forwarded-Proto $scheme;
       #proxy_set_header X-Forwarded-Port $server_port;
     #proxy_set_header X-Forwarded-Host $host:$server_port;
       #proxy_hide_header   Referer;
       ##proxy_hide_header   Origin;
       #proxy_set_header  Referer         '';
       #proxy_set_header  Origin          '';
    #}
  }

3 Likes
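As an added example (not code from this thread or from certbot), here is a small check that reproduces the diagnosis above: it parses the active port-80 server block, works out which location nginx would use for a request to /.well-known/acme-challenge/, and compares that location's root with the webroot certbot writes tokens to. EXPECTED_WEBROOT is an assumed value for the renewal config's webroot_path, and NGINX_CONF is a constructed excerpt of the nginx -T output shown above.

```python
import re
# Constructed inputs (not the thread's attachment): the webroot that certbot's
# renewal config is assumed to name, and the port-80 server block from the
# nginx -T output above with its commented-out lines dropped.
EXPECTED_WEBROOT = "/usr/share/nginx/html"
NGINX_CONF = """
server {
  listen 80;
  location /.well-known/acme-chalenge/ { root /var/www/certbot; }
  location / { root /var/www/certbot; }
}
"""
ACME_PATH = "/.well-known/acme-challenge/"
def parse_nginx(text):
    """Tiny nginx parser: list of (name, args, children); children is None for a plain directive."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    def block(i):
        nodes, cur = [], []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "}":
                break
            if tok in "{;":
                kids, i = block(i) if tok == "{" else (None, i)
                nodes.append((cur[0], cur[1:], kids))
                cur = []
            else:
                cur.append(tok)
        return nodes, i
    return block(0)[0]

def check_acme_webroot(text, webroot):
    """Explain why an HTTP-01 token written to `webroot` would 404 on port 80 (prefix locations only)."""
    problems = []
    for name, args, kids in parse_nginx(text):
        if name != "server" or not any(n == "listen" and a[0].split(":")[-1] == "80" for n, a, _ in kids):
            continue
        locs = {a[-1]: k for n, a, k in kids if n == "location"}
        server_root = next((a[0] for n, a, _ in kids if n == "root"), "<nginx default>")
        # nginx serves a URI from the longest matching prefix location, so the spelling must be exact
        match = max((p for p in locs if ACME_PATH.startswith(p)), key=len, default=None)
        if match != ACME_PATH:
            near = [p for p in locs if p.startswith("/.well-known/")]
            problems.append(f"no location matches {ACME_PATH} (similar: {near}); falls through to {match!r}")
        if match is not None:
            root = next((a[0] for n, a, _ in locs[match] if n == "root"), server_root)
            if root != webroot:
                problems.append(f"location {match} serves from {root}, but certbot writes tokens to {webroot}")
    return problems
```

Run against the excerpt it reports two findings: the misspelled location never matches, so the request falls through to `location /`, and that location serves from /var/www/certbot rather than the webroot certbot populates.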

Ohhhh finally the problem was it! Thanks a lot guys!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.