Certbot - HTTP-01 Challenge in NGINX in Docker

Please fill out the fields below so we can help you better.

My domain is:
beta-api.sessuri.com

I ran this command:
certbot-auto renew

It produced this output:
Attempting to renew cert from /etc/letsencrypt/renewal/beta-api.sessuru.com.conf produced an unexpected error: Failed authorization procedure. beta-api.sessuru.com (http-01): urn:acme:error:unauthorized :: :: Invalid response from http://beta-api.sessuru.com/.well-known/acme-challenge/JKotJbamhuI8SmVP5MdIiRJLQeNRGVvgiV-K57SgMy0 [159.203.202.60]: 404. Skipping.

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
ubuntu 14.04

My hosting provider, if applicable, is:
digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
I can sudo

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I’ve got four domains in the same boat.

My questions are:

  • I don’t think the ‘well-known’ challenges ever existed. We’ve been using letsencrypt for over a year - might those have never been created in our original setup?
  • Is there an issue with removing everything and installing again?

The client has chosen the http-01 (which uses the /.well-known/acme-challenge/ directory) because the renewal configuration file mentioned in your log told the client to do so. This means the initial issuing of the certificate would also have used the http-01 challenge.

Also, certbot automatically makes the directories when needed.

You should check your nginx error or access log file to see where it tries to access the challenge file on your file system. You initially entered a webroot path on the first run of certbot. The webroot path (you can check it in the mentioned renewal configuration file) should be the same as the document root of your website.

A possible reason for renewal not to work might be because of the HTTP to HTTPS redirect in place. But most of the time the HTTP and HTTPS sites have the same webroot, so that wouldn't matter. It might be your HTTP and HTTPS webroot paths differ and hence the error.
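Added example, not from this thread or from Certbot's own files: an nginx server block for the plain-HTTP side that keeps the challenge directory reachable even when everything else redirects to HTTPS, which is the redirect case described above. It assumes a placeholder domain beta-api.example.com and a webroot of /var/www/letsencrypt, which must match the webroot_path recorded in the /etc/letsencrypt/renewal/<domain>.conf file; when nginx runs in Docker, that directory also has to be a volume shared with wherever certbot runs.

```nginx
# Added example (not from this thread). Assumptions: placeholder domain
# beta-api.example.com; webroot /var/www/letsencrypt, the same path as
# webroot_path in /etc/letsencrypt/renewal/<domain>.conf. In Docker this
# path must be a volume mounted into both the nginx and certbot containers.
server {
    listen 80;
    server_name beta-api.example.com;

    # Serve ACME challenge files directly, before any redirect.
    # certbot --webroot writes each token to
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>
    # The ^~ prefix makes this location win over regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, put a test file under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it with curl over plain HTTP; a 404 there reproduces the failure certbot reported and points at the webroot mismatch.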

Thanks for the reply - when you say http-01 challenge - are there multiple challenges the renewal process will potentially use? You just gave me something to google for.

I can see the webroot path from configuration - but I don’t think it’s ever been used. Can that be right?

Thanks for helping me dig deeper into this issue.

[quote=“dgdosen, post:3, topic:35353, full:true”]
Thanks for the reply - when you say http-01 challenge - are there multiple challenges the renewal process will potentially use? You just gave me something to google for.[/quote]

There are three challenges that the Let’s Encrypt CA can use (DNS-01, HTTP-01, and TLS-SNI-01), but Certbot tries to use the same one that was used the last time when renewing a certificate. The --webroot method always uses HTTP-01.

One reason I ask - I’ve got a docker solution using nginx - and I know it’s been renewed in the past, but now it’s coughing on the same http-01 issue… I know for a fact that the .well-known path was never set for nginx on that slice…

The .well-known path itself isn’t supposed to be set, just the web content root. Certbot itself will add /.well-known/acme-challenge to the path.
