Certbot - HTTP Challenge with NGINX and HTTP to HTTPS Redirects

I’m trying to move from self-signed certificates to Let’s Encrypt certificates.

Webserver/OS: nginx 1.10.0-0ubuntu0.16.04.4

I ran this command: sudo certbot certonly --webroot --webroot-path=/var/www/letsencrypt/ -d sub.domain.tld

It produced this output:

Failed authorization procedure. sub.domain.tld (http-01): urn:acme:error:connection :: The server could not connect to the client to 
verify the domain :: Could not connect to sub.domain.tld

I have a permanent redirect from port 80 (http) to https and I’ve created a location block for letsencrypt:

location /.well-known {
        root /var/www/letsencrypt/;
        allow all;
}

But the creation of the certificate fails. I suspect that Let’s Encrypt fails at verifying my server due to the self-signed HTTPS certificate.
Is there a workaround, or how could I get this working?

edit: I did try to create a test file in /var/www/letsencrypt/.well-known/, which was accessible publicly via https://sub.domain.tld/.well-known/test.html and the request to http was successfully redirected from http to https.

edit2: From what I understand now, the issue is the redirect from http to https for requests to .well-known, as I am using webroot. Is that correct?

I’ve resolved this issue by not using the --webroot plugin, but the --standalone --preferred-challenges http plugin and have nginx listen on port 443 only.

I’m glad you got it working and I’m sorry that we didn’t manage to debug the previous way you were attempting to do it, which seems like it should have been technically possible. There was probably just some very small detail wrong with the web server configuration. (A self-signed certificate is actually OK for the HTTP-01 challenge that --webroot uses, if site visitors are redirected from HTTP to HTTPS.)

After some debugging on the topic, the issue turned out to be a firewall.
Port 80 was blocked during my attempts with --webroot, a good reason to facepalm after all.

Thank you for the feedback though!
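The two failure modes in this thread (port 80 filtered, and the challenge path caught by the HTTP to HTTPS redirect) can be told apart from outside before running certbot. The script below is an added example, not the thread's own code or part of certbot; it assumes the webroot from the thread, /var/www/letsencrypt, and takes the host name as its first argument.

```sh
#!/bin/sh
# Added example: mimic what the HTTP-01 validator does. Writes a throwaway token
# under the webroot, fetches it over plain HTTP (no -L, so a redirect is reported
# as its 30x status instead of being followed) and classifies the outcome.
# Assumed webroot: /var/www/letsencrypt (override with WEBROOT=...).

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"

# Map curl's reported HTTP status to what it means for an HTTP-01 challenge.
# curl reports 000 when no TCP connection could be made at all (firewall).
classify_status() {
    case "$1" in
        200) echo "ok" ;;
        301|302|307|308) echo "redirected" ;;   # challenge path must not redirect
        404) echo "not-found" ;;                # wrong root or wrong location block
        000) echo "unreachable" ;;              # port 80 closed or filtered
        *) echo "unexpected:$1" ;;
    esac
}

# A 200 whose body is not our token means another vhost or root answered.
check_body() {
    if [ "$1" = "$2" ]; then echo "match"; else echo "mismatch"; fi
}

probe_challenge() {
    host="$1"
    dir="$WEBROOT/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"          # constructed, throwaway token name
    tmp="/tmp/acme-body.$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
    status=$(curl -s -o "$tmp" -w '%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token")
    body=$(cat "$tmp" 2>/dev/null)
    rm -f "$dir/$token" "$tmp"
    result=$(classify_status "$status")
    if [ "$result" = "ok" ]; then
        result="ok,body-$(check_body "$token" "$body")"
    fi
    echo "$result"
}

# Usage: sh probe.sh sub.domain.tld   (run on the web server itself)
if [ -n "$1" ]; then
    probe_challenge "$1"
fi
```

"unreachable" points at the firewall problem from this thread, "redirected" at the HTTP to HTTPS redirect swallowing the challenge path.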
