Certbot: Invalid Respons in acme-challenge because no such file


#1

Hi,

I’m trying to get new certificates. Unfortunately two of my subdomains get no authorization because an invalid response from my server:

Domain: cloud.flaemig42.de
Type: unauthorized
Detail: Invalid response from
http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU:
"

<head data-requesttoken="URQVrqnfznAo+3ma0N7Ng9"

I checked my server logs and found this:

2017/04/11 12:32:06 [error] 22337#22337: *906 open() “/home/www/cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU” failed (2: No such file or directory), client: 66.133.109.36, request: “GET /.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU HTTP/1.1”, host: “cloud.flaemig42.de”, referrer: “http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU

Looks like there is no file the acme-challenge is looking for.

The whole output of Certbot is this:

http-01 challenge for flaemig42.de
http-01 challenge for nextcloud.flaemig42.de
http-01 challenge for www.flaemig42.de
http-01 challenge for ajenti.flaemig42.de
http-01 challenge for bircloud.flaemig42.de
http-01 challenge for config.flaemig42.de
http-01 challenge for cloud.flaemig42.de
http-01 challenge for dyndns.flaemig42.de
http-01 challenge for mail.flaemig42.de
http-01 challenge for owncloud.flaemig42.de
Using the webroot path /home/www/flaemig42.de for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud.flaemig42.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU: "

<head data-requesttoken="URQVrqnfznAo+3ma0N7Ng9", nextcloud.flaemig42.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.flaemig42.de/.well-known/acme-challenge/2HiNT4EbT4NoQOuLJeUw0wUdbjpAvxbsqidpVjAOvNE: " <head data-requesttoken="wCmwVGEs2baCnqoe66vVT+"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: cloud.flaemig42.de
Type: unauthorized
Detail: Invalid response from
http://cloud.flaemig42.de/.well-known/acme-challenge/nItIYdP8I2RmO4rJoie-ZtRj_J9_u-KQCWdfCyF7hyU:
"

<head data-requesttoken="URQVrqnfznAo+3ma0N7Ng9"

Domain: nextcloud.flaemig42.de
Type: unauthorized
Detail: Invalid response from
http://nextcloud.flaemig42.de/.well-known/acme-challenge/2HiNT4EbT4NoQOuLJeUw0wUdbjpAvxbsqidpVjAOvNE:
"

<head data-requesttoken="wCmwVGEs2baCnqoe66vVT+"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

nextcloud, cloud, bircloud and owncloud are pointing to the same root path; bircloud and owncloud aren’t generating an error, cloud and nextcloud do.

Command I used:

sudo certbot certonly --webroot -w /home/www/flaemig42.de -d flaemig42.de -d nextcloud.flaemig42.de -d www.flaemig42.de -d ajenti.flaemig42.de -d bircloud.flaemig42.de -d config.flaemig42.de -d cloud.flaemig42.de -d dyndns.flaemig42.de -d mail.flaemig42.de -d owncloud.flaemig42.de

Does anybody has an idea, why acme-challenge isn’t working for these two subdomains?

BR

Christian


#2

See the difference? Those webroots not the same, so certbot places the challenge file in the wrong directory, a directory where your webserver isn’t getting the files from.


#3

Of course they are not the same.
www.flaemig42.de and flaemig42.de use /home/www/flaemig42.de
cloud.flaemig42de, nextcloud.flaemig42.de, owncloud.flaemig42.de and bircloud.flaemig42.de use /home/www/cloud.flaemig42.de as root.

Why does this work for owncloud and bircloud, but not for cloud and nextcloud?


#4

I don’t know, perhaps the webroot_map variable in the renewal configuration is set to the correct webroot for those other subdomains, but not for cloud/nextcloud. I’m not sure if certbot actually mentions the used webroot-path in the output or only mentions the “common” webroot-path and withholding the information about the other specific webroot-paths.

Some testing of my own confirms certbot not mentioning the actual webroot-path used. Only the path for “unmatched” domains… Not very helpful for debugging, why mention the “unmatched” webroot-path without mentioning specific webroot-paths? That’s very confusing…

@jekami There’s probably something wrong with the webroot paths you’re using. But as you didn’t entirely fill in the questionaire when you opened this thread, you didn’t post the actual command used, I don’t know how to help you further.


#5

sorry, added the command


#6

You only specified -w (the webroot-path) once. Every -d after it uses that webroot-path. But you clearly say those two domains have a different webroot-path. But you’re not specifying it. I’m sure you can connect the dots now :wink:


#7

Damned.

I connected the dots.

sudo certbot certonly --webroot -w /home/www/flaemig42.de -d flaemig42.de -d www.flaemig42.de -d ajenti.flaemig42.de -d config.flaemig42.de -d mail.flaemig42.de -w /home/www/cloud.flaemig42.de -d bircloud.flaemig42.de -d cloud.flaemig42.de -d owncloud.flaemig42.de -d nextcloud.flaemig42.de

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for flaemig42.de
http-01 challenge for www.flaemig42.de
http-01 challenge for ajenti.flaemig42.de
http-01 challenge for config.flaemig42.de
http-01 challenge for mail.flaemig42.de
http-01 challenge for bircloud.flaemig42.de
http-01 challenge for cloud.flaemig42.de
http-01 challenge for owncloud.flaemig42.de
http-01 challenge for nextcloud.flaemig42.de
Using the webroot path /home/www/cloud.flaemig42.de for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/flaemig42.de-0001/fullchain.pem. Your cert
    will expire on 2017-07-10. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run “certbot
    renew”
  • If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

It seems, it worked.

Thanks a lot!

Nevertheless, I don’t understand why it isn’t working with the webroot “/home/www/flaemig42.de”. Why certbot cares about the location of .well-known, as long as it is on my server?


#8

certbot just puts the challenge token in the specified directory. It doesn’t serve the files to the internet: that’s your webservers job (Apache/nginx/NodeJS/whatever).

And because you’ve set up your webserver to use those specified webroot paths. Your webserver only knows where to serve files from from its configuration. If you’ve configured certain virtualhosts to serve files from a different location, then you should also tell certbot to put the challenge tokens in that different location.

It’s actually quite simple: the webservers DocumentRoot (Apache) or root (nginx) directive need to correspond to the webroot-path you’ve told certbot.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.