Certbot Invalid response 404

branding · September 22, 2022, 9:06am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cachedesk.com

I ran this command: certbot --nginx --redirect --hsts --agree-tos --no-eff-email --staple-ocsp -d cachedesk.com -d www.cachedesk.com

It produced this output: Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: cachedesk.com
Type: unauthorized
Detail: 2604:a880:400:d0::201e:5001: Invalid response from http://cachedesk.com/.well-known/acme-challenge/YT_no9YBrw_DYsoXNXC3_GDXY0LUDAHe6TK2TXgGpc4: 404

Domain: www.cachedesk.com
Type: unauthorized
Detail: 2604:a880:400:d0::201e:5001: Invalid response from http://www.cachedesk.com/.well-known/acme-challenge/zarMlYBYfQ3dXF8cUBCvMLU388Y-OzaHJIsNzfsaEnE: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I only have one IP and plan to run multiple sites, so I wrote my own script to batch create NGINX files and request certificates for them. This is bugging me because I have successfully changed DNS A records and AAAA records, but cannot apply for CA. i looked up similar issues in the forum within 48 hours, but none of them could be resolved. I really have a headache.

9peppe · September 22, 2022, 9:27am

nope. you have two.

$ dig +short aaaa www.cachedesk.com
2604:a880:400:d0::201e:5001
$ dig +short a www.cachedesk.com
159.89.230.13

Tell nginx to listen on ipv6 as well. (listen [::]:80 and listen [::]:443 for http and https respectively.)

branding · September 22, 2022, 9:42am

Thank you for help.
80 seems to be already listening to IPV6 by default, I don't have 443 blocks yet because I'm waiting for CERTBOT to auto-configure. Should I add the 443 block manually now?

/etc/nginx/sites-available/cachedesk.com
server {
listen 80;
listen [::]:80;

    root /var/www/template/html/;
    index index.html index.htm;

    server_name cachedesk.com www.cachedesk.com;

    location ~ /.well-known/acme-challenge {
            allow all;
            root /var/www/template/html/;
    }
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
            deny all;
    }
    location ~ ^/(bin|SQL)/ {
            deny all;
    }
    # A long browser cache lifetime can speed up repeat visits to your page
    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
            access_log        off;
            log_not_found     off;
            expires           360d;
    }

}

branding · September 22, 2022, 9:45am

I added listen [::]:443 to the block and retested it. But the result still returns 404

9peppe · September 22, 2022, 9:46am

Oh, come on.

Go with this: certbot -a webroot -w /var/www/template/html/ -i nginx --redirect --hsts --agree-tos --no-eff-email --staple-ocsp -d cachedesk.com -d www.cachedesk.com --dry-run

If it works, remove --dry-run and run it again.

9peppe · September 22, 2022, 9:47am

Don't put 80 and 443 in the same server block.

branding · September 22, 2022, 9:56am

Thank you soooo much for your help, it does work.
The system suggests that this command only works CERTONLY or RENEW, I used CERTONLY and it worked.

branding · September 22, 2022, 10:00am

But certbot does not automatically write 443 blocks. I still don't understand why only the WEBROOT command works.

9peppe · September 22, 2022, 10:15am

It will write it if you use the certbot install command

griffin · September 22, 2022, 10:30am

Giuseppe C.:

branding:

I only have one IP

nope. you have two.
$ dig +short aaaa www.cachedesk.com
2604:a880:400:d0::201e:5001
$ dig +short a www.cachedesk.com
159.89.230.13
Tell nginx to listen on ipv6 as well. (listen [::]:80 and listen [::]:443 for http and https respectively.)

then...

nginx -s reload

certbot --nginx -d "cachedesk.com,www.cachedesk.com"

branding · September 22, 2022, 10:56am

Thank you griffin,
But i think "certbot --nginx " it not working. As I described it.
Maybe because there are already certificates with other names installed on the server...

griffin · September 22, 2022, 11:35am

Did you run the first command to reload your nginx configuration before running certbot?

griffin · September 22, 2022, 11:38am

While correct in concept, the post to which I am currently replying isn't a complete solution nor even the heart of the actual solution, which was in @9peppe's first post. A complete solution is to add IPv6 support to the nginx configuration (addresses the real problem per @9peppe's first post), reload nginx (the part I identified was missing), then run certbot to acquire and install the certificate (should work via -a nginx -i nginx, which is the same as --nginx).

branding · September 22, 2022, 11:53am

I run
sudo nginx -t;
sudo systemctl reload nginx
and using certbot --ngin -d .....
Yep, [::]80 listed the server block, but it really doesn't work until you use the webroot command. I guess maybe it's because I have these sites pointing to the same directory

griffin · September 22, 2022, 11:57am

What is the output of sudo nginx -T ?

Be sure to post the output like this:

```
output
```

that's three backticks above and below the output.

griffin · September 22, 2022, 12:01pm

The only reason to use the webroot authenticator here instead of the nginx authenticator is if you have a nonstandard or buggy nginx installation/configuration.

branding · September 22, 2022, 12:06pm

I am new to nginx and followed a tutorial to configure nginx, I also made the mistake of removing the sites-available directory.
It has now been resolved, but I don't understand the difference. I've read a lot of posts here about 404, but it seems that there are so many reasons for this problem that any configuration error will result in a 404.

griffin · September 22, 2022, 12:10pm

The reason for the 404 is that when certbot acquires a certificate it adds its own temporary exception for the challenge directory to your nginx configuration that points to a special location.

I suspect that removing this section then reloading nginx then rerunning certbot per the certbot command that I provided above might resolve the issue:

Note that I removed --keep from the certbot command in my post above. That will ensure the your certificate acquisition method gets replaced in the certbot configuration file for your domain name when you successfully acquire a certificate using that command.

branding · September 22, 2022, 12:16pm

It' working now. i choiced 'Attempt to reinstall this existing certificate'.
Can you explain it is there an error in this code? Doesn't it mean to allow certificate verification? Also I've seen this solution in another post.

griffin · September 22, 2022, 12:18pm

Reinstalling an existing certificate will avoid attempting to acquire a new certificate.

Run this certbot command first to ensure that the acquisition will work:

certbot certonly --nginx -d "cachedesk.com,www.cachedesk.com" --dry-run

Once that succeeds, run this certbot command to acquire and install the new certificate:

certbot --nginx -d "cachedesk.com,www.cachedesk.com" --force-renewal

Do not repeatedly run that force-renewal command. You will get rate limited.