Certbot: Invalid response http://www.example.org/.well-known/acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: I have many but for a usable example: bitwarden.walrussi.com

I ran this command: certbot renew

It produced this output:

Renewing an existing certificate for example.com and sub.example.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: sub.example.com
  Type:   unauthorized
  Detail: "IP-ADRESS": Invalid response from http://sub.example.com/.well-known/acme-challenge/CAh2KFOQD_O3S3ND6o94gp8wpfdTvw2khHEScIf5VLU: 500

  Domain: example.com
  Type:   unauthorized
  Detail: "IP-ADRESS": Invalid response from http://example.com/.well-known/acme-challenge/zLMmc9qC-YkhaGD4eAsvzQFhQmjxzXC0MQVV_iNimRA: 500

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu); I have an nginx reverse proxy

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: Host Europe

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Welcome @frederik.lohse

Your server is failing HTTP requests even for your "home" page. When using the HTTP Challenge (like you are) your server must respond with the proper challenge token.

Your server is responding like this:

curl -i bitwarden.walrussi.com

HTTP/1.1 500 Internal Server Error
Server: nginx/1.22.0
Date: Tue, 27 Jun 2023 14:05:38 GMT

Internal Server Error
4 Likes

For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful. :slight_smile:

2 Likes

Thank you! I honestly don't know why my HTTP doesn't work. I'll try to figure it out. :frowning:

2 Likes

"500" sounds like it's doing some kind of proxy and can't reach the final destination.

3 Likes

Yeah, I know. But I can't bind port 80 right now and the logs say nothing more. I'm still trying to figure out why.

certbot can't bind to port 80?
If so, then you may be trying to run it in --standalone mode.
This would require exclusive use of port 80.
If not, please explain.

4 Likes

No, sorry, I didn't say enough. My NGINX proxy can't bind 80. It's really nothing certbot related. The thread can be closed.

1 Like

What shows?:
netstat -pant | grep 80

3 Likes

tcp   0   0 0.0.0.0:80   0.0.0.0:*   LISTEN    3366/nginx: master

nginx is already bound to port 80...

What do you mean by?:

3 Likes
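The two checks the helpers are asking for above (does the challenge path answer over HTTP, and which process already holds port 80) can be scripted. The following is an added example, not code from the thread or from Certbot; the domain, the challenge path probe and the sample `curl -i` / `netstat -pant` output fed to the functions are constructed here, and it assumes `curl`, `awk` and `netstat` are installed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an HTTP-01 challenge
# behind an nginx reverse proxy. Assumes curl, awk and netstat are available.

# Print the HTTP status code from a captured `curl -i` response read on stdin.
# The last status line wins, so a redirect chain reports the final hop.
http_status() {
    grep -E '^HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | awk '{print $2}'
}

# Map a status code to what it means for an ACME http-01 validation.
explain_status() {
    case "$1" in
        200)        echo "ok: challenge path is served" ;;
        404)        echo "not found: /.well-known/acme-challenge/ is not served from the expected root" ;;
        5[0-9][0-9]) echo "server error: nginx answered but could not satisfy the request (proxy_pass upstream unreachable?)" ;;
        '')         echo "no HTTP response: nothing listening on port 80, or a firewall blocks it" ;;
        *)          echo "unexpected status $1" ;;
    esac
}

# From `netstat -pant` style lines on stdin, print the PID of the process
# LISTENing on port $1 (works for 0.0.0.0:80 and :::80 forms).
port_owner() {
    awk -v port="$1" '$6 == "LISTEN" && $4 ~ (":" port "$") { split($7, a, "/"); print a[1] }'
}

# Live check against a real host (placeholder domain; run as: sh check.sh your.domain).
# Uses a throwaway token name so a 404 vs 500 tells you whether nginx reaches the path at all.
check_domain() {
    domain="$1"
    status=$(curl -si --max-time 10 "http://$domain/.well-known/acme-challenge/probe-$$" | http_status)
    echo "http://$domain -> $(explain_status "$status")"
    owner=$(netstat -pant 2>/dev/null | port_owner 80)
    if [ -n "$owner" ]; then
        echo "port 80 is held by PID $owner: $(ps -o comm= -p "$owner" 2>/dev/null)"
    else
        echo "nothing is listening on port 80"
    fi
}

# Only probe the network when a domain was given on the command line.
[ -n "${1:-}" ] && check_domain "$1"
```

Run it against the domain from the original post to get, in one line, whether the server answered with 200, 404, 500 or nothing at all, and a second line naming the PID that owns port 80, which is the same information the thread extracts by hand from `curl -i` and `netstat -pant`.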

Ok:

So my normal Proxy configuration is:

#server {
#listen *:80;
#listen [::]:80 ipv6only=on default_server;  
#  server_name bitwarden.walrussi.com; #Change this to your domain name
#}


server {
  listen 443 ssl http2;
  server_name bitwarden.walrussi.com; #Change this to your domain name
  ssl_certificate /etc/letsencrypt/live/bitwarden.walrussi.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/bitwarden.walrussi.com/privkey.pem; # managed by Certbot

  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://0.0.0.0:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://0.0.0.0:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://0.0.0.0:8080;
  }

  location ~ /.well-known/acme-challenge/ {
    allow all;
  }
}

The port 80 block is commented out because otherwise nginx won't start; this is the output:

nginx[1873050]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)

Try:
listen 80;

2 Likes

tcp   0   0 0.0.0.0:443   0.0.0.0:*   LISTEN    1876611/nginx: mast 

Tried it before. The "*:80;" is a product of problem solving.

nginx[1899500]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Unknown error)

What command are you running to produce that error message?

2 Likes

sudo systemctl restart nginx.service

Can you restart the entire system?

2 Likes

Yes, I did, but I can do it one more time if you want.

What shows?
ps -ef | grep nginx | grep -v grep

2 Likes