Certbot --nginx error

Here are some of my misinformation
please help me :sob:

My domain is:zhifeng-like-dufen.xyz

I ran this command:certbot --nginx

It produced this output:

2021-07-21 10:26:41,583:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-07-21 10:26:41,871:DEBUG:certbot._internal.main:certbot version: 1.17.0
2021-07-21 10:26:41,872:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1280/bin/certbot
2021-07-21 10:26:41,872:DEBUG:certbot._internal.main:Arguments: ['--webroot', '--preconfigured-renewal']
2021-07-21 10:26:41,872:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-21 10:26:41,879:DEBUG:certbot._internal.log:Root logging level set at 30
2021-07-21 10:26:41,880:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-07-21 10:26:41,882:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f3fae400b80>
Prep: True
2021-07-21 10:26:41,882:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f3fae400b80> and installer None
2021-07-21 10:26:41,882:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-07-21 10:26:41,893:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/130771810', new_authzr_uri=None, terms_of_service=None), c7a7032ffe894d54383434d0fbe02811, Meta(creation_dt=datetime.datetime(2021, 7, 16, 4, 47, 14, tzinfo=), creation_host='iZuf67r5nyftzrd76ylv5hZ', register_to_eff=None))>
2021-07-21 10:26:41,894:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-07-21 10:26:41,895:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-07-21 10:26:42,395:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/1280/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/snap/certbot/1280/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/snap/certbot/1280/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/snap/certbot/1280/lib/python3.8/site-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/snap/certbot/1280/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/snap/certbot/1280/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/snap/certbot/1280/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/snap/certbot/1280/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/snap/certbot/1280/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
    ConnectionResetError: [Errno 104] Connection reset by peer
    During handling of the above exception, another exception occurred:
    During handling of the above exception, another exception occurred:
    Traceback (most recent call last):
    File "/snap/certbot/1280/bin/certbot", line 8, in <module>
    sys.exit(main())
    File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
    File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
    File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/main.py", line 1417, in certonly
    le_client = _init_le_client(config, auth, installer)
    File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/main.py", line 770, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
    File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/client.py", line 253, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
    File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/client.py", line 41, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
    File "/snap/certbot/1280/lib/python3.8/site-packages/acme/client.py", line 824, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
    File "/snap/certbot/1280/lib/python3.8/site-packages/acme/client.py", line 1168, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
    File "/snap/certbot/1280/lib/python3.8/site-packages/acme/client.py", line 1117, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
    File "/snap/certbot/1280/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
    File "/snap/certbot/1280/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
    File "/snap/certbot/1280/lib/python3.8/site-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
    requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
    2021-07-21 10:26:42,408:ERROR:certbot._internal.log:An unexpected error occurred:
    2021-07-21 10:26:42,408:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

My web server is (include version):
nginx version: nginx/1.14.0

The operating system my web server runs on is (include version):
(Ubuntu18.04)

My hosting provider, if applicable, is: ALi

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.17.0

1 Like

Welcome to the Let's Encrypt Community, Li :slightly_smiling_face:

Your IP address may be blocked by Let's Encrypt.

@lestaff

The IP address for zhifeng-like-dufen.xyz is 47.101.51.253.

2 Likes

hi griffin
Is there any good way to solve this problem?
:sob:

1 Like

We haven't blocked that IP address, so the problem is something else.

1 Like

I just executed certbot --nginx
There was a mistake

root@zhifeng:~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: zhifeng-like-dufen.xyz
2: www.zhifeng-like-dufen.xyz


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for zhifeng-like-dufen.xyz and www.zhifeng-like-dufen.xyz

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.zhifeng-like-dufen.xyz
Type: unauthorized
Detail: Invalid response from http://www.zhifeng-like-dufen.xyz/.well-known/acme-challenge/zwOgxwtVXxMm0SBjjWLsERgdLZvNALQJJe53hPEw6Nc [47.101.51.253]: "\n\n<meta http-equiv="Content-Type" content="textml;charset=UTF-8" />\n body{background-color:#FFFFFF}"

Domain: zhifeng-like-dufen.xyz
Type: unauthorized
Detail: Invalid response from http://zhifeng-like-dufen.xyz/.well-known/acme-challenge/tU9nidj_9ntnV0o0Qu03iC4MWMeI8fhA_5vzLja5nlY [47.101.51.253]: "\n\n<meta http-equiv="Content-Type" content="textml;charset=UTF-8" />\n body{background-color:#FFFFFF}"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

When I visit your domain, I see this page: http://batit.aliyun.com/alww.html

I think you need to apply for your "website license" before you will be able to get your Let's Encrypt certificate.

Your web host is intercepting the web requests due to the website license problem, and it causes the domain validation process to fail.

1 Like

I asked Ali's staff
He told me this would not affect
So it should be caused by other problems

1 Like

I think they are mistaken.

The HTML shown in the error from Let's Encrypt:

... "<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"textml;charset=UTF-8\" />\n   <style>body{background-color:#FFFFFF}</style>"

matches exactly the HTML that causes the site license page to be shown:

$ curl -i http://www.zhifeng-like-dufen.xyz/.well-known/acme-challenge/zwOgxwtVXxMm0SBjjWLsERgdLZvNALQJJe53hPEw6Nc
HTTP/1.1 403 Forbidden
Server: Beaver
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 597
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="textml;charset=UTF-8" />
  <style>body{background-color:#FFFFFF}</style>
<title>TestPage184</title>
  <script language="javascript" type="text/javascript">
        window.onload = function () {
          document.getElementById("mainFrame").src= "http://batit.aliyun.com/alww.html";
            }
</script>
</head>
  <body>
    <iframe style="width:860px; height:500px;position:absolute;margin-left:-430px;margin-top:-250px;top:50%;left:50%;" id="mainFrame" src="" frameborder="0" scrolling="no"></iframe>
    </body>
      </html>

Aliyun is intercepting the Let's Encrypt HTTP challenge request and responding to it with the site licence iframe.

2 Likes
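The manual comparison in the post above can be automated. The following is an added example, not code from any participant in this thread or from Certbot: it classifies a captured `curl -i` response for an HTTP-01 challenge URL by checking whether the body is a key authorization (RFC 8555, section 8.3) or HTML from something else. The function names, the verdict strings and the passing sample are assumptions made for illustration.

```python
import re

# RFC 8555 section 8.3: a valid HTTP-01 body is "<token>.<account key thumbprint>",
# both base64url; the thumbprint is a SHA-256 digest, i.e. 43 characters.
KEY_AUTHZ = re.compile(r"([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]{43})")

def parse_response(raw):
    """Split `curl -i` style text into (status, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def diagnose(url, raw):
    """Classify what answered an HTTP-01 challenge URL."""
    token = url.rstrip("/").rsplit("/", 1)[-1]
    status, headers, body = parse_response(raw)
    match = KEY_AUTHZ.fullmatch(body.strip())
    if match:
        if status == 200 and match.group(1) == token:
            return "ok"
        return "wrong-key-authorization"
    if re.search(r"<\s*(html|iframe|script)\b", body, re.I):
        # HTML instead of a key authorization: the ACME client did not answer.
        return "html-from-%s-status-%d" % (headers.get("server", "unknown"), status)
    return "missing" if status == 404 else "unexpected"

URL = ("http://www.zhifeng-like-dufen.xyz/.well-known/acme-challenge/"
       "zwOgxwtVXxMm0SBjjWLsERgdLZvNALQJJe53hPEw6Nc")

# Response from the thread's curl output, headers and body trimmed.
INTERCEPTED = """HTTP/1.1 403 Forbidden
Server: Beaver
Content-Type: text/html

<html>
<head>
<title>TestPage184</title>
</head>
"""

# Constructed: shape of a passing response (placeholder thumbprint, not a real one).
PASSING = ("HTTP/1.1 200 OK\nServer: nginx\n\n"
           "zwOgxwtVXxMm0SBjjWLsERgdLZvNALQJJe53hPEw6Nc." + "A" * 43 + "\n")
```

A `Server` header that is not the origin's own web server (here `Beaver` rather than nginx) together with an HTML body is the signal that the request was answered upstream of the machine running Certbot.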

thanks _az
Then I'll wait for Ali's approval before test
:grinning:

2 Likes

If that fails, or just as a one time measure, you could try manually validating the requests by DNS instead.

1 Like