Certbot Nginx: failed to authenticate; invalid response

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: plancourses.lol

I ran this command: sudo certbot --nginx -d plancourses.lol -d www.plancourses.lol

It produced this output:

Requesting a certificate for plancourses.lol and www.plancourses.lol

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: plancourses.lol
  Type:   unauthorized
  Detail: 192.64.119.171: Invalid response from http://www.plancourses.lol: "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <meta charset=\"UTF-8\" />\n\t<link rel=\"apple-touch-icon\" sizes=\"180x180\" href=\"/appl"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is: AWS ec2 server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Additional Comments:
Hello all, currently trying to add ssl to nginx proxying for a docker containerized app. Below is the server block config

server {
    listen 80;
    listen [::]:80;

    server_name plancourses.lol www.plancourses.lol; 

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/acme-challenge/;
    }

    location / {
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://localhost:3000;
    }
}

any help will be appreciated!

1 Like

Hi @AlexanderZhou39, and welcome to the LE community forum :slight_smile:

Try changing alias to root in line:

[and make sure that path exists]

5 Likes

Also, there seems to me more to that config that isn't shown or overlaps with that config.
See:

curl -I plancourses.lol
HTTP/1.1 301 Moved Permanently
Date: Tue, 23 Aug 2022 20:03:55 GMT
Connection: keep-alive
Location: http://www.plancourses.lol
X-Served-By: Namecheap URL Forward
Server: namecheap-nginx

OK, I now see the problem with that: Server: namecheap-nginx.

Name:    plancourses.lol
Address: 192.64.119.171

Name:    www.plancourses.lol
Address: 13.56.227.89

As such, you won't be able to get a cert with both names on it:

3 Likes

Ok yeah doing this instead
sudo certbot --nginx -d www.plancourses.lol
worked!

Thank you so much for the help! I definitely would have not figured out the ip difference myself.

2 Likes

If you have control of the DNS zone, you should add an IP for the base domain name and remove the:

Then you can have a cert with both names on it :slight_smile:

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.