Certbot --nginx failed with 404

Hi all,

I am trying to enable SSL with certbot by running the following command:

certbot --nginx

The server is running on Ubuntu and the webserver is nginx; the nginx config is:

server {
        listen 80;
        listen [::]:80;

        server_name test.mysite.io;

        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;

        location ^~ /.well-known/acme-challenge/ {
                root /var/www/html;
        }
        location / {
                    proxy_pass http://XXX.XXX.XXX.XXX:8080;
        }
}

The output in `/var/log/letsencrypt/letsencrypt.log`:


2023-02-02 09:20:19,442:DEBUG:acme.client:JWS payload:
b''
2023-02-02 09:20:19,443:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/200202732737:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxMzM5NjU3IiwgIm5vbmNlIjogIjVDQTJYRDJJaWU2QTJ1TTRfaUFFN19WdkFzR2FMY1d0aGZMeERpUm1kSEtwT1pzIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAyMDI3MzI3MzcifQ",
  "signature": "T9Ptn86Bi6YDDzwdusyDtjFATQ_6QVWfIugBE2I9qRkFFZQKb9DfdI-qPJhRcve4JnMjmb6fn7sZBOjCN0ArPJ6tgtoJpS8DUuXvTtVQwe3GRZBsUVQUZ6wPJxT7LBSwCdt2TUiwtd8bJiUueDwtqBs7-_DVRFM7LTWxK5CxYfW-xe1wbeSI44Mqe5zQ4UhkONWsnrPROkectoz5k9JVUmJ20rtraLwCm5fOX49StbwwESvLaZJUeZSdvPut4Q_pjseTG3EdYiW_Kk2glIl-tYeRS_jH0oBUMsg0ws-lsA-Qk5edhezz67dWcocsS6a6oXyVBn6Rq_YQAR74I0yolw",
  "payload": ""
}
2023-02-02 09:20:19,493:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200202732737 HTTP/1.1" 200 801
2023-02-02 09:20:19,493:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Feb 2023 09:20:19 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 871339657
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA2A9bxz7IosCswn74YO1xc1r0aQu4D6gOCUsWw8Fr_GmU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test.mysite.io"
  },
  "status": "pending",
  "expires": "2023-02-09T09:20:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/200202732737/p20HZw",
      "token": "HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/200202732737/U5reAw",
      "token": "HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/200202732737/mbeUCw",
      "token": "HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U"
    }
  ]
}
2023-02-02 09:20:19,493:DEBUG:acme.client:Storing nonce: 5CA2A9bxz7IosCswn74YO1xc1r0aQu4D6gOCUsWw8Fr_GmU


2023-02-02 09:20:22,497:DEBUG:acme.client:JWS payload:
b''
2023-02-02 09:20:22,499:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/200202732737:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxMzM5NjU3IiwgIm5vbmNlIjogIjVDQTJBOWJ4ejdJb3NDc3duNzRZTzF4YzFyMGFRdTRENmdPQ1VzV3c4RnJfR21VIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAyMDI3MzI3MzcifQ",
  "signature": "NCtGDO5fdsmFLXcSrCE1-dlgXUsTcFJy8EdIEI3A0tXNjYhrYYkozr_Y_MWe4Xl6zsK_Zn0mrv-4QHTHjKYkjdkikRwly6yl5EFNznbe_FgjULEs55t5P6B9tJqq0ikH9beMvEvXTDkmV5U6mMyWLX9rmRD0BOzfJSEJyUFSJU51D56O62b76lD7LtWajM9YjCoslTbsYgI2JPibKRkVk-FrJKq9ODASYacAGxhVB27FguhE33umu9yFLSL317W9uBAvSpwUPT1XUkNff5Bn3G4pfV2_-wILSfcgV7pN2iC_debnRTmv8uNh8khXqBZmFLaFrosq_ul4VyQxykDGMg",
  "payload": ""
}
2023-02-02 09:20:22,546:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200202732737 HTTP/1.1" 200 1060
2023-02-02 09:20:22,546:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Feb 2023 09:20:22 GMT
Content-Type: application/json
Content-Length: 1060
Connection: keep-alive
Boulder-Requester: 871339657
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA2plz9u-6GaXETUgaBpihyEpX1Bqc1nypklTow2ot7-EU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test.mysite.io"
  },
  "status": "invalid",
  "expires": "2023-02-09T09:20:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "XXX.XXX.XXX.XXX: Fetching http://test.mysite.io/.well-known/acme-challenge/HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/200202732737/p20HZw",
      "token": "HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U",
      "validationRecord": [
        {
          "url": "http://test.mysite.io/.well-known/acme-challenge/HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U",
          "hostname": "test.mysite.io",
          "port": "80",
          "addressesResolved": [
            "XXX.XXX.XXX.XXX"
          ],
          "addressUsed": "XXX.XXX.XXX.XXX"
        }
      ],
      "validated": "2023-02-02T09:20:12Z"
    }
  ]
}
2023-02-02 09:20:22,547:DEBUG:acme.client:Storing nonce: 5CA2plz9u-6GaXETUgaBpihyEpX1Bqc1nypklTow2ot7-EU
2023-02-02 09:20:22,547:INFO:certbot._internal.auth_handler:Challenge failed for domain test.mysite.io
2023-02-02 09:20:22,547:INFO:certbot._internal.auth_handler:http-01 challenge for test.mysite.io
2023-02-02 09:20:22,547:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: test.mysite.io
  Type:   connection
  Detail: XXX.XXX.XXX.XXX: Fetching http://test.mysite.io/.well-known/acme-challenge/HATZ2wCZM-Jup0FTjBVjMCnFQePDf9hd0ZcvrNgOH2U: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2023-02-02 09:20:22,547:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-02-02 09:20:22,548:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-02-02 09:20:22,548:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-02-02 09:20:23,624:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1287, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-02-02 09:20:23,625:ERROR:certbot._internal.log:Some challenges have failed.

Would you advise if I missed something here?

I have masked the domain for privacy.
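As an added example (not part of this post, and not Certbot's own code), here is a small Python script that pulls the authorization objects Certbot writes into letsencrypt.log, in the format shown above, and summarises each failed challenge: the error type, the address and port the CA actually connected to, and a first place to look. The sample log excerpt is constructed to match the format above, with the token and address as placeholders; the hint table is an assumption drawn from common causes, not text the CA returns.

```python
import json

# Constructed excerpt modelled on the letsencrypt.log format above.
# TOKEN and XXX.XXX.XXX.XXX are placeholders, not real values.
SAMPLE_LOG = """\
2023-02-02 09:20:22,499:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/PLACEHOLDER:
{
  "protected": "PLACEHOLDER",
  "signature": "PLACEHOLDER",
  "payload": ""
}
2023-02-02 09:20:22,546:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {"type": "dns", "value": "test.mysite.io"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "XXX.XXX.XXX.XXX: Fetching http://test.mysite.io/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "token": "TOKEN",
      "validationRecord": [
        {
          "url": "http://test.mysite.io/.well-known/acme-challenge/TOKEN",
          "hostname": "test.mysite.io",
          "port": "80",
          "addressesResolved": ["XXX.XXX.XXX.XXX"],
          "addressUsed": "XXX.XXX.XXX.XXX"
        }
      ]
    }
  ]
}
2023-02-02 09:20:22,547:INFO:certbot._internal.auth_handler:Challenge failed for domain test.mysite.io
"""

# Where to look first for each ACME error type (the last segment of the error URN).
# These hints are assumptions from common causes, not text returned by the CA.
ERROR_HINTS = {
    "connection": "port 80 not reachable from the CA's validation points: firewall, NAT or ACL in the path",
    "unauthorized": "something answered, but not the expected key authorization: wrong webroot, or a proxy/redirect served a page instead of the file",
    "dns": "the name did not resolve, or resolved to the wrong address",
}


def extract_json_objects(log_text):
    """Yield every top-level JSON object that Certbot printed on its own lines.

    Certbot writes the object with '{' and '}' alone on a line; nested braces are
    indented, so a line that is exactly '{' or '}' delimits one object.
    """
    buf = []
    for line in log_text.splitlines():
        if line == "{":
            buf = ["{"]
        elif buf:
            buf.append(line)
            if line == "}":
                try:
                    yield json.loads("\n".join(buf))
                except json.JSONDecodeError:
                    pass  # not JSON after all (e.g. a truncated block); skip it
                buf = []


def triage_log(log_text):
    """Return one finding per failed challenge found in the log text."""
    findings = []
    for obj in extract_json_objects(log_text):
        if "challenges" not in obj or "identifier" not in obj:
            continue  # skips JWS request bodies and other non-authorization objects
        for ch in obj["challenges"]:
            if ch.get("status") != "invalid":
                continue
            err = ch.get("error", {})
            err_type = err.get("type", "").rsplit(":", 1)[-1]
            # validationRecord tells you which address/port the CA really used
            record = (ch.get("validationRecord") or [{}])[0]
            findings.append({
                "domain": obj["identifier"].get("value"),
                "challenge": ch.get("type"),
                "error": err_type,
                "detail": err.get("detail", ""),
                "address_used": record.get("addressUsed"),
                "port": record.get("port"),
                "hint": ERROR_HINTS.get(err_type, "unlisted error type; read the detail field"),
            })
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 triage.py /var/log/letsencrypt/letsencrypt.log (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in triage_log(text):
        print(json.dumps(finding, indent=2))
```

The useful field to read first is `address_used`: if it is not the public address you expect the domain to have, the problem is DNS or NAT rather than nginx; if it is, and the error is `connection`, nothing on port 80 at that address answered the CA within its timeout.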

These don't work together.

Either use the first, or use the second with certbot --webroot

3 Likes

Personally, I'd prefer the webroot plugin in combination with the location directive to un-complicate things.

3 Likes

Your command should work even with the location block for acme-challenge. But, your domain is not reachable from the public internet.

You should check your firewall and comms configs. I don't see any ports open for your jenkins..... domain

3 Likes

I have used the webroot as below:

certbot certonly --webroot -w /var/www/html

But I am still getting this error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: test.mysite.io
  Type:   connection
  Detail: XXX.XXX.XXX.XXX: Fetching http://test.mysite.io/.well-known/acme-challenge/5CtU4rjpLJZsdwjOG3QngSRyGMLUaVN2q5b3_gJXqKI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

And here are the logs:

2023-02-02 12:42:25,397:DEBUG:acme.client:JWS payload:
b''
2023-02-02 12:42:25,399:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/200238451697:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxMzM5NjU3IiwgIm5vbmNlIjogIjVDQTJVYU9FaVNVaUZQS3M0UEZfWm9HY05vLU5BRGdHdnhnNHRqQnB4bXRzZ0dRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMDAyMzg0NTE2OTcifQ",
  "signature": "l7a5o-zwNyT65qsr0QOuKaCWsIhwlx7fbDdOV38UK_fwMmrlubhjlrYPH1952VMu3CF2Ma8V1rnuy10ByFagG4ix3t58sxw1yeb0LbpICvER1X9s3nhuL2pbdC8DI_YAgcXE1ES20vA1BMxhDjVoMQHBz6E5zmKc6OiqX1H7y2KMw4ecU5mpLyskglmbZZf9_v3TojIwfPjClaCureYjzmhj9cpPXi-UZPHavo3m9wT5YlQsEnxOCX3r1r1PNizSdzpXD91DKqp4NnTrRPTMPWrCCOva8kgXOA8RW2ByhBKiKQtIAoB1maGYVamRnOPNEOZlky4DFi1Sxy5WPzIwnQ",
  "payload": ""
}
2023-02-02 12:42:25,443:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/200238451697 HTTP/1.1" 200 1060
2023-02-02 12:42:25,444:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 02 Feb 2023 12:42:25 GMT
Content-Type: application/json
Content-Length: 1060
Connection: keep-alive
Boulder-Requester: 871339657
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5CA2FTs5IfGvFtsnWFkryENnZl8agk1oLJcXMOf6koS6Hao
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test.mysite.io"
  },
  "status": "invalid",
  "expires": "2023-02-09T12:42:14Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "XXX.XXX.XXX.XXX: Fetching http://test.mysite.io/.well-known/acme-challenge/4LIfa2oq872TEbgMH0BKWtCvaC4VfUZryNL-r-wkFEk: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/200238451697/RjIVsA",
      "token": "4LIfa2oq872TEbgMH0BKWtCvaC4VfUZryNL-r-wkFEk",
      "validationRecord": [
        {
          "url": "http://test.mysite.io/.well-known/acme-challenge/4LIfa2oq872TEbgMH0BKWtCvaC4VfUZryNL-r-wkFEk",
          "hostname": "test.mysite.io",
          "port": "80",
          "addressesResolved": [
            "XXX.XXX.XXX.XXX"
          ],
          "addressUsed": "XXX.XXX.XXX.XXX"
        }
      ],
      "validated": "2023-02-02T12:42:15Z"
    }
  ]
}
2023-02-02 12:42:25,444:DEBUG:acme.client:Storing nonce: 5CA2FTs5IfGvFtsnWFkryENnZl8agk1oLJcXMOf6koS6Hao
2023-02-02 12:42:25,444:INFO:certbot._internal.auth_handler:Challenge failed for domain test.mysite.io
2023-02-02 12:42:25,444:INFO:certbot._internal.auth_handler:http-01 challenge for test.mysite.io
2023-02-02 12:42:25,444:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: test.mysite.io
  Type:   connection
  Detail: XXX.XXX.XXX.XXX: Fetching http://test.mysite.io/.well-known/acme-challenge/4LIfa2oq872TEbgMH0BKWtCvaC4VfUZryNL-r-wkFEk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-02-02 12:42:25,445:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-02-02 12:42:25,445:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-02-02 12:42:25,445:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-02-02 12:42:25,445:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/4LIfa2oq872TEbgMH0BKWtCvaC4VfUZryNL-r-wkFEk
2023-02-02 12:42:25,445:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-02-02 12:42:25,446:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-02-02 12:42:25,446:ERROR:certbot._internal.log:Some challenges have failed.

We probably cross-posted but please see my post just prior to yours.

Use the Let's Debug test site for your domain (link here). It will test your comms and firewall as you make changes to open port 80 (http) to the public internet. You must have a working http site to use the --nginx plug-in or --webroot.

3 Likes
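The advice in this thread boils down to two checks: the `location ^~ /.well-known/acme-challenge/ { root /var/www/html; }` block must serve files from the same directory you pass to `--webroot -w`, and port 80 must be reachable from outside. As an added example (not from this thread, and not Certbot's code), the Python script below does the same thing Certbot does during an http-01 challenge, minus the CA: it writes a throwaway token under the webroot, fetches it over plain HTTP without following redirects, cleans up, and reports whether nginx served the file, the backend's login page answered instead, or nothing answered at all. The domain and webroot arguments, the timeout, and the sample login body are assumptions; the sample body is modelled on the curl output posted later in the thread.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

# Constructed sample body modelled on the backend's login redirect page seen in this thread.
SAMPLE_LOGIN_BODY = (
    "<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/>"
    "<script>window.location.replace('/login?from=%2F');</script></head>"
    "<body>Authentication required</body></html>"
)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so a redirect to /login is reported, not silently followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def classify_response(status, body, expected):
    """Decide what the fetch of the challenge URL actually reached.

    status: HTTP status as int, or None when no connection could be made at all.
    """
    if status is None:
        return "unreachable"          # timeout / refused: firewall, NAT or ACL on the path
    if status == 200 and body.strip() == expected:
        return "served"               # nginx answered from the webroot; --webroot will work
    if status in (301, 302, 303, 307, 308) or "login" in body.lower():
        return "proxied"              # the backend app (or a redirect) answered, not the file
    return f"unexpected:{status}"


def check_challenge_path(domain, webroot, timeout=10):
    """Write a token under webroot, fetch it via http://domain/, remove it, classify the result."""
    token = secrets.token_urlsafe(16)
    expected = f"selfcheck-{token}"
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(expected)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        opener = urllib.request.build_opener(NoRedirect())
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:          # 3xx/4xx/5xx: something answered
        status, body = e.code, e.read().decode(errors="replace")
    except OSError:                              # URLError, timeout, connection refused
        status, body = None, ""
    finally:
        os.remove(path)                          # never leave the test token behind
    return classify_response(status, body, expected)


if __name__ == "__main__":
    # Usage (assumed): python3 acme_selfcheck.py test.mysite.io /var/www/html
    if len(sys.argv) != 3:
        sys.exit("usage: acme_selfcheck.py DOMAIN WEBROOT")
    print(check_challenge_path(sys.argv[1], sys.argv[2]))
```

Run it from a machine outside your own network, or on the server while watching the access log named in the config above: "served" means the only remaining variable is whether the CA's validation points can reach you, which is exactly what the Let's Debug check answers; "proxied" means the request fell through to `proxy_pass` and the location block or webroot path is wrong; "unreachable" is the same `connection` error the CA reported.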

I believe it is not a network/firewall issue, but nginx is reverse proxying traffic to port 8080, and the app, when it receives the request, does an internal 301 to the login page. So I think the reason it is not able to validate the domain is the redirection, and traffic to .well-known/ is not being intercepted by nginx.

Here is a curl to port 80:

root@001:~# curl test.mysite.io
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
-->

</body></html>

That looks like a curl from your own network. But, your domain must be reachable from the public internet. Try a connect from Let's Debug. Or, use a mobile phone with wifi disabled to use the carrier's network.

Yes, it's possible if you do port forwarding/NAT that it is not setup right. That would be a comms config problem.

3 Likes

The curl is from another device on a different network.

Then do you have some sort of geographic IP blocking or something?

Because Let's Debug cannot see your site (did you try it?) and neither can I from my own test server. I also tried another test site that checks from various points around the globe and none can see your domain using http.

Certbot makes a request to Let's Encrypt. The LE servers must then reach your domain from various points around the world to prove you control that domain name. The error message is clear that this is failing. This is almost always a firewall but can be a comms config issue too.

If you share more details of your network perhaps we can make suggestions. Keeping all your info private while still wanting help with this kind of problem is difficult.

3 Likes

Unrelated to your firewall problem...

This could be a security issue:

If you ever intend on ever securing access to anything within that folder, that access can be circumvented by using this unrestricted path to it.

2 Likes

Thanks all for the feedback. It was actually a firewall problem that restricted access to the domain by ACL. These ACLs include subnet ranges that allow country-level access. When it was disabled, the cert was generated successfully.

2 Likes
