Certbot --nginx fails for same configuration across sites


#1

Dear community,

I’ve encountered issues with using certbot for a number of domains which share basically the same setup. It is a tad intricate, so some explanations first.

I have four domains:

a-a.org is the target domain, so to speak, as all other three redirect to the same subdirectory of it. a-a.org also has a subdomain x.a-a.org which redirects to the same subdirectory.

In nginx this looks like the following.

x.a-a.org (Subdomain)

server {

	root /var/www/a-a.org/x;

	index index.html index.htm index.nginx-debian.html;

	server_name x.a-a.org;

	location / {
	    return 301 https://a-a.org/x$request_uri;
	}

}

a-a.org (“Main” domain)

server {
	root /var/www/a-a.org;

	index index.html index.htm index.nginx-debian.html;

	server_name a-a.org www.a-a.org;

	location / {
		try_files $uri $uri/ =404;
	}
}

b-b.org, c-c.org, d.org (The three secondary domains):

server {
	root /var/www/a-a.org;

	index index.html index.htm index.nginx-debian.html;

	server_name d.org www.d.org;

	location = / {
		return 301 https://a-a.org/x;
	}
}

server {
	root /var/www/a-a.org;

	index index.html index.htm index.nginx-debian.html;

	server_name b-b.org www.b-b.org;

	location = / {
		return 301 https://a-a.org/x;
	}
}

When I run

certbot --nginx

I get the following results:

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: d.org
2: www.d.org
3: a-a.org
4: x.a-a.org
5: www.a-a.org
6: b-b.org
7: www.b-b.org
9: c-c.org
10: www.c-c.org
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/other-domain.conf)

It contains these names: d.org, x.a-a.org,
other-domain, a-a.org, www.d.org,
www.a-a.org

You requested these names for the new certificate: d.org,
www.d.org, a-a.org, x.a-a.org,
www.a-a.org, b-b.org, www.b-b.org,
other-domain, c-c.org,
www.c-c.org.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for d.org
http-01 challenge for www.d.org
http-01 challenge for a-a.org
http-01 challenge for x.a-a.org
http-01 challenge for www.a-a.org
http-01 challenge for b-b.org
http-01 challenge for www.b-b.org
tls-sni-01 challenge for other-domain
http-01 challenge for c-c.org
http-01 challenge for www.c-c.org
nginx: [warn] conflicting server name "x.a-a.org" on 0.0.0.0:80, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "x.a-a.org" on 0.0.0.0:80, ignored

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: c-c.org
   Type:   unauthorized
   Detail: Invalid response from
   http://c-c.org/.well-known/acme-challenge/{key}:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.c-c.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.c-c.org/.well-known/acme-challenge/{key}:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: b-b.org
   Type:   unauthorized
   Detail: Invalid response from
   http://b-b.org/.well-known/acme-challenge/{key}:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.b-b.org
   Type:   unauthorized
   Detail: Invalid response from
   http://www.b-b.org/.well-known/acme-challenge/{key}:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

So basically, b-b.org and c-c.org didn’t go through, while d.org worked fine despite having the same setup.

I’d be thankful for any pointer as to why this could possibly be the case.

All domains share the same IPv4 and IPv6 IPs…


#2

Hi,

Can you try commenting out the location block?

Also, please fill in the form below:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

This should move to #help.

Thank you


#3

Thanks!

I’m providing the details for one of the domains that is failing, as it is failing attempting to install a cert only for that one. I’ve hit rate limits in the meantime, so will not be able to check solutions before next week/month I guess?

The nginx config you ask to be commented out would not be hit by the actual config of this domain, so I left it out here (but have tried it, it didn’t make any difference).


#4

Hi,

Can you try to create a file under your root for this domain?
(aka please try to create a file under /var/www/research-software.org/.well-known/acme-challenge/ and visit the link? )

and temporarily comment out the location block?

Then please visit the file you created under the directory to test

Thank you


#5

Hi @sdruskat,

As @stevenzhu said, you should do this.

You should only continue when you can reach that file from the internet. Also, before you get crazy: Let’s Encrypt prefers IPv6 over IPv4, and as you are advertising an AAAA record for your domains, Let’s Encrypt will try to validate them using the IPv6 connection, but your server is not configured the same way for IPv6 as it is for IPv4.

Using IPv4:

$ curl -I4kL http://wissenschaftliche-software.org/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 22 Feb 2018 17:25:56 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://research-software.org/citation

HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 22 Feb 2018 17:25:57 GMT
Content-Type: text/html
Content-Length: 194
Location: https://research-software.org/citation/
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 22 Feb 2018 17:25:57 GMT
Content-Type: text/html
Content-Length: 18006
Last-Modified: Sun, 18 Feb 2018 22:25:30 GMT
Connection: keep-alive
ETag: "5a89fd5a-4656"
Accept-Ranges: bytes

Using IPv6:

$ curl -I6kL http://wissenschaftliche-software.org/
HTTP/1.1 404 Not Found
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 22 Feb 2018 17:26:03 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

So you should configure your server properly to answer IPv6 requests the same way as for IPv4 or remove the AAAA records for your domains.

Good luck,
sahsanu


#6

Thanks both, will try as you advised before getting back :).


#7

The file is reachable at https://research-software.org/.well-known/acme-challenge/file (0b touch-created).


#8

@sdruskat, please, put some text in that file, just “This is a test” so we know we are reaching the right file.


#9

@sahsanu It’s now https://research-software.org/.well-known/acme-challenge/file.html and should read “certbot test”… Thanks!


#10

Ok, now research-software.org is working fine using IPv4 and IPv6:

$ curl -ikL4 http://research-software.org/.well-known/acme-challenge/file.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:27:52 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://research-software.org/.well-known/acme-challenge/file.html

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:27:52 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Fri, 23 Feb 2018 09:23:20 GMT
Connection: keep-alive
ETag: "5a8fdd88-d"
Accept-Ranges: bytes

certbot test



$ curl -ikL6 http://research-software.org/.well-known/acme-challenge/file.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:28:00 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://research-software.org/.well-known/acme-challenge/file.html

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:28:00 GMT
Content-Type: text/html
Content-Length: 13
Last-Modified: Fri, 23 Feb 2018 09:23:20 GMT
Connection: keep-alive
ETag: "5a8fdd88-d"
Accept-Ranges: bytes

certbot test

Using wissenschaftliche-software.org doesn’t work using either IPv4 or IPv6, but the data is different depending on the IP protocol used…

$ curl -ikL4 http://wissenschaftliche-software.org/.well-known/acme-challenge/file.html
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:29:55 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://research-software.org/citation

HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:29:55 GMT
Content-Type: text/html
Content-Length: 194
Location: https://research-software.org/citation/
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:29:55 GMT
Content-Type: text/html
Content-Length: 18006
Last-Modified: Sun, 18 Feb 2018 22:25:30 GMT
Connection: keep-alive
ETag: "5a89fd5a-4656"
Accept-Ranges: bytes

<!DOCTYPE html>
<html lang="en"><!--
 __  __                __                                     __
/\ \/\ \              /\ \             __                    /\ \
\ \ \_\ \   __  __    \_\ \      __   /\_\      __       ___ \ \ \/'\
 \ \  _  \ /\ \/\ \   /'_` \   /'__`\ \/\ \   /'__`\    /'___\\ \ , <
  \ \ \ \ \\ \ \_\ \ /\ \L\ \ /\  __/  \ \ \ /\ \L\.\_ /\ \__/ \ \ \\`\
   \ \_\ \_\\/`____ \\ \___,_\\ \____\ _\ \ \\ \__/.\_\\ \____\ \ \_\ \_\
    \/_/\/_/ `/___/> \\/__,_ / \/____//\ \_\ \\/__/\/_/ \/____/  \/_/\/_/
                /\___/                \ \____/
                \/__/                  \/___/
[more html removed]


$ curl -ikL6 http://wissenschaftliche-software.org/.well-known/acme-challenge/file.html
HTTP/1.1 404 Not Found
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 23 Feb 2018 09:33:18 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>


#11

Yes, I’ve just realized that as well. Weird. Must be an nginx setup problem, as it seems changes in the setup in sites-available aren’t picked up. I’ll try to fix this and get back.

Thanks for your help so far!


#12

Okay, fixed the original issue by properly setting up all domain configs again. Seems like I hadn’t managed to set up IPv6 correctly for the multi-domain usage.

Now I’m running into https://github.com/certbot/certbot/issues/5550, but there’s a workaround available so I’ll just try this for now.

Thanks!

Issue can be closed.
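The IPv4/IPv6 mismatch sahsanu found in #5 and the IPv6 setup the poster had to redo in #12 both come down to which sockets each nginx server block listens on. The following is an added example, not code from the thread or from certbot: a small Python check that parses an nginx config fragment and flags server blocks with no IPv6 listen directive. The sample config is constructed to mirror the thread's blocks (which carry no listen directive at all) plus a Debian-style default block. The assumption, taken from nginx's listen documentation, is that a block without any listen directive defaults to *:80 (IPv4 only), so IPv6 requests for those names are answered by whichever block is default_server on [::]:80, which is exactly how a challenge file can exist on disk yet return 404 over IPv6.

```python
"""Dual-stack listen check for nginx server blocks (added example)."""
import re

# Constructed sample, shaped like the thread's config: the a-a.org block has no
# listen directive (defaults to *:80, IPv4 only); the default block and the
# b-b.org block bind both stacks.
SAMPLE_CONF = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name _;
}
server {
    root /var/www/a-a.org;          # no listen: IPv4 only by default
    server_name a-a.org www.a-a.org;
    location / { try_files $uri $uri/ =404; }
}
server {
    listen 80;
    listen [::]:80;
    root /var/www/a-a.org;
    server_name b-b.org www.b-b.org;
    location = / { return 301 https://a-a.org/x; }
}
"""


def strip_comments(text):
    """Remove '#' comments so braces inside them do not confuse the walker."""
    return re.sub(r"#.*", "", text)


def server_blocks(text):
    """Yield the body (without outer braces) of each server { ... } block."""
    text = strip_comments(text)
    i = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])  # 'server_name' does not match
        if not m:
            return
        start = i + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
            j += 1
        yield text[start:j - 1]
        i = j


def flatten(body):
    """Drop nested blocks (location {...} etc.), keeping only depth-0 text."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def directive(flat, name):
    """Return the argument string of every `name ...;` directive in flat text."""
    pattern = r"(?<![\w.])%s\s+([^;]+);" % re.escape(name)
    return [a.strip() for a in re.findall(pattern, flat)]


def listens_on_ipv6(listen_args):
    """True if any listen directive binds an IPv6 socket ([::]:port, [addr]:port).

    A plain `listen 80` or `listen *:80` is IPv4 only, and a block with no
    listen directive at all defaults to *:80 (assumption from nginx docs).
    """
    return any(arg.startswith("[") for arg in listen_args)


def check(conf):
    """Return (server_names, listen_args, ipv6_ok) for each server block."""
    report = []
    for body in server_blocks(conf):
        flat = flatten(body)
        names = " ".join(directive(flat, "server_name")).split()
        listens = directive(flat, "listen")
        report.append((tuple(names), tuple(listens), listens_on_ipv6(listens)))
    return report


def ipv4_only_names(conf):
    """Server names whose block never sees IPv6 traffic."""
    return [n for names, _, ok in check(conf) if not ok for n in names]


if __name__ == "__main__":
    for names, listens, ok in check(SAMPLE_CONF):
        status = "dual-stack" if ok else "IPv4 only: IPv6 hits default_server on [::]:80"
        shown = listens or ("<none: *:80 by default>",)
        print(f"{', '.join(names):28s} listen={shown} -> {status}")
```

Feed it the output of `nginx -T` rather than a single file from sites-available so the check covers the configuration nginx actually loaded; the poster's remark in #11 that edits "aren't picked up" is the kind of gap this catches. A block reported as IPv4 only is fixed by adding `listen 80;` and `listen [::]:80;` (or removing the AAAA record, as sahsanu suggested).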


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.