Certbot not working (anymore) on centos7 with nginx

Hello, I have this problem with certbot. I have set up the same machine many times and every time the certbot setup worked flawlessly. In fact I’m following my own setup documentation that I have used many times. However, this time certbot surprises me with an odd error message or no error message at all…

Please fill out the fields below so we can help you better.

My domain is: pool.swtrse.eu

I ran this command: certbot certonly --webroot --rsa-key-size 4096 -w /usr/share/nginx/html/ -d pool.swtrse.eu

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pool.swtrse.eu
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. pool.swtrse.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pool.swtrse.eu/.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: "<html lang=\"en\" xml"

IMPORTANT NOTES:

My web server is (include version): nginx/1.12.1

The operating system my web server runs on is (include version): CentOS 7 (3.10.0-514.26.2.el7.x86_64 GNU/Linux)

My hosting provider, if applicable, is: nextlayer

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @swtrse,

If you make a file /usr/share/nginx/html/test.txt, can you see it at http://pool.swtrse.eu/test.txt?

If you make a file /usr/share/nginx/html/.well-known/acme-challenge/test2.txt, can you see it at http://pool.swtrse.eu/.well-known/acme-challenge/test2.txt?

Has anything changed in your web server configuration that would have changed the answers to these questions?


Nothing has changed. I created the files and as you can see they are displayed correctly.

Just to be sure this is the CAA entries I am using if for any chance this is the reason.

I don’t think CAA would be related because there’s a quite specific error about a mismatch.

You could try running with --debug-challenges, which will pause after it thinks the challenge is ready to be satisfied. Then you can see if you can access the challenge file in a browser, whether it’s been created in apparently the right place, and if you can see any other reason why the CA would not be able to reach the challenge file in the expected location.

I wonder if order matters…
Try this:
certbot certonly --rsa-key-size 4096 --webroot -w /usr/share/nginx/html/ -d pool.swtrse.eu

I stopped after challenges loaded.
http://pool.swtrse.eu/.well-known/acme-challenge/B-NBqlEwclI_gTbI3k5vHOqBNIVIQ_rWBi6EWVPyo80
seems to work fine

The order doesn’t matter in that sense.

It seemed to work OK for me—what happens when you continue?

same error

Press Enter to Continue
Cleaning up challenges
Unable to clean up challenge directory /usr/share/nginx/html/.well-known/acme-challenge
Failed authorization procedure. pool.swtrse.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://pool.swtrse.eu/.well-known/acme-challenge/FA21PQgjMyrKvcT6oMmK5K3S2Fe45Nnm1l-eljX8LZg: "<html lang=\"en\" xml"

IMPORTANT NOTES:

Do not mind the other link. I started it twice.

Could you post the log from /var/log/letsencrypt?

Did you start it twice at the same time, or one after another? Did you also check that the FA21… file was accessible?

Please show:
ls -l /usr/share/nginx/html/.well-known/
ls -l /usr/share/nginx/html/.well-known/acme-challenge/

I did one after another. The FA21 was accessible too.
I would upload the log but I cannot since I am a new user.

[root@pool swtrse]# ls -l /usr/share/nginx/html/.well-known/
total 0
drwxr-xr-x. 2 root root 23 27. Aug 22:55 acme-challenge

[root@pool swtrse]# ls -l /usr/share/nginx/html/.well-known/acme-challenge/
total 4
-rw-r--r--. 1 root root 6 27. Aug 22:32 test2.txt
[root@pool swtrse]#

Please redo:
ls -l /usr/share/nginx/html/.well-known/acme-challenge/
While the challenge response is expected to be there.

[root@pool swtrse]# ls -l /usr/share/nginx/html/.well-known/acme-challenge/
total 8
-rw-r--r--. 1 root root 87 27. Aug 23:08 R25URICHwnH2X728IcFQd8MBFiixms3W8jHnA8AlMgU
-rw-r--r--. 1 root root 6 27. Aug 22:32 test2.txt
[root@pool swtrse]#

That seems correct and responds with:

Sorry about the new user thing; maybe you could upload it to pastebin.com or a similar service and then post the link here?

Let’s try
https://mega.nz/#!8RxXAJyI!XLxVWVOPS-5AZiJugcH6spwdvsX9-cLgFNH-7drLU-o

Thanks.

So, Certbot set up the challenge properly. But that <!DOCTYPE html PUBLIC response that the CA got from your system is not the 404 error from your nginx, which simply begins <html><head><title>404 Not Found</title></head>, so it must be something else!

Can you look in your nginx logs and see if you can see the CA attempting to download the file from you? (For the ones where you posted the link, you might also see me attempting to download it with a browser, or yourself attempting to download it with a browser, so hopefully you won’t get confused between these.) It looks like there’s either some nginx configuration or some firewall or other device that is returning a totally different error message in response to the CA’s attempts to download the challenge file, since it’s not just the nginx 404 page.