Certbot not working (anymore) on centos7 with nginx

swtrse · August 27, 2017, 9:25pm

This are the last entries

17.133.3.12 - - [27/Aug/2017:23:14:37 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
198.27.189.127 - - [27/Aug/2017:23:17:18 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU: HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0" "-"
17.142.142.173 - - [27/Aug/2017:23:20:30 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
17.142.142.173 - - [27/Aug/2017:23:20:30 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
155.94.89.82 - - [27/Aug/2017:23:21:10 +0200] "GET / HTTP/1.0" 200 612 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)" "-"
173.12.123.89 - - [27/Aug/2017:23:22:45 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU HTTP/1.1" 404 169 "-" "Wget/1.17.1 (linux-gnu)" "-"
173.12.123.89 - - [27/Aug/2017:23:22:53 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU: HTTP/1.1" 404 169 "-" "Wget/1.17.1 (linux-gnu)" "-"
64.78.149.164 - - [27/Aug/2017:23:24:08 +0200] "GET /.well-known/acme-challenge/qH2nLSTSM3c9gkUSCcrgdoPVtEXa0sRedv31rcVCe4U HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
17.133.7.60 - - [27/Aug/2017:23:24:12 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
17.133.7.60 - - [27/Aug/2017:23:24:12 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"

schoen · August 27, 2017, 9:27pm

That showed the Let’s Encrypt server succeeding in downloading the validation beginning in qH2nL… do you have a corresponding log showing it claiming to fail?

swtrse · August 27, 2017, 9:31pm

Yes with the same message.

https://mega.nz/#!BZRRFRAB!7dZZBckmWSPr3zeMY3mefhcM1tavKhu6qZLjw_YSxPs

rg305 · August 27, 2017, 9:37pm

I’d like to check if your system is handling files without extensions incorrectly:
please place a “test3” file without an extension in the challenge folder.

swtrse · August 27, 2017, 9:42pm

Done. Looks fine. File got downloaded to my tablet

rg305 · August 27, 2017, 9:44pm

wget http://pool.swtrse.eu/.well-known/acme-challenge/test3
–2017-08-27 17:44:12-- http://pool.swtrse.eu/.well-known/acme-challenge/test3
Resolving pool.swtrse.eu (pool.swtrse.eu)… 195.39.201.12
Connecting to pool.swtrse.eu (pool.swtrse.eu)|195.39.201.12|:80… connected.
HTTP request sent, awaiting response… 403 Forbidden
2017-08-27 17:44:12 ERROR 403: Forbidden.

curl http://pool.swtrse.eu/.well-known/acme-challenge/test3
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>
<html lang=“en” xml:lang=“en” xmlns=“http://www.w3.org/1999/xhtml”>
<head>
<title>Request Denied</title>
<style type=“text/css”>body {font-family: Arial, Helvetica, Verdana, Sans-Serif;font-size: small;font-weight: normal;color: #000000;}div {margin-left: auto;margin-right: auto;text-align: center;}.box {width: 600px;background-color: #F2F2F2;border-left: solid 1px #C2C2C2;border-right: solid 1px #C2C2C2;vertical-align: middle;padding: 20px 10px 20px 10px;}p {text-align: left;}.red {font-weight: bold;color: Red;text-align: center;}.band {height: 20px;color: White;background: #333333;width: 600px;border-left: solid 1px #333333;border-right: solid 1px #333333;padding: 3px 10px 0px 10px;}div#wrap {margin-top: 50px;}</style>
</head>
<body>
<div id=“wrap”>
<div class=“band”></div>
<div class=“box”>
<p class=“red”>Request denied by WatchGuard Firewall.</p>
<p><b> Reason: </b> Application “File sharing services and tools/Web File Transfer” not allowed </p>
<p>Please contact your administrator for assistance.</p>
</div>
<div class=“band”>WatchGuard Technologies Inc.</div>
</div>
</body>
</html>

swtrse · August 27, 2017, 9:47pm

Hm it works with the browser…ok let’s dig into the application firewall…grml

swtrse · August 27, 2017, 9:50pm

Could you please try curl again. I have no external machine to catch that message.

swtrse · August 27, 2017, 9:53pm

Ok, thanks, it’s working now.
Seems like the reason was a new rule in the Application Firewall after an update.
After allowing that specific Application “File sharing services and tools/Web File Transfer” in the firewall policy everthing is working now.

Sorry for the inconvenience and thanks for the help.

system · September 26, 2017, 9:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Stuck on trying to issue a certificate. Error: The client lacks sufficient authorization Help	3	846	August 15, 2018
Certbot + Nginx + Centos 6: Failed Authorisation procedure with invalid response Server	2	1742	September 5, 2016
Error after running the "certbot certonly" on centos 7 - help would be appreciated - thank you Server	2	1150	March 14, 2018
Nginx certbot unauthorized Server	11	6183	May 1, 2018
Certbot, nginx centos 7 renew error Help	3	1179	May 5, 2021

Certbot not working (anymore) on centos7 with nginx

Related topics