Certbot not working (anymore) on centos7 with nginx

This are the last entries

17.133.3.12 - - [27/Aug/2017:23:14:37 +0200] “GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1” 404 169 “-” “AppleNewsBot” "-"
198.27.189.127 - - [27/Aug/2017:23:17:18 +0200] “GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU: HTTP/1.1” 404 169 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0” "-"
17.142.142.173 - - [27/Aug/2017:23:20:30 +0200] “GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1” 404 169 “-” “AppleNewsBot” "-"
17.142.142.173 - - [27/Aug/2017:23:20:30 +0200] “GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1” 404 169 “-” “AppleNewsBot” "-"
155.94.89.82 - - [27/Aug/2017:23:21:10 +0200] “GET / HTTP/1.0” 200 612 “-” “sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)” "-"
173.12.123.89 - - [27/Aug/2017:23:22:45 +0200] “GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU HTTP/1.1” 404 169 “-” “Wget/1.17.1 (linux-gnu)” "-"
173.12.123.89 - - [27/Aug/2017:23:22:53 +0200] “GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU: HTTP/1.1” 404 169 “-” “Wget/1.17.1 (linux-gnu)” "-"
64.78.149.164 - - [27/Aug/2017:23:24:08 +0200] “GET /.well-known/acme-challenge/qH2nLSTSM3c9gkUSCcrgdoPVtEXa0sRedv31rcVCe4U HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” "-"
17.133.7.60 - - [27/Aug/2017:23:24:12 +0200] “GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1” 404 169 “-” “AppleNewsBot” "-"
17.133.7.60 - - [27/Aug/2017:23:24:12 +0200] “GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1” 404 169 “-” “AppleNewsBot” “-”

That showed the Let’s Encrypt server succeeding in downloading the validation beginning in qH2nL… do you have a corresponding log showing it claiming to fail?

Yes with the same message.

https://mega.nz/#!BZRRFRAB!7dZZBckmWSPr3zeMY3mefhcM1tavKhu6qZLjw_YSxPs

I’d like to check if your system is handling files without extensions incorrectly:
please place a “test3” file without an extension in the challenge folder.

Done. Looks fine. File got downloaded to my tablet

wget http://pool.swtrse.eu/.well-known/acme-challenge/test3
–2017-08-27 17:44:12-- http://pool.swtrse.eu/.well-known/acme-challenge/test3
Resolving pool.swtrse.eu (pool.swtrse.eu)… 195.39.201.12
Connecting to pool.swtrse.eu (pool.swtrse.eu)|195.39.201.12|:80… connected.
HTTP request sent, awaiting response… 403 Forbidden
2017-08-27 17:44:12 ERROR 403: Forbidden.

curl http://pool.swtrse.eu/.well-known/acme-challenge/test3
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>
<html lang=“en” xml:lang=“en” xmlns=“http://www.w3.org/1999/xhtml”>
<head>
<title>Request Denied</title>
<style type=“text/css”>body {font-family: Arial, Helvetica, Verdana, Sans-Serif;font-size: small;font-weight: normal;color: #000000;}div {margin-left: auto;margin-right: auto;text-align: center;}.box {width: 600px;background-color: #F2F2F2;border-left: solid 1px #C2C2C2;border-right: solid 1px #C2C2C2;vertical-align: middle;padding: 20px 10px 20px 10px;}p {text-align: left;}.red {font-weight: bold;color: Red;text-align: center;}.band {height: 20px;color: White;background: #333333;width: 600px;border-left: solid 1px #333333;border-right: solid 1px #333333;padding: 3px 10px 0px 10px;}div#wrap {margin-top: 50px;}</style>
</head>
<body>
<div id=“wrap”>
<div class=“band”></div>
<div class=“box”>
<p class=“red”>Request denied by WatchGuard Firewall.</p>
<p><b> Reason: </b> Application “File sharing services and tools/Web File Transfer” not allowed </p>
<p>Please contact your administrator for assistance.</p>
</div>
<div class=“band”>WatchGuard Technologies Inc.</div>
</div>
</body>
</html>

1 Like

Hm it works with the browser…ok let’s dig into the application firewall…grml

Could you please try curl again. I have no external machine to catch that message.

Ok, thanks, it’s working now.
Seems like the reason was a new rule in the Application Firewall after an update.
After allowing that specific Application “File sharing services and tools/Web File Transfer” in the firewall policy everthing is working now.

Sorry for the inconvenience and thanks for the help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.