Certbot not working (anymore) on centos7 with nginx

These are the last entries

17.133.3.12 - - [27/Aug/2017:23:14:37 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
198.27.189.127 - - [27/Aug/2017:23:17:18 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU: HTTP/1.1" 404 169 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0" "-"
17.142.142.173 - - [27/Aug/2017:23:20:30 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
17.142.142.173 - - [27/Aug/2017:23:20:30 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
155.94.89.82 - - [27/Aug/2017:23:21:10 +0200] "GET / HTTP/1.0" 200 612 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)" "-"
173.12.123.89 - - [27/Aug/2017:23:22:45 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU HTTP/1.1" 404 169 "-" "Wget/1.17.1 (linux-gnu)" "-"
173.12.123.89 - - [27/Aug/2017:23:22:53 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU: HTTP/1.1" 404 169 "-" "Wget/1.17.1 (linux-gnu)" "-"
64.78.149.164 - - [27/Aug/2017:23:24:08 +0200] "GET /.well-known/acme-challenge/qH2nLSTSM3c9gkUSCcrgdoPVtEXa0sRedv31rcVCe4U HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
17.133.7.60 - - [27/Aug/2017:23:24:12 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
17.133.7.60 - - [27/Aug/2017:23:24:12 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"

That showed the Let’s Encrypt server succeeding in downloading the validation beginning in qH2nL… do you have a corresponding log showing it claiming to fail?
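To make the reading of the access log above repeatable, here is a small log checker added to this thread (it is not code from either participant). It parses nginx "combined"-style lines like the ones posted, keeps only requests under /.well-known/acme-challenge/, and separates three cases: a malformed token (for example the trailing ":" that the AppleNewsBot and Wget requests carry), a fetch by the Let's Encrypt validation server (identified only by its User-Agent string, which is an assumption), and anything else. The sample log lines are constructed to match the thread's format; the IP addresses are documentation ranges, not the ones in the post.

```python
import re
from collections import Counter

# nginx "combined" format plus a trailing X-Forwarded-For field, as in the thread:
# ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent" "xff"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"
# Assumption: the validator identifies itself with this phrase in its User-Agent,
# as it does in the log excerpt above. Other clients can fake it, so this is a
# diagnostic aid, not an authentication check.
LE_UA_MARKER = "Let's Encrypt validation server"
# http-01 tokens are base64url; a trailing ':' or any other character is a
# mangled copy of the URL, not a real validation attempt.
TOKEN_RE = re.compile(r'[A-Za-z0-9_-]+')

# Constructed sample lines in the same format as the thread's log excerpt.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Aug/2017:23:20:30 +0200] "GET /.well-known/acme-challenge/9MC2sCrLtCuJwnkAlN5F3UwdhyEHiQVPY2DRMpHK9rg: HTTP/1.1" 404 169 "-" "AppleNewsBot" "-"
198.51.100.7 - - [27/Aug/2017:23:21:10 +0200] "GET / HTTP/1.0" 200 612 "-" "sysscan/1.0" "-"
203.0.113.22 - - [27/Aug/2017:23:22:45 +0200] "GET /.well-known/acme-challenge/sYSZcrUqG6Z6Y_Btd46OCf7rFCqNNXytEQg0h3EzwQU HTTP/1.1" 404 169 "-" "Wget/1.17.1 (linux-gnu)" "-"
192.0.2.44 - - [27/Aug/2017:23:24:08 +0200] "GET /.well-known/acme-challenge/qH2nLSTSM3c9gkUSCcrgdoPVtEXa0sRedv31rcVCe4U HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
192.0.2.45 - - [27/Aug/2017:23:24:09 +0200] "GET /.well-known/acme-challenge/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 404 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Classify a parsed request; None means it is not an ACME challenge fetch."""
    path = entry["path"]
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return "malformed_token"      # e.g. the trailing ':' seen in the thread
    if LE_UA_MARKER in entry["ua"]:
        return "validator"
    return "other"


def summarize(log_text):
    """Count ACME requests by category and collect every validator fetch."""
    counts = Counter()
    validator_hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            counts["unparsed"] += 1
            continue
        kind = classify(entry)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "validator":
            token = entry["path"][len(ACME_PREFIX):]
            validator_hits.append((entry["ip"], token, int(entry["status"])))
    return counts, validator_hits


def validator_failures(log_text):
    """Validator fetches that did not get a 200: these are the ones certbot will report."""
    _, hits = summarize(log_text)
    return [hit for hit in hits if hit[2] != 200]


if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    print(dict(counts))
    for ip, token, status in hits:
        print(f"validator {ip} token={token[:8]}... status={status}")
```

Run it against the real log with `python3 acme_log_check.py < /var/log/nginx/access.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a non-empty result from `validator_failures` is the line to look at, while the malformed-token 404s from other bots are noise and can be ignored.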

Yes with the same message.

https://mega.nz/#!BZRRFRAB!7dZZBckmWSPr3zeMY3mefhcM1tavKhu6qZLjw_YSxPs

I’d like to check if your system is handling files without extensions incorrectly:
please place a “test3” file without an extension in the challenge folder.

Done. Looks fine. File got downloaded to my tablet.

wget http://pool.swtrse.eu/.well-known/acme-challenge/test3
--2017-08-27 17:44:12-- http://pool.swtrse.eu/.well-known/acme-challenge/test3
Resolving pool.swtrse.eu (pool.swtrse.eu)… 195.39.201.12
Connecting to pool.swtrse.eu (pool.swtrse.eu)|195.39.201.12|:80… connected.
HTTP request sent, awaiting response… 403 Forbidden
2017-08-27 17:44:12 ERROR 403: Forbidden.

curl http://pool.swtrse.eu/.well-known/acme-challenge/test3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Request Denied</title>
<style type="text/css">body {font-family: Arial, Helvetica, Verdana, Sans-Serif;font-size: small;font-weight: normal;color: #000000;}div {margin-left: auto;margin-right: auto;text-align: center;}.box {width: 600px;background-color: #F2F2F2;border-left: solid 1px #C2C2C2;border-right: solid 1px #C2C2C2;vertical-align: middle;padding: 20px 10px 20px 10px;}p {text-align: left;}.red {font-weight: bold;color: Red;text-align: center;}.band {height: 20px;color: White;background: #333333;width: 600px;border-left: solid 1px #333333;border-right: solid 1px #333333;padding: 3px 10px 0px 10px;}div#wrap {margin-top: 50px;}</style>
</head>
<body>
<div id="wrap">
<div class="band"></div>
<div class="box">
<p class="red">Request denied by WatchGuard Firewall.</p>
<p><b> Reason: </b> Application "File sharing services and tools/Web File Transfer" not allowed </p>
<p>Please contact your administrator for assistance.</p>
</div>
<div class="band">WatchGuard Technologies Inc.</div>
</div>
</body>
</html>

Hm, it works with the browser… ok, let’s dig into the application firewall… grml

Could you please try curl again? I have no external machine to catch that message.

Ok, thanks, it’s working now.
Seems like the reason was a new rule in the Application Firewall after an update.
After allowing that specific Application “File sharing services and tools/Web File Transfer” in the firewall policy, everything is working now.

Sorry for the inconvenience and thanks for the help.
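The root cause in this thread was that the challenge path was fine for a browser but an application-layer firewall rule blocked curl and wget, which is invisible from the server's own logs and from a browser test. The following probe is an added example (not code from the thread) that fetches a challenge URL from an outside host with several User-Agent strings, including one that mimics the validator's UA as it appears in the log excerpt, and tells them apart by status code and by the WatchGuard denial text shown above. The UA strings and the URL passed on the command line are assumptions; a single probe host with a mimicked UA only tests UA-based rules, since real validation comes from Let's Encrypt's own addresses.

```python
import sys
import urllib.error
import urllib.request

# Assumed User-Agent strings to compare. "validator-like" copies the UA string
# seen in the thread's access log; curl and wget are the clients the firewall
# blocked; the browser UA is the one that worked.
USER_AGENTS = {
    "validator-like": "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)",
    "curl": "curl/7.29.0",
    "wget": "Wget/1.17.1 (linux-gnu)",
    "browser": "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0",
}
# The text the WatchGuard block page carried in the thread.
FIREWALL_MARKER = "Request denied by WatchGuard Firewall"


def classify_response(status, body):
    """Name the outcome of one fetch of the challenge path."""
    if FIREWALL_MARKER in body:
        return "blocked_by_app_firewall"   # 403 plus the appliance's HTML page
    if status == 200:
        return "ok"
    if status == 404:
        return "not_found"                 # nginx answered, file not served
    return f"http_{status}"


def fetch(url, user_agent, timeout=10):
    """GET the URL with the given UA; return (status, first 4 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry a body; the block page lives there.
        return err.code, err.read(4096).decode("utf-8", "replace")


def probe(url):
    """Fetch the URL once per UA and map each UA name to (status, verdict)."""
    results = {}
    for name, ua in USER_AGENTS.items():
        status, body = fetch(url, ua)
        results[name] = (status, classify_response(status, body))
    return results


def disagreements(results):
    """UA names whose verdict differs from the browser's: a UA-based rule."""
    baseline = results["browser"][1]
    return sorted(name for name, (_, verdict) in results.items() if verdict != baseline)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: acme_probe.py http://host/.well-known/acme-challenge/test3")
    outcome = probe(sys.argv[1])
    for name, (status, verdict) in outcome.items():
        print(f"{name:15s} {status} {verdict}")
    odd = disagreements(outcome)
    print("UA-dependent filtering:", ", ".join(odd) if odd else "none")
```

Run it from a machine outside the firewall against a dummy file such as the `test3` used in this thread; if `curl` and `wget` come back as `blocked_by_app_firewall` while `browser` is `ok`, the problem is a policy on the appliance, not nginx.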