Certbot renewal failure - Invalid response from - unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nexus.envio.systems

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nexus.envio.systems.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nexus.envio.systems
Waiting for verification...
Challenge failed for domain nexus.envio.systems
http-01 challenge for nexus.envio.systems
Cleaning up challenges
Attempting to renew cert (nexus.envio.systems) from /etc/letsencrypt/renewal/nexus.envio.systems.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nexus.envio.systems/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nexus.envio.systems/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nexus.envio.systems
   Type:   unauthorized
   Detail: Invalid response from
   http://nexus.envio.systems/.well-known/acme-challenge/J8GOw-Axb6vnAu--wQjhUtUnAMHCC-jDgAvlVd0bcYE
   [18.134.17.125]: "\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n
   <title>404 - Nexus Repository Manager</title>\n  <meta
   http-equiv=\"Content-Type\" conte"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx version: nginx/1.19.6

The operating system my web server runs on is (include version):

The Nexus app and nginx are both running in separate Docker containers on the same Docker network.

Certbot is installed on the same server that runs Docker. Server OS: Ubuntu 20.04.

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Additional information
nginx.conf that Docker runs:

worker_processes 2;

events {
	worker_connections 1024;
}

http {
	error_log /var/log/nginx/error.log warn;
	access_log  /dev/null;
	proxy_intercept_errors off;
	proxy_send_timeout 120;
	proxy_read_timeout 300;

	upstream nexus {
		server nexus:8081;
	}

	server {
		listen 80;
		server_name nexus.envio.systems;

		keepalive_timeout  5 5;
		proxy_buffering    off;

		# allow large uploads
		client_max_body_size 1G;

		# every request, including /.well-known/acme-challenge/, is proxied to Nexus
		location / {
			# redirect to docker registry
			#if ($http_user_agent ~ docker ) {
			#	proxy_pass http://registry;
			#}
			proxy_pass http://nexus;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		}
	}
}

Certbot-managed nginx configuration on the server:

cat /etc/nginx/sites-enabled/default
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
	server_name nexus.envio.systems; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}

	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/nexus.envio.systems/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/nexus.envio.systems/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
	if ($host = nexus.envio.systems) {
		return 301 https://$host$request_uri;
	} # managed by Certbot

	listen 80 ;
	listen [::]:80 ;
	server_name nexus.envio.systems;
	return 404; # managed by Certbot
}

Docker containers

docker ps -a
CONTAINER ID   IMAGE             COMMAND                  CREATED             STATUS             PORTS                                      NAMES
4bb3f1f2648c   nginx             "/docker-entrypoint.…"   About an hour ago   Up About an hour   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   nginx
385b86be70a5   sonatype/nexus3   "sh -c ${SONATYPE_DI…"   4 hours ago         Up 4 hours         0.0.0.0:8081->8081/tcp                     nexus

Curl test

curl -u "admin:#######" http://localhost:80
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Nexus Repository Manager</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <meta name="description" content="Nexus Repository Manager"/>
  <meta http-equiv="X-UA-Compatible" content="IE=edge"/>


  <!--[if lt IE 9]>
    <script>(new Image).src="http://localhost/static/rapture/resources/favicon.ico?_v=3.29.2-02&_e=OSS"</script>
  <![endif]-->
  <link rel="icon" type="image/png" href="http://localhost/static/rapture/resources/favicon-32x32.png?_v=3.29.2-02&_e=OSS" sizes="32x32">
  <link rel="mask-icon" href="http://localhost/static/rapture/resources/safari-pinned-tab.svg?_v=3.29.2-02&_e=OSS" color="#5bbad5">
  <link rel="icon" type="image/png" href="http://localhost/static/rapture/resources/favicon-16x16.png?_v=3.29.2-02&_e=OSS" sizes="16x16">
  <link rel="shortcut icon" href="http://localhost/static/rapture/resources/favicon.ico?_v=3.29.2-02&_e=OSS">
  <meta name="msapplication-TileImage" content="http://localhost/static/rapture/resources/mstile-144x144.png?_v=3.29.2-02&_e=OSS">
  <meta name="msapplication-TileColor" content="#00a300">

  

      <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/loading-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/baseapp-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/nexus-rapture-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/nexus-proximanova-plugin-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/nexus-coreui-plugin-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/nexus-proui-plugin-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/rapture/resources/nexus-onboarding-plugin-prod.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/nexus-rapture-bundle.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/nexus-coreui-bundle.css?_v=3.29.2-02&_e=OSS">
    <link rel="stylesheet" type="text/css" href="http://localhost/static/nexus-proui-bundle.css?_v=3.29.2-02&_e=OSS">

    <script type="text/javascript">
    function progressMessage(msg) {
      if (console && console.log) {
        console.log(msg);
      }
      document.getElementById('loading-msg').innerHTML=msg;
    }
  </script>
</head>
<body class="x-border-box">

<div id="loading-mask"></div>
<div id="loading">
  <div id="loading-background">
    <img id="loading-logo" src="http://localhost/static/rapture/resources/images/nxrm-logo-white.svg?_v=3.29.2-02&_e=OSS" alt="Product Logo" width='116' height='116' />
    <img id="loading-product" src="http://localhost/static/rapture/resources/images/loading-product.png?_v=3.29.2-02&_e=OSS" alt="Nexus Repository Manager"/>
    <div class="loading-indicator">
      <img id="loading-spinner" src="http://localhost/static/rapture/resources/images/loading-spinner.gif?_v=3.29.2-02&_e=OSS" alt="Loading Spinner"/>
      <span id="loading-msg">Loading ...</span>
    </div>
  </div>

    <div id="code-load" class="x-hide-display">

        <script type="text/javascript">progressMessage('Loading baseapp-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/baseapp-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading extdirect-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/extdirect-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading bootstrap.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/bootstrap.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading d3.v4.min.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/d3.v4.min.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-rapture-bundle.js');</script>
      <script type="text/javascript" src="http://localhost/static/nexus-rapture-bundle.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-coreui-bundle.js');</script>
      <script type="text/javascript" src="http://localhost/static/nexus-coreui-bundle.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-proui-bundle.js');</script>
      <script type="text/javascript" src="http://localhost/static/nexus-proui-bundle.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-rapture-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-rapture-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-blobstore-s3-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-blobstore-s3-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-rutauth-plugin-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-rutauth-plugin-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-coreui-plugin-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-coreui-plugin-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-proui-plugin-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-proui-plugin-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-repository-maven-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-repository-maven-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-onboarding-plugin-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-onboarding-plugin-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-repository-npm-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-repository-npm-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-repository-pypi-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-repository-pypi-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-repository-nuget-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-repository-nuget-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-repository-rubygems-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-repository-rubygems-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading nexus-repository-docker-prod.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/nexus-repository-docker-prod.js?_v=3.29.2-02&_e=OSS"></script>
    <script type="text/javascript">progressMessage('Loading app.js');</script>
      <script type="text/javascript" src="http://localhost/static/rapture/app.js?_v=3.29.2-02&_e=OSS"></script>

        <script type="text/javascript">progressMessage('Initializing ...');</script>
  </div>
</div>

<form id="history-form" class="x-hide-display" tabindex="-1">
  <input type="hidden" id="x-history-field"/>
  <iframe id="x-history-frame" title="Browse history form"></iframe>
</form>

</body>
</html>
curl -u "admin:#######" http://localhost:443
curl: (56) Recv failure: Connection reset by peer

curl -u "admin:#######" https://localhost:443
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443

curl -u "admin:#######" https://localhost:80
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
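Before running `certbot renew` again it helps to do the CA's side of the check yourself. The script below is an added example, not part of the original post and not certbot's code: it drops a fresh token under `<webroot>/.well-known/acme-challenge/`, fetches it over HTTP and distinguishes "served from the webroot" from "answered by a web app" (the HTML 404 quoted in the error above). The two local `http.server` instances are stand-ins for nginx so it runs offline; against the real host you would call `check_challenge("http://nexus.envio.systems", webroot)` with the directory that the nginx actually answering port 80 serves, which is an assumption about the deployment, not something the post states.

```python
"""Pre-flight check for an HTTP-01 challenge path.

Added example, not part of the original post. It does what the CA does during
validation: fetch http://<host>/.well-known/acme-challenge/<token> and compare
the body with the file placed in the webroot. A fresh random token is used each
time so a stale file cannot satisfy the check. The throw-away http.server
instances only stand in for nginx so the script runs offline.
"""
import os
import secrets
import tempfile
import threading
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler
from urllib.error import HTTPError
from urllib.request import urlopen

ACME_PATH = "/.well-known/acme-challenge/"

# Constructed stand-in for the body certbot quoted in the error: an HTML 404
# from Nexus, i.e. the request was proxied to the application instead of
# being served from the challenge directory.
NEXUS_404 = b'\n<!DOCTYPE html>\n<html lang="en">\n<head>\n  <title>404 - Nexus Repository Manager</title>\n'


def place_token(webroot):
    """Write a fresh token file where certbot --webroot would put it."""
    token = secrets.token_urlsafe(32)
    key_auth = token + "." + secrets.token_urlsafe(32)  # same shape as a key authorization
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as f:
        f.write(key_auth)
    return token, key_auth


def check_challenge(base_url, webroot):
    """Return (ok, reason); ok is True only when the served body equals the token file."""
    token, expected = place_token(webroot)
    try:
        with urlopen(base_url.rstrip("/") + ACME_PATH + token, timeout=5) as resp:
            body = resp.read()
    except HTTPError as err:          # 4xx/5xx: inspect the body to say who answered
        body = err.read()
        if b"<html" in body.lower():
            return False, f"HTTP {err.code} with an HTML body: a web app answered, not the ACME webroot"
        return False, f"HTTP {err.code}"
    except OSError as err:            # refused, reset, timeout
        return False, f"connection failed: {err}"
    if body.decode(errors="replace").strip() == expected:
        return True, "token served correctly"
    return False, "body does not match the token file: another vhost or backend answered"


class Webroot(SimpleHTTPRequestHandler):
    """Serves a directory the way nginx 'root' would; request logging silenced."""
    def log_message(self, *args):
        pass


class WrongBackend(BaseHTTPRequestHandler):
    """Answers every path with the Nexus-style HTML 404 (constructed)."""
    def do_GET(self):
        self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(NEXUS_404)

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind a local server on a free port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def run_demo():
    """Check a correct webroot and a misrouted one; returns both (ok, reason) pairs."""
    with tempfile.TemporaryDirectory() as webroot:
        srv, url = start_server(partial(Webroot, directory=webroot))
        good = check_challenge(url, webroot)
        srv.shutdown(); srv.server_close()
        srv, url = start_server(WrongBackend)
        bad = check_challenge(url, webroot)
        srv.shutdown(); srv.server_close()
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("challenge dir served", "proxied to Nexus"), run_demo()):
        print(f"{label}: {result}")
```

The second scenario reproduces the symptom in the post: the token is on disk, but the server that answers port 80 hands the path to Nexus, so the CA sees Nexus's 404 page rather than the key authorization.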

So /etc/nginx/sites-enabled/default and nginx.conf both have an HTTP vhost for nexus.envio.systems? A simple redirect in default and one containing a set of proxy directives in nginx.conf.

You should only have a single vhost.

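The point in the reply, two server blocks claiming nexus.envio.systems on port 80, can be checked mechanically. The script below is an added example, not from the thread and not part of nginx or certbot: it parses trimmed copies of the two configs shown in the post (embedded as constructed sample input so it runs offline) and lists every (port, server_name) pair defined more than once. On a live box you would read the files from disk instead; `nginx -T` prints the merged config the host nginx loads, and the container's config has to be read separately (for example with `docker exec`).

```python
"""Report nginx server blocks that claim the same name on the same port.

Added example, not from the original thread. The two configs below are
trimmed copies of the ones the post shows (container nginx.conf and host
sites-enabled/default), embedded as constructed sample input. The tokenizer
is minimal: directives, blocks and comments are all it needs to understand.
"""
import re
from collections import defaultdict

CONTAINER_NGINX_CONF = """
http {
    upstream nexus { server nexus:8081; }
    server {
        listen 80;
        server_name nexus.envio.systems;
        location / { proxy_pass http://nexus; }
    }
}
"""

HOST_SITES_ENABLED_DEFAULT = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/www/html;
}
server {
    server_name nexus.envio.systems; # managed by Certbot
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
}
server {
    if ($host = nexus.envio.systems) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name nexus.envio.systems;
    return 404; # managed by Certbot
}
"""

_TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Yield nginx tokens with comments removed."""
    for m in _TOKEN.finditer(text):
        if not m.group(0).startswith("#"):
            yield m.group(0)


def server_blocks(text):
    """One {'listen': [addr, ...], 'server_name': [name, ...]} per server {} block."""
    blocks, stack, cur = [], [], []
    for tok in tokenize(text):
        if tok == "{":                       # block opens; cur holds its name and args
            stack.append(cur[0] if cur else "")
            if stack[-1] == "server":
                blocks.append({"listen": [], "server_name": []})
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":                     # directive ends; only record at server level
            if len(cur) > 1 and stack and stack[-1] == "server":
                if cur[0] == "listen":
                    blocks[-1]["listen"].append(cur[1])      # first arg is the address
                elif cur[0] == "server_name":
                    blocks[-1]["server_name"].extend(cur[1:])
            cur = []
        else:
            cur.append(tok)
    return blocks


def listen_port(addr):
    """'80' -> 80, '[::]:443' -> 443, '0.0.0.0:8081' -> 8081; unix sockets have no port."""
    if addr.startswith("unix:"):
        return None
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else 80   # nginx defaults to port 80


def vhosts(sources):
    """sources: {label: config text}. Returns {(port, name): [label, ...]}."""
    seen = defaultdict(list)
    for label, text in sources.items():
        for blk in server_blocks(text):
            ports = {listen_port(a) for a in blk["listen"]} - {None}
            for name in blk["server_name"] or ["_"]:
                for port in sorted(ports):
                    seen[(port, name)].append(label)
    return seen


def conflicts(sources):
    """(port, name) pairs that more than one server block claims."""
    return sorted(k for k, labels in vhosts(sources).items() if len(labels) > 1)


if __name__ == "__main__":
    sources = {"nginx.conf (container)": CONTAINER_NGINX_CONF,
               "sites-enabled/default (host)": HOST_SITES_ENABLED_DEFAULT}
    table = vhosts(sources)
    for port, name in conflicts(sources):
        print(f"port {port} / {name} is defined in: {', '.join(table[(port, name)])}")
```

For the post's configs the report is port 80 / nexus.envio.systems, defined once in the container and once on the host. The body certbot quoted is Nexus's 404 page, so the challenge request reached the container's nginx, while certbot's nginx plugin edits the host's /etc/nginx, which never saw it. Whichever vhost is left in charge of port 80 for that name has to serve /.well-known/acme-challenge/ from a directory certbot can write to (for instance a `location ^~ /.well-known/acme-challenge/` whose root is a directory bind-mounted into the container), after which the certificate can be re-issued with `certbot certonly --webroot -w <that directory> -d nexus.envio.systems` so later renewals use the webroot authenticator instead of the nginx plugin.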
