Certbot run error with unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.inorithailand.com
I ran this command:
certbot --nginx --hsts --redirect -n -m chunhong@storehub.com --agree-tos -d www.inorithailand.com
It produced this output:
022-01-12 22:03:22,226:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/67520390950 HTTP/1.1" 200 1267
2022-01-12 22:03:22,227:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Jan 2022 14:03:22 GMT
Content-Type: application/json
Content-Length: 1267
Connection: keep-alive
Boulder-Requester: 37675879
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101C4rvqgMhuH5agx7HYaONN6OC7fzGOIe1GGY1y592jdY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "www.inorithailand.com"
},
"status": "invalid",
"expires": "2022-01-19T14:03:14Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://www.inorithailand.com/.well-known/acme-challenge/MLpJ60SbV1kORzkNwvirotPwRbamzZfpA1dtGmzm_x8 [18.136.18.246]: "\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\n\u003chead\u003e\n\t\u003cmeta http-equiv=\"content-type\" content=\"text/html;charset=UTF-8\" /\u003e\n\t\u003cmeta charset=\"utf-8\" /\u003e\n\t"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/67520390950/yvaBaA",
"token": "MLpJ60SbV1kORzkNwvirotPwRbamzZfpA1dtGmzm_x8",
"validationRecord": [
{
"url": "http://www.inorithailand.com/.well-known/acme-challenge/MLpJ60SbV1kORzkNwvirotPwRbamzZfpA1dtGmzm_x8",
"hostname": "www.inorithailand.com",
"port": "80",
"addressesResolved": [
"18.136.18.246"
],
"addressUsed": "18.136.18.246"
}
],
"validated": "2022-01-12T14:03:20Z"
}
]
}
My web server is (include version):
nginx/1.10.3
The operating system my web server runs on is (include version):
Ubuntu 16.04.5 LTS
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.39.0

1 Like

Hi @storehubdeploy and welcome to the LE community forum :slight_smile:

It seems like the certbot --nginx plugin is unable to properly place the challenge file.
Let's have a look at that complete config, with:
nginx -T

2 Likes

Sorry the config is too large. we set more than 700 customs domain in the nginx server, this is my specific domain config

server {  
        listen 80;
        listen [::]:80;
        resolver 8.8.8.8;

        # Add index.php to the list if you are using PHP
        # index index.html index.htm index.nginx-debian.html;

        server_name www.inorithailand.com;

        location / {
                proxy_set_header Host inori.storehub.me;
                proxy_set_header X-Forwarded-Proto "https";
                proxy_set_header X-Forwarded-Host $host;
                proxy_pass http://ecommerce-pro$request_uri;
        }
}
1 Like

When nginx conf have a large number of server blocks you may need to add this to your certbot command:

  --nginx-sleep-seconds NGINX_SLEEP_SECONDS
                        Number of seconds to wait for nginx configuration
                        changes to apply when reloading. (default: 1)

Maybe try 10 seconds as the default is just 1

4 Likes

i try with the command i got this info

ginx: [warn] conflicting server name "www.inorithailand.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.inorithailand.com" on [::]:80, ignored
Waiting for verification...
Challenge failed for domain www.inorithailand.com
http-01 challenge for www.inorithailand.com
Cleaning up challenges
nginx: [warn] conflicting server name "www.inorithailand.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.inorithailand.com" on [::]:80, ignored
Some challenges have failed.

IMPORTANT NOTES:

1 Like

This says you have two server blocks for the same name. That is wrong and might cause certbot to update the wrong one. You need to remove the duplicate and confirm fixed using:

nginx -t

If that is ok then try certbot with the sleep seconds again.

2 Likes

i'm sure the config is ok! this is the dns record i find


is affected by domain without www?

1 Like

I think you might do well by adding handling for the challenge request within the HTTP vhost config file.

Like:

        location /.well-known/acme-challenge/ {
            try_files $uri 404;
            root /unique-ACMEchallenge-folder/; # this folder needs to be created
        }#location
1 Like

still get error

IMPORTANT NOTES:

1 Like

@rg305 you probably intended to use your recommendation in combination with the webroot plugin, right?

2 Likes

Using --webroot would increase the chance of success, but it shouldn't be required.
It just looks like the HTTP vhost has nowhere to handle the challenge requests.

1 Like

But the --nginx configuration adds its own challenge handeling nginx configuration piece, right? Doesn't that "bite" with your suggested part?

1 Like

Possibly:

[that could use some attention]

We've yet to see the entire nginx config...
And this is usually difficult to deal with:

1 Like

Your suggested location section should fix that. But I would use it with the webroot authenticator and not with the nginx authenticator, just to be sure.

1 Like

I would like to see it fail (if it does) before using --webroot, so that they might look further into the other 700 vhosts for the overlap/problem.

1 Like

the all conifg

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
    }

http {
        # Basic Settings
        server_names_hash_bucket_size 512;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;

        types_hash_max_size 2048;
        server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # SSL Settings

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        # Logging Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        gzip on;
        gzip_disable "msie6";

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    upstream ecommerce-uat{
        server 192.168.0.206:28910;
        server 192.168.0.17:28910;
    }

    upstream ecommerce-pro{
        server 192.168.0.86:28910;
        server 192.168.0.17:28910;
    }
        # Virtual Host Configs
        server {
        server_name storehub.me;
        server_name ~^(.*)\.storehub.me;
        resolver 8.8.8.8;
        
        if ($host = "gossipbarnkitchen.storehub.me"){
            return 404;
        }
        if ($host = "suriaaminudinenterprise.storehub.me"){
            return 404;
        }
        if ($host = "pearltitaniumenterprise.storehub.me"){
            return 404;
        }
        location /
        {
            include proxy_params;
            proxy_pass http://ecommerce-pro$request_uri;
        }

        listen [::]:443 ssl ipv6only=on;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/storehub.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/storehub.me/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        proxy_buffer_size  128k;
        proxy_buffers   32 32k;
        proxy_busy_buffers_size 128k;
    }

    server {

        listen 80;

        server_name ~^(?<name>.+)\.storehub\.me$;
        return 301 https://$name.storehub.me$request_uri;
    }
    server {  
        listen 80;
        listen [::]:80;
        resolver 8.8.8.8;

        # Add index.php to the list if you are using PHP
        # index index.html index.htm index.nginx-debian.html;

        server_name www.inorithailand.com;

        location / {
                proxy_set_header Host inori.storehub.me;
                proxy_set_header X-Forwarded-Proto "https";
                proxy_set_header X-Forwarded-Host $host;
                proxy_pass http://ecommerce-pro$request_uri;
        }
    }

}
1 Like

I have not studied the regex server_name syntax but could this problem be related to this? Sorry don't have much time tonite but at least found this much.

3 Likes

If you created the directory with the HTTP vhost for www.inorithailand.com, you can now test it with:

echo "test-file-full-path"  > /unique-ACMEchallenge-folder/.well-known/acme-challenge/Test_File-1234
echo "test-file-short-path" > /unique-ACMEchallenge-folder/Test_File-1234

then browse to:
http://www.inorithailand.com/.well-known/acme-challenge/Test_file-1234
[hopefully something will be returned (other than a 404 error)]

1 Like

i set as you advise but reponse still is 404

1 Like

I'm sure not that syntax problem,because i add other domains is ok!this domain www.inorithailand.com i added successfully before with the same config,but not used for a while i deleted it, then i re-added the domain i got the error.

2 Likes