Certbot - Troubleshooting HTTP-01 Challenge Related Issues

Hi Guys,

Using Nginx on Ubuntu 16.04

A long time ago I set up everything and it worked perfectly :slight_smile: Now I received an email that my certificate will expire, so I checked what's not good with my certbot.

When I want to renew: “/opt/certbot/certbot-auto renew”

it says:

"All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain/fullchain.pem (failure)
IMPORTANT NOTES:

So I added a file in “.well-known/acme-challenge”. If I want to access it by browser, it says error 403 Forbidden.

html root directory permissions: 755

These are my nginx settings:

server {
    listen 80;
    server_name Domain IP;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl http2;
    server_name Domain IP;

    include snippets/ssl-domain.conf;
    include snippets/ssl-params.conf;

    root /var/www/html;
    index index.html index.php;

    # PHP handler (the dot is escaped so only real .php URIs match)
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # Let's Encrypt Webroot plugin location - allow access
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        autoindex on;
    }
}
Probably LE can't authenticate due to some permissions issue, but I don't know any further ):

Has anyone any advice on this?

Thank you guys :slight_smile:

Hi @kaplannn

It would have been good for you to share the domain.

Usually with HTTP challenges we ask you to put a test.html and a test file (no extension) into the .well-known/acme-challenge/ folder.

You then browse to these with a browser. If you are not able to get either, check your rules. I know you have a directive in your web server, but it's also good to check HTACCESS files as well (in case there is something blocking it there).

Andrei

Try turning this off:
"rewrite ^ https://$server_name$request_uri? permanent;"
renew
then turn it back on

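An alternative to switching the rewrite off and on around each renewal is a port-80 server block that serves the ACME path itself and redirects everything else. This is an added example, not any poster's configuration; it assumes the webroot /var/www/html from the first post and that the host also listens on IPv6.

```nginx
# Added example (not from the thread): port-80 server that answers HTTP-01
# requests directly and sends every other request to HTTPS.
server {
    listen 80;
    listen [::]:80;                  # assumption: the host is reachable over IPv6 as well
    server_name streammachine.ch;

    # HTTP-01 tokens are fetched over plain HTTP, so this path must be served
    # here, before any redirect, from the same webroot certbot writes into.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        try_files $uri =404;         # serve the token file only; no autoindex, no directory listing
    }

    # Everything else keeps the permanent redirect to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place the 443 server no longer needs its own acme-challenge location, and `nginx -t` followed by a reload is enough before the next `certbot-auto renew`.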

Hi Andrei,

Thanks for your reply :slight_smile:

I put a test file in the location but I am not able to access it. What do you mean with rules?
The htaccess file seems to be good.

P.S: my domain is streammachine.ch

Greetings

Hi,

I tried it but ended up with the same error:

"Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for streammachine.ch
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/streammachine.ch.conf produced an unexpected error: Failed authorization procedure. streammachine.ch (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://streammachine.ch/.well-known/acme-challenge/5TFm0uJ0CC11MV1x_R9ci0x4ezXfrascz28g4Vy9d84: "

404 Not Found

Not Found

<p". Skipping. "

Put a simple test text file in that folder, like: /var/www/html/.well-known/acme-challenge/test.txt
Then check the web logs for (failed) access.


I did that. I am able to access the file via browser. There are no errors in the access log.

Hi @kaplannn,

I'm a little confused because you said at one point

and then at another point

Is this referring to the same test file, or to two different files?


Hi,

This is another test file. I fucked up with the first one ):

So yeah, I am able to access the file.

OK, what does certbot think the webroot is? Is it correct?

You can find it in the appropriate renewal configuration file in /etc/letsencrypt/renewal.


It's like this: webroot_path = /var/www/html,

So that's correct.

Can you post your log from /var/log/letsencrypt showing what it was trying to do when the renewal failed?


Domain: streammachine.ch
Type: unauthorized
Detail: Invalid response from http://streammachine.ch/.well-known/acme-challenge/EAvSMG0QxRrneDytxIfY1CetktSoIjROwQ3PJ5IsKgo: "

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-06-05 18:16:02,805:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-05 18:16:02,805:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/EAvSMG0QxRrneDytxIfY1CetktSoIjROwQ3PJ5IsKgo
2017-06-05 18:16:02,806:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
2017-06-05 18:16:02,806:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/var/www/html/.well-known/acme-challenge’
2017-06-05 18:16:02,807:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/streammachine.ch.conf produced an unexpected error: Failed authorization procedure. streammachine.ch (http-01): urn:acme:error:unau$

404 Not Found

Not Found

<p". Skipping. 2017-06-05 18:16:02,983:DEBUG:certbot.renewal:Traceback was: Traceback (most recent call last): File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 418, in handle_renewal_request main.renew_cert(lineage_config, plugins, renewal_candidate) File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 640, in renew_cert _get_and_save_cert(le_client, config, lineage=lineage) File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert

Can you recreate http://streammachine.ch/.well-known/acme-challenge/test.txt by creating a single file at /var/www/html/.well-known/acme-challenge/test.txt?


Yep, I did it. I can access it.

Well, it's gone:
wget http://streammachine.ch/.well-known/acme-challenge/test.txt
--2017-06-06 02:36:46-- http://streammachine.ch/.well-known/acme-challenge/test.txt
Resolving streammachine.ch (streammachine.ch)… 5.9.143.45, 2a00:d70:0:a::166
Connecting to streammachine.ch (streammachine.ch)|5.9.143.45|:80… connected.
HTTP request sent, awaiting response… 404 Not Found
2017-06-06 02:36:47 ERROR 404: Not Found.


This is strange. It is accessible via browser.

Not accessible from the Internet…
Resolve that and you're on your way.

That is, at least not accessible from an IPv4 address.
The resolve shows IPv4 & IPv6:
“Resolving streammachine.ch (streammachine.ch)… 5.9.143.45, 2a00:d70:0:a::166”

Care to share the http portion of the conf file?


OK. But it's resolving correctly. Which conf file do you mean?

My nginx settings are shown in my first post.