Certificate installed but --dry-run isn't working


#1

Hello,

I seem to have successfully installed the certificates but the --dry-run isn’t working. I run Ghost/Node.js on Ubuntu 16.04 using Nginx.

When I ran certbot renew --dry-run I got the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/notrueindian.com.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for notrueindian.com
http-01 challenge for viz.notrueindian.com
http-01 challenge for www.notrueindian.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/notrueindian.com.conf produced an unexpected error: Failed authorization procedure. notrueindian.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://notrueindian.com/.well-known/acme-challenge/zJtzSjMBPCFpmxzOarWv9xliofjJChhaUKAJGX8PG5M: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/notrueindian.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: notrueindian.com
   Type:   unauthorized
   Detail: Invalid response from
   http://notrueindian.com/.well-known/acme-challenge/zJtzSjMBPCFpmxzOarWv9xliofjJChhaUKAJGX8PG5M:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

This is my ghost/top level domain config https://pastebin.com/9MFJi41c
This is my subdomain config https://pastebin.com/mnLtS7iV

I’m very new to this so sorry if I missed something. Thanks for any help.


#2

Hi @theophilus.mog,

What’s the webroot directory defined in /etc/letsencrypt/renewal/notrueindian.com.conf?


#3

Hello @schoen,

It should be /var/www/ghost

I installed certificates using certbot certonly --webroot -w /var/www/ghost -d notrueindian.com -d www.notrueindian.com -w /var/www/viz.notrueindian.com -d viz.notrueindian.com


#4

If you create a text file called test.txt in /var/www/ghost/.well-known/acme-challenge, can you then see its contents on the web at http://notrueindian.com/.well-known/acme-challenge/test.txt?


#5

Just tried it and no, I can’t.

There also doesn’t seem to be a folder called acme-challenge in .well-known. I just put the file in .well-known and tried https://notrueindian.com/.well-known/test.txt and that’s hitting a 404.


#6

That means that /var/www/ghost isn’t the right webroot for http://notrueindian.com/, or else something in your web server config is treating /.well-known/acme-challenge specially.

You could try putting test.txt in /var/www/ghost itself and seeing if you can see it at the very top of the web site.


#7

Tried putting it in /var/www/ghost itself but couldn’t find it at notrueindian.com/test.txt.

I’m pretty sure it’s the right webroot. That’s where Ghost is installed, and I was following this guide: https://www.robertnealan.com/setting-up-ssl-for-ghost-on-digitalocean-with-lets-encrypt/

Thanks for the help. Any idea on what I can do to find out what’s wrong with my web server config?


#8

Hi, looking at your nginx config, you have the following lines near the end of your notrueindian.com virtual host:

location ~ ^/.well-known {
  root /var/www;
}

As I understand it, this means that any request for a path beginning with /.well-known will be served from the webroot /var/www, rather than proxied to Ghost, which is the default for that virtual host.

Can you try setting the webroot directory for certbot to /var/www instead of /var/www/ghost?


#9

If /.well-known itself is being served from /var/www, there is no webroot directory that will work for Certbot with that virtual host (!) because Certbot assumes that it can (and must) explicitly use a subdirectory called .well-known within the webroot in order to cause files to be served under /.well-known on the web site. If you try to “help” Certbot by doing part of this mapping for it, Certbot’s path-mapping logic will never succeed.


#10

(unless you also then undid this mapping on the filesystem side by making a directory /foo and a symlink /foo/.well-known -> /var/www and then used -w /foo, so that the filesystem and nginx configuration were actively canceling each other out… not a recommended technique)


#11

My understanding is that nginx appends the full request path to the webroot directory, rather than the path relative to the specified location (which in this case is a regex anyway) - so I think this should still work…


#12

Oh, I think I misinterpreted what the nginx configuration directive was doing. That makes sense, then; sorry for the false alarm.
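The path-mapping argument in #8 through #12 can be checked without touching a live server. The following is an added example, not code from the thread or from certbot: it models nginx's root directive (full request URI appended to the directory) next to alias (location prefix replaced), and compares each with the file certbot --webroot writes. The token and the alias location are constructed for illustration.

```python
from functools import partial

# Added example, not from the thread or from certbot: models where certbot writes a
# challenge token and which file nginx would serve for the challenge URI, so the
# two can be compared before running a real --dry-run.

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def certbot_challenge_file(webroot: str, token: str) -> str:
    """certbot -w <webroot> writes the token to <webroot>/.well-known/acme-challenge/<token>."""
    return webroot.rstrip("/") + CHALLENGE_PREFIX + token


def nginx_root_file(root: str, uri: str) -> str:
    """nginx 'root': the full request URI is appended to the directory (the point made in #11)."""
    return root.rstrip("/") + uri


def nginx_alias_file(alias: str, location: str, uri: str) -> str:
    """nginx 'alias' with a prefix location: the matched prefix is replaced by the alias directory."""
    if not uri.startswith(location):
        raise ValueError(f"{uri} does not match location {location}")
    return alias.rstrip("/") + "/" + uri[len(location):].lstrip("/")


def webroot_works(webroot: str, served_file, token: str) -> bool:
    """True when the file certbot writes is exactly the file nginx would serve for the challenge URI."""
    uri = CHALLENGE_PREFIX + token
    return certbot_challenge_file(webroot, token) == served_file(uri)


# Constructed token, not one issued by Let's Encrypt.
TOKEN = "EXAMPLE_TOKEN"

# The thread's config:  location ~ ^/.well-known { root /var/www; }
root_www = partial(nginx_root_file, "/var/www")
# A constructed alternative:  location /.well-known/ { alias /var/www/; }
alias_www = partial(nginx_alias_file, "/var/www", "/.well-known/")

if __name__ == "__main__":
    # root + -w /var/www: certbot and nginx agree on /var/www/.well-known/acme-challenge/<token>
    print("root  + -w /var/www       :", webroot_works("/var/www", root_www, TOKEN))
    # root + -w /var/www/ghost: certbot writes under /var/www/ghost, nginx looks under /var/www -> 404
    print("root  + -w /var/www/ghost :", webroot_works("/var/www/ghost", root_www, TOKEN))
    # alias: nginx would serve /var/www/acme-challenge/<token>, which certbot never writes
    print("alias + -w /var/www       :", webroot_works("/var/www", alias_www, TOKEN))
```

The second case reproduces the 404 in #1, and the third is the "helping" configuration #9 warns about, where no -w value can satisfy certbot.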


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.