Certificate Renewal Failed: Invalid Response

Hi, my certificate expired a few days ago and I am trying to renew it, but I'm getting a mistake. As an important note, the certificate was not made by me and I know almost nothing about how they are renewed. Thanks in advance

My domain is: viciremote.telsurcallcenter.com

I ran this command: certbot renew

It produced this output:

/usr/lib/python2.7/site-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography import x509
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/viciremote.telsurcallcenter.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for viciremote.telsurcallcenter.com
Using the webroot path /srv/www/htdocs for all unmatched domains.
Waiting for verification...
Challenge failed for domain viciremote.telsurcallcenter.com
http-01 challenge for viciremote.telsurcallcenter.com
Cleaning up challenges
Attempting to renew cert (viciremote.telsurcallcenter.com) from /etc/letsencrypt/renewal/viciremote.telsurcallcenter.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/viciremote.telsurcallcenter.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/viciremote.telsurcallcenter.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: viciremote.telsurcallcenter.com
   Type:   unauthorized
   Detail: Invalid response from
   http://viciremote.telsurcallcenter.com/.well-known/acme-challenge/y7tR6xay7cFnuCbD3U9I5voWRT0KGOF6e_2Xfi1XH7o
   [201.174.234.44]: "<?xml version=\"1.0\"
   encoding=\"UTF-8\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"\n  \"http://www.w3.org/TR/xhtml1/D"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): nginx/1.14.0

The operating system my web server runs on is (include version): openSUSE Leap 15.1

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.0.0


My file /etc/letsencrypt/renewal/viciremote.telsurcallcenter.com.conf

# renew_before_expiry = 30 days
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/viciremote.telsurcallcenter.com
cert = /etc/letsencrypt/live/viciremote.telsurcallcenter.com/cert.pem
privkey = /etc/letsencrypt/live/viciremote.telsurcallcenter.com/privkey.pem
chain = /etc/letsencrypt/live/viciremote.telsurcallcenter.com/chain.pem
fullchain = /etc/letsencrypt/live/viciremote.telsurcallcenter.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 07c6d17378962141770c861fc749fb1d
webroot_path = /srv/www/htdocs,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
rsa_key_size = 4096
pref_challs = http-01,
[[webroot_map]]
viciremote.telsurcallcenter.com = /srv/www/htdocs

My file cli.ini

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.
#
# Note that these options apply automatically to all use of Certbot for
# obtaining or renewing certificates, so options specific to a single
# certificate on a system with several certificates should not be placed
# here.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# The staging/testing server
#server = https://acme-staging-v02.api.letsencrypt.org/directory
# The production server.
# server = https://acme-v01.api.letsencrypt.org/directory

# Uncomment and update to register with the specified e-mail address
email = ingenieria@c4-technologies.com

# Uncomment and update to generate certificates for the specified
# domains.
domains = viciremote.telsurcallcenter.com

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment
# agree-eula = True
agree-tos = True
# renew-by-default = True

# Uncomment to use the standalone authenticator on port 443
# If you want to use port 443, you must use standalone-supported-challenges
# If you want to use port 80, you must use preferred-challenges = http-01
authenticator = webroot
# standalone-supported-challenges = tls-sni-01
# preferred-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
#webroot-path = /usr/share/nginx/html
webroot-path = /srv/www/htdocs
2 Likes

You have a long and successful history with Let's Encrypt certificates.

The most recent cert was created on Aug25 and expired Nov23.

Hopefully it is something simple. Is your nginx root folder for this server still /srv/www/htdocs ?

3 Likes

Yes, the person who had them before had it programmed to renew itself but deleted in cron

About "Is your nginx root folder for this server still /srv/www/htdocs?": I'm not sure how I can validate that it is so

2 Likes

The renew command you ran in your first post failed. So, it would not matter if it was in a cron or not it would still fail. There could be several reasons for this.

Your nginx configuration is usually found in /etc/nginx/nginx.conf. Look for a server section for this domain name and look at any root definition. Sometimes these conf files include other files which must also be checked.

We might be able to see if the root is the problem by showing the results of this command:

sudo nginx -T | grep -Ei 'server|root'

Please format the info using the format menu as PreformattedText (Ctrl-E).

4 Likes

You can also format the output like this:

```
output
```

which will result in:

output

@MikeMcQ

As a neat trick, if the text to be formatted is a specific type, you can specify it after the initial backticks like so (for PHP in this case):

```php
<?php
echo "Woohoo!"
?>
```

result:

<?php
echo "Woohoo!"
?>

It's pretty that way. :upside_down_face:

4 Likes

Hi, This was the result

sudo nginx -T | grep -Ei 'server|root'
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

server {
        server_name  localhost;
            root   /srv/www/htdocs/;
        # redirect server error pages to the static page /50x.html
            root   /srv/www/htdocs/;
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #    root           /srv/www/htdocs/;
        # deny access to .htaccess files, if Apache's document root
    #server {
    #    server_name  somename  alias  another.alias;
    #        root   /srv/www/htdocs/;
    # HTTPS server
    #server {
    #    server_name  localhost;
    #    ssl_prefer_server_ciphers  on;
    #        root   /srv/www/htdocs/;
        server web1.telsurcallcenter.com;
        server web2.telsurcallcenter.com;
        server web3.telsurcallcenter.com;
        server web1.telsurcallcenter.com:443;
        server web2.telsurcallcenter.com:443;
        server web3.telsurcallcenter.com:443;
server {
        server_name viciremote.telsurcallcenter.com;
server {
        server_name viciremote.telsurcallcenter.com;
        root /srv/www/vhosts/dynportal/;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
server {
        server_name 192.168.100.60;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
3 Likes

thanks for that tip :grinning:

3 Likes

Great thanks. I think I see what has gone wrong but the output is messier than I had hoped. Need to see all the output for nginx -T command to be sure.

And use Griffin's tip for that - it will be long :slight_smile:

3 Likes

ok, this is the result :grinning:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

#user  nginx;
worker_processes  1;

# load_module lib64/nginx/modules/ngx_http_fancyindex_module.so;
# load_module lib64/nginx/modules/ngx_http_geoip_module.so;
# load_module lib64/nginx/modules/ngx_http_headers_more_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_image_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_perl_module.so;
# load_module lib64/nginx/modules/ngx_http_xslt_filter_module.so;
# load_module lib64/nginx/modules/ngx_mail_module.so;
# load_module lib64/nginx/modules/ngx_rtmp_module.so;
# load_module lib64/nginx/modules/ngx_stream_geoip_module.so;
# load_module lib64/nginx/modules/ngx_stream_module.so;
load_module /usr/lib64/nginx/modules/ngx_http_sticky_module.so;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /run/nginx.pid;


events {
    worker_connections  1024;
    use epoll;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    include conf.d/*.conf;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           /srv/www/htdocs/;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   /srv/www/htdocs/;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    Allow TLS version 1.2 only, which is a recommended default these days
    #    by international information security standards.
    #    ssl_protocols        TLSv1.2;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   /srv/www/htdocs/;
    #        index  index.html index.htm;
    #    }
    #}

    include vhosts.d/*.conf;

}

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/load-balancer.conf:
upstream backend {
        server web1.telsurcallcenter.com;
        server web2.telsurcallcenter.com;
        server web3.telsurcallcenter.com;
}

upstream backendssl {
        server web1.telsurcallcenter.com:443;
        server web2.telsurcallcenter.com:443;
        server web3.telsurcallcenter.com:443;
}


server {

        listen 443 ssl;
        server_name viciremote.telsurcallcenter.com;

        ssl on;
        ssl_certificate         /etc/certbot/live/viciremote.telsurcallcenter.com/cert.pem;
        ssl_certificate_key     /etc/certbot/live/viciremote.telsurcallcenter.com/privkey.pem;
        ssl_trusted_certificate /etc/certbot/live/viciremote.telsurcallcenter.com/fullchain.pem;

        location / {

                proxy_pass https://backendssl;

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

}


server {

        listen 446 ssl;
        server_name viciremote.telsurcallcenter.com;

        ssl on;
        ssl_certificate         /etc/certbot/live/viciremote.telsurcallcenter.com/cert.pem;
        ssl_certificate_key     /etc/certbot/live/viciremote.telsurcallcenter.com/privkey.pem;
        ssl_trusted_certificate /etc/certbot/live/viciremote.telsurcallcenter.com/fullchain.pem;

        root /srv/www/vhosts/dynportal/;
        index index.php index.html index.htm index.nginx-debian.html;


        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php7-fpm.sock;
                fastcgi_index index.php;
                fastcgi_intercept_errors on;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ /\.ht {
                deny all;
        }
}

server {

        listen 80;
        server_name 192.168.100.60;

        location / {
                proxy_pass http://backend;

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

        }
}


# configuration file /etc/nginx/fastcgi_params:

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

3 Likes
ssl_trusted_certificate

That directive is used to verify client certificates. I'm pretty sure it's not being used correctly here and should probably be removed.

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate

Additionally and more importantly, this:

ssl_certificate /etc/certbot/live/viciremote.telsurcallcenter.com/cert.pem;

should be this:

ssl_certificate /etc/certbot/live/viciremote.telsurcallcenter.com/fullchain.pem;

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate


@lestaff

On the upside, https://nginx.org is using Let's Encrypt certificates. :smiley: On the downside, http://nginx.org doesn't have a redirect to https://nginx.org. :frowning_face:

It seems that https://www.nginx.com is the official landing website, but links to https://nginx.org for documentation.

3 Likes

But there is no explicit HTTP vhost that handles that name.
Only two HTTP vhosts are in use:

    server {
        listen       80;
        server_name  localhost;
        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }
    }

server {
        listen 80;
        server_name 192.168.100.60;
        location / {
                proxy_pass http://backend;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }
}

I would place a test file in that folder to see if it can be reached via the Internet.
Something like:
echo "root-location" > /srv/www/htdocs/root-test.txt
http://viciremote.telsurcallcenter.com/root-test.txt

3 Likes

Hmm. Well, it was not as easy as I was hoping :slight_smile:

@griffin's ssl certificate changes are needed but they are not affecting the certbot renew.

I am also curious to see the results of the test shown by @rg305

And, just to be sure:

  1. Did you run the Certbot renew from the server running this nginx?
  2. Can you show result of curl ifconfig.co command from the nginx server?

You have a variety of machines, just double-checking. Thanks

3 Likes
  1. yes
  2. sure, this is the result
telsur-lb:~ # curl ifconfig.co
201.174.234.44
2 Likes

@Karely90 Thanks. IP looks right. Can you try Rudy's test? Do the echo and show what happens with

curl -i http://viciremote.telsurcallcenter.com/root-test.txt
3 Likes

Ok, I'm not sure if I got it right, create a file named root-test.txt that has

echo "root-location"> /srv/www/htdocs/root-test.txt
http://viciremote.telsurcallcenter.com/root-test.txt

and when running
curl -i http://viciremote.telsurcallcenter.com/root-test.txt

HTTP/1.1 404 Not Found
Server: nginx/1.14.0
Date: Wed, 08 Dec 2021 21:23:57 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: accept-language,accept-charset,Accept-Encoding
Accept-Ranges: bytes
Content-Language: en
Expires: Wed, 08 Dec 2021 21:23:57 GMT

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:admin@company.com" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Object not found!</h1>
<p>


    The requested URL was not found on this server.



    If you entered the URL manually please check your
    spelling and try again.



</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:admin@company.com">webmaster</a>.

</p>

<h2>Error 404</h2>
<address>
  <a href="/">viciremote.telsurcallcenter.com</a><br />
  <span>Apache</span>
</address>
</body>
</html>
2 Likes

@Karely90 Very interesting. You could confirm you set up the test file right by showing:

ls -l /srv/www/htdocs/root-test*

But, let's assume you did it right. The curl test could not find it which means neither would the Let's Encrypt servers. This nginx conf only has two port 80 listeners so let's try adjusting the second one and see if that changes the symptom. Add this to the server with listen 80 with the server name using a local IP address starting with "192.168...". Place this before the existing lines for location / for the proxypass.

        location /.well-known/acme-challenge/ {
          root  /srv/www/htdocs;
        }

Restart nginx and retry the same test curl. Leave that root-test file in place until we resolve this.

curl -i http://viciremote.telsurcallcenter.com/root-test.txt

Something peculiar is happening. We have to try things to unlock the mystery.

2 Likes
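
The point made in the posts above, that no port-80 server block names the domain, can be checked against the posted configuration. This is an added example, not part of any reply in the thread: a simplified Python model of nginx's documented server selection (exact `server_name`, else the `default_server` or first block for the port) and prefix-location matching. `THREAD_CONF`, `PATCHED_CONF` and all function names are constructed for illustration.

```python
import re

# Constructed sample: the server blocks from the thread's `nginx -T` output, in the
# order nginx reads them (conf.d/*.conf is included before the "localhost" block).
THREAD_CONF = """
upstream backend { server web1.telsurcallcenter.com; }
server {
    listen 443 ssl;
    server_name viciremote.telsurcallcenter.com;
    location / { proxy_pass https://backendssl; }
}
server {
    listen 80;
    server_name 192.168.100.60;
    location / { proxy_pass http://backend; }
}
server {
    listen 80;
    server_name localhost;
    location / { root /srv/www/htdocs/; }
}
"""
# Same config with the location suggested in the thread added before "location /".
PROXY_LOC = "    location / { proxy_pass http://backend; }"
ACME_LOC = "    location /.well-known/acme-challenge/ { root /srv/www/htdocs; }\n"
PATCHED_CONF = THREAD_CONF.replace(PROXY_LOC, ACME_LOC + PROXY_LOC)


def blocks(text, keyword):
    """Yield (header_tokens, body) for each `keyword header { body }`, braces balanced."""
    for m in re.finditer(r"(?<![\w$-])" + keyword + r"\b([^;{}]*)\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).split(), text[m.end():i - 1]


def directive(body, name):
    """Argument lists of every `name args;` directive found in body."""
    pattern = r"(?<![\w$-])" + name + r"\s+([^;{}]+);"
    return [args.split() for args in re.findall(pattern, body)]


def parse_servers(conf):
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    servers = []
    for _, body in blocks(conf, "server"):
        listens = directive(body, "listen") or [["80"]]
        ports = {int(p) if p.isdigit() else 80
                 for a in listens for p in [a[0].rsplit(":", 1)[-1]]}
        servers.append({
            "ports": ports,
            "default": any("default_server" in a for a in listens),
            "names": [n for a in directive(body, "server_name") for n in a],
            "locations": [(h, b) for h, b in blocks(body, "location") if h],
        })
    return servers


def pick_server(servers, host, port=80):
    """Exact server_name on that port, else the port's default server: the one
    marked default_server, or the first block read. Wildcard/regex names ignored."""
    on_port = [s for s in servers if port in s["ports"]]
    named = [s for s in on_port if host in s["names"]]
    flagged = [s for s in on_port if s["default"]]
    return (named or flagged or on_port or [None])[0]


def challenge_handler(conf, host, uri="/.well-known/acme-challenge/token"):
    """Return (server_names, directive, target) for an HTTP-01 request for host."""
    server = pick_server(parse_servers(conf), host)
    if server is None:
        return None, "no-listener", None
    best_path, best_body = "", ""
    for header, body in server["locations"]:
        path, mods = header[-1], header[:-1]
        if mods and mods[0] in ("~", "~*"):   # regex locations are not modelled
            continue
        hit = uri == path if mods == ["="] else uri.startswith(path)
        if hit and len(path) > len(best_path):
            best_path, best_body = path, body
    for name in ("proxy_pass", "root"):
        args = directive(best_body, name)
        if args:
            return server["names"], name, args[0][0]
    return server["names"], "unhandled", None  # server-level root not modelled


if __name__ == "__main__":
    for label, conf in (("as posted", THREAD_CONF), ("with location", PATCHED_CONF)):
        print(label, challenge_handler(conf, "viciremote.telsurcallcenter.com"))
```

On the configuration as posted, the challenge request for viciremote.telsurcallcenter.com lands in the `192.168.100.60` block and is proxied to `http://backend`, which is consistent with the Apache 404 page in the curl output. With the suggested location added, the same request is served from `/srv/www/htdocs`, the path certbot's webroot plugin writes to.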

the result was

telsur-lb:~ # ls -l /srv/www/htdocs/root-test*
-rw-r--r-- 1 root root 106 Dec  8 13:23 /srv/www/htdocs/root-test.txt
You have new mail in /var/mail/root

does it mean if it was ok?

on the test would it be like this?

server {
        listen       80;
        server_name  192.168.100.60;

        #charset koi8-r;
        #access_log  /var/log/nginx/host.access.log  main;

        location /.well-known/acme-challenge/ {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }
1 Like

Yes, the test file looks correct.

You should keep the below lines in that server as it was shown earlier. Just add the 3 new lines just before these lines.

No need to add the "index" page line in the location I provided.

        location / {
                proxy_pass http://backend;

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

        }

Don't forget to restart nginx after this change

2 Likes

You may have already figured this out, but here it is for future readers:

No.
The echo line creates the root-test.txt file for you.
The http line is the test to see if the file is accessible from the Internet.

2 Likes

ok, I already made the change, the file looks like this:

       listen       80;
       server_name  192.168.100.60;

       #charset koi8-r;
       #access_log  /var/log/nginx/host.access.log  main;

       location / {
           proxy_pass http://backend;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
       } 

and restart NGINX but still can't find the file
http://viciremote.telsurcallcenter.com/root-test.txt

# Object not located!

The requested URL could not be located on this server. If you have entered the URL manually, please check your spelling and try again.

If you believe this is a server error, please report it to [the portal administrator](mailto:admin@company.com) .

## Error 404

[viciremote.telsurcallcenter.com](http://viciremote.telsurcallcenter.com/)
Apache

is it normal to say apache?

1 Like