Challenge failed for domain test.frostproxy.com

My domain is pointing to the VPS 166.0.134.19. You can even ping it, but it gives me this error. IDK why this is happening at all. I generated the cert before the nginx config, but that shouldn't matter. I've never had this problem until now; did something change in the update?

These were my steps for installing nginx and certbot:

apt-get update && apt-get upgrade -y
curl -fsSL https://deb.nodesource.com/setup_19.x | sudo -E bash -
apt-get install -y nodejs unzip certbot nginx

NGINX config

server {
    listen 80;
    server_name test.frostproxy.com;
    
    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    return 301 https://$server_name$request_uri;
}

LOG from certbot.log:

HTTP 200
Server: nginx
Date: Wed, 07 Jun 2023 06:30:58 GMT
Content-Type: application/json
Content-Length: 1041
Connection: keep-alive
Boulder-Requester: 983099596
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 371CX85F4G2163Q2wERbRrbkgFP4Nth8OsDomeId3iWMTmo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "test.frostproxy.com"
  },
  "status": "invalid",
  "expires": "2023-06-14T06:30:57Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "166.0.134.19: Invalid response from http://test.frostproxy.com/.well-known/acme-challenge/MF6yWDf09JyXBi54aLDcpMLP8SEHFq9ukmcUFR6U2o0: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/234657743817/QmbVgw",
      "token": "MF6yWDf09JyXBi54aLDcpMLP8SEHFq9ukmcUFR6U2o0",
      "validationRecord": [
        {
          "url": "http://test.frostproxy.com/.well-known/acme-challenge/MF6yWDf09JyXBi54aLDcpMLP8SEHFq9ukmcUFR6U2o0",
          "hostname": "test.frostproxy.com",
          "port": "80",
          "addressesResolved": [
            "166.0.134.19"
          ],
          "addressUsed": "166.0.134.19"
        }
      ],
      "validated": "2023-06-07T06:30:57Z"
    }
  ]
}
2023-06-07 08:30:58,701:DEBUG:acme.client:Storing nonce: 371CX85F4G2163Q2wERbRrbkgFP4Nth8OsDomeId3iWMTmo
2023-06-07 08:30:58,703:WARNING:certbot.auth_handler:Challenge failed for domain test.frostproxy.com
2023-06-07 08:30:58,703:INFO:certbot.auth_handler:http-01 challenge for test.frostproxy.com
2023-06-07 08:30:58,703:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: test.frostproxy.com
Type:   unauthorized
Detail: 166.0.134.19: Invalid response from http://test.frostproxy.com/.well-known/acme-challenge/MF6yWDf09JyXBi54aLDcpMLP8SEHFq9ukmcUFR6U2o0: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2023-06-07 08:30:58,705:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-06-07 08:30:58,705:DEBUG:certbot.error_handler:Calling registered functions
2023-06-07 08:30:58,705:INFO:certbot.auth_handler:Cleaning up challenges
2023-06-07 08:30:58,706:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/MF6yWDf09JyXBi54aLDcpMLP8SEHFq9ukmcUFR6U2o0
2023-06-07 08:30:58,706:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2023-06-07 08:30:58,707:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

My domain is: test.frostproxy.com

I ran this command:

certbot certonly --noninteractive --agree-tos --keep-until-expiring -m admin@frostproxy.com -d test.frostproxy.com --webroot -w /var/www/html

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test.frostproxy.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain test.frostproxy.com
http-01 challenge for test.frostproxy.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test.frostproxy.com
   Type:   unauthorized
   Detail: 166.0.134.19: Invalid response from
   http://test.frostproxy.com/.well-known/acme-challenge/pMIW3Je-b92J9qapgwBpGWNi24wDahIXjUGjH4attCA:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): NGINX/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Try throwing a file in /var/www/html/.well-known/acme-challenge/ and see if you can access it in a browser.


I get 403 Forbidden, and even when I create the dir path and put a test page in it, it won't work, having set read/write/execute perms on /var/www/html/.well-known/.

Also tried:

Changing ownership:
sudo chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/

Changing permissions:
sudo chmod -R 644 /var/www/html/.well-known/acme-challenge/

Also tried reloading nginx; still nothing, and I still hit the 403 page.

I see the same command [twice].


I've changed the perms to 777 for the whole html folder, but I still can't gen the cert due to it not being public so I can gen SSL.
https://frostproxy.com/.well-known/acme-challenge/test.txt

I see two different FQDNs.

Let's begin at the beginning.
Show us:
nginx -T

.............................
# configuration file /etc/nginx/sites-enabled/proxy-useless.yeetdesigns.xyz:
# {"version":"v1.0","domain":"useless.yeetdesigns.xyz","target":"http://128.110.219.42:1045","ssl":true,"letsencryptDir":"/var/www/html"}
server {
    listen 80;
    server_name useless.yeetdesigns.xyz;
    
    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name useless.yeetdesigns.xyz;

    access_log /var/log/nginx/useless.yeetdesigns.xyz-access.log;
    error_log  /var/log/nginx/useless.yeetdesigns.xyz-error.log error;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;

    sendfile off;

    # SSL Configuration
    ssl_certificate           /etc/letsencrypt/live/useless.yeetdesigns.xyz/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/useless.yeetdesigns.xyz/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
      proxy_pass http://128.110.219.42:1045;
      proxy_http_version                 1.1;
      proxy_cache_bypass                 $http_upgrade;
      proxy_set_header Upgrade           $http_upgrade;
      proxy_set_header Host              $host;
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host  $host;
      proxy_set_header X-Forwarded-Port  $server_port;
  }
}

# configuration file /etc/nginx/sites-enabled/proxy-watcherbot.net:
# {"version":"v1.0","domain":"watcherbot.net","target":"http://166.0.134.19:8087","ssl":true,"letsencryptDir":"/var/www/html"}
server {
    listen 80;
    server_name watcherbot.net;
    
    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name watcherbot.net;

    access_log /var/log/nginx/watcherbot.net-access.log;
    error_log  /var/log/nginx/watcherbot.net-error.log error;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;

    sendfile off;

    # SSL Configuration
    ssl_certificate           /etc/letsencrypt/live/watcherbot.net/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/watcherbot.net/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
      proxy_pass http://166.0.134.19:8087;
      proxy_http_version                 1.1;
      proxy_cache_bypass                 $http_upgrade;
      proxy_set_header Upgrade           $http_upgrade;
      proxy_set_header Host              $host;
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host  $host;
      proxy_set_header X-Forwarded-Port  $server_port;
  }
}

# configuration file /etc/nginx/sites-enabled/proxy-yeetdesigns.xyz:
# {"version":"v1.0","domain":"yeetdesigns.xyz","target":"http://147.182.183.139:19137","ssl":true,"letsencryptDir":"/var/www/html"}
server {
    listen 80;
    server_name yeetdesigns.xyz;
    
    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yeetdesigns.xyz;

    access_log /var/log/nginx/yeetdesigns.xyz-access.log;
    error_log  /var/log/nginx/yeetdesigns.xyz-error.log error;

    # allow larger file uploads and longer script runtimes
    client_max_body_size 100m;
    client_body_timeout 120s;

    sendfile off;

    # SSL Configuration
    ssl_certificate           /etc/letsencrypt/live/yeetdesigns.xyz/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/yeetdesigns.xyz/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
      proxy_pass http://147.182.183.139:19137;
      proxy_http_version                 1.1;
      proxy_cache_bypass                 $http_upgrade;
      proxy_set_header Upgrade           $http_upgrade;
      proxy_set_header Host              $host;
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host  $host;
      proxy_set_header X-Forwarded-Port  $server_port;
  }
}

There is nothing shown there for "frostproxy".

That doesn't look like the output of:
nginx -T


It's in there; I just 777'd the whole www dir and now it's working.

Nope, not it what you posted.


The weirdest thing is that this is a fresh install of Ubuntu -> install nginx and certbot, expose ports 80 and 443 -> gen cert, which failed; change /var/www/ to 777 (read, write, exec) and it works. That's just weird. (EDIT) DO NOT RUN 777 for this; I just used it for debugging!


I'm glad you got it working.

But:

  • advising anyone to chmod the entire www with 777 is terrible advice.
  • nothing in what you have shown explains why it failed nor why it now works.

Found the correct fix for me:

sudo chown -R www-data:www-data /var/www

www-data is the default nginx user; this allows it perms to edit and manage the dir, etc. DO NOT DO 777; I was using that for testing purposes.

Even if that is the fix...
What does it fix exactly?
I don't see how anyone will find "their fix" here, as the problem is not clearly defined and thus can't be matched to any specific problem anyone is searching on.

Again, I'm very glad you got the outcome you needed.
But it is a very long shot in the dark that this topic will help anyone else.

Cheers from Miami :beers:


Thanks @rg305!

Yeah, I should have more clearly defined the issue at hand, etc. I will definitely do so next time. How do I close this thread, as I don't think marking a msg as a solution will help the problem? Is there a way to delete the thread?


Just mark one as the solution.
It won't be the first topic of that kind.


Maybe one of these might have also worked [we'll never know - LOL]:
sudo chown -R www-data:www-data /var/www/html/.well-known/acme-challenge
sudo chown -R www-data:www-data /var/www/html/.well-known
sudo chown -R www-data:www-data /var/www/html

But looking for files/folders with settings NOT www-data:www-data BEFORE making such a change could have shown why this failed.


Your server blocks for port 80 could be improved so they do not redirect to HTTPS. Your nginx server blocks need another location.

You have:

server {
    ...
    
    # ACME-challenge
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    return 301 https://$server_name$request_uri;
}

But you need a location around the redirect too, like:

server {
    ...
    # ACME-challenge (can simplify to this)
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
}
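As an added diagnostic (not taken from any post in this thread) covering the three checks suggested above: the early suggestion to drop a test file into the challenge directory, rg305's point that ownership and permissions should be inspected before being changed, and the last reply's point about the port-80 redirect. The script walks the permission chain from / down to the challenge directory and reports any component an unprivileged worker could not get through, then writes a throwaway token and fetches it the way the validator does: plain HTTP on port 80, Host header set, DNS bypassed, redirects not followed. It assumes Linux with GNU coreutils (stat -c) and curl; the hostname and web root are arguments, and the function and variable names are my own.

```shell
#!/bin/sh
# Added diagnostic for this thread (not from any of the posts above).
# 1. acme_path_check: walk every ancestor of WEBROOT/.well-known/acme-challenge
#    and flag components that an unprivileged worker could not get through.
# 2. acme_probe: drop a throwaway token in the challenge directory and fetch it
#    the way the CA does: plain HTTP, port 80, Host header set, no redirects.
# Assumes GNU coreutils (stat -c) and curl. Function and variable names are mine.

# acme_path_check WEBROOT [TOP]
# Prints one line per path component from TOP (default /) down to the
# challenge directory. Only the "other" permission bits are tested, because
# the nginx worker (www-data on Debian/Ubuntu) normally owns none of these
# directories; owner:group is printed so you can judge the exceptions.
# Returns 1 if any component is missing or blocked.
acme_path_check() {
    top="${2:-/}"
    p="$1/.well-known/acme-challenge"
    chain=""
    while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
        chain="$p $chain"
        p=$(dirname "$p")
    done
    status=0
    for p in "$top" $chain; do
        if [ ! -e "$p" ]; then
            printf 'MISSING %s\n' "$p"
            status=1
            continue
        fi
        mode=$(stat -L -c '%a' "$p")
        owner=$(stat -L -c '%U:%G' "$p")
        other=$(( mode % 10 ))                       # last octal digit: bits for "other"
        if [ -d "$p" ]; then need=1; else need=4; fi # dirs need x (search), files need r
        if [ $(( other & need )) -eq 0 ]; then
            printf 'BLOCKED %s %s %s\n' "$mode" "$owner" "$p"
            status=1
        else
            printf 'ok      %s %s %s\n' "$mode" "$owner" "$p"
        fi
    done
    return $status
}

# acme_probe HOST WEBROOT [ADDR]
# Writes a throwaway token file, then requests
# http://HOST/.well-known/acme-challenge/<token> with DNS bypassed
# (--resolve to ADDR, default 127.0.0.1) and without -L, so a server-level
# "return 301" shows up as a 301 instead of being silently followed.
# Succeeds only on HTTP 200 with the exact token as the body.
acme_probe() {
    host="$1"; webroot="$2"; addr="${3:-127.0.0.1}"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$$-$(date +%s)"
    out=$(mktemp) || return 1
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || { rm -f "$out"; return 1; }
    code=$(curl -sS -o "$out" -w '%{http_code}' \
        --resolve "$host:80:$addr" "http://$host/.well-known/acme-challenge/$token")
    body=$(cat "$out")
    rm -f "$out" "$dir/$token"
    printf 'HTTP %s for /.well-known/acme-challenge/%s\n' "$code" "$token"
    [ "$code" = "200" ] && [ "$body" = "$token" ]
}

# Usage: sh acme-check.sh test.frostproxy.com /var/www/html
if [ "$#" -ge 2 ]; then
    acme_path_check "$2"
    acme_probe "$1" "$2"
fi
```

Run it on the VPS itself as `sh acme-check.sh test.frostproxy.com /var/www/html` before touching ownership or modes. A BLOCKED line names the exact directory to fix, so a targeted chown or chmod replaces a blanket 777 or a recursive chown of /var/www. A 301 from the probe means the server-level `return 301` is answering the challenge request: nginx evaluates a `return` placed directly in `server` during the server rewrite phase, before any `location` is selected, which is what wrapping the redirect in `location /` as shown in the last reply avoids. A 403 or 404 with the token file present points back at the path chain or at a `root` that does not match the webroot passed to certbot.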
