Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

```
docker run -it --rm --name certbot \
  -v "/data/certbot/conf:/etc/letsencrypt" \
  -v "/data/certbot/www:/var/www/certbot" \
  certbot/certbot certonly
```

It produced this output:

```
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   [ip]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body>\r\n<center><h1>404 Not

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

My web server is (include version): Nginx in front of Tomcat

The operating system my web server runs on is (include version): Ubuntu 18

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot):

It seems like your certbot command is missing the document root path (or it doesn't match the one provided).
You should be able to modify your nginx config to direct the challenge requests to a specific folder.
In the port 80 vhost config for servername, try adding (something like):

```nginx
location /.well-known/acme-challenge/ {
    root /ACMEchallenge/;
    try_files $uri =404;
}
```

Where /ACMEchallenge/ is any path you specify for this one specific purpose.
[path must exist - create it if necessary - and must be accessible to certbot]


I tried this

```nginx
location /.well-known/acme-challenge/ {
    root /etc/letsencrypt;
}
```

and provided the webroot as /etc/letsencrypt, and I am getting the same error again.

Let’s see if that location is actually in effect.
Please place a test text file in that location and see if it can be reached from the Internet.
[create file - many ways to do this - here is one way]

```sh
sudo touch /etc/letsencrypt/test1234
echo 'test file 1234' > /etc/letsencrypt/test1234
```

[from somewhere on the Internet try this link]
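As an added example, not from any poster in this thread: a small shell pre-flight script that automates the test-file check above (write a throwaway token under the challenge path, fetch it over plain HTTP from outside, and require an exact match). The domain and webroot path are assumptions passed as arguments; curl is needed only for the live probe.

```sh
#!/bin/sh
# Pre-flight check for the http-01 webroot plumbing discussed in this thread.
# Constructed example: WEBROOT is the host directory nginx serves for
# /.well-known/acme-challenge/ (the thread's /ACMEchallenge/, or the host side
# of the docker bind mount, /data/certbot/www); DOMAIN is the site being tested.

# Write a throwaway token file under the exact URI prefix certbot will use and
# print its path. The directory is created if needed, as the thread advises.
place_token() {
  webroot="$1"
  token="$2"
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  printf '%s' "$token" > "$dir/$token" || return 1
  chmod 644 "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# Exact-match comparison of the fetched body with the token. Anything else
# (the 404 page, the proxied app's JSON 401) fails, just as the ACME server
# would reject it.
check_body() {
  [ "$1" = "$2" ]
}

# Fetch the token over plain HTTP on port 80, as the validation server does.
# -s hides progress, -f turns 4xx/5xx into a non-zero exit; no -L, so we see
# exactly what this server answers rather than where it might redirect.
probe() {
  domain="$1"
  token="$2"
  body=$(curl -sf --max-time 10 "http://$domain/.well-known/acme-challenge/$token") || return 1
  check_body "$token" "$body"
}

cleanup_token() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# Usage: sh precheck.sh example.com /data/certbot/www
if [ "$#" -eq 2 ]; then
  tok="precheck-$(date +%s)-$$"
  place_token "$2" "$tok" >/dev/null || { echo "cannot write under $2"; exit 1; }
  if probe "$1" "$tok"; then
    echo "OK: http://$1/.well-known/acme-challenge/ is served from $2"
  else
    echo "FAIL: token not served; check the nginx location root and the bind mount"
  fi
  cleanup_token "$2" "$tok"
fi
```

With the docker command from the first post, the directory to pass here is the host side of the bind mount (/data/certbot/www), while certbot inside the container must be given the container side (/var/www/certbot); if the two do not line up, the token (and the real challenge file) lands somewhere nginx never serves.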

The second command is redundant with the first ( > will create the file if it doesn’t exist and delete and recreate it if it does), but the sudo may be necessary in the second case too. In that case you might want something like

```sh
echo 'test file 1234' | sudo tee -a /etc/letsencrypt/test1234
```

in order to write to that file as the root user.


Perhaps `>>` would have been more appropriate (than `>`).

Yes, but the version with `>>` still won't work if you need to be root to modify that file and you aren't root.


I tried the above code and created the file there, but when I try to access it like this

it says 404 Not Found.

Did you put this part in the right place? Because surfing to also gives a 404 Not Found. I assume it would give me a 403 Forbidden error if the location/root part pointing to /etc/letsencrypt (which, by the way, isn't a very good path I'd reckon; now people could download the contents of that directory if they'd like) were working.

Hmm, this is also a very curious reply from your webserver:

```
osiris@erazer ~ $ curl -v
* Trying
* TCP_NODELAY set
* Connected to ( port 80 (#0)
> GET /.well-known/ HTTP/1.1
> Host:
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
< Server: nginx/1.17.8
< Date: Sun, 02 Feb 2020 15:39:58 GMT
< Content-Type: application/json
< Content-Length: 81
< Connection: keep-alive
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
<
* Connection #0 to host left intact
{"error":"Authentication Error.","message":"Username or Password doesn't match."}osiris@erazer ~ $
```

It outputs a JSON file? Why? I’d say we’d need your entire relevant nginx configuration, because there’s a lot more going on than just that location directive.

This is my nginx config file

```nginx
server {
    listen 80;
    listen [::]:80;

    location / {
        proxy_pass        http://docker-container-name:8088;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
    }

    location /.well-known/acme-challenge/ {
        root /etc/letsencrypt;
    }
}

events {  }
```

Hmm, according to the nginx documentation, "(…) the location with the longest matching prefix is selected and remembered." So that should be the `/.well-known/acme-challenge/` prefix.

:sob: I understand why /.well-known/ was redirected… Because that URI doesn’t match the location directive…

My bad…

I added the `^~` modifier to skip the longest matching prefix for nginx, but still the same problem.

I’m pretty sure nginx isn’t the problem here.

Unfortunately, I don't have experience with docker. However, it looks like you're running `certbot certonly` without any other options, correct?

If that is so, certbot should have asked you a few questions. However, you didn't include those in your certbot output in your first post. Could you perhaps copy/paste the whole output of certbot?

I am running this command

```
docker run -it --rm --name certbot certbot/certbot certonly
```

It then asks for standalone or webroot.
I select the webroot method > email > TOS > domain name, and after I enter the domain name it asks for the webroot, which is /etc/letsencrypt, and then I get the error.
