Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jitsi.kalatiitananda.net

I ran this command:
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

It produced this output:
… …
… …
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jitsi.kalatiitananda.net
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification…
Challenge failed for domain jitsi.kalatiitananda.net
http-01 challenge for jitsi.kalatiitananda.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: jitsi.kalatiitananda.net
  Type: unauthorized
  Detail: Invalid response from
  http://jitsi.kalatiitananda.net/.well-known/acme-challenge/3Ix0fJWHOLgvY6W6KokNliVVHeAF1uTI8OHySc1VCJs
  [198.251.81.225]: "\n<html
  style=“height:100%”>\n 404 Not
  Found\r\n\n<body style=“color: #444;
  margin:0;font:”

  To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: asurahosting.com
I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 88.0.7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

If you have cPanel, use that to get certs.
[using cerbot with cPanel is not recommended]

The Let’s Encrypt cert is installed for the domain using cPanel, but I still get the same “Challenge failed for domain …” message.

Ok let’s try to find where the problem is…

Please show:
grep -R server_name /etc/nginx

root@jitsi:/home/dada# grep -R server_name /etc/nginx
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/nginx.conf: # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf: # server_name_in_redirect off;
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;
/etc/nginx/sites-enabled/default: server_name _;
/etc/nginx/sites-enabled/default:# server_name example.com;
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf:server_names_hash_bucket_size 64;
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
/etc/nginx/sites-available/default: server_name _;
/etc/nginx/sites-available/default:# server_name example.com;
/etc/nginx/sites-available/jitsi.kalatiitananda.net.conf:server_names_hash_bucket_size 64;
/etc/nginx/sites-available/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
/etc/nginx/sites-available/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
root@jitsi:/home/dada#

OK, let’s have a look at this file:
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf

root@jitsi:/home/dada# /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf
bash: /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf: Permission denied
root@jitsi:/home/dada#

cat /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf

root@jitsi:/home/dada# cat /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf
server_names_hash_bucket_size 64;

server {
listen 80;
listen [::]:80;
server_name jitsi.kalatiitananda.net;

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root         /usr/share/jitsi-meet;
}
location = /.well-known/acme-challenge/ {
   return 404;
}
location / {
   return 301 https://$host$request_uri;
}

}
server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name jitsi.kalatiitananda.net;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

add_header Strict-Transport-Security "max-age=31536000";

ssl_certificate /etc/jitsi/meet/jitsi.kalatiitananda.net.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi.kalatiitananda.net.key;

root /usr/share/jitsi-meet;

# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;

index index.html index.htm;
error_page 404 /static/404.html;

gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;

location = /config.js {
    alias /etc/jitsi/meet/jitsi.kalatiitananda.net-config.js;
}

location = /external_api.js {
    alias /usr/share/jitsi-meet/libs/external_api.min.js;
}

#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
    add_header 'Access-Control-Allow-Origin' '*';
    alias /usr/share/jitsi-meet/$1/$2;
}

# BOSH
location = /http-bind {
    proxy_pass      http://localhost:5280/http-bind;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# xmpp websockets
location = /xmpp-websocket {
    proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    tcp_nodelay on;
}

location ~ ^/([^/?&:'"]+)$ {
    try_files $uri @root_path;
}

location @root_path {
    rewrite ^/(.*)$ / break;
}

location ~ ^/([^/?&:'"]+)/config.js$
{
   set $subdomain "$1.";
   set $subdir "$1/";

   alias /etc/jitsi/meet/jitsi.kalatiitananda.net-config.js;
}

#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
    set $subdomain "$1.";
    set $subdir "$1/";
    rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}

# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
    set $subdomain "$1.";
    set $subdir "$1/";
    set $prefix "$1";

    rewrite ^/(.*)$ /http-bind;
}

# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
    set $subdomain "$1.";
    set $subdir "$1/";
    set $prefix "$1";

    rewrite ^/(.*)$ /xmpp-websocket;
}

}
root@jitsi:/home/dada#

The problem seems to be within these two location sections:

I don't know why there are two.
I think it should only be one.
I don't know what content is within /usr/share/jitsi-meet, so I can't be certain that is the best place place to use.
We should try using a specific unique path dedicated to handle just acme challenge requests.
I would create a folder like:
mkdir /usr/share/ACME-challenges
And use that folder instead and combine the two locations into one as follows:

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root         /usr/share/ACME-challenges;
   try_files    $uri =405;
}

I’m sorry, it got so complicated I got lost. Anyway, I uninstalled Jitsi Server already and I’ll try to reinstall it again later this week. Thank you very much for your help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.