Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jitsi.kalatiitananda.net

I ran this command:
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

It produced this output:
… …
… …
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jitsi.kalatiitananda.net
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification…
Challenge failed for domain jitsi.kalatiitananda.net
http-01 challenge for jitsi.kalatiitananda.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: asurahosting.com
I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 88.0.7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

1 Like

If you have cPanel, use that to get certs.
[using cerbot with cPanel is not recommended]

1 Like

The Let’s Encrypt cert is installed for the domain using cPanel, but I still get the same “Challenge failed for domain …” message.

Ok let’s try to find where the problem is…

Please show:
grep -R server_name /etc/nginx

root@jitsi:/home/dada# grep -R server_name /etc/nginx
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/nginx.conf: # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf: # server_name_in_redirect off;
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;
/etc/nginx/sites-enabled/default: server_name _;
/etc/nginx/sites-enabled/default:# server_name example.com;
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf:server_names_hash_bucket_size 64;
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
/etc/nginx/sites-available/default: server_name _;
/etc/nginx/sites-available/default:# server_name example.com;
/etc/nginx/sites-available/jitsi.kalatiitananda.net.conf:server_names_hash_bucket_size 64;
/etc/nginx/sites-available/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
/etc/nginx/sites-available/jitsi.kalatiitananda.net.conf: server_name jitsi.kalatiitananda.net;
root@jitsi:/home/dada#

OK, let’s have a look at this file:
/etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf

root@jitsi:/home/dada# /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf
bash: /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf: Permission denied
root@jitsi:/home/dada#

cat /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf

root@jitsi:/home/dada# cat /etc/nginx/sites-enabled/jitsi.kalatiitananda.net.conf
server_names_hash_bucket_size 64;

server {
listen 80;
listen [::]:80;
server_name jitsi.kalatiitananda.net;

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root         /usr/share/jitsi-meet;
}
location = /.well-known/acme-challenge/ {
   return 404;
}
location / {
   return 301 https://$host$request_uri;
}

}
server {
listen 4444 ssl http2;
listen [::]:4444 ssl http2;
server_name jitsi.kalatiitananda.net;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

add_header Strict-Transport-Security "max-age=31536000";

ssl_certificate /etc/jitsi/meet/jitsi.kalatiitananda.net.crt;
ssl_certificate_key /etc/jitsi/meet/jitsi.kalatiitananda.net.key;

root /usr/share/jitsi-meet;

# ssi on with javascript for multidomain variables in config.js
ssi on;
ssi_types application/x-javascript application/javascript;

index index.html index.htm;
error_page 404 /static/404.html;

gzip on;
gzip_types text/plain text/css application/javascript application/json;
gzip_vary on;

location = /config.js {
    alias /etc/jitsi/meet/jitsi.kalatiitananda.net-config.js;
}

location = /external_api.js {
    alias /usr/share/jitsi-meet/libs/external_api.min.js;
}

#ensure all static content can always be found first
location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
{
    add_header 'Access-Control-Allow-Origin' '*';
    alias /usr/share/jitsi-meet/$1/$2;
}

# BOSH
location = /http-bind {
    proxy_pass      http://localhost:5280/http-bind;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# xmpp websockets
location = /xmpp-websocket {
    proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    tcp_nodelay on;
}

location ~ ^/([^/?&:'"]+)$ {
    try_files $uri @root_path;
}

location @root_path {
    rewrite ^/(.*)$ / break;
}

location ~ ^/([^/?&:'"]+)/config.js$
{
   set $subdomain "$1.";
   set $subdir "$1/";

   alias /etc/jitsi/meet/jitsi.kalatiitananda.net-config.js;
}

#Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
location ~ ^/([^/?&:'"]+)/(.*)$ {
    set $subdomain "$1.";
    set $subdir "$1/";
    rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
}

# BOSH for subdomains
location ~ ^/([^/?&:'"]+)/http-bind {
    set $subdomain "$1.";
    set $subdir "$1/";
    set $prefix "$1";

    rewrite ^/(.*)$ /http-bind;
}

# websockets for subdomains
location ~ ^/([^/?&:'"]+)/xmpp-websocket {
    set $subdomain "$1.";
    set $subdir "$1/";
    set $prefix "$1";

    rewrite ^/(.*)$ /xmpp-websocket;
}

}
root@jitsi:/home/dada#

The problem seems to be within these two location sections:

I don’t know why there are two.
I think it should only be one.
I don’t know what content is within /usr/share/jitsi-meet, so I can’t be certain that is the best place place to use.
We should try using a specific unique path dedicated to handle just acme challenge requests.
I would create a folder like:
mkdir /usr/share/ACME-challenges
And use that folder instead and combine the two locations into one as follows:

location ^~ /.well-known/acme-challenge/ {
   default_type "text/plain";
   root         /usr/share/ACME-challenges;
   try_files    $uri =405;
}

I’m sorry, it got so complicated I got lost. Anyway, I uninstalled Jitsi Server already and I’ll try to reinstall it again later this week. Thank you very much for your help.

1 Like