Challenge failed for domain

My domain is:
english.readover.online

I ran this command:
```
sudo certbot certonly --webroot -w /var/app/current/wwwroot -d english.readover.online
```
(my website framework is .NET Core 6)

It produced this output:
```
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for english.readover.online
Performing the following challenges:
http-01 challenge for english.readover.online
Using the webroot path /var/app/current/wwwroot for all unmatched domains.
Waiting for verification...
Challenge failed for domain english.readover.online
http-01 challenge for english.readover.online
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
```

My web server is (include version):
AWS EC2 beanstalk instance

The operating system my web server runs on is (include version):
Amazon Linux 2
nginx

My hosting provider, if applicable, is:
AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know):
yes, using ssh

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I installed certbot using the following command:
```
sudo yum install certbot-nginx
```

My main domain is readover.online and it points to a VPS Windows server, and I have SSL for this main domain (I run wacs.exe on the Windows server).
I added an A record, english, so I have a subdomain with the public IP of my AWS EC2 Beanstalk instance.
I can get to my site using my subdomain english.readover.online.
In order to secure the subdomain I installed certbot on my Amazon Linux.
When I request a cert it fails. (When I browse the folder I can find the .well-known folder inside wwwroot.)
The domain and subdomain are up and running and I have access to add/remove/edit records. How can I make the challenge succeed?
Maybe it is possible to verify that the domain is mine by adding a record, or any other way.

Can you show result of: sudo certbot --version ?

And, do you know which AWS Linux you are using in Beanstalk?

I'll be optimistic and assume recent versions, so try the below command. It will show you the URL that the Let's Encrypt server will look for. Certbot pauses so you can check it from another device on the public internet.

```
sudo certbot certonly --dry-run --debug-challenges -v --webroot -w /var/app/current/wwwroot -d english.readover.online
```
4 Likes

```
certbot 1.11.0
```

```
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"
```

The result of your command is very long. The end is:
```
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue
```

After pressing Enter I got (at the end):

```
Replay-Nonce: 6EPBbsPCK0yyYBTkG_H8xFyYIW8mp1Py0qy7Z0wVq_K....

{
  "identifier": {
    "type": "dns",
    "value": "english.readover.online"
  },
  "status": "invalid",
  "expires": "2023-11-02T23:09:25Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "MY_IP_ADDRESS: Invalid response from http://english.readover.online/.well-known/acme-challenge/as8dJzFzgcUgSvkeLnpwg_Vn8NX7-0r.... : 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/9192533854/G_tZqg",
      "token": "as8dJzFzgcUgSvkeLnpwg_Vn8N.............",
      "validationRecord": [
        {
          "url": "http://english.readover.online/.well-known/acme-challenge/as8dJzFzgcUgSvkeLnpwg_Vn8N.........",
          "hostname": "english.readover.online",
          "port": "80",
          "addressesResolved": [
            "MY_IP_ADDRESS"
          ],
          "addressUsed": "MY_IP_ADDRESS"
        }
      ],
      "validated": "2023-10-26T23:12:53Z"
    }
  ]
}
Storing nonce: 6EPBbsPCK0syYBTkG..................
Challenge failed for domain english.readover.online
http-01 challenge for english.readover.online
Reporting to user: The following errors were reported by the server:

Domain: english.readover.online
Type:   unauthorized
Detail: MY_IP_ADDRESS: Invalid response from http://english.readover.online/.well-known/acme-challenge/as8dJzFzgcUgSvkeL...............: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /var/app/current/wwwroot/.well-known/acme-challenge/as8dJzFzgcUgS.........
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1294, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 135, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: english.readover.online
   Type:   unauthorized
   Detail: MY_IP_ADDRESS: Invalid response from
   http://english.readover.online/.well-known/acme-challenge/as8dJzFzgcUgSvk.......:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

First, my advice is to use a different ACME Client like acme.sh or some other bash client (see choices here). With Beanstalk you should install everything using its dev ops config files. You can install things manually but as soon as you rebuild your environ for the next upgrade manual installs and manual config changes are lost.

Further, Amazon Linux 2 does not support snap to use Certbot recommended install. There is an unofficial snap which is complicated and I am not sure it is maintained. You could try a pip install but that takes a lot of skill to do with the dev ops config.

If Amazon Linux 3 is available for your platform that might be better. It has snap but I haven't tried it myself. Still, it is a "heavy" client for a dev ops based install.

With that said, Certbot 1.11 should still work, although it is almost 3 years old now. I just think a slimmer client is a better way forward given your environ.

See my next post as to your 404 failure

5 Likes

So, can you show the nginx server block listening on port 80 for your english.readover.online domain?

We can look at your whole nginx if need be but with --webroot method this might be enough.

If you could paste it with 3 backticks before and after, that will improve the formatting, like
```
contents of server block
```

5 Likes

Thanks.
I will look for another option.
As for the nginx server block:

I cannot find a specific block for english.readover.online.
```
$ cd /etc/nginx
nginx$ ls
conf.d fastcgi.conf fastcgi_params koi-utf mime.types nginx.conf scgi_params uwsgi_params win-utf
default.d fastcgi.conf.default fastcgi_params.default koi-win mime.types.default nginx.conf.default scgi_params.default uwsgi_params.default
```

```
nginx$ cat nginx.conf

 server {
        listen        80 default_server;
        access_log    /var/log/nginx/access.log main;

        client_header_timeout 60;
        client_body_timeout   60;
        keepalive_timeout     60;
        gzip                  off;
        gzip_comp_level       4;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        # Include the Elastic Beanstalk generated locations
        include conf.d/elasticbeanstalk/*.conf;
    }
```

It seems the need does be.

The file you seek might be found in this folder:

OR
By reviewing the entire nginx configuration, with:
```
nginx -T
```

4 Likes

I have 2 files.
1
```
elasticbeanstalk$ cat 00_application.conf

location / {
    proxy_pass         http://127.0.0.1:5000;
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection $http_connection;
    proxy_set_header   Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
}
```

2
```
elasticbeanstalk$ cat healthd.conf

if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
    set $year $1;
    set $month $2;
    set $day $3;
    set $hour $4;
}
```

```
nginx$ nginx -T

nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2023/10/28 21:51:24 [warn] 12575#12575: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:3
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
2023/10/28 21:51:24 [emerg] 12575#12575: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: configuration file /etc/nginx/nginx.conf test failed
```

Probably just need to run it like

```
sudo nginx -T
```
4 Likes
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
#Elastic Beanstalk Nginx Configuration File

user                    nginx;
error_log               /var/log/nginx/error.log warn;
pid                     /var/run/nginx.pid;
worker_processes        auto;
worker_rlimit_nofile    32367;

events {
    worker_connections  1024;
}

http {
    server_tokens off;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    include       conf.d/*.conf;

    map $http_upgrade $connection_upgrade {
        default     "upgrade";
    }

    server {
        listen        80 default_server;
        access_log    /var/log/nginx/access.log main;

        client_header_timeout 60;
        client_body_timeout   60;
        keepalive_timeout     60;
        gzip                  off;
        gzip_comp_level       4;
        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        # Include the Elastic Beanstalk generated locations
        include conf.d/elasticbeanstalk/*.conf;
    }
}
# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/healthd_logformat.conf:
log_format healthd  '$msec"$uri"'
                    '$status"$request_time"$upstream_response_time"'
                    '$http_x_forwarded_for';
# configuration file /etc/nginx/conf.d/elasticbeanstalk/00_application.conf:
location / {
    proxy_pass         http://127.0.0.1:5000;
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection $http_connection;
    proxy_set_header   Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
}
# configuration file /etc/nginx/conf.d/elasticbeanstalk/healthd.conf:
if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})T(\d{2})") {
    set $year $1;
    set $month $2;
    set $day $3;
    set $hour $4;
}

access_log /var/log/nginx/healthd/application.log.$year-$month-$day-$hour healthd;
```

The above command told Certbot to create the HTTP Challenge token under the /var/app/current/wwwroot folder.

The 404 (HTTP Not Found) in the error message says your nginx did not return any token at that location.

All of your HTTP requests to nginx are proxied to `http://127.0.0.1:5000`, so whatever that is would have to respond properly to the incoming HTTP request. But it does not.

Why did you choose that webroot path? (the -w folder value)

In any case, it would be cleaner if you did not proxy that request anywhere and allow nginx to handle it directly by changing your server block to this:

```
server {
    listen        80 default_server;
    access_log    /var/log/nginx/access.log main;

    # Add this.  Best to have server_name stated explicitly
    server_name english.readover.online;

    # Add this.  root folder here must match -w value in Certbot command
    # Ideally this folder is outside scope of web server files like /var/app/acme
    location /.well-known/acme-challenge/ {
        root /var/app/current/wwwroot;
    }

    # these remain the same
    client_header_timeout 60;
    client_body_timeout   60;
    keepalive_timeout     60;
    gzip                  off;
    gzip_comp_level       4;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Include the Elastic Beanstalk generated locations
    include conf.d/elasticbeanstalk/*.conf;
}
```
3 Likes
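Both diagnostics in this thread, the `--debug-challenges` pause that lets you fetch the token URL yourself, and the explanation that the 404 comes from nginx proxying `/.well-known/acme-challenge/` to the backend on `127.0.0.1:5000`, can be scripted as a pre-flight check before running Certbot at all. The block below is an added example, not code from this thread, from Certbot, or from AWS: it writes a constructed token under a webroot and fetches it back over plain HTTP the way the ACME validator does, classifying the result like the `validationRecord` shown earlier. The two local `http.server` instances in `run_demo()` are stand-ins (one for nginx with a matching `location` block, one for a backend that answers 404 to everything, as the proxied app did here) and the loopback ports are assumptions; against the real setup you would call `check_challenge_url("http://english.readover.online", token, body)` from a machine outside the instance.

```python
"""Pre-flight check for an HTTP-01 webroot setup (added example).

Writes a constructed token file where Certbot's webroot plugin would put one,
then fetches it over HTTP the way the ACME server does and reports whether
the front-end actually served it. The local http.server instances used by
run_demo() stand in for nginx and for the proxied backend.
"""
from __future__ import annotations

import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_test_token(webroot: str) -> tuple[str, str]:
    """Create <webroot>/.well-known/acme-challenge/<token> with a known body.

    Returns (token, body). Certbot does the same thing during a challenge; the
    difference is that this file stays put, so the URL can be checked from any
    machine on the public internet and from the access log.
    """
    token = secrets.token_urlsafe(32)
    body = f"{token}.selfcheck"  # constructed payload, not an ACME key authorization
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    (challenge_dir / token).write_text(body)
    return token, body


def check_challenge_url(base_url: str, token: str, expected_body: str,
                        timeout: float = 5.0) -> dict:
    """Fetch the token URL and classify the outcome like a validation record.

    base_url is the scheme and host the CA would use (http://<hostname>, port 80
    unless stated). Result keys: url, status, ok, reason.
    """
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        # The thread's failure mode: whatever answers port 80 does not map
        # /.well-known/acme-challenge/ onto the webroot, so the CA sees a 404.
        return {"url": url, "status": exc.code, "ok": False,
                "reason": f"HTTP {exc.code}: token file not served at this path"}
    except (urllib.error.URLError, OSError) as exc:
        return {"url": url, "status": None, "ok": False,
                "reason": f"connection failed: {exc}"}
    if body != expected_body:
        return {"url": url, "status": status, "ok": False,
                "reason": "body differs from the file on disk (wrong root, or a proxy/cache in front)"}
    return {"url": url, "status": status, "ok": True, "reason": "token served correctly"}


class _ProxiedAppHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the application behind proxy_pass: it has never heard of
    the token file and answers 404 for every path."""

    def do_GET(self) -> None:
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


class _WebrootHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for nginx with a location block whose root is the webroot."""

    def log_message(self, *args) -> None:
        pass


def _serve(handler) -> http.server.ThreadingHTTPServer:
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo() -> dict:
    """Run the check against both stand-ins and return {name: result}."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        token, body = place_test_token(webroot)
        servers = {
            "nginx_serves_webroot": _serve(functools.partial(_WebrootHandler, directory=webroot)),
            "everything_proxied_to_app": _serve(_ProxiedAppHandler),
        }
        for name, srv in servers.items():
            port = srv.server_address[1]
            results[name] = check_challenge_url(f"http://127.0.0.1:{port}", token, body)
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: status={result['status']} ok={result['ok']} ({result['reason']})")
```

The first stand-in returns 200 with the expected body; the second returns the same 404 the thread's validation record shows, which is the signal to fix the nginx `location` block rather than the DNS records the generic Certbot hint points at.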
