Could not connect to http://domain.name.org/.well-known/acme-challenge/xxxx


#1

I see there have been a few similar posts and I think my issue may match /.well-known directory gets created, but error “Could not connect...”, but I’m not sure how to test if the issue is that port 80 is not allowing connections.

Visiting the mydomain.org shows the nginx welcome page.

This file exists:

/etc/letsencrypt/webrootauth/.well-known/acme-challenge/ping.txt (644 permissions)

I had created the acme-challenge directory manually.

But I cannot connect to mydomain.org/.well-known/acme-challenge/ping.txt.

The nginx config file: https://gist.github.com/MikeiLL/f7fdceb1a2c986bbccc1e016e93d2727

This is the command:

/opt/letsencrypt/letsencrypt-auto certonly -a webroot \
    --webroot-path=/etc/letsencrypt/webrootauth \
    --renew-by-default --email admin@mydomain.org \
    --text --agree-tos -d mydomain.org


#2

Looks like you’re redirecting to HTTPS but serving the challenge files over HTTP only.


#3

Hello @MikeiLL,

Change your nginx conf from:

server {
    listen 80;
    server_name www.mydomain.org mydomain.org;
    rewrite ^/(.*) https://mydomain.org/$1 permanent;

    # Do not use a /tmp folder or other users can obtain certificates.
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /etc/letsencrypt/webrootauth;
    }
}

to:

server {
    listen 80;
    server_name www.mydomain.org mydomain.org;

    # Do not use a /tmp folder or other users can obtain certificates.
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /etc/letsencrypt/webrootauth;
    }

    location / {
        rewrite ^/(.*) https://mydomain.org/$1 permanent;
    }
}

And try again.

Cheers,
sahsanu
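A way to check the two failure modes discussed above (port 80 not reachable, versus a server-level rewrite to HTTPS swallowing the challenge) before running the client again. This is an added example, not code from the thread or from Certbot; it assumes the webroot /etc/letsencrypt/webrootauth used above, curl on PATH, and write access to that directory.

```shell
#!/bin/sh
# Added example: probe the HTTP-01 challenge path over plain HTTP, the way the
# CA's validation server will reach it, and name the failure mode observed.
# Assumptions: webroot /etc/letsencrypt/webrootauth (as in the thread), curl
# available, write access to the webroot. Usage: sh probe.sh mydomain.org

WEBROOT="${WEBROOT:-/etc/letsencrypt/webrootauth}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# classify_probe CURL_EXIT HTTP_CODE BODY EXPECTED_BODY -> one diagnosis word
classify_probe() {
    curl_exit="$1"; code="$2"; body="$3"; expected="$4"
    if [ "$curl_exit" -eq 7 ]; then
        echo unreachable        # nothing accepting connections on port 80 (firewall, nginx down)
    elif [ "$curl_exit" -ne 0 ]; then
        echo "curl-error-$curl_exit"
    elif [ "$code" = 301 ] || [ "$code" = 302 ]; then
        echo redirected         # a server-level rewrite fires before the location block (the thread's bug)
    elif [ "$code" = 404 ]; then
        echo not-found          # root/location mismatch: nginx is not reading the webroot
    elif [ "$code" = 200 ] && [ "$body" = "$expected" ]; then
        echo ok                 # the CA would see the token it asked for
    else
        echo "unexpected-$code"
    fi
}

# probe_challenge DOMAIN: drop a throwaway token file in the webroot, fetch it
# over plain HTTP without following redirects (so a rewrite shows up as 301
# instead of a confusing TLS error), print the diagnosis, and clean up.
probe_challenge() {
    domain="$1"
    token="probe-$$-$(date +%s)"
    tmp=$(mktemp) || return 2
    if ! mkdir -p "$CHALLENGE_DIR" || ! printf '%s' "$token" > "$CHALLENGE_DIR/$token"; then
        rm -f "$tmp"; return 2
    fi
    code=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    curl_exit=$?
    body=$(cat "$tmp")
    rm -f "$tmp" "$CHALLENGE_DIR/$token"
    classify_probe "$curl_exit" "$code" "$body" "$token"
}

if [ -n "${1:-}" ]; then
    probe_challenge "$1"
fi
```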


#4

That was it! I had tried simply commenting out the rewrite, but not moving, or putting within a location parameter (is parameter the correct term?).

Requesting root privileges to run certbot...
   sudo CERTBOT_AUTO=/opt/letsencrypt/letsencrypt-auto /home/michael/.local/share/letsencrypt/bin/letsencrypt certonly -a webroot --webroot-path=/etc/letsencrypt/webrootauth --renew-by-default --email admin@mydomain.org --text --agree-tos -d mydomain.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mydomain.org/fullchain.pem. Your
   cert will expire on 2016-08-12. To obtain a new version of the
   certificate in the future, simply run Certbot again.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:

#5

Hello @MikeiLL,

Glad you finally got your certificate ;).

In nginx, location is not a parameter but a directive :)

Cheers,
sahsanu


#6

Thank you!

Very happy, but not quite there yet.

Getting this error in Firefox:

An error occurred during a connection to mydomain.org. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Curl gives me an NGINX 301 page.

Following(?) the nginx docs, I have tried adding the ssl_certificate and ssl_certificate_key parameters within the two 443 server directives, as well as above them, following the 80 server:

ssl_certificate      /etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mydomain.org/privkey.pem;

(confirmed existing: cert.pem chain.pem fullchain.pem privkey.pem)

And of course restarting the nginx server, which does not complain.


#7

Solved. Thank you Stack Overflow.

Have to add ssl after 443:

ssl_certificate      /etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mydomain.org/privkey.pem;

server {
    listen 443 ssl;
    # etc...
