Error creating Certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gpostman.com

I ran this command: certbot --nginx

It produced this output:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: gpostman.com
Type: unauthorized
Detail: Invalid response from http://gpostman.com/.well-known/acme-challenge/A9wjhrFh_mbt3TxTfoaNwJk90802-gQsx4tQF0JC5ok [167.114.128.25]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
nginx/1.20.1</ce"

Domain: host.gpostman.com
Type: unauthorized
Detail: Invalid response from http://host.gpostman.com/.well-known/acme-challenge/VCXXiQKNECF7NvCRbybS2xex5a5VN84-37msXDwNTeM [167.114.128.25]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
nginx/1.20.1</ce"

Domain: wss.gpostman.com
Type: unauthorized
Detail: Invalid response from http://wss.gpostman.com/.well-known/acme-challenge/yQVyHV8w-x37Qw42Nn1W201ltzEHLzY0lzIZrSbkviU [167.114.128.25]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
nginx/1.20.1</ce"

Domain: www.gpostman.com
Type: unauthorized
Detail: Invalid response from http://www.gpostman.com/.well-known/acme-challenge/WxWP019_Q-baKqAbs5xo_tjycPsiLKuSHacVvcpFbWE [167.114.128.25]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
nginx/1.20.1</ce"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): NGINX

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: VPS

I can log in to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): CWP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0

2 Likes

Is there any option within CWP to obtain an SSL cert?

If not, maybe we should have a look at the output of:
nginx -T
certbot certificates
(and the renewal config file)

2 Likes

[root@vps-c2000e86 centos]# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

user nobody;
worker_processes auto;
#worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
use epoll;
multi_accept on;

}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 3m;
client_body_timeout 3m;
client_max_body_size 256m;
client_header_buffer_size 4k;
client_body_buffer_size 256k;
large_client_header_buffers 4 32k;
send_timeout 3m;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_names_hash_max_size 1024;
server_names_hash_bucket_size 1024;
ignore_invalid_headers on;
connection_pool_size 256;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;

include mime.types;
default_type application/octet-stream;

# Compression gzip
gzip on;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
gzip_proxied any;
gzip_min_length 512;
gzip_comp_level 6;
gzip_buffers 8 64k;
gzip_types text/plain text/xml text/css text/js application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg image/svg+xml application/xml+rss text/javascript application/atom+xml application/javascript application/json application/x-font-ttf font/opentype;

# Proxy settings
proxy_redirect      off;
proxy_set_header    Host            $host;
proxy_set_header    X-Real-IP       $remote_addr;
proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header   Set-Cookie;
proxy_connect_timeout   300;
proxy_send_timeout  300;
proxy_read_timeout  300;
proxy_buffers       32 4k;
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=512m;
proxy_cache_key "$host$request_uri $cookie_user";
proxy_temp_path  /var/cache/nginx/temp;
proxy_ignore_headers Expires Cache-Control;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_valid any 1d;

open_file_cache_valid 120s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
open_file_cache max=5000 inactive=30s;
open_log_file_cache max=1024 inactive=30s min_uses=2;

# SSL Settings
ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";

# Logs
log_format  main    '$remote_addr - $remote_user [$time_local] $request '
	                '"$status" $body_bytes_sent "$http_referer" '
	                '"$http_user_agent" "$http_x_forwarded_for"';
log_format  bytes   '$body_bytes_sent';
#access_log          /var/log/nginx/access.log main;
access_log off;

# Cache bypass
map $http_cookie $no_cache {
	default 0;
	~SESS 1;
	~wordpress_logged_in 1;
}

# Include additional configuration
include /etc/nginx/cloudflare.inc;
include /etc/nginx/conf.d/*.conf;

}

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

configuration file /etc/nginx/cloudflare.inc:

# Cloudflare https://www.cloudflare.com/ips

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
#set_real_ip_from 2400:cb00::/32;
#set_real_ip_from 2606:4700::/32;
#set_real_ip_from 2803:f800::/32;
#set_real_ip_from 2405:b500::/32;
#set_real_ip_from 2405:8100::/32;
#set_real_ip_from 2c0f:f248::/32;
#set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;

configuration file /etc/nginx/conf.d/167.114.128.25.conf:

server {
listen 167.114.128.25:80;
server_name 167.114.128.25;
access_log /usr/local/apache/domlogs/167.114.128.25.bytes bytes;
access_log /usr/local/apache/domlogs/167.114.128.25.log combined;
error_log /usr/local/apache/domlogs/167.114.128.25.error.log error;

location / {
	location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
		root /usr/local/apache/htdocs/;						
		expires max;
		try_files $uri @backend;
	}

	location ~ ^/~(.+?)(/.*)?$ {
		internal;
		proxy_pass http://167.114.128.25:8181;
		include proxy.inc;
	}
	
	error_page 405 = @backend;
	error_page 500 = @custom;
	add_header X-Cache "HIT from Backend";
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @backend {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @custom {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ .*\.(php|jsp|cgi|pl|py)?$ {
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/usr/local/apache/htdocs/;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

location /pma {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location /roundcube {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

}

configuration file /etc/nginx/proxy.inc:

# More info here: http://wiki.nginx.org/HttpProxyModule

proxy_buffering off;
proxy_connect_timeout 59s;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_buffer_size 64k;
proxy_buffers 16 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass_header Set-Cookie;
proxy_redirect off;
proxy_hide_header Vary;
proxy_hide_header X-Powered-By;
proxy_set_header Accept-Encoding '';
#If you want to get the cache-control and expire headers from apache, comment out 'proxy_ignore_headers' and uncomment 'proxy_pass_header Expires;' and 'proxy_pass_header Cache-Control
#proxy_pass_header Expires;
#proxy_pass_header Cache-Control;
proxy_ignore_headers Cache-Control Expires;
proxy_set_header Referer $http_referer;
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

configuration file /etc/nginx/conf.d/vhosts.conf:

include /etc/nginx/conf.d/vhosts/*.conf;

configuration file /etc/nginx/conf.d/vhosts/gpostman.com.conf:

server {
listen 167.114.128.25:80;
server_name gpostman.com www.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

location / {
	location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh|webp)$ {
		root /home/gpostma/public_html;					
		expires max;
		try_files $uri $uri/ @backend;
	}
	
	error_page 405 = @backend;
	error_page 500 = @custom;
	add_header X-Cache "HIT from Backend";
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @backend {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @custom {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ .*\.(php|jsp|cgi|pl|py)?$ {
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:80;
server_name webmail.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:80;
server_name mail.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:80;
server_name cpanel.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

location / {
	proxy_pass  https://127.0.0.1:2083;
	include proxy.inc;
}

location /pma {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location /roundcube {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

configuration file /etc/nginx/conf.d/vhosts/gpostman.com.ssl.conf:

server {
listen 167.114.128.25:443 ssl ;
server_name gpostman.com www.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh|webp)$ {
		root /home/gpostma/public_html;
		expires max;
		try_files $uri $uri/ @backend;
	}
	
	error_page 405 = @backend;
	error_page 500 = @custom;
	add_header X-Cache "HIT from Backend";
	add_header Strict-Transport-Security "max-age=31536000";
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @backend {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @custom {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ .*\.(php|jsp|cgi|pl|py)?$ {
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:443 ssl ;
server_name webmail.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:443 ssl ;
server_name mail.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:443 ssl ;
server_name cpanel.gpostman.com;

access_log /usr/local/apache/domlogs/gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/gpostman.com.log combined;
error_log /usr/local/apache/domlogs/gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	proxy_pass  https://127.0.0.1:2083;
	include proxy.inc;
}

location /pma {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location /roundcube {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/gpostma/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

configuration file /etc/nginx/conf.d/vhosts/wss.gpostman.com.conf:

server {

    #if ($host = wss.gpostman.com) {
    #    return 301 https://$host$request_uri;
    #} # managed by Certbot

listen 167.114.128.25:80;	
server_name wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

location / {
	location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh|webp)$ {
		root /home/wss/public_html;					
		expires max;
		try_files $uri $uri/ @backend;
	}
	
	error_page 405 = @backend;
	error_page 500 = @custom;
	add_header X-Cache "HIT from Backend";
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

    location /send {
           proxy_method POST;
           proxy_http_version 1.1;
           proxy_pass http://127.0.0.1:9000/send;
           client_max_body_size 10M;
    }

location @backend {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @custom {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ .*\.(php|jsp|cgi|pl|py)?$ {
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:80;
server_name webmail.wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:80;
server_name mail.wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:80;
server_name cpanel.wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

location / {
	proxy_pass  https://127.0.0.1:2083;
	include proxy.inc;
}

location /pma {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location /roundcube {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

configuration file /etc/nginx/conf.d/vhosts/wss.gpostman.com.ssl.conf:

server {
listen 167.114.128.25:443 ssl ;
server_name wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/wss.gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/wss.gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	location ~.*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh|webp)$ {
		root /home/wss/public_html;
		expires max;
		try_files $uri $uri/ @backend;
	}
	
	error_page 405 = @backend;
	error_page 500 = @custom;
	add_header X-Cache "HIT from Backend";
	add_header Strict-Transport-Security "max-age=31536000";
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @backend {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location @custom {
	internal;
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ .*\.(php|jsp|cgi|pl|py)?$ {
	proxy_pass http://167.114.128.25:8181;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:443 ssl ;
server_name webmail.wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/wss.gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/wss.gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:443 ssl ;
server_name mail.wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/wss.gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/wss.gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	proxy_pass  http://127.0.0.1:2095;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

server {
listen 167.114.128.25:443 ssl ;
server_name cpanel.wss.gpostman.com;

access_log /usr/local/apache/domlogs/wss.gpostman.com.bytes bytes;
access_log /usr/local/apache/domlogs/wss.gpostman.com.log combined;
error_log /usr/local/apache/domlogs/wss.gpostman.com.error.log error;

ssl_certificate      /etc/pki/tls/certs/wss.gpostman.com.bundle;
ssl_certificate_key  /etc/pki/tls/private/wss.gpostman.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_prefer_server_ciphers   on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 60m;

location / {
	proxy_pass  https://127.0.0.1:2083;
	include proxy.inc;
}

location /pma {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location /roundcube {
	proxy_pass  https://127.0.0.1:2031;
	include proxy.inc;
}

location ~ /\.ht    {deny all;}
location ~ /\.svn/  {deny all;}
location ~ /\.git/  {deny all;}
location ~ /\.hg/   {deny all;}
location ~ /\.bzr/  {deny all;}

disable_symlinks if_not_owner from=/home/wss/public_html;

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

}

2 Likes

[root@vps-c2000e86 centos]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


2 Likes

I must say that this is a fresh new installation.

2 Likes

I'm not sure what this code does exactly:
[where did you get it from?]
[it has "apache" in the path and yet the server is running nginx]

And where/how did you get this LE cert?:
[you say it's a new install and certbot shows no certs - what are we missing?]

2 Likes

Could this be a problem with a conflict between the control panel's management of the site and manual command-line management, like CWP did something related to certificates?

2 Likes

Yes, I did a previous bad installation, so I got everything done from scratch again. I'm using Apache2 + Nginx as reverse proxy. But I guess the whole problem is the vhost conf I'm using. But I don't know how to fix it.

2 Likes

I guess the problem is here:

When I look for the token on my domain, it is there:
[root@vps-c2000e86 vhosts]# ls -a /home/wss/public_html/.well-known/pki-validation/
. .. 0F330168792F1B1B953CA77F86840816.txt

But in the vhost there is this one pointing here, which is not.

location /.well-known/acme-challenge {
default_type "text/plain";
alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

[root@vps-c2000e86 vhosts]# ls -a /usr/local/apache/autossl_tmp/.well-known/acme-challenge
. ..

2 Likes

I tried copying my TOKEN into /usr/local/apache/autossl_tmp/.well-known/acme-challenge/ but I'm still getting the same error.

2 Likes

/.well-known/pki-validation is different from /.well-known/acme-challenge.

The former is used by other CAs, but never by Let's Encrypt.

location /.well-known/acme-challenge {
	default_type "text/plain";
	alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}

I wouldn't be surprised if this directive conflicted with what Certbot is trying to do, since Certbot adds a very similar directive except pointing to its own temporary directory (not autossl_tmp, autossl being some other non-Certbot software). Perhaps the autossl one is taking precedence here because it's so specific, or something.

I'm not going to criticize autossl here because of the "people who live in glass houses shouldn't throw stones" principle—after all, if you use Certbot to get certificates and then uninstall it, it doesn't remove its changes to your web server configuration—but you have a very complex configuration that includes some specific things related to other non-Certbot tooling that you have previously used to get certificates on this server. (I mean both the nginx directive above and whatever references you have to /.well-known/pki-validation that must have been used by software, maybe also autossl, interacting with a different CA!) In order for Certbot to work, you may need to first undo some of the peculiarities that relate to other software.

@rg305's question about how this reference to Apache got into your nginx configuration is also one that I'm really curious about. :slight_smile:

3 Likes

See the path below where certbot is looking for the challenge? Hint, hint. :slightly_smiling_face: That's where Certbot expected the challenge file to be, and why the challenge continues to fail. You got the same error for each of your subdomains as well.

Invalid response from http://gpostman.com/.well-known/acme-challenge/A9wjhrFh_mbt3TxTfoaNwJk90802-gQsx4tQF0JC5ok [167.114.128.25]: "\r\n404 Not Found\r\n\r\n

I see that a CentOS-WebPanel test page shows up on host.gpostman.com. I haven't looked at the other subdomains. Here's a result of gpostman.com scan from last night using Juergen's software.

https://check-your-website.server-daten.de/?i=be85b72b-618f-4667-95cb-160640e07eb6

I see you have TLS1.0, 1.1 & 1.2 enabled in your encryption protocol list. TLS1.0 should definitely be removed as it's been deprecated for quite some time. For TLS1.1, meh, keep only if you have users with older browsers. But v1.1 is also deprecated and really should not be used. Otherwise, TLS1.2 is what you should be using.

2 Likes

Most orgs have deprecated TLS 1.1 too, so if you consider 1.0 outdated, 1.1 is too.

Also, TLS 1.2 is only two years younger than TLS 1.1. I haven't seen a single client in 2020/2021 that spoke TLS 1.1, but not TLS 1.2*. There are very, very old things out there that still do SSLv2/v3/TLS1.0, but in all of my research I did not encounter a single internet-facing client that advertised 1.1 as highest available (except clients that were manually configured this way).

For servers this is also backed up by SSL Labs data, as only 4 servers are known where 1.1 is best protocol available - I presume those 4 machines are test systems.

In security terms, TLS 1.1 is only slightly better than 1.0 and is nowhere near as hardened as 1.2 (e.g. 1.1 does not have AEAD support). 1.1 was basically a patch release for 1.0 to fix some CBC and padding issues.

Remember that TLS 1.2 is almost thirteen years old. Sadly, clients were slow to adopt TLS 1.2, but since 2013/2014 TLS 1.2 was widely supported in all major browsers and I see no excuse for running a 9 year old browser today.

*Many TLS implementations such as NSS in Firefox or OpenSSL turned on TLS 1.1 & 1.2 support at the same time, which is likely one of the reasons why "1.1 only" is so rare.

3 Likes

True, that's why these were my last two sentences. :wink:

I agree. Backward compatibility is a terrible thing when the whole world doesn't move on. But the wheels of change turn slowly.

1 Like

Yeah, I remember being surprised by that at the time, like "wow, you implemented two new versions, not just one—that was quick!".

3 Likes

Ok people, but this is not helping too much. I have installed other certs on machines configured the same way. This time I ran into a failure and I need to figure out the real problem. I guess it's about a path missing or something like that.

1 Like

Please confirm the usability of this location:

Place a test-file-1234 in that alias location and let's see if it can be reached via the following:
http://gpostman.com/.well-known/acme-challenge/test-file-1234
OR
http://host.gpostman.com/.well-known/acme-challenge/test-file-1234

2 Likes

[root@vps-c2000e86 acme-challenge]# pwd
/home/gpostma/public_html/.well-known/acme-challenge
[root@vps-c2000e86 acme-challenge]# ll
total 0
-rw-r--r-- 1 root root 0 Jun 9 20:59 test-file-1234
[root@vps-c2000e86 acme-challenge]# cd ..
[root@vps-c2000e86 .well-known]# cd ..
[root@vps-c2000e86 public_html]# touch hola
[root@vps-c2000e86 public_html]# chmod 755 .well-known/
[root@vps-c2000e86 public_html]# chmod 755 .well-known/acme-challenge/

[root@vps-c2000e86 public_html]# chmod 755 .well-known/acme-challenge/test-file-1234

But still 404 under .well-known/

1 Like

Doesn't seem to equal:

Or am I missing something?

2 Likes

I also replaced the location /.well-known entry:

location /.well-known/acme-challenge {
default_type "text/plain";
allow all;
#alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
alias /home/gpostman/public_html/.well-known/acme-challenge;

}

But still reporting 404

1 Like
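To turn rg305's test-file procedure and the edited location block above into a repeatable check, here is an added shell script (not from the thread or from Certbot) that reads the live alias out of a vhost file, compares it with the directory the token was actually written to, and optionally fetches a throwaway token over plain HTTP the way the CA does. The vhost fragment it parses is constructed from the thread's configuration; the domain and webroot arguments are assumptions you supply.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the alias behind an nginx
# "location /.well-known/acme-challenge" is the directory the challenge token
# lands in, then fetch a test file at the URL the CA requests (HTTP, port 80).
# The sample vhost and paths below are constructed from the thread's config.

# Print the live (uncommented) alias path of each acme-challenge location in a vhost file.
acme_alias_paths() {
    awk '
        /location[ \t]+\/\.well-known\/acme-challenge/ { inblock = 1 }
        inblock && /^[ \t]*alias[ \t]+/ {
            sub(/^[ \t]*alias[ \t]+/, ""); sub(/;.*$/, ""); print
        }
        inblock && /}/ { inblock = 0 }
    ' "$1"
}

# True when the vhost alias and the token directory name the same path (trailing slash ignored).
# A one-letter difference such as /home/gpostma vs /home/gpostman is enough for a 404.
alias_matches_webroot() {
    [ "${1%/}" = "${2%/}" ]
}

# Drop a throwaway token into the webroot directory and print the HTTP status nginx
# returns for it at the URL the CA would fetch; 200 means the location works.
probe_challenge() {   # $1 = domain, $2 = <webroot>/.well-known/acme-challenge
    token="test-file-$$"
    mkdir -p "$2" && printf 'ok\n' > "$2/$token"
    curl -s -o /dev/null -w '%{http_code}' "http://$1/.well-known/acme-challenge/$token"
    rm -f "$2/$token"
}

# Constructed vhost fragment mirroring the thread's edited location block.
vhost=$(mktemp)
cat > "$vhost" <<'EOF'
location /.well-known/acme-challenge {
	default_type "text/plain";
	#alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
	alias /home/gpostman/public_html/.well-known/acme-challenge;
}
EOF
alias_dir=$(acme_alias_paths "$vhost")
token_dir=/home/gpostma/public_html/.well-known/acme-challenge   # directory `pwd` showed in the thread
if alias_matches_webroot "$alias_dir" "$token_dir"; then
    echo "alias matches token directory: $alias_dir"
else
    echo "MISMATCH: nginx serves $alias_dir but the token was placed in $token_dir"
fi
rm -f "$vhost"
# Live probe only when a domain and webroot are given on the command line, e.g.
#   sh check_acme.sh gpostman.com /home/gpostman/public_html/.well-known/acme-challenge
if [ "$#" -eq 2 ]; then probe_challenge "$1" "$2"; echo; fi
```

Run without arguments it only reports whether the alias and token directory agree; with a domain and webroot it also performs the HTTP fetch, which must return 200 from the public address before Certbot's http-01 challenge can succeed.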