Error nginx Challenge failed for domain www.fovos.be

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fovos.be

I ran this command: sudo certbot run -a webroot -i nginx -w /var/www/fovos -d www.fovos.be -d fovos.be

It produced this output:
Using the webroot path /var/www/fovos for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.fovos.be
http-01 challenge for www.fovos.be
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Nginx as remote proxy, Apache as web server
Nginx = version 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is: my own server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

My Nginx serves as remote proxy for 5 domains on port 8080. All other domains are working fine. I checked the DNS records and they are correct.

Thanks!

Usually, the -a webroot -i nginx trick is only used if the nginx plugin doesn't work as an authenticator plugin. Have you tried just running certbot with --nginx (two dashes) without mentioning -a and -i? (-w isn't necessary in that case either, by the way.)

Thank you for your quick answer.
Herewith the result. I'm afraid I used all my attempts.

erwin@vps655711:~$ sudo certbot run --nginx -w /var/www/fovos -d www.fovos.be -d fovos.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.fovos.be.conf)

It contains these names: www.fovos.be

You requested these names for the new certificate: www.fovos.be, fovos.be.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

You can test by adding --staging. The staging environment has way looser restrictions, but will give you a fake testing certificate. If --staging is working, you can remove that option to go for a real, working certificate once the failed authz error is gone. (Shouldn't take long; it's an error with just a one-hour sliding window.)

Also, like I said before: you don't need -w when using --nginx.

Here it is:

sudo certbot run --nginx --staging --break-my-certs -d www.fovos.be -d fovos.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/www.fovos.be.conf)

It contains these names: www.fovos.be

You requested these names for the new certificate: www.fovos.be, fovos.be.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fovos.be
http-01 challenge for www.fovos.be
nginx: [warn] conflicting server name "www.fovos.be" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.fovos.be" on 0.0.0.0:443, ignored
Waiting for verification...
Challenge failed for domain www.fovos.be
http-01 challenge for www.fovos.be
Cleaning up challenges
nginx: [warn] conflicting server name "www.fovos.be" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.fovos.be" on 0.0.0.0:443, ignored
Some challenges have failed.

IMPORTANT NOTES:

OK, well, you didn't say you already had a certificate for these hostnames. The warning about --break-my-certs is a real one: your site would get a fake, non-working certificate installed if it did work.

This isn't good. Please tidy up your nginx configuration.


Error log:

Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 00049_Yvr6ngtF3cdwK_MOXyiCwSSd4ZQyUaNgFnUp9RCIE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "fovos.be"
  },
  "status": "valid",
  "expires": "2020-11-08T09:48:31Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/129095050/ZysvjA",
      "token": "6jA8DhG_6errkXR-_buBCvCcfD61V9EbWKlb2g4NPR8",
      "validationRecord": [
        {
          "url": "http://fovos.be/.well-known/acme-challenge/6jA8DhG_6errkXR-_buBCvCcfD61V9EbWKlb2g4NPR8",
          "hostname": "fovos.be",
          "port": "80",
          "addressesResolved": [
            "51.77.221.33"
          ],
          "addressUsed": "51.77.221.33"
        }
      ]
    }
  ]
}
2020-10-09 11:48:32,155:DEBUG:acme.client:Storing nonce: 00049_Yvr6ngtF3cdwK_MOXyiCwSSd4ZQyUaNgFnUp9RCIE
2020-10-09 11:48:32,156:DEBUG:acme.client:JWS payload:
b''
2020-10-09 11:48:32,161:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/129095051:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC84NTcxOTg0IiwgIm5vbmNlIjogIjAwMDQ5X1l2cjZuZ3RGM2Nkd0tfTU9YeWlDd1NTZDRaUXlVYU5nRm5VcDlSQ0lFIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzEyOTA5NTA1MSJ9",
  "signature": "irOm83dbrcDmw3JJxhAXX4b0n524-WMD0n_JSzlKKUG9O3wVnMRrVq406wSXa4uO-Y5LI9qfjbc6rjaktWWMEhhy-LzAJGgAoe3NPiEaGO2F1yPLq6M9OLCy7D0ZcUwoqu6p4PFck6pvRPvtdytWOCfyGujzHur5xP8pe4EXUeEYsBoFeh0s3_y--9uvtdT4D-fEZNiOJ3nFOdHCJz_WhIYaMSvmAcKGmNGr-6lx_S_CUYqFG3XK7WA0PoWiDOoN5yNWSD7dmlZ3vGsNi2t8kzgKre9MvQ5TAtg7phgds-8CO9-zBtVRigHpjVjTuGbuk0gGOZ1ysKKtwaB4Un01WQ",
  "payload": ""
}
2020-10-09 11:48:32,314:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/129095051 HTTP/1.1" 200 811
2020-10-09 11:48:32,316:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 09 Oct 2020 09:48:32 GMT
Content-Type: application/json
Content-Length: 811
Connection: keep-alive
Boulder-Requester: 8571984
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003Z48B4d50Rm_XCDTGkQEPvVj7Cqmpdk9zgZaKwdZ2pm8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/129095051/ua0O3A",
  "token": "ihPiAYu2Ouaa6T7KrBPIf4IgCGplvjGOV3taWtFhf7E",
  "validationRecord": [
    {
      "url": "http://www.fovos.be/.well-known/acme-challenge/ihPiAYu2Ouaa6T7KrBPIf4IgCGplvjGOV3taWtFhf7E",
      "hostname": "www.fovos.be",
      "port": "80",
      "addressesResolved": [
        "51.77.221.33"
      ],
      "addressUsed": "51.77.221.33"
    },
    {
      "url": "https://www.fovos.be/.well-known/acme-challenge/ihPiAYu2Ouaa6T7KrBPIf4IgCGplvjGOV3taWtFhf7E",
      "hostname": "www.fovos.be",
      "port": "443",
      "addressesResolved": [
        "51.77.221.33"
      ],
      "addressUsed": "51.77.221.33"
    }
  ]
}

]
}
2020-10-09 11:48:35,478:DEBUG:acme.client:Storing nonce: 0002Sp5MkUlI1bwMnghEj18hmrbPoa7VnlZUVH7w3APFmyg
2020-10-09 11:48:35,478:WARNING:certbot.auth_handler:Challenge failed for domain www.fovos.be
2020-10-09 11:48:35,479:INFO:certbot.auth_handler:http-01 challenge for www.fovos.be
2020-10-09 11:48:35,479:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.fovos.be
Type: unauthorized
Detail: Invalid response from https://www.fovos.be/.well-known/acme-challenge/ihPiAYu2Ouaa6T7KrBPIf4IgCGplvjGOV3taWtFhf7E [51.77.221.33]: "\r\n404 Not Found\r\n\r\n 404 Not Found \r\n nginx/1.18.0 (Ub"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-10-09 11:48:35,480:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2020-10-09 11:48:35,480:DEBUG:certbot.error_handler:Calling registered functions
2020-10-09 11:48:35,480:INFO:certbot.auth_handler:Cleaning up challenges
2020-10-09 11:48:36,667:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1132, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 307, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

I had a certificate but it was not able to be renewed. that's why I was looking to re-do the whole process.
Can I clear the fovos.conf files in the letsencrypt directory?

I would advise against that.

I'm still thinking your nginx configuration needs cleaning up first, see the warnings above.

Then, if your nginx configuration is pristine again, you should just be able to run certbot renew --dry-run and if that succeeds, run certbot renew to actually renew the certificate.

I see your previous certificate was just for the www subdomain, so forget about certbot renew. Just clean up your nginx configuration first, then try sudo certbot run --nginx --staging --break-my-certs -d www.fovos.be -d fovos.be again. As your certificate already expired back in 2019, breaking your cert isn't really that much of an issue. If that succeeds, run sudo certbot run --nginx -d www.fovos.be -d fovos.be. If it doesn't succeed, your nginx configuration is still off.


Hi Osiris

I'm no nginx specialist. I have the standard nginx config file and no other config files in conf.d.
In sites-enabled I have the following fovos.conf file:

server {
    listen 443 ssl;
    server_name www.fovos.be fovos.be;

    ssl_certificate /etc/letsencrypt/live/www.fovos.be/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.fovos.be/privkey.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECD>
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    resolver 8.8.8.8;

    # Everything on 443 is handed to the backend web server on port 8080.
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name www.fovos.be fovos.be;

    # ACME http-01 tokens are served from disk instead of being redirected.
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

Can your expert eye take a look at it?

Herewith the nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;


    client_max_body_size 8M;




    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml ap>

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

Thanks for helping me.
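One check worth running against this configuration, as an added example that is not part of the original thread: in the very first post certbot was run with the webroot authenticator and -w /var/www/fovos, while the fovos.conf above serves /.well-known/acme-challenge from root /var/www/letsencrypt. With the root directive nginx appends the full request URI, so it opens /var/www/letsencrypt/.well-known/acme-challenge/<token>, whereas certbot writes the token under /var/www/fovos/.well-known/acme-challenge/. That mismatch produces exactly the nginx 404 the ACME validator reports. The --nginx authenticator sidesteps it by temporarily inserting its own location block, but anyone going back to -a webroot needs the two paths to agree. The script below reads the challenge root out of a vhost file, writes a token the way certbot would, and checks whether nginx's root + URI mapping would find it. It works in a temporary directory on a constructed copy of the vhost file instead of the real paths, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: does the directory certbot writes to
# with -w match the directory nginx serves for /.well-known/acme-challenge/?

# Pull the root directive out of the acme-challenge location of a vhost file.
acme_root() {
    awk '
        /location[[:space:]]+\/\.well-known\/acme-challenge/ { inloc = 1 }
        inloc && /^[[:space:]]*root[[:space:]]/ { sub(/;.*/, ""); print $2; exit }
        inloc && /\}/ { inloc = 0 }
    ' "$1"
}

# Simulate certbot's webroot authenticator: write a token under the -w path,
# then check whether nginx's root + URI mapping would find that file.
# $1 = vhost file, $2 = path that would be passed to certbot -w
# Returns 0 when nginx would serve the token, 1 when it would answer 404.
probe_webroot() {
    token="preflight-$$"
    written="$2/.well-known/acme-challenge/$token"
    mkdir -p "$(dirname "$written")"
    printf '%s\n' "$token" > "$written"
    served="$(acme_root "$1")/.well-known/acme-challenge/$token"
    status=1
    [ -f "$served" ] && status=0
    rm -f "$written"
    return $status
}

# Constructed stand-in for the thread's layout: the vhost serves challenges
# from <base>/letsencrypt while <base>/fovos plays the role of -w /var/www/fovos.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/letsencrypt" "$base/fovos"
    cat > "$base/fovos.conf" <<EOF
server {
    listen 80;
    server_name www.fovos.be fovos.be;

    location /.well-known/acme-challenge {
        root $base/letsencrypt;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
    printf '%s\n' "$base"
}

# Demo: the first call mirrors the failing command, the second the fix.
base=$(make_sample)
for w in "$base/fovos" "$base/letsencrypt"; do
    if probe_webroot "$base/fovos.conf" "$w"; then
        echo "-w $w: nginx would serve the token"
    else
        echo "-w $w: nginx would answer 404 (root is $(acme_root "$base/fovos.conf"))"
    fi
done
rm -rf "$base"
```

Point acme_root and probe_webroot at the real /etc/nginx/sites-enabled file and the real -w directory to run the same check on a live host; it needs no network and leaves nothing behind except the .well-known/acme-challenge directory it creates under the webroot.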

Perhaps that's not everything where your hostnames are configured. Could you please run and share the output of:

grep -R www.fovos.be /etc/nginx/

/etc/nginx/sites-available/fovos.conf: server_name www.fovos.be fovos.be;
/etc/nginx/sites-available/fovos.conf: ssl_certificate /etc/letsencrypt/live/www.fovos.be/fullchain.pem;
/etc/nginx/sites-available/fovos.conf: ssl_certificate_key /etc/letsencrypt/live/www.fovos.be/privkey.pem;
/etc/nginx/sites-available/fovos.conf: server_name www.fovos.be fovos.be;
/etc/nginx/sites-available/default: server_name www.fovos.be; # managed by Certbot
/etc/nginx/sites-available/default: ssl_certificate /etc/letsencrypt/live/www.fovos.be/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/default: ssl_certificate_key /etc/letsencrypt/live/www.fovos.be/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/default: if ($host = www.fovos.be) {
/etc/nginx/sites-available/default: server_name www.fovos.be;
/etc/nginx/sites-enabled/default: server_name www.fovos.be; # managed by Certbot
/etc/nginx/sites-enabled/default: ssl_certificate /etc/letsencrypt/live/www.fovos.be/fullchain.pem; # managed by Certbot
/etc/nginx/sites-enabled/default: ssl_certificate_key /etc/letsencrypt/live/www.fovos.be/privkey.pem; # managed by Certbot
/etc/nginx/sites-enabled/default: if ($host = www.fovos.be) {
/etc/nginx/sites-enabled/default: server_name www.fovos.be;
/etc/nginx/sites-enabled/fovos.old: server_name fovos.be www.fovos.be;
/etc/nginx/sites-enabled/fovos.old: server_name fovos.be www.fovos.be;

Well, there's your issue I think: both fovos.conf and default have your site configured.

Please take a good look at both configurations and reduce them to just one. I would suggest using fovos.conf for clarity, but perhaps default has some essential configuration parts missing from fovos.conf, I don't know. Also, no idea which configuration nginx is actually using.

Also: looking at the include /etc/nginx/sites-enabled/*; it seems nginx includes everything, including .old files. So if you want to disable a complete configuration, you'd need to move it away from the sites-enabled directory.
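The situation described in the reply above, as an added example that is not part of this thread: a small POSIX shell script that builds a throwaway sites-enabled directory modelled on the grep output (fovos.conf, default and a stray fovos.old, all claiming www.fovos.be), extracts every listen/server_name pair, and reports the ones claimed by more than one file. nginx only warns about such duplicates at reload time ("conflicting server name ... ignored") and then keeps the first block it parsed for each name and port, and since an include glob is expanded in sorted order, with include sites-enabled/* the file that wins is simply the first one alphabetically (here default, not fovos.conf). The second run, with the *.conf glob, shows the .old file dropping out. The directory contents are constructed for the demonstration (the real files are longer) and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: find server names claimed by more than
# one file in sites-enabled before nginx merely warns and picks one.

# Throwaway sites-enabled directory modelled on the grep output in the thread
# (constructed data: the real files are longer).
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/fovos.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.fovos.be fovos.be;
}
server {
    listen 80;
    server_name www.fovos.be fovos.be;
}
EOF
    cat > "$dir/default" <<'EOF'
server {
    listen 80 default_server;
    server_name www.fovos.be;
}
server {
    listen 443 ssl;
    server_name www.fovos.be;
}
EOF
    cat > "$dir/fovos.old" <<'EOF'
server {
    listen 80;
    server_name fovos.be www.fovos.be;
}
EOF
    printf '%s\n' "$dir"
}

# Print "port name file" for every server_name in every file the include glob
# would pull in. $1 = directory, $2 = glob as written in the include line.
list_vhosts() {
    for f in "$1"/$2; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            /^[[:space:]]*server[[:space:]]*\{/ { port = "" }
            /^[[:space:]]*listen[[:space:]]/ {
                sub(/;.*/, ""); port = $2; sub(/.*:/, "", port)
            }
            /^[[:space:]]*server_name[[:space:]]/ {
                sub(/;.*/, "")
                for (i = 2; i <= NF; i++) print port, $i, file
            }
        ' "$f"
    done
}

# Report every port/name pair claimed by more than one file, listing the files
# in the order nginx reads them (sorted): the first one wins, the rest are what
# the "conflicting server name ... ignored" warning is about.
find_conflicts() {
    list_vhosts "$1" "$2" | sort | awk '
        { key = $1 " " $2; files[key] = files[key] " " $3; n[key]++ }
        END { for (k in n) if (n[k] > 1) print k ":" files[k] }
    ' | sort
}

# Demo: the include line the thread's nginx.conf uses versus a *.conf glob.
tree=$(make_sample_tree)
for glob in '*' '*.conf'; do
    echo "include sites-enabled/$glob"
    find_conflicts "$tree" "$glob" | sed 's/^/  /'
done
rm -rf "$tree"
```

On a live host, run find_conflicts /etc/nginx/sites-enabled '*' (or whatever glob the include line uses) and expect no output; any line it prints names a host:port that nginx is silently serving from a different file than you think.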

I just changed fovos.conf to fovos.old

OK, I will remove the default and rename fovos.old to *.conf

Be careful you're not removing essential configuration directives.

Everything works fine now. Thank you, Osiris!


Although you got things working, and I am glad about that, I see too many files in /sites-enabled/ to think this is configured correctly.
It may just be working by chance.
Please show the output of:

  • ls -l /etc/nginx/sites-enabled/
  • nginx -T | grep -i include | grep -i sites-enabled
  • nginx -t

Here they are

ls -l /etc/nginx/sites-enabled/
-rw-r--r-- 1 root root 1248 Oct 9 13:01 fovos.conf
-rw-r--r-- 1 root root 1306 Nov 11 2019 gr-advice.conf
lrwxrwxrwx 1 root root 34 Mar 15 2019 ral-europe.conf -> ../sites-available/ral-europe.conf

nginx -T | grep -i include | grep -i sites-enabled
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
include /etc/nginx/sites-enabled/*;

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

OK, it seems to be all straight now.
But you might want to exercise some caution and modify this line as follows:
(from)
include /etc/nginx/sites-enabled/*;
(to)
include /etc/nginx/sites-enabled/*.conf;

To prevent the dreaded unintentional file inclusions, like:

cp /etc/nginx/sites-enabled/working.conf /etc/nginx/sites-enabled/working.conf.backup

Cheers from Miami!
