Error running certbot Invalid response (was working before)

Hello,
I was using certbot to auto-renew my SSL, and managed to create my first SSL certificate. Everything was OK (even the dry run test) but now for some reason I'm stuck.

Thanks for your time :slight_smile:

My domain is: irice.fr

I ran this command: sudo certbot certonly --agree-tos --email admin@irice.fr --webroot -w /var/lib/letsencrypt/ -d irice.fr -d www.irice.fr

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for irice.fr
http-01 challenge for www.irice.fr
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. irice.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://irice.fr/.well-known/acme-challenge/8f_-SOaMLBDje2LEenv08BuHTYWzigtfe91HQaWBE-k [185.216.25.19]: "\n \n \n <html lang="fr-FR" data-website-id="1" data-oe-company-name="IRICE">\n \n ", www.irice.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://irice.fr/.well-known/acme-challenge/C-o0aX7DA1BEpoA7hsE3VfWjgk1YNtV0bDCr7UR3q-g [185.216.25.19]: "\n \n \n <html lang="fr-FR" data-website-id="1" data-oe-company-name="IRICE">\n \n "

IMPORTANT NOTES:

My web server is (include version): Nginx /1.14.0 ubuntu

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: PulseHeberg

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): SSH via putty

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): cert 0.27

Could you please share the part of your nginx configuration which maps /.well-known/acme-challenge/ to /var/lib/letsencrypt ?

Hi @Misseen

you see: Letsencrypt checks port 80 / http, but there is a redirect http -> https, so Letsencrypt can't find the validation file.

So your port 80 config is buggy.

Two options:

  • What does nginx -T say? Fix your port 80 vHost.
  • Use the webroot of your port 443 vHost in your command

I made this in order to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt


Then I created two snippets:

/etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

sudo nano /etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

Then in my server block **(/etc/nginx/sites-enabled/irice.fr)** I wrote this:

# Odoo servers
upstream odoo {
 server 127.0.0.1:8069;
}

upstream odoochat {
 server 127.0.0.1:8072;
}

# HTTP -> HTTPS
server {
    listen 80;
    server_name www.irice.fr irice.fr;

    include snippets/letsencrypt.conf;
    return 301 https://irice.fr$request_uri;
}

# WWW -> NON WWW
server {
    listen 443 ssl http2;
    server_name www.irice.fr;

    ssl_certificate /etc/letsencrypt/live/irice.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/irice.fr/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/irice.fr/chain.pem;
    include snippets/ssl.conf;

    return 301 https://irice.fr$request_uri;
}

server {
    listen 443 ssl http2;
    server_name irice.fr;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/irice.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/irice.fr/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/irice.fr/chain.pem;
    include snippets/ssl.conf;

    # log files
    access_log /var/log/nginx/odoo.access.log;
    error_log /var/log/nginx/odoo.error.log;

    # Handle longpoll requests
    location /longpolling {
        proxy_pass http://odoochat;
    }

    # Handle / requests
    location / {
       proxy_redirect off;
       proxy_pass http://odoo;
    }

    # Cache static files
    location ~* /web/static/ {
        proxy_cache_valid 200 90m;
        proxy_buffering on;
        expires 864000;
        proxy_pass http://odoo;
    }

    # Gzip
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    gzip on;
}

Hello JuergenAuer, thank you for your time.

root@server:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Use the webroot of your port 443 vHost in your command

Obviously this exceeds my knowledge, I have no idea what to do.

I wrote -T, not -t.

Please read your command. There you already use a (not working) webroot. Change that value.

And please read some basics how you use Certbot:

https://certbot.eff.org/docs/using.html

Edit: Important thing to note: before running apt update + upgrade the issue was: "The request message was malformed :: Method not allowed"

Whoops, my bad for -T, here is the output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}

configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:

load_module modules/ngx_http_geoip_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:

load_module modules/ngx_http_image_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:

load_module modules/ngx_http_xslt_filter_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:

load_module modules/ngx_mail_module.so;

configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:

load_module modules/ngx_stream_module.so;

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                           mml;
text/plain                            txt;
text/vnd.sun.j2me.app-descriptor      jad;
text/vnd.wap.wml                      wml;
text/x-component                      htc;

image/png                             png;
image/tiff                            tif tiff;
image/vnd.wap.wbmp                    wbmp;
image/x-icon                          ico;
image/x-jng                           jng;
image/x-ms-bmp                        bmp;
image/svg+xml                         svg svgz;
image/webp                            webp;

application/font-woff                 woff;
application/java-archive              jar war ear;
application/json                      json;
application/mac-binhex40              hqx;
application/msword                    doc;
application/pdf                       pdf;
application/postscript                ps eps ai;
application/rtf                       rtf;
application/vnd.apple.mpegurl         m3u8;
application/vnd.ms-excel              xls;
application/vnd.ms-fontobject         eot;
application/vnd.ms-powerpoint         ppt;
application/vnd.wap.wmlc              wmlc;
application/vnd.google-earth.kml+xml  kml;
application/vnd.google-earth.kmz      kmz;
application/x-7z-compressed           7z;
application/x-cocoa                   cco;
application/x-java-archive-diff       jardiff;
application/x-java-jnlp-file          jnlp;
application/x-makeself                run;
application/x-perl                    pl pm;
application/x-pilot                   prc pdb;
application/x-rar-compressed          rar;
application/x-redhat-package-manager  rpm;
application/x-sea                     sea;
application/x-shockwave-flash         swf;
application/x-stuffit                 sit;
application/x-tcl                     tcl tk;
application/x-x509-ca-cert            der pem crt;
application/x-xpinstall               xpi;
application/xhtml+xml                 xhtml;
application/xspf+xml                  xspf;
application/zip                       zip;

application/octet-stream              bin exe dll;
application/octet-stream              deb;
application/octet-stream              dmg;
application/octet-stream              iso img;
application/octet-stream              msi msp msm;

application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

audio/midi                            mid midi kar;
audio/mpeg                            mp3;
audio/ogg                             ogg;
audio/x-m4a                           m4a;
audio/x-realaudio                     ra;

video/3gpp                            3gpp 3gp;
video/mp2t                            ts;
video/mp4                             mp4;
video/mpeg                            mpeg mpg;
video/quicktime                       mov;
video/webm                            webm;
video/x-flv                           flv;
video/x-m4v                           m4v;
video/x-mng                           mng;
video/x-ms-asf                        asx asf;
video/x-ms-wmv                        wmv;
video/x-msvideo                       avi;

}

configuration file /etc/nginx/sites-enabled/default:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#

server {
listen 80 default_server;
listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #       include snippets/fastcgi-php.conf;
    #
    #       # With php-fpm (or other unix sockets):
    #       fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    #       # With php-cgi (or other tcp sockets):
    #       fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #       deny all;
    #}

}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#    listen 80;
#    listen [::]:80;
#
#    server_name example.com;
#
#    root /var/www/example.com;
#    index index.html;
#
#    location / {
#        try_files $uri $uri/ =404;
#    }
#}

configuration file /etc/nginx/sites-enabled/irice.fr:

# Odoo servers

upstream odoo {
server 127.0.0.1:3697;
}

upstream odoochat {
server 127.0.0.1:8072;
}

# HTTP -> HTTPS

server {
listen 80;
server_name www.irice.fr irice.fr;

include snippets/letsencrypt.conf;
return 301 https://irice.fr$request_uri;

}

# WWW -> NON WWW

server {
listen 443 ssl http2;
server_name www.irice.fr;

ssl_certificate /etc/letsencrypt/live/irice.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/irice.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/irice.fr/chain.pem;
include snippets/ssl.conf;

return 301 https://irice.fr$request_uri;

}

server {
listen 443 ssl http2;
server_name irice.fr;

proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;

# Proxy headers
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;

# SSL parameters
ssl_certificate /etc/letsencrypt/live/irice.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/irice.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/irice.fr/chain.pem;
include snippets/ssl.conf;

# log files
access_log /var/log/nginx/odoo.access.log;
error_log /var/log/nginx/odoo.error.log;

# Handle longpoll requests
location /longpolling {
    proxy_pass http://odoochat;
}

# Handle / requests
location / {
   proxy_redirect off;
   proxy_pass http://odoo;
}

# Cache static files
location ~* /web/static/ {
    proxy_cache_valid 200 90m;
    proxy_buffering on;
    expires 864000;
    proxy_pass http://odoo;
}

# Gzip
gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
gzip on;

}

configuration file /etc/nginx/snippets/letsencrypt.conf:

location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}

configuration file /etc/nginx/snippets/ssl.conf:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

I read the user guide and managed to understand that my path was "--webroot -w /var/lib/letsencrypt/"; what is not working in this case?
Oh ok, I understand it, Vhost is what I call server block, that's why I misunderstood.

This looks ok to me

I SOLVED THE ISSUE (kind of)

  1. Updated certbot to 0.31.02 with https://launchpad.net/~certbot/+archive/ubuntu/certbot
  2. apt upgrade
  3. Restart services
  4. Changed block (Vhost) to:
server {
    listen 80;
    listen [::]:80;

    root /var/www/example.com/public_html;

    index index.html;

    server_name example.com www.example.com;

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

Looks like the issue was the port 443, or reverse proxy mode? I do not fully understand why.

This allows me to renew my cert manually, but when I set my reverse proxy back up the --dry-run fails.
I must find what in my Vhost conf is causing the issue.
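Added example, not code from the thread or from Certbot/nginx documentation. In the server block posted earlier in this thread, `return 301 https://irice.fr$request_uri;` sits directly inside the `listen 80` server block. nginx executes a server-level `return` in its server rewrite phase, before it selects a location, so the `location ^~ /.well-known/acme-challenge/` from snippets/letsencrypt.conf is never consulted: every challenge request is redirected to the HTTPS vhost, which proxies to Odoo and answers with the HTML page quoted in the certbot error. Moving the redirect into `location /` lets the longer `^~` prefix location win for challenge URLs, and the proxy configuration on port 443 can stay exactly as it is, so the reverse proxy does not have to be torn down for each renewal. The script below renders such a port-80 block and probes the challenge path with curl before certbot is run; the names `render_port80_block`, `classify_acme_response` and `check_acme_path`, the `DOMAIN` and `WEBROOT` variables, the `/tmp` scratch file and the probe token format are my own choices, and the 405 verdict only reflects the "Method not allowed" message quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a port-80 server block whose
# http -> https redirect lives inside "location /", plus a curl probe of the
# challenge path.  Assumptions of mine: POSIX sh, curl installed, and
# snippets/letsencrypt.conf as posted in the thread (root /var/lib/letsencrypt).

DOMAIN="${DOMAIN:-irice.fr}"                 # assumed default, override via env
WEBROOT="${WEBROOT:-/var/lib/letsencrypt}"   # same webroot as certbot -w

# Print a port-80 server block.  A "return" written directly in the server
# block runs in nginx's server rewrite phase, before any location is chosen,
# so the acme-challenge location from the snippet never matches.  Inside
# "location /" the redirect only applies when no longer prefix location
# (such as "^~ /.well-known/acme-challenge/") has already won.
render_port80_block() {
    domain="$1"
    cat <<EOF
# HTTP -> HTTPS, except for the ACME challenge path
server {
    listen 80;
    listen [::]:80;
    server_name www.${domain} ${domain};

    include snippets/letsencrypt.conf;

    location / {
        return 301 https://${domain}\$request_uri;
    }
}
EOF
}

# Map an HTTP status and body for /.well-known/acme-challenge/<token> to a
# verdict: ok, redirect, not-found, method-not-allowed, wrong-body or other.
classify_acme_response() {
    status="$1"
    body="$2"
    expected="$3"
    case "$status" in
        200)
            if [ "$body" = "$expected" ]; then
                echo ok
            else
                echo wrong-body          # e.g. an application's HTML page
            fi
            ;;
        301|302|307|308) echo redirect ;;        # request never reached the snippet
        404) echo not-found ;;                   # file not under the nginx root
        405) echo method-not-allowed ;;          # the "Method not allowed" case
        *)   echo other ;;
    esac
}

# Live probe: create a token file where certbot --webroot would, fetch it over
# plain HTTP without following redirects, clean up, and print the verdict.
check_acme_path() {
    domain="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$$"
    expected="probe-body-$$"
    tmp="/tmp/acme-probe-$$"
    mkdir -p "$dir"
    printf '%s' "$expected" > "$dir/$token"
    status=$(curl -s -o "$tmp" -w '%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$token")
    body=$(cat "$tmp" 2>/dev/null)
    rm -f "$tmp" "$dir/$token"
    classify_acme_response "$status" "$body" "$expected"
}

# Usage: sh acme_check.sh render   (print the server block)
#        sh acme_check.sh check    (probe http://$DOMAIN/.well-known/acme-challenge/)
case "${1:-}" in
    render) render_port80_block "$DOMAIN" ;;
    check)  check_acme_path "$DOMAIN" "$WEBROOT" ;;
esac
```

Run `sh acme_check.sh render`, paste the output in place of the port-80 server block in /etc/nginx/sites-enabled/irice.fr, then `nginx -t && systemctl reload nginx` and `sh acme_check.sh check`. Anything other than `ok` means certbot's http-01 validation will fail the same way; `redirect` is the failure mode of the original post (Let's Encrypt followed that redirect and received Odoo's HTML), and `not-found` usually means the snippet's `root` and the `-w` path given to certbot differ.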
