Errors don't go away on a new website (only index file is present yet)

My domain is: bobu.online

I ran this command: letsencrypt certonly --webroot --dry-run -w /var/www -d bobu.online

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bobu.online
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bobu.online (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bobu.online/.well-known/acme-challenge/I1VJm-AiBLi0CdG5CbuBPax7B2a5Aad2jjPicSxMZpI [34.69.83.105]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: bobu.online
   Type:   unauthorized
   Detail: Invalid response from
   http://bobu.online/.well-known/acme-challenge/I1VJm-AiBLi0CdG5CbuBPax7B2a5Aad2jjPicSxMZpI
   [34.69.83.105]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

My hosting provider, if applicable, is: GCP

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Perhaps I’m using ‘Letsencrypt’ command.


Hi @BathindaHelper

if you use webroot, then the webroot may be wrong.

What says

nginx -T

PS: Checked your domain - https://check-your-website.server-daten.de/?q=bobu.online#ct-logs

There is a new wildcard certificate, created yesterday.

Issuer                      not before  not after   Domain names                            LE-Duplicate     next LE
Let's Encrypt Authority X3  2020-02-13  2020-05-13  *.bobu.online, bobu.online - 2 entries  duplicate nr. 1

But your port 443 doesn’t work. certonly doesn’t install a certificate.


Thanks for your response.

I’ve tried to run the command without the ‘webroot’ switch also; then similar errors show as well.

nginx -T output:

root@gcp45r:~# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/bobu.online.conf:
server {
        listen 80 default_server; ## Remove the words 'default_server' if it's the 2nd domain, from both/two lines.
        listen [::]:80 default_server;

        server_name bobu.online;
        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        location / {
                # First attempt to serve request as file, then as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot

#    ssl_certificate /etc/letsencrypt/live/bobu.online/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/bobu.online/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        server_name bobu.online;
        root /var/www/4;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        location / {
                # First attempt to serve request as file, then as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

}

I tried yesterday (and today), but didn’t succeed.


There

root /var/www/html;

is your webroot. Not /var/www -> wrong webroot, not working.

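The mismatch pointed out above (certbot writes the token under /var/www/.well-known/acme-challenge/, nginx answers http://bobu.online/ from /var/www/html, so the CA gets a 404) can be caught before asking the CA. The following is an added example, not part of the thread and not Certbot's own tooling: a POSIX shell script that reads an `nginx -T` dump, finds the server block that listens on port 80 for the domain, and compares its effective document root with the `-w` path. SAMPLE_CONF is a constructed, trimmed copy of the two server blocks posted above. The script goes slightly beyond the thread: it also honours a dedicated `location /.well-known/acme-challenge/ { root ...; }` (that root wins over the server-level one) and falls back to a port-80 `default_server` block when no block names the domain, which is how nginx itself would route the request.

```shell
#!/bin/sh
# Added example (not from the thread, not Certbot tooling): check that the -w path
# given to certbot is the directory nginx really serves http://DOMAIN/ from.
# Assumes one nginx directive per line (as `nginx -T` prints it) and that the
# challenge is answered by the port-80 server block for DOMAIN.

# find_http_webroot DOMAIN   (reads an `nginx -T` dump on stdin)
# Prints the effective root for /.well-known/acme-challenge/ on port 80: a root
# inside an acme-challenge location beats the server-level root; a block naming
# DOMAIN beats a port-80 default_server fallback. Exit 1 if nothing serves DOMAIN.
find_http_webroot() {
    awk -v domain="$1" '
        { sub(/#.*/, "") }                         # drop comments: braces in them must not count
        /^[[:space:]]*server[[:space:]]*\{/ {      # a server block starts: reset per-block state
            inblock = 1; depth = 0; on80 = 0; dflt = 0; named = 0
            root = ""; locroot = ""; inloc = 0
        }
        inblock {
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if ($1 == "listen" && $0 ~ /(^|[^0-9])80([^0-9]|$)/) {
                on80 = 1
                if ($0 ~ /default_server/) dflt = 1
            }
            if ($1 == "server_name") for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n == domain) named = 1 }
            if ($1 == "location" && $0 ~ /\.well-known\/acme-challenge/) { inloc = 1; locdepth = depth }
            if (inloc && depth < locdepth) inloc = 0
            if ($1 == "root") { r = $2; sub(/;$/, "", r); if (inloc) locroot = r; else root = r }
            if (depth == 0) {                      # block closed: decide what it serves
                inblock = 0
                eff = (locroot != "") ? locroot : root
                if (on80 && eff != "") {
                    if (named) { print eff; found = 1; exit }
                    if (dflt && fallback == "") fallback = eff
                }
            }
        }
        END { if (found) exit 0; if (fallback != "") { print fallback; exit 0 }; exit 1 }
    '
}

# check_webroot DOMAIN WEBROOT   (reads an `nginx -T` dump on stdin)
# 0 = the -w path is what nginx serves, 1 = mismatch (the 404 in the thread),
# 2 = no port-80 server block serves DOMAIN at all.
check_webroot() {
    domain=$1; webroot=${2%/}
    if ! actual=$(find_http_webroot "$domain"); then
        echo "no server block listening on port 80 serves $domain"
        return 2
    fi
    actual=${actual%/}
    if [ "$actual" = "$webroot" ]; then
        echo "ok: nginx serves http://$domain/ from $webroot"
        return 0
    fi
    echo "mismatch: certbot -w $webroot writes $webroot/.well-known/acme-challenge/TOKEN,"
    echo "but nginx answers http://$domain/.well-known/acme-challenge/TOKEN from $actual -> 404"
    return 1
}

# Constructed sample: the two server blocks from the nginx -T dump above, trimmed.
SAMPLE_CONF='server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name bobu.online;
        root /var/www/html;
        location / {
                try_files $uri $uri/ =404;
        }
}
server {
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        server_name bobu.online;
        root /var/www/4;
        location / {
                try_files $uri $uri/ =404;
        }
}'

# Usage: sh webroot-check.sh DOMAIN WEBROOT   (runs nginx -T on this host)
#        sh webroot-check.sh --demo           (runs against SAMPLE_CONF)
case "${1-}" in
    --demo) printf '%s\n' "$SAMPLE_CONF" | check_webroot bobu.online /var/www ;;
    "")     ;;
    *)      nginx -T 2>/dev/null | check_webroot "$1" "${2-}" ;;
esac
```

On the sample, `--demo` reports the mismatch and exits 1; with `/var/www/html` it exits 0. The parser is deliberately narrow: it does not follow `alias`, regex locations or upstream proxying, so treat a clean result as a prerequisite, not a proof. The end-to-end check is still to put a throwaway file under `WEBROOT/.well-known/acme-challenge/` and fetch it with `curl -i http://DOMAIN/.well-known/acme-challenge/FILE` from outside the host before running certbot again.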

Thank you very much for pointing/finding this out. I couldn’t have detected this error.

Two small doubts, if you’ll.

  1. In the command there is this word/switch: “Certonly”. Does it mean that only certificate is generated? Not the key file?
  2. What’s the diff of ‘Nginx’ being on or off? If I choose ‘web-server’ method (rather than ‘webroot’), then I’ve to keep Nginx ‘off’.

Thanks again.

Hi @BathindaHelper,

In Certbot, certonly means “only generate the certificate; don’t install it (into a web server application)”. It does generate a key. But it does not attempt to reconfigure your server to use the newly obtained certificate; you have to do that yourself by editing configuration files.

The --nginx method tries to integrate with an existing nginx installation.

With certonly --nginx, it tries to reconfigure the existing nginx temporarily in order to prove your control over the domain name, as requested by the certificate authority, but once this is complete, it does not try to reconfigure nginx permanently to use the new certificate.

With --nginx (without certonly), it does this and also tries to reconfigure nginx permanently to use the new certificate.

With --webroot, it tries to create files at a specific path (assuming that this path is being served publicly by an existing web server application) in order to prove your control over the domain name(s) to the certificate authority. This does not make any assumptions about which web server application is in use, so it could work with any kind of existing web server, as long as it’s able to serve static files from the filesystem.

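Since `certonly` generates the key and certificate but leaves the nginx side to you, the step that follows is uncommenting the `ssl_certificate` / `ssl_certificate_key` lines in the 443 block above and reloading. The script below is an added example, not from the thread and not part of Certbot: before touching the config it checks, with the openssl CLI only, that `fullchain.pem` and `privkey.pem` in the live directory actually belong together (same public key) and that the leaf certificate's SAN list covers the domain, including the one-label wildcard rule (`*.bobu.online` covers `www.bobu.online` but not `bobu.online`). The path `/etc/letsencrypt/live/DOMAIN/` is Certbot's default layout; everything else in the block is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread, not Certbot tooling): sanity-check what
# `certonly` left behind before pointing nginx at it. Assumes Certbot's default
# layout /etc/letsencrypt/live/DOMAIN/{fullchain,privkey}.pem and the openssl CLI.
# Caveat: the command in the thread used --dry-run, which talks to the staging CA
# and saves nothing to disk, so this check only applies after a real run.

# cert_matches_key CERT KEY: 0 if the leaf certificate (first PEM block of CERT)
# carries the public key derived from KEY. A mismatched pair makes nginx refuse
# the ssl_certificate directive at start-up.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_name CERT NAME: 0 if NAME is a DNS SAN of the leaf, or is covered by
# a wildcard SAN one label up (*.bobu.online covers www.bobu.online, not bobu.online).
# Runs in a subshell so `set -f` (no globbing of "*.bobu.online") stays local.
cert_covers_name() (
    set -f
    sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
           | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
           | sed -n 's/^[[:space:]]*DNS://p')
    parent=${2#*.}                      # unchanged when NAME has no dot
    for s in $sans; do
        [ "$s" = "$2" ] && return 0
        [ "$parent" != "$2" ] && [ "$s" = "*.$parent" ] && return 0
    done
    return 1
)

# install_check DOMAIN [LIVEDIR]: 0 only if both files exist, belong together and
# cover DOMAIN; prints what to do next. A world-readable key is warned about,
# not treated as fatal.
install_check() {
    dir=${2:-/etc/letsencrypt/live/$1}
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing $dir/$f: certonly has not produced a certificate under this name"
            return 1
        fi
    done
    if ! cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "fullchain.pem and privkey.pem in $dir do not belong together"
        return 1
    fi
    if ! cert_covers_name "$dir/fullchain.pem" "$1"; then
        echo "certificate in $dir does not cover $1"
        return 1
    fi
    [ -n "$(find -L "$dir/privkey.pem" -perm -004 2>/dev/null)" ] \
        && echo "warning: $dir/privkey.pem is world-readable"
    echo "ok: $dir is consistent for $1"
    echo "next: set ssl_certificate $dir/fullchain.pem and ssl_certificate_key $dir/privkey.pem in the 443 block, then nginx -t && nginx -s reload"
    return 0
}

# Usage: sh post-certonly-check.sh DOMAIN [LIVEDIR]
if [ $# -ge 1 ]; then install_check "$@"; fi
```

`openssl x509` only parses the first certificate in `fullchain.pem`, which is the leaf; the chain behind it is not validated here, because that is the job of the client connecting to port 443, not of the install step. The wildcard check follows the one-label rule, so a certificate for `*.bobu.online` alone would fail this check for `bobu.online` itself, which is exactly why Certbot issues both names together, as the CT entry quoted earlier in the thread shows.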

This is the old name of Certbot. It was renamed in May 2016.

If you run Certbot as letsencrypt, you are still running Certbot, but you’re probably following documentation or tutorials that were created before May 2016.
