Facing issue with cert activation

My domain is:
animebob.in

I ran this command:
sudo certbot certonly --webroot --webroot-path /home/ubuntu/autolycus -d animebob.in

It produced this output:

My web server is (include version):
ubuntu@movies3-storage:~$ sudo certbot certonly --webroot --webroot-path /home/ubuntu/autolycus -d animebob.in
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for animebob.in

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: animebob.in
Type: unauthorized
Detail: 129.159.20.202: Invalid response from Autolycus s7B9frqtspgjlRAsF1P-2xnN-E9fpS7vGNo: "\n<html lang="en">\n \n <meta charset ="utf-8" />\n <link rel="icon" href="/autolycus/icons/bx-meteor.svg"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

The operating system my web server runs on is (include version):
ubuntu 22.04

My hosting provider, if applicable, is:
oracle instance added 80, 443 in ingress rules

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

can someone help me pls

Extra information: I installed with the same command on another instance 1 day before; now I've deleted that instance, created a new one and am trying again.
Using Cloudflare (no proxy option on in the DNS records).

Welcome @bharathganji1

Can you show us the nginx server block for the animebob.in domain? I want to check that the webroot path in your certbot command is correct given how you redirect the acme challenge request.

curl -IL animebob.in/.well-known/acme-challenge/Test123
HTTP/1.1 302 Found
Server: nginx/1.17.10
Location: /autolycus/.well-known/acme-challenge/Test123

3 Likes

upstream api {
    server api:5000;
}

upstream client {
    server ui:3000;
}

server {
    listen 80;

    # listen 443 ssl;
    # ssl_certificate     /etc/ssl/certs/server.crt;
    # ssl_certificate_key /etc/ssl/certs/server.key;

    rewrite_log on;
    error_log   /var/log/nginx/error.log debug;

    location / {
        proxy_pass http://client;
    }

    location /sockjs-node {
        proxy_pass http://client;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_buffering off;
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;
        
        # enable WebSockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

}

After the above location block I suggest adding the below location and then reload nginx. This will cause the acme challenge to be processed right away and not be redirected.

location /.well-known/acme-challenge {
    root /home/ubuntu/autolycus;
}

You should also add this to that server block

server_name animebob.in www.animebob.in;

Then, try this with both domain names as shown

sudo certbot certonly --dry-run --webroot -w /home/ubuntu/autolycus -d animebob.in -d www.animebob.in

If that works, remove --dry-run and do again to get production certs. If it fails, show us the error message

3 Likes

I have no idea what files are present in that directory. Maybe a lot of stuff that shouldn't be accessible would be accessible to the entire world wide web? I'd recommend proceeding with caution and not advising such a root directive. (Unless absolutely sure there's nothing in it.)

There will be important data.
Suggest an alternative approach, please.

Just use a different folder name in that location block and the certbot -w command then

2 Likes

Fair point but they were already using that folder in their original command

2 Likes

I know and when reading that I also thought it was a bad idea :wink: To me, it suggested OP didn't know what they were doing.

ubuntu@movie3-storage:~$ sudo certbot certonly --dry-run --webroot --webroot-path /home/ubuntu/autolycus/temp -d animebob.in -d www.animebob.in
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Simulating a certificate request for animebob.in and www.animebob.in

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: animebob.in
Type: unauthorized
Detail: 68.233.118.212: Invalid response from http://animebob.in/.well-known/acme-challenge/1aniLb-f7NjdblfTp6vWgjL4JeZIMR41pOnF-rEJQss: 404

Domain: www.animebob.in
Type: unauthorized
Detail: 68.233.118.212: Invalid response from http://www.animebob.in/.well-known/acme-challenge/Np5Wm7TH-uvNunxNZwBlsfpezTDHLo-9sXnl-xiMo10: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.


upstream api {
    server api:5000;
}

upstream client {
    server ui:3000;
}

server {
    listen 80;
    server_name animebob.in www.animebob.in;

    # listen 443 ssl;
    # ssl_certificate     /etc/ssl/certs/server.crt;
    # ssl_certificate_key /etc/ssl/certs/server.key;

    rewrite_log on;
    error_log   /var/log/nginx/error.log debug;

    location / {
        proxy_pass http://client;
    }

    location /.well-known/acme-challenge {
        root /home/ubuntu/autolycus/temp;
    }

    location /sockjs-node {
        proxy_pass http://client;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_buffering off;
        rewrite /api/(.*) /$1 break;
        proxy_pass http://api;

        # enable WebSockets

Please check the result and the server block.

Please show that folder does exist, with:
ls -l /home/ubuntu/autolycus/temp

2 Likes

Please post this log file:
/var/log/letsencrypt/letsencrypt.log

3 Likes

And also, while we review that log file, place a test file in that webroot path:
echo "test-file" >> /home/ubuntu/autolycus/temp/test-file

It should then be accessible via:
http://animebob.in/.well-known/acme-challenge/test-file
http://www.animebob.in/.well-known/acme-challenge/test-file

3 Likes

Personally I would use a completely separate directory such as /var/lib/letsencrypt/http_challenges/ (which is also used by the Certbot apache plugin, so probably a good fit) for the challenge directory.
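As an added example (not from this thread, and not certbot's or nginx's own code), here is a Python pre-flight check that models the path mapping behind the advice above: what file nginx opens for `/.well-known/acme-challenge/<token>` under a `root` directive (and, going beyond the thread, under `alias`), versus where `certbot --webroot -w` writes its token, plus a local round-trip of a test token in the spirit of the test-file check. Function names, the constructed key-authorization string and the scratch directory are assumptions.

```python
import os
import secrets
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge"

def nginx_served_path(uri, directive, value, location=CHALLENGE_PREFIX):
    """File nginx opens for `uri` inside `location { <directive> <value>; }`:
    root -> value + full request URI; alias -> value + URI minus the location prefix."""
    if not uri.startswith(location + "/"):
        raise ValueError("%s is outside location %s" % (uri, location))
    if directive == "root":
        return os.path.normpath(value + uri)
    if directive == "alias":
        return os.path.normpath(value + uri[len(location):])
    raise ValueError("unsupported directive %r" % directive)

def certbot_written_path(webroot, token):
    """Where `certbot --webroot -w <webroot>` writes the token file."""
    return os.path.normpath(os.path.join(webroot, CHALLENGE_PREFIX[1:], token))

def paths_agree(webroot, directive, value, token="TOKEN"):
    """True if the CA's GET of /.well-known/acme-challenge/<token> hits certbot's file."""
    served = nginx_served_path(CHALLENGE_PREFIX + "/" + token, directive, value)
    return served == certbot_written_path(webroot, token)

def simulate_challenge(webroot, directive, value):
    """Write a token the way certbot does, then read it back through nginx's mapping.
    Returns (path nginx would serve, whether the content round-tripped)."""
    token = secrets.token_urlsafe(32)              # same shape as a real ACME token
    key_auth = token + ".CONSTRUCTED-THUMBPRINT"   # constructed stand-in for the key authorization
    written = certbot_written_path(webroot, token)
    os.makedirs(os.path.dirname(written), exist_ok=True)
    with open(written, "w") as fh:
        fh.write(key_auth)
    served = nginx_served_path(CHALLENGE_PREFIX + "/" + token, directive, value)
    try:
        with open(served) as fh:
            ok = fh.read() == key_auth
    except OSError:                                # this is what the CA reports as a 404
        ok = False
    os.remove(written)                             # certbot removes its token afterwards too
    return served, ok

def selfcheck():
    """Matching and mismatched webroot/root pairs in a scratch dir: expect (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = simulate_challenge(tmp, "root", tmp)[1]
        bad = simulate_challenge(tmp, "root", os.path.join(tmp, "wrong"))[1]
    return good, bad
```

With `alias`, certbot's `-w` directory never lines up with the served directory, which is why the thread's `root` form is the one to use with `--webroot`.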


log.txt (12.5 KB)
It's not possible to export the full log file; sending some of it.

I don't have much knowledge.

I'm trying to run a git project, GitHub - imneonizer/autolycus: A seedr.cc inspired web application to download and stream torrent files from hosted web servers,
through an Oracle instance via Docker.

Earlier, on a different instance, I connected the same website with a different IP and it worked with the same command, just yesterday:

sudo certbot certonly --webroot --webroot-path /home/ubuntu/autolycus/temp -d animebob.in

I deleted that instance and am trying to do the same today on a new instance, and now I'm getting the error.

???
I see nginx:

curl -Ii http://animebob.in/.well-known/acme-challenge/test-file
HTTP/1.1 404 Not Found
Server: nginx/1.17.10
Date: Sat, 08 Jul 2023 16:40:26 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive

And the "test-file" is NOT accessible.

4 Likes

I would have liked to recommend certbot certonly --nginx instead of --webroot and avoid issues with any paths. But, when I see a config with lots of proxy I am less inclined. Especially when there are other apparent issues with the config. And, when using a somewhat older certbot version as well. The --nginx plug-in would be cleaner but potentially a lot more work to get them sorted out.

3 Likes