Failed to authenticate some domains - nginx - netbox

My domain is:
top-floor.net specifically netbox.top-floor.net

I ran this command:
sudo certbot -v --nginx -d netbox.top-floor.net

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for netbox.top-floor.net
Performing the following challenges:
http-01 challenge for netbox.top-floor.net
Waiting for verification...
Challenge failed for domain netbox.top-floor.net
http-01 challenge for netbox.top-floor.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these
  Domain: netbox.top-floor.net
  Type:   unauthorized
  Detail: 5.161.130.12: Invalid response from https://netbox.top-floor.net/.well-known/acme-challenge/XiEMpU

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. x server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description:    Ubuntu 20.04.4 LTS
Release:        20.04
Codename:       focal
user@VPS:~$ uname -a
Linux ubuntu-4gb-ash-1 5.4.0-121-generic #137-Ubuntu SMP Wed Jun 15 13:33:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

Hello again all, having another issue this time. Since I had some success with my last LE issue, I figured I'd try it again :sunglasses:

To provide a little more background, I am trying to spin up a test instance of DigitalOcean's netbox. I was able to add it to my VPS, install and configure it correctly, however I have not been able to generate a TLS cert for the website. I followed a couple of guides and my nginx config looks correct, but for some odd reason I get the weird 404 error when attempting to request it. Any ideas as to why? I found similar issues, here, here and here, with the last one being the most helpful but still not an answer.

Let's have a look at the output of:
nginx -T

5 Likes

Your domain name isn't pointing to your nginx server. It's pointing to a domain parking page.

You need to configure your domain's DNS records so that they point to your DigitalOcean server.

7 Likes

@_az, did you try with the dash?

6 Likes

nginx output looks OK to me.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/netbox:
server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.top-floor.net;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    return 301 https://$host$request_uri;
}

@_az I think you may want to check again. netbox.top-floor.net drops me to my netbox instance lol.

https://netbox.top-floor.net/

It seems to be missing the challenge file handling location.

edit this:

to this:

server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    location ^/(?!\.well-known) {              # skip challenge requests
        return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /new/dedicated/challenge/path;        # path for challenge requests
}

And be sure to create, and update, the "/new/dedicated/challenge/path" location/entry.
It can be anything simple like:
/acme-challenges/
/var/acme-challenges/

5 Likes

That doesn't work for me. But adding the regex qualifier does :slight_smile:

 location ~ ^/(?!\.well-known) {
6 Likes

hmm...
Which version of nginx ?

4 Likes

1.20.1

5 Likes

So I am assuming I edit the /etc/nginx/sites-enabled/netbox? If so, I did and then I created the /var/acme-challenges directory using the following command:
sudo mkdir /var/acme-challegnes

Now my config looks like this (output from cat /etc/nginx/site-enabled/netbox):

server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.top-floor.net;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    location ^/(?!\.well-known) {              # skip challenge requests
        return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /var/acme-challenges/;        # path for challenge requests
}

But then I get an error:

 nginx -T
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2022/07/13 12:13:13 [warn] 2304#2304: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2022/07/13 12:13:13 [emerg] 2304#2304: "server" directive is not allowed here in /etc/nginx/sites-enabled/netbox:22
nginx: configuration file /etc/nginx/nginx.conf test failed

So it looks like my config is still screwy. I also made it so that I cannot reload nginx via systemd.

EDIT AGAIN

I tried adding the ~ that @MikeMcQ suggested and I am still getting an error when trying to reload the service. But it looks like a slightly different error:

sudo nginx -T
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/sites-enabled/netbox:22
nginx: configuration file /etc/nginx/nginx.conf test failed

One problem is you are missing the closing } for the server block before this one

6 Likes

@MikeMcQ ~are you sure? Here is the full config and I thought I had the } before the second server section.~

You were correct. I was able to reload the nginx service.

Old config:


server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.top-floor.net;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    location ~ ^/(?!\.well-known) {              # skip challenge requests
        return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /var/acme-challenges/;        # path for challenge requests
}

New config:

server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.top-floor.net;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    location ~ ^/(?!\.well-known) {              # skip challenge requests
        return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /var/acme-challenges/;        # path for challenge requests
}

1 Like
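The three nginx mistakes that surfaced in this thread (the unbalanced braces behind the `"server" directive is not allowed here` error, the `location ^/(?!\.well-known)` that only works once the `~` modifier is added, and a port-80 block that redirects everything so the challenge token is never served from a local root) can all be caught before running certbot. The following script is an added example, not code from this thread, from certbot or from nginx; it is a deliberately small tokenizer for the directive subset posted above, not a full nginx grammar, and the sample configs it checks are constructed from the shapes posted here.

```python
"""Static checks for the nginx pitfalls this thread ran into.

Added example, not part of the original thread, certbot or nginx. It flags:
  1. unbalanced braces (the missing "}" behind the 'server directive is not
     allowed here' error);
  2. a location whose pattern starts with "^" or contains "(?" but has no
     "~" / "~*" modifier, so nginx matches it as a literal prefix;
  3. a port-80 server that redirects unconditionally, so a token under
     /.well-known/acme-challenge/ is never served from a local root.
"""
import re

MODIFIERS = {"=", "~", "~*", "^~"}


def strip_comments(text):
    """Remove '# ...' to end of line; nginx has no block comments."""
    return re.sub(r"#[^\n]*", "", text)


def brace_balance(text):
    """Opening minus closing braces; 0 means balanced."""
    clean = strip_comments(text)
    return clean.count("{") - clean.count("}")


def parse(text):
    """Parse into (name, args, children) triples; children is None for simple directives."""
    toks = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        items, cur = [], []
        while pos < len(toks):
            tok = toks[pos]
            pos += 1
            if tok == "}":
                return items
            if tok in (";", "{"):
                if cur:  # a directive ends at ';', a block at its '{'
                    items.append((cur[0], cur[1:], block() if tok == "{" else None))
                cur = []
            else:
                cur.append(tok)
        return items

    return block()


def listens_on(children, port):
    """True if a 'listen' directive in this server binds the given port."""
    return any(n == "listen" and a and a[0].rsplit(":", 1)[-1] == str(port)
               for n, a, _ in children)


def check_server(children):
    findings = []
    for name, args, _ in children:
        if name == "location" and args:
            pattern = args[-1]
            if args[0] not in MODIFIERS and (pattern.startswith("^") or "(?" in pattern):
                findings.append(f"location {pattern}: regex without '~' modifier, matched as a literal prefix")
    if listens_on(children, 80):
        exempts = any(n == "location" and any(".well-known" in a for a in args) for n, args, _ in children)
        serves = any(n in ("root", "alias") or (c and any(m in ("root", "alias") for m, _, _ in c))
                     for n, _, c in children)
        if any(n == "return" for n, _, _ in children) and not exempts:
            findings.append("port-80 server redirects every request; /.well-known/acme-challenge/ is never served locally")
        elif not serves:
            findings.append("port-80 server has no root/alias to serve challenge tokens from")
    return findings


def check_config(text):
    """Return a list of findings for a full nginx config text (empty means clean)."""
    bal = brace_balance(text)
    if bal != 0:
        return [f"unbalanced braces ({bal:+d}); a 'server' opened inside another server is the usual cause"]
    return [f for name, _, kids in parse(text) if name == "server" and kids is not None
            for f in check_server(kids)]


# Constructed samples, trimmed from the configs posted in this thread.
HTTPS = r"""server {
    listen [::]:443 ssl ipv6only=off;
    server_name netbox.top-floor.net;
    location /static/ { alias /opt/netbox/netbox/static/; }
    location / { proxy_pass http://127.0.0.1:8001; }
}
"""
ORIGINAL = HTTPS + r"""server {
    listen [::]:80 ipv6only=off;
    server_name _;
    return 301 https://$host$request_uri;
}
"""
FIXED = HTTPS + r"""server {
    listen [::]:80 ipv6only=off;
    server_name _;
    location ~ ^/(?!\.well-known) { return 301 https://$host$request_uri; }
    root /var/acme-challenges/;
}
"""
NO_TILDE = FIXED.replace("location ~ ^/", "location ^/")       # first suggestion, before the '~'
BROKEN = FIXED.replace("}\nserver {", "\nserver {")              # drops the '}' closing the 443 block

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL), ("broken", BROKEN), ("no tilde", NO_TILDE), ("fixed", FIXED)]:
        print(label, "->", check_config(cfg) or ["ok"])
```

Run it as `python3 check_nginx_acme.py` (any file name works); `nginx -T` output can be fed to `check_config` as well, since it also reports "never served locally" for the very first config in this thread and an empty list for the corrected one. It is a complement to `nginx -t`, which only validates syntax and would have accepted the `location ^/(?!\.well-known)` form without complaint.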

The redirect to https is working. But, I think you need to change the server_name in your http server block to be like your https server:

server_name netbox.top-floor.net;

Your first post showed using the nginx plug-in and I think it will need to see the server name and not just a default name.

Rudy may have been guiding you towards using webroot instead of the nginx plug-in. So, I don't want to divert those efforts. At least know your nginx config is improving. You could try the command in your first post again and see.

6 Likes

@MikeMcQ Honestly not sure of the difference between using certbot with either webroot or the nginx plugin.

From sudo nginx -T you can see my server name and, unless I'm mistaken, I believe it is correct:

# configuration file /etc/nginx/sites-enabled/netbox:
server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.top-floor.net;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    location ~ ^/(?!\.well-known) {              # skip challenge requests
        return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /var/acme-challenges/;        # path for challenge requests
}

Not to complicate things further, but any idea where I can read about the difference between the two? A quick Google search led me here.

Then I tried running:

sudo certbot certonly --webroot -w /var/acme-challenges/ -d netbox.top-floor.net --dry-run -v

And it looks like it worked?

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for netbox.top-floor.net
Performing the following challenges:
http-01 challenge for netbox.top-floor.net
Using the webroot path /var/acme-challenges for all unmatched domains.
Waiting for verification...
Cleaning up challenges
The dry run was successful.

So I should just use the webroot option instead?

As to server_name, this is the one I was trying to describe. I think for the nginx plug-in it will want it to be the domain name for the cert like you have in your first server block for https (listen 443).

You can learn more about the different certbot options in the docs here. Much better than random google results

Basically, with webroot you need to do all the config for SSL. I didn't study your nginx config to see what should be improved. The nginx plug-in will update the config for you. Usually easier especially for people new to nginx and/or SSL.

6 Likes

It is a valid option.
[one I tend to use a lot]

5 Likes

It looks like I was able to get the webroot option working but now I cannot acc

So to recap, here is what I did so far to try to set up netbox with TLS via LE.

Followed the install and configuration guide listed here.

Once I had everything installed and configured, I tweaked my nginx site config, located on my VPS at /etc/nginx/sites-enabled/netbox, so that it looked like:

server {
    listen [::]:443 ssl ipv6only=off;

    # CHANGE THIS TO YOUR SERVER'S NAME
    server_name netbox.top-floor.net;

    ssl_certificate /etc/ssl/certs/netbox.crt;
    ssl_certificate_key /etc/ssl/private/netbox.key;

    client_max_body_size 25m;

    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
server {
    # Redirect HTTP traffic to HTTPS
    listen [::]:80 ipv6only=off;
    server_name _;
    location ~ ^/(?!\.well-known) {              # skip challenge requests
        return 301 https://$host$request_uri;  # send all requests to HTTPS
    }# location
    root /var/acme-challenges/;        # path for challenge requests
}

Then I needed to create the /var/acme-challenges/ directory I had configured in my nginx config. So I ran:

sudo mkdir /var/acme-challegnes

Then I reloaded/restarted nginx to check the config:
sudo nginx -T

And it reloaded/passed the check without issue. Next I ran:
sudo certbot certonly --webroot -w /var/acme-challenges/ -d netbox.top-floor.net --dry-run -v

And got back:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for netbox.top-floor.net
Performing the following challenges:
http-01 challenge for netbox.top-floor.net
Using the webroot path /var/acme-challenges for all unmatched domains.
Waiting for verification...
Cleaning up challenges
The dry run was successful.

Which as far as I understood it, meant the webroot option should work. So then I ran:

sudo certbot certonly --webroot -w /var/acme-challenges/ -d netbox.top-floor.net -v

And got back:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for netbox.top-floor.net
Performing the following challenges:
http-01 challenge for netbox.top-floor.net
Using the webroot path /var/acme-challenges for all unmatched domains.
Waiting for verification...
Cleaning up challenges

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/netbox.top-floor.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/netbox.top-floor.net/privkey.pem
This certificate expires on 2022-10-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Which made it sound like I was able to get my cert! But now, like I said, my netbox instance gets an "unable to connect" error. And I am willing to take a stab that it's not LE but nginx itself.

Is that a TYPO?

5 Likes

"certonly" won't change anything within the nginx config.
So, that problem isn't related to the new cert.
Speaking of which, please show:
certbot certificates
[to confirm all that]

5 Likes

As Rudy noted, this is unrelated. Did you stop nginx or some other key component after getting the cert? Because I do not see port 80 or port 443 open but you must have had at least port 80 open to get the cert using webroot.

5 Likes