Failed to fetch acme-challenge file

My domain is:
powerstarportals.com www.powerstarportals.com

I ran this command:
1. certbot --nginx (obtain the new one)
2. certbot certonly --nginx (set up config by myself)
3. certbot --manual (create acme-challenge file manually)

None of them is working for me.

It produced this output:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: powerstarportals.com
2: www.powerstarportals.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for powerstarportals.com
http-01 challenge for www.powerstarportals.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. powerstarportals.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://powerstarportals.com/.well-known/acme-challenge/fZSITY6mRTc-54WaELSmDjbMoTQT-EFC23fUAooUJ9A [184.168.131.241]: “\n\n\n\n Power Star”, www.powerstarportals.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.powerstarportals.com/.well-known/acme-challenge/_5Arg0cWnDI-w8MEWijMjPyPGtpruglDD0suDs8qTpM [184.168.131.241]: “\n\n\n\n Power Star”

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: powerstarportals.com
   Type:   unauthorized
   Detail: Invalid response from
   http://powerstarportals.com/.well-known/acme-challenge/fZSITY6mRTc-54WaELSmDjbMoTQT-EFC23fUAooUJ9A
   [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
   4.01//EN\"\n
   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n
   <title>Power Star"

   Domain: www.powerstarportals.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.powerstarportals.com/.well-known/acme-challenge/_5Arg0cWnDI-w8MEWijMjPyPGtpruglDD0suDs8qTpM
   [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
   4.01//EN\"\n
   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n
   <title>Power Star"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

My nginx conf file:
server {

        listen 127.0.0.1:80;
        root /var/www/powerstarportals.com;

        # Add index.php to the list if you are using PHP
        index index.php;

        server_name powerstarportals.com www.powerstarportals.com;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;

        }

        # pass PHP scripts to FastCGI server
        #
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

                # With php-fpm (or other unix sockets):
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        }

        # settings for SSL
        location ~ /.well-known {
                allow all;
                default_type 'text/plain';
                root /var/www/powerstarportals.com/;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
                deny all;
        }

        error_log /var/log/nginx/error.log;
        access_log /var/log/nginx/access.log;


#       listen 94.237.60.121:443 ssl; # managed by Certbot
#       ssl_certificate /etc/letsencrypt/live/powerstarportals.com/fullchain.pem; # managed by Certbot
#       ssl_certificate_key /etc/letsencrypt/live/powerstarportals.com/privkey.pem; # managed by Certbot
#       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

nginx.conf file (/etc/nginx/nginx.conf):
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

The command lsof -i:80 returns:
nginx 2479 root 6u IPv4 43831 0t0 TCP *:http (LISTEN)
nginx 2480 www-data 6u IPv4 43831 0t0 TCP *:http (LISTEN)
nginx 2481 www-data 6u IPv4 43831 0t0 TCP *:http (LISTEN)

The command ufw status returns:
To Action From
-- ------ ----
[ 1] Nginx HTTP ALLOW IN Anywhere
[ 2] Nginx HTTPS ALLOW IN Anywhere
[ 3] OpenSSH ALLOW IN Anywhere
[ 4] Nginx HTTP (v6) ALLOW IN Anywhere (v6)
[ 5] Nginx HTTPS (v6) ALLOW IN Anywhere (v6)
[ 6] OpenSSH (v6) ALLOW IN Anywhere (v6)

The Chrome browser can display the file with an extension, http://www.powerstarportals.com/.well-known/acme-challenge/test.txt (it returns the test file OK), but not http://www.powerstarportals.com/.well-known/acme-challenge/test.

DNS settings:
|Type|Name|Value|TTL|Actions|
|A|@|184.168.131.241|600 seconds||
|CNAME|www|@|1 Hour|Edit|
|CNAME|_domainconnect|_domainconnect.gd.domaincontrol.com|1 Hour|Edit|
|NS|@|ns49.domaincontrol.com|1 Hour||
|NS|@|ns50.domaincontrol.com|1 Hour||
|SOA|@|Primary nameserver: ns49.domaincontrol.com.|1 Hour||

I tried to add an A record forwarding all the traffic to the hosting server IP. I managed to generate a problematic SSL certificate, meaning the browser will recognise the address either with www. or without it; sometimes it works with both or neither.

Apologies for offending against your policy and generating so many certificates during my debugging: https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_subdomains:false;domain:powerstarportals.com&lu=cert_search. I am banging my head against the wall trying to find a solution, but the posts on the site cannot solve my issue. Any tips or help from you will be really appreciated!


Hi @sheeranchan

that looks wrong.

Use

listen 80;

not with an ip address.

PS: And your DNS setup is wrong, that can never work - https://check-your-website.server-daten.de/?q=powerstarportals.com

Your ip addresses:

|Host|T|IP-Address|is auth.|∑ Queries|∑ Timeout|
|powerstarportals.com|A|184.168.131.241 Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC Hostname: ip-184-168-131-241.ip.secureserver.net|yes|2|0|
||AAAA||yes|||
|www.powerstarportals.com|C|powerstarportals.com|yes|1|0|
||A|184.168.131.241 Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC Hostname: ip-184-168-131-241.ip.secureserver.net|yes|||

That's a GoDaddy server with a frame.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
<html> <head> <title>Power Star Portals | EMS UK Ltd.</title>
 <meta name="description" content=""> <meta name="keywords" content=""> </head> 
<frameset rows="100%,*" border="0"> 
<frame src="http://94.237.60.121/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de" frameborder="0" /> 
</frameset>
 </html> 

That can't work.

You must use 94.237.60.121 in the A record of your domain (both non-www and www).

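To see the failure the way the CA sees it, here is an added example (not from this thread, certbot, or Let's Encrypt) that reproduces the three checks an http-01 validator effectively performs: which address the name resolves to, whether that address is the server you control, and whether the body at the token URL is the plain-text key authorization rather than a web page. The sample data is constructed: the token is the one quoted in the posted error, the frameset is modelled on the check-your-website output above, and the 43-character thumbprint is a placeholder rather than a real account-key thumbprint. `live_check` needs network access and is only there to run the same logic against a real host.

```python
"""Offline replica of the decision an ACME http-01 validator makes.

Constructed example; the token and server addresses come from the thread,
the thumbprint is a placeholder.
"""
import re
import socket
import urllib.error
import urllib.request

# RFC 8555 section 8.1: key authorization = "<token>.<base64url(JWK thumbprint)>".
# A SHA-256 thumbprint is 32 bytes, i.e. exactly 43 unpadded base64url characters.
KEY_AUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}$")


def diagnose(hostname, server_ip, resolved_ips, status, content_type, body, token):
    """Return a list of findings; an empty list means the challenge would pass."""
    findings = []
    if server_ip not in resolved_ips:
        findings.append(
            f"dns: {hostname} resolves to {sorted(resolved_ips)}, not to the "
            f"server {server_ip}; the CA never reaches your nginx"
        )
    if status != 200:
        findings.append(f"http: expected 200, got {status}")
    text = body.strip()
    lowered = text.lower()
    if "<frameset" in lowered or "<frame " in lowered:
        findings.append(
            "body: HTML frameset returned; a registrar 'forwarding with masking' "
            "page answers instead of your web root (a browser renders the framed "
            "content, the ACME validator does not follow frames)"
        )
    elif lowered.startswith("<!doctype") or lowered.startswith("<html"):
        findings.append("body: HTML page returned instead of the plain-text key authorization")
    elif not text.startswith(token + "."):
        findings.append("body: does not start with the challenge token")
    elif not KEY_AUTHZ_RE.match(text):
        findings.append("body: token present but key authorization is malformed")
    if content_type and not content_type.startswith("text/plain") and not findings:
        # Not fatal for the CA, but a hint that the /.well-known location is mis-typed.
        findings.append(f"header: Content-Type is {content_type!r}, expected text/plain")
    return findings


def live_check(hostname, server_ip, token, timeout=10):
    """Run the same checks against a real host (needs network; not used offline)."""
    resolved = set(socket.gethostbyname_ex(hostname)[2])
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status = err.code
        ctype = err.headers.get("Content-Type", "")
        body = err.read(4096).decode("utf-8", "replace")
    return diagnose(hostname, server_ip, resolved, status, ctype, body, token)


# Constructed sample data modelled on this thread.
SAMPLE_TOKEN = "fZSITY6mRTc-54WaELSmDjbMoTQT-EFC23fUAooUJ9A"  # token from the posted error
FAKE_THUMBPRINT = "A" * 43  # placeholder, not a real account-key thumbprint
GOOD_BODY = f"{SAMPLE_TOKEN}.{FAKE_THUMBPRINT}\n"
FRAMESET_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" '
    '"http://www.w3.org/TR/html4/strict.dtd">\n<html>\n\n<head>\n'
    "  <title>Power Star Portals | EMS UK Ltd.</title>\n</head>\n"
    '<frameset rows="100%,*" border="0">\n'
    '<frame src="http://94.237.60.121/.well-known/acme-challenge/TOKEN" frameborder="0" />\n'
    "</frameset>\n</html>\n"
)

if __name__ == "__main__":
    # What the validator saw in the thread: GoDaddy's forwarding IP, an HTML frame.
    for finding in diagnose("powerstarportals.com", "94.237.60.121",
                            {"184.168.131.241"}, 200, "text/html",
                            FRAMESET_BODY, SAMPLE_TOKEN):
        print("FAIL", finding)
```

The point of separating `diagnose` from `live_check` is that the browser test in the thread was misleading: the browser followed the frame to 94.237.60.121 and showed the file, while the validator only looked at the HTML that 184.168.131.241 actually returned. Running the checks from a host outside your own network (or resolving with `dig +short`) shows the answer the CA gets, not the one your nginx would give if the request ever reached it.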

Hi, @JuergenAuer,

Thanks for your reply, and I hope you are enjoying your holiday so far. I have tried what you suggested:

  1. Removed 127.0.0.1: in front of port 80;
  2. At GoDaddy, I added two A records (domain w/wo www.) pointing them to my Ubuntu hosting server IP (94…);
  3. I chose ‘forwarding only’ on GoDaddy to remove the frameset, if this is not right please let me know;

I can access the test file's plain text, with or without the file extension, via the browser now. I also tried a single A record with '@' to forward all traffic to the hosting server IP (then when you ping the domain, the returned IP address jumps between the DNS address and the hosting address, which is incorrect, so I changed back to the two A records you recommended); the certbot server just keeps declining to produce a new certificate.
The feedback errors are below:

Failed authorization procedure. www.powerstarportals.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.powerstarportals.com/.well-known/acme-challenge/1ZIDe3C2lt7O4-jjVFM9m-qXj5p-Bu8TfTmCuoiGx3Q [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\n   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n  <title>Power Star", powerstarportals.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://powerstarportals.com/.well-known/acme-challenge/a2PeK3DS3gYs93hmBXzu3VEt0_86GoNlM4WzMeVpCZ4 [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\n   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n  <title>Power Star"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.powerstarportals.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.powerstarportals.com/.well-known/acme-challenge/1ZIDe3C2lt7O4-jjVFM9m-qXj5p-Bu8TfTmCuoiGx3Q
   [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
   4.01//EN\"\n
   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n
   <title>Power Star"

   Domain: powerstarportals.com
   Type:   unauthorized
   Detail: Invalid response from
   http://powerstarportals.com/.well-known/acme-challenge/a2PeK3DS3gYs93hmBXzu3VEt0_86GoNlM4WzMeVpCZ4
   [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
   4.01//EN\"\n
   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n
   <title>Power Star"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

On GoDaddy, there is an UNMODIFIABLE A record with '@' pointing to the DNS IP [184.168.131.241]. It seems the acme-challenge is always looking at that IP for the .well-known folder, which is located at the hosting server IP [94…]. Here are the GoDaddy DNS settings:

|Type|Name|Value|TTL|Actions|
|A|@|184.168.131.241|600 seconds||
|A|powerstarportals.com|94.237.60.121|600 seconds|Edit|
|A|www.powerstarportals.com|94.237.60.121|600 seconds|Edit|
|CNAME|www|@|1 Hour|Edit|
|CNAME|_domainconnect|_domainconnect.gd.domaincontrol.com|1 Hour|Edit|
|NS|@|ns49.domaincontrol.com|1 Hour||
|NS|@|ns50.domaincontrol.com|1 Hour||
|SOA|@|Primary nameserver: ns49.domaincontrol.com.|1 Hour||

Any further suggestions for the DNS settings? Thanks in advance.

Hi, @JuergenAuer,

The problem was resolved.
For others who may use the GoDaddy registrar and encounter the same issue, please remember to do the following:

  1. Delete your forwarding (this will allow the default A record with host @ to become editable), and point it to your hosting server IP;
  2. Add two A records as @JuergenAuer suggested above, pointing them to your hosting server IP;

Regenerate your certificate; this should resolve the issue.

Thanks for your help @JuergenAuer.


Happy to read you have found a solution :+1:

And thanks for sharing it. Different hosters -> different solutions.
