Failed to renew certificate skillquest.ai with error: Some challenges have failed


My domains are:
skillquest.ai and softskillsgames.com
I ran this command:
certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/skillquest.ai.conf


Account registered.
Simulating renewal of an existing certificate for skillquest.ai and www.skillquest.ai

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: skillquest.ai
Type: unauthorized
Detail: 103.72.79.19: Invalid response from https://skillquest.ai/.well-known/acme-challenge/2YIThpy8js0fdn-nsUFdMZXY_Sgr_hQC1WZGtDaFsoM: "<!doctype html><html lang="en">SkillQuest<meta name="viewport" content="width=device-width,initial-scale=1""

Domain: www.skillquest.ai
Type: unauthorized
Detail: 103.72.79.19: Invalid response from https://skillquest.ai/.well-known/acme-challenge/tArT_X-H4GhwmffcmLJV44rjFNsXbeJ3ANqjlbvkZEo: "<!doctype html><html lang="en">SkillQuest<meta name="viewport" content="width=device-width,initial-scale=1""

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate skillquest.ai with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/softskillsgames.com.conf


Simulating renewal of an existing certificate for mail.softskillsgames.com and 3 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: softskillsgames.com
Type: unauthorized
Detail: 103.72.79.19: Invalid response from https://softskillsgames.com/es/.well-known/acme-challenge/DtugAAbPtErTDLxyBuZAjYDihd1xEQn2xEBddZIt5bs/: 404

Domain: www.softskillsgames.com
Type: unauthorized
Detail: 103.72.79.19: Invalid response from https://www.softskillsgames.com/es/.well-known/acme-challenge/WhApetlUK9oMOhUeKypHrA6KtU5ts05MccUNKLrp1tQ/: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate softskillsgames.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/skillquest.ai/fullchain.pem (failure)
/etc/letsencrypt/live/softskillsgames.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

My web server is (include version):
I run these from a docker instance running nginx

The operating system my web server runs on is (include version):
Ubuntu x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes, when I log in to the Docker image where I am trying to renew certificates from, I run as root

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

We may need to see the nginx config in that container:
nginx -T

The HTTP ACME challenge requests are being redirected to HTTPS [that's OK]:

curl -Ii http://skillquest.ai/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx/1.25.1
Date: Thu, 19 Oct 2023 04:17:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://skillquest.ai/.well-known/acme-challenge/Test_File-1234

But the HTTPS requests are returning [2443 bytes of] content - it should return a 404:

curl -Iik https://skillquest.ai/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 200 OK
Server: nginx/1.25.1
Date: Thu, 19 Oct 2023 04:19:18 GMT
Content-Type: text/html
Content-Length: 2443
Last-Modified: Wed, 18 Oct 2023 20:13:08 GMT
Connection: keep-alive
ETag: "65303c54-98b"
Accept-Ranges: bytes
3 Likes

root@c32150fc7d41:/etc/nginx/conf.d# cat skillquest.ai.conf

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    root /usr/share/nginx/skillquest.ai/html;
    index index.html;

    server_name skillquest.ai www.skillquest.ai;

#    return 301 https://$host$request_uri;      # Redirect
    ssl_certificate /etc/letsencrypt/live/skillquest.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/skillquest.ai/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/skillquest.ai/chain.pem;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 80;
    listen [::]:80;

    server_name skillquest.ai www.skillquest.ai;

    return 301 https://$server_name$request_uri;
}

I don't think you need that line.
[but it is not part of the problem at hand]

Please place a test text file in the expected challenge location:

mkdir -p /usr/share/nginx/skillquest.ai/html/.well-known/acme-challenge
echo "test" >> /usr/share/nginx/skillquest.ai/html/.well-known/acme-challenge/Test_File-1234

Then let's see if it can be reached via:
curl -Iik https://skillquest.ai/.well-known/acme-challenge/Test_File-1234

Note: I just realized I had a TYPO in that URL
Previously I wrote ".wwll-known"
[but I just went back and corrected them now]

2 Likes

Rudy, did that and it can be reached.

What next?

Thank you

Adrian

1 Like

Check the folder permissions and retest:
certbot renew --dry-run

OR

Retest and then, if it fails, check the folder permissions.

4 Likes

I ran the "certbot renew" and unfortunately it failed.
The folders renewal and renewal-hooks are 755 while accounts, archive and live are 700.
root owns all these folders.
I run the command in the container as root.

Please show the log file.

3 Likes
2023-10-21 22:01:17,247:DEBUG:acme.client:JWS payload:
b''
2023-10-21 22:01:17,248:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8996529454:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjIzNDQ4NTQiLCAibm9uY2UiOiAiT2FqM3doaFpWUk5qVmJDVFlEVnNndEFRNTBMRjhhWS1jbG10eWxSRGdNN2gwSEd6TWRzIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzg5OTY1Mjk0NTQifQ",
  "signature": "HxfrBuAVjBR877x6uh0toNAvXRWko_ypqkhcfV5mshKuwnW_GjCBMUv1Z2PInRi9BDMb_eLIuEyzKw5Tidkm7ICKX5aA2OohkFhu3sculSpHDHcgtq8tEr0FM1pufstkPkVsHXwjz7dXpSz-yOvyhcxylU9eh_O_aMVJyi4NTIeKfGAXbYIBX-dl3J5iQTnRdMFQoJulRkq5HVyhk4gkgADF9zWd22BmaXAFKgguNnxOspd4qMm4_z8HtsTJ0JEpz0GfwU4U7Cg89pfgNFwDNa76DKrEXvIedQeD2LMi7MiS3qEcWf8FJiQIO8q5tMvMiVnDrsQdysAPZ4t3GUaNvA",
  "payload": ""
}
2023-10-21 22:01:17,279:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8996529454 HTTP/1.1" 200 1702
2023-10-21 22:01:17,280:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 21 Oct 2023 22:01:17 GMT
Content-Type: application/json
Content-Length: 1702
Connection: keep-alive
Boulder-Requester: 122344854
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Oaj3whhZgfhFscz7XunHgdopkA2AeuhuXtrbdnRGqvW1DVIMSqA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "softskillsgames.com"
  },
  "status": "invalid",
  "expires": "2023-10-28T22:01:15Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "103.72.79.19: Invalid response from https://softskillsgames.com/es/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8/: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8996529454/_LUwuQ",
      "token": "n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8",
      "validationRecord": [
        {
          "url": "http://softskillsgames.com/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8",
          "hostname": "softskillsgames.com",
          "port": "80",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        },
        {
          "url": "https://softskillsgames.com/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8",
          "hostname": "softskillsgames.com",
          "port": "443",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        },
        {
          "url": "https://softskillsgames.com/es/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8/",
          "hostname": "softskillsgames.com",
          "port": "443",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        }
      ],
      "validated": "2023-10-21T22:01:16Z"
    }
  ]
}
2023-10-21 22:01:17,280:DEBUG:acme.client:Storing nonce: Oaj3whhZgfhFscz7XunHgdopkA2AeuhuXtrbdnRGqvW1DVIMSqA
2023-10-21 22:01:17,280:DEBUG:acme.client:JWS payload:
b''
2023-10-21 22:01:17,282:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8996529464:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjIzNDQ4NTQiLCAibm9uY2UiOiAiT2FqM3doaFpnZmhGc2N6N1h1bkhnZG9wa0EyQWV1aHVYdHJiZG5SR3F2VzFEVklNU3FBIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzg5OTY1Mjk0NjQifQ",
  "signature": "cwxX0AIJ8vS2ZNvd56ChnZBQyVs6Q6TOzXmrq9e1QO-sC4kZXoJsFBPD99mJFsLfThCNcIBoDEZGlmrw43sX_6RqKAEMY1dslcmAM7Bl3hVrIfkgA_8NFxwOQy27EbNDRfrhGTpvX3m9S3j_bFvqdwW5iiyArlV6VqmTdqD1E5OvjMSKEfJVGazXFQ01ZrPa1rF2xCSgp1d6x9vZFGr6tdmPbbgXwar9YfTDAJOJUiZourulzZCpc7lXzUXdgwF3H9dpchqEkAnLP18-izO7hXs6sVQuP0Z8kwwbduOOnj7pgOmop_6Qk3kisB53qI3EQ3C0T1Ao6c2-yA3GEHlpxQ",
  "payload": ""
}
2023-10-21 22:01:17,315:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8996529464 HTTP/1.1" 200 1734
2023-10-21 22:01:17,315:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 21 Oct 2023 22:01:17 GMT
Content-Type: application/json
Content-Length: 1734
Connection: keep-alive
Boulder-Requester: 122344854
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: Oaj3whhZlM-3sH6YRP1UFKv1_D-SAb6sGjEcwr-W06csW1Mv00k
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.softskillsgames.com"
  },
  "status": "invalid",
  "expires": "2023-10-28T22:01:15Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "103.72.79.19: Invalid response from https://www.softskillsgames.com/es/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU/: 404",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8996529464/NszBww",
      "token": "hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU",
      "validationRecord": [
        {
          "url": "http://www.softskillsgames.com/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU",
          "hostname": "www.softskillsgames.com",
          "port": "80",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        },
        {
          "url": "https://www.softskillsgames.com/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU",
          "hostname": "www.softskillsgames.com",
          "port": "443",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        },
        {
          "url": "https://www.softskillsgames.com/es/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU/",
          "hostname": "www.softskillsgames.com",
          "port": "443",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        }
      ],
      "validated": "2023-10-21T22:01:16Z"
    }
  ]
}
2023-10-21 22:01:17,316:DEBUG:acme.client:Storing nonce: Oaj3whhZlM-3sH6YRP1UFKv1_D-SAb6sGjEcwr-W06csW1Mv00k
2023-10-21 22:01:17,316:DEBUG:acme.client:JWS payload:
b''
2023-10-21 22:01:17,317:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8996529554:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjIzNDQ4NTQiLCAibm9uY2UiOiAiT2FqM3doaFpsTS0zc0g2WVJQMVVGS3YxX0QtU0FiNnNHakVjd3ItVzA2Y3NXMU12MDBrIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzg5OTY1Mjk1NTQifQ",
  "signature": "wPR-blbr2-J3UGMfgvisaPSAQgx_FoJ2ygrdtKdCzwbrzsH1hSDosIT-cBZAJrYhTx19GBvLmHhJUUAB640GBjk7stR-eWeqBmgV6oAeutKF6wVdiK9Fi6qjQtBYTCnLXUJJ2qe5HUiEsQw9LjEiye1CiztHq_pfLlPU8kcYwECd7sybGttxF_40ifPrg8PP8SoJWWYGvIaYFfwtSNNRopxByMvDaOgqlmAo1mKL8vN0-lpDano0A8HXYrdwxnkZKxD7br4CcvUsLYd6-DpXBUYe--DII2bVO2sMBR6gQVrlKDzYAUaW8hT1NFd6EqlZ0etxF69QoaUthBAnM-N69g",
  "payload": ""
}
2023-10-21 22:01:17,347:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8996529554 HTTP/1.1" 200 791
2023-10-21 22:01:17,348:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 21 Oct 2023 22:01:17 GMT
Content-Type: application/json
Content-Length: 791
Connection: keep-alive
Boulder-Requester: 122344854
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: HzmSNKzx56Y4TN0ua1aUV0SvZwPrQ13VnbmS4zDokjwcWlkrTP0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mail.softskillsgames.com"
  },
  "status": "valid",
  "expires": "2023-11-20T22:01:16Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8996529554/DCSbag",
      "token": "VY8tYi68vAm11h1S82xXFcDu88qGYb4-LutY2uFkeeI",
      "validationRecord": [
        {
          "url": "http://mail.softskillsgames.com/.well-known/acme-challenge/VY8tYi68vAm11h1S82xXFcDu88qGYb4-LutY2uFkeeI",
          "hostname": "mail.softskillsgames.com",
          "port": "80",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        }
      ],
      "validated": "2023-10-21T22:01:16Z"
    }
  ]
}
2023-10-21 22:01:17,348:DEBUG:acme.client:Storing nonce: HzmSNKzx56Y4TN0ua1aUV0SvZwPrQ13VnbmS4zDokjwcWlkrTP0
2023-10-21 22:01:17,348:DEBUG:acme.client:JWS payload:
b''
2023-10-21 22:01:17,350:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8996529564:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjIzNDQ4NTQiLCAibm9uY2UiOiAiSHptU05Leng1Nlk0VE4wdWExYVVWMFN2WndQclExM1ZuYm1TNHpEb2tqd2NXbGtyVFAwIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzg5OTY1Mjk1NjQifQ",
  "signature": "eLpFAlUU_u6JkrJcPRvOgif7sHuIEIRCW34QcxjFFhLhit3mqPt9j9mYs27yLVklybUfqTnJXsHo-ramd5IV7_TXcFUQGIUwGOQYlLdHO20UeqV_Ia69HQOetuHNZVbhl8nYL76aYag6g5fIY3zpG2e5lbdpKznY60TTDtgq5weAX5eVqKvnPtwhCUqc7uh0_HE8PF6oUKQWRKViC9kEF8dcDICUlMumB8kK7KfJNnQwlVJJ_ZRRBuIFGMbb66fDwEK5RuXuBCr-btjt4kZWNnb8j0yvWziMQ4816Ce3-FdqvJwLNrtYRBZ_HcqxdzbVXzWcXWtCTKVvzSsQ_475uA",
  "payload": ""
}
2023-10-21 22:01:17,380:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8996529564 HTTP/1.1" 200 800
2023-10-21 22:01:17,381:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 21 Oct 2023 22:01:17 GMT
Content-Type: application/json
Content-Length: 800
Connection: keep-alive
Boulder-Requester: 122344854
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: HzmSNKzx-CZqu7Hnjj9dkmHOYuHtvL6q7t--IYpoj3ulQFBGDW8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "webmail.softskillsgames.com"
  },
  "status": "valid",
  "expires": "2023-11-20T22:01:16Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8996529564/JG0D7w",
      "token": "EynA-Awxvd6cenf8mCq_MkAsfHWrJxuzJLbAeVd1rUU",
      "validationRecord": [
        {
          "url": "http://webmail.softskillsgames.com/.well-known/acme-challenge/EynA-Awxvd6cenf8mCq_MkAsfHWrJxuzJLbAeVd1rUU",
          "hostname": "webmail.softskillsgames.com",
          "port": "80",
          "addressesResolved": [
            "103.72.79.19"
          ],
          "addressUsed": "103.72.79.19"
        }
      ],
      "validated": "2023-10-21T22:01:16Z"
    }
  ]
}
2023-10-21 22:01:17,381:DEBUG:acme.client:Storing nonce: HzmSNKzx-CZqu7Hnjj9dkmHOYuHtvL6q7t--IYpoj3ulQFBGDW8
2023-10-21 22:01:17,381:INFO:certbot._internal.auth_handler:Challenge failed for domain softskillsgames.com
2023-10-21 22:01:17,381:INFO:certbot._internal.auth_handler:Challenge failed for domain www.softskillsgames.com
2023-10-21 22:01:17,381:INFO:certbot._internal.auth_handler:http-01 challenge for softskillsgames.com
2023-10-21 22:01:17,381:INFO:certbot._internal.auth_handler:http-01 challenge for www.softskillsgames.com
2023-10-21 22:01:17,382:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: softskillsgames.com
  Type:   unauthorized
  Detail: 103.72.79.19: Invalid response from https://softskillsgames.com/es/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8/: 404

  Domain: www.softskillsgames.com
  Type:   unauthorized
  Detail: 103.72.79.19: Invalid response from https://www.softskillsgames.com/es/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU/: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-10-21 22:01:17,382:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-10-21 22:01:17,382:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-10-21 22:01:17,382:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-10-21 22:01:17,382:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8
2023-10-21 22:01:17,383:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU
2023-10-21 22:01:17,383:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/VY8tYi68vAm11h1S82xXFcDu88qGYb4-LutY2uFkeeI
2023-10-21 22:01:17,383:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/EynA-Awxvd6cenf8mCq_MkAsfHWrJxuzJLbAeVd1rUU
2023-10-21 22:01:17,383:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-10-21 22:01:17,384:ERROR:certbot._internal.renewal:Failed to renew certificate softskillsgames.com with error: Some challenges have failed.
2023-10-21 22:01:17,385:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 533, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1547, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 395, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-10-21 22:01:17,386:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-10-21 22:01:17,387:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2023-10-21 22:01:17,387:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/skillquest.ai/fullchain.pem (failure)
  /etc/letsencrypt/live/softskillsgames.com/fullchain.pem (failure)
2023-10-21 22:01:17,387:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-10-21 22:01:17,387:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1636, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 559, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)
2023-10-21 22:01:17,388:ERROR:certbot._internal.log:2 renew failure(s), 0 parse failure(s)

That boils down to:

      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "103.72.79.19: Invalid response from https://softskillsgames.com/es/.well-known/acme-challenge/n5Y_dFd4hWzh4ZIJXB4eWmJRNUxBj57_o-gz6LBz8q8/: 404",
        "status": 403
      },
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "103.72.79.19: Invalid response from https://www.softskillsgames.com/es/.well-known/acme-challenge/hMzTNZF2bLH0T_LRyZN7dd3o1YhrMZViIIGKpttn3NU/: 404",
        "status": 403
      },

404 errors while using HTTPS.

We should switch to handling the ACME challenge requests in HTTP.

2 Likes
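The redirect chain behind those 404s can be read out of the `validationRecord` list in each authorization object. The following is an added example, not part of the thread or of certbot; the sample object is constructed (placeholder host and token) and only mirrors the three-hop shape seen in the log above.

```python
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample shaped like the failing authorization objects in the
# certbot debug log: HTTP -> HTTPS -> rewritten path with a trailing slash.
TOKEN = "constructed-token-1234"
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "error": {"detail": "Invalid response ... : 404", "status": 403},
        "token": TOKEN,
        "validationRecord": [
            {"url": f"http://example.com{ACME_PREFIX}{TOKEN}", "port": "80"},
            {"url": f"https://example.com{ACME_PREFIX}{TOKEN}", "port": "443"},
            {"url": f"https://example.com/es{ACME_PREFIX}{TOKEN}/", "port": "443"},
        ],
    }],
}


def trace_http01(authz):
    """Return one finding per http-01 challenge in an ACME authorization.

    Each finding lists the hops the CA followed and the first hop whose
    path is no longer exactly /.well-known/acme-challenge/<token>, which
    is where a redirect or rewrite rule has moved the request away from
    the file the webroot authenticator wrote.
    """
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01":
            continue
        expected_path = ACME_PREFIX + chall["token"]
        hops = []
        for record in chall.get("validationRecord", []):
            parts = urlsplit(record["url"])
            hops.append({
                "url": record["url"],
                "scheme": parts.scheme,
                "path_ok": parts.path == expected_path,
            })
        first_bad = next((h["url"] for h in hops if not h["path_ok"]), None)
        findings.append({
            "domain": authz["identifier"]["value"],
            "status": chall["status"],
            "hops": hops,
            "first_bad_hop": first_bad,
            "error": chall.get("error", {}).get("detail"),
        })
    return findings


def describe(finding):
    """Render a finding as short human-readable lines."""
    lines = [f"{finding['domain']}: {finding['status']}"]
    for number, hop in enumerate(finding["hops"], start=1):
        marker = "ok " if hop["path_ok"] else "BAD"
        lines.append(f"  hop {number} [{marker}] {hop['url']}")
    if finding["first_bad_hop"]:
        lines.append(f"  path left the challenge location at: {finding['first_bad_hop']}")
    return lines


if __name__ == "__main__":
    for item in trace_http01(SAMPLE_AUTHZ):
        print("\n".join(describe(item)))
```

A hop marked BAD means the server redirected the validator to a URL that no longer maps onto the file in the webroot, so the fix belongs in the web server's redirect or rewrite rules rather than in certbot.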

I am not clear what "We should switch to handling the ACME requests in HTTP" means.
What do I have to do to make it work?

Thank you

We need to exempt the ACME challenge requests from being redirected to HTTPS.
That can be done by using a location block to handle them differently than all the other HTTP requests.

3 Likes

I understand the principle, but what do I have to do to use the "location block"? Where do I set it?

Within this section:

2 Likes

You could try something really simple, like:

        location ^~ /.well-known/acme-challenge/ {
            #don't do anything "special"
        }

Which might exclude it from being redirected like all the other requests.
But you would have to include some sort of root path for those requests.
I'm not sure if nginx allows root statements within a location block or not.
Try adding that root line both ways - one of them should work.

Security Note: Do NOT use a root path that may lead to privileged files or subfolders.
I would create a [dead-end] ACME only path for this sole purpose.

2 Likes
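The exemption described above, written out for the port-80 server block posted earlier in the thread. This is an added example, not a configuration from any of the posters. It assumes the certbot webroot is `/var/www/letsencrypt` (the path that appears in the certbot log), that this directory is mounted into the nginx container, and that it holds nothing except challenge files.

```nginx
server {
    listen 80;
    listen [::]:80;

    server_name skillquest.ai www.skillquest.ai;

    # Answer HTTP-01 challenges directly over HTTP, with no redirect.
    # "^~" makes this prefix match win over any regex locations.
    location ^~ /.well-known/acme-challenge/ {
        # Assumed webroot: a dead-end directory used only for ACME.
        # nginx accepts "root" in the location context.
        root /var/www/letsencrypt;
        default_type text/plain;
        # A missing token must be a 404, never a fallback page.
        try_files $uri =404;
    }

    # Everything else is still redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a request for a nonexistent file under `http://skillquest.ai/.well-known/acme-challenge/` should return 404 rather than 301 or the site's index page, and a test file placed in the webroot should come back with its contents.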

I will try over the weekend.
In the meantime I wanted to ask: should I try to generate the certificates from scratch instead of renew? What would be the difference?

Essentially, they [new issuances and renewals] are the same.
The only possible difference is that a renewal will simply use the last known authentication method [and repeat the last known "proven working" method].
Whereas a new cert does not have any such constraint - it is free to choose from all the available authentication methods.
That said, each authentication method has its own pros and cons [you will have to choose which is best in your particular case - from the ones that can be automated (mileage may vary)].

3 Likes
