Hi everyone! Hope you’re all doing well.
I’ve been troubleshooting failed certbot attempts for the last few weeks, and finally have decided to reach out for help. I believe the issue is simple, and I’m just overlooking an obvious issue. My domain name is sethangell.com
The Issue
I’m unable to complete the HTTP-01 challenge. The task fails saying its received an invalid response from sethangell.com/.well-known…, as a result of the page its trying to reach resulting in a 404 error. When attempting certification, I type one of the following two lines:
sudo certbot --nginx
Sudo certbot --nginx --webroot-path:/home/sethangell/portfolio
After which, I receive the following error message:
Performing the following challenges:
http-01 challenge for www.sethangell.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.sethangell.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sethangell.com/.well-known/acme-challenge/rDwC0qy9xJaZk-_qrX3xi1in5J-KH0wOpaNOCnx3M00 [2600:3c02::f03c:91ff:fe6b:875d]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.sethangell.com
Type: unauthorized
Detail: Invalid response from
http://www.sethangell.com/.well-known/acme-challenge/rDwC0qy9xJaZk-_qrX3xi1in5J-KH0wOpaNOCnx3M00
[2600:3c02::f03c:91ff:fe6b:875d]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My best guess at the potential Issue
At this point, I have two thoughts as to what the issue could be:
1 - My NGINX configuration is failing to properly route .well-known requests to the necessary location.
2 - The user who I’m running the certbot commands with does not have proper permissions/ownership of the necessary folders.
Based off the errors, it looks like Nginx is not properly sending the acme-challenge requests to the ./.well-known location, or that certbot is failing to write any test information in these locations.
My software stack and other important info
My site is built using the following components: Django, Gunicorn, Ubuntu 18.04, Nginx.
The project is contained in the following directory /home/sethangell/portfolio and the gunicorn socket files lives in the following directory /home/sethangell/run
Troubleshooting steps I’ve taken:
- Set up a self-signed ssl cert to ensure that my nginx configuration properly serves HTTPS requests
- Attempt different nginx configuration lines to catch and route .well-known requests (commented out in my nginx config below)
- Set ownership of the entire project directory to the user I’m trying to run the certbot command with
Configuration and Log files
I’ve included my nginx config file, as well as my certbot and nginx error logs. Along with this, here is the link to my sites source code in case you believe that could also be a potential issue.
Nginx Config
server {
listen 80;
server_name sethangell.com www.sethangell.com 50.116.41.128;
return 301 https://sethangell.com;
location = /favicon.ico { access_log off; log_not_found off; }
location / {
include proxy_params;
proxy_pass http://unix:/home/sethangell/run/homepage.sock;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name sethangell.com www.sethangell.com;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location /static/ {
root /home/sethangell/portfolio;
}
location / {
include proxy_params;
proxy_pass http://unix:home/sethangell/run/homepage.sock;
}
location /.well-known/acme-challenge/ {
root /home/sethangell/portfolio;
try_files $uri =404;
}
# location ~ /.well-known {
# allow all;
# root /home/sethangell/portfolio;
# }
}
LetsEncrypt.log
2019-12-08 02:29:03,262:DEBUG:acme.client:Storing nonce: 0002eLV6vOFesXLWbHf8jk1LYTewDBznJxjyqHYRtLlDyfY
2019-12-08 02:29:03,263:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: www.sethangell.com
Type: unauthorized
Detail: Invalid response from http://www.sethangell.com/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw [2600:3c02::f03c:91ff:fe6b:875d]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-12-08 02:29:03,263:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.sethangell.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sethangell.com/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw [2600:3c02::f03c:91ff:fe6b:875d]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
2019-12-08 02:29:03,264:DEBUG:certbot.error_handler:Calling registered functions
2019-12-08 02:29:03,264:INFO:certbot.auth_handler:Cleaning up challenges
2019-12-08 02:29:04,393:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.sethangell.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.sethangell.com/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw [2600:3c02::f03c:91ff:fe6b:875d]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
Nginx error log
2019/12/08 02:28:59 [notice] 28009#28009: signal process started
2019/12/08 02:29:00 [error] 28010#28010: *255 open() "/var/www/letsencrypt/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw" failed (2: No such file or directory), client: 2600:1f16:269:da00:4ec6:1cf7:34d5:6263, server: _, request: "GET /.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw HTTP/1.1", host: "www.sethangell.com"
2019/12/08 02:29:00 [error] 28010#28010: *256 open() "/var/www/letsencrypt/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw" failed (2: No such file or directory), client: 2600:3000:2710:200::1e, server: _, request: "GET /.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw HTTP/1.1", host: "www.sethangell.com"
2019/12/08 02:29:00 [error] 28010#28010: *257 open() "/var/www/letsencrypt/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw" failed (2: No such file or directory), client: 2600:1f14:804:fd02:1be3:bfea:ffcc:a21f, server: _, request: "GET /.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw HTTP/1.1", host: "www.sethangell.com"
2019/12/08 02:29:00 [error] 28010#28010: *258 open() "/var/www/letsencrypt/.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw" failed (2: No such file or directory), client: 2a05:d014:3ad:702:b5ae:ea8c:29d5:5f5f, server: _, request: "GET /.well-known/acme-challenge/7UzOZJtFIfCsttLJ5lffhOQ6WEzMxvxrfGxdFuC6ncw HTTP/1.1", host: "www.sethangell.com"
2019/12/08 02:29:03 [notice] 28011#28011: signal process started
Let me know if there’s anything else I can include to help! Many thanks in advance for the help, this has been driving me crazy for the last week.