Failing subdomain certificate request. 404


#1

My domain is: ibl.stipworld.com

I ran this command: sudo certbot --nginx -d ibl.stipworld.com
I also tried this: sudo certbot --nginx --webroot-path=/usr/share/nginx/html -d ibl.stipworld.com
and this: sudo certbot --nginx --webroot-path=/var/www/html -d ibl.stipworld.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ibl.stipworld.com
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ibl.stipworld.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ibl.stipworld.com/.well-known/acme-challenge/GAd-wK-LmhBKIGk_BsvhbTQin0rNJ7IkMiP1HnnWZME: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ibl.stipworld.com
   Type:   unauthorized
   Detail: Invalid response from
   http://ibl.stipworld.com/.well-known/acme-challenge/GAd-wK-LmhBKIGk_BsvhbTQin0rNJ7IkMiP1HnnWZME:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Apache/2.4.6 (CentOS), which proxy passes requests on port 80 to nginx/1.14.0

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I'm trying to proxy pass requests on port 80 to nginx with this Apache conf:

<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName ibl.stipworld.com

    ProxyPass / http://127.0.0.1:9093/
    ProxyPassReverse / http://127.0.0.1:9093/
</VirtualHost>

<VirtualHost *:443>
    ProxyPreserveHost On
    ServerName ibl.stipworld.com

    ProxyPass / https://127.0.0.1:9093/
    ProxyPassReverse / https://127.0.0.1:9093/
</VirtualHost>

and this is my nginx conf:

upstream dev_stip_company{
    server unix:/var/run/uwsgi.dev_stip_company.sock;
}

# configuration of the server
server {
    listen    9093;

    server_name ibl.stipworld.com;          # server_name @servername
    charset     utf-8;
    # max upload size
    client_max_body_size 75M;   # adjust to taste

    location / {
        uwsgi_pass  dev_stip_company;
        include     /etc/nginx/uwsgi_params;
        uwsgi_param SCRIPT_NAME /;
        uwsgi_modifier1 30;
    }

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
}

#2

Hi @Jiloc

Checking your configuration with the non-existent file /.well-known/acme-challenge/1234:

D:\temp>download http://ibl.stipworld.com/.well-known/acme-challenge/1234 -h
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 241
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 26 Oct 2018 14:04:16 GMT
Location: https://ibl.stipworld.com/.well-known/acme-challenge/1234
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5

Status: 302 Redirect

123,00 milliseconds
0,12 seconds

You have a redirect http -> https. This is an Apache redirect. But then:

D:\temp>download https://ibl.stipworld.com/.well-known/acme-challenge/1234 -h
SSL error: RemoteCertificateNameMismatch
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (404) Nicht gefunden.
ProtocolError
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 229
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 26 Oct 2018 14:04:21 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5

Status: 404 NotFound
404

223,78 milliseconds
0,22 seconds

The wrong certificate isn't the problem. But your answer comes from your Apache.

Are the Apache and the nginx on the same machine? If yes, use the Apache webroot as -w parameter.

A little bit “non standard”, Apache as Authenticator and nginx as Installer. But it should work.
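The probe in the reply above (request a non-existent token under /.well-known/acme-challenge/ and look at each hop's status, Location and Server header), as an added example in Python; it is not the poster's `download` tool, and the stub server is a constructed stand-in for the Apache front-end so the code runs offline:

```python
import http.server, threading, urllib.error, urllib.request
from urllib.parse import urljoin

ACME_PREFIX = "/.well-known/acme-challenge/"
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe_challenge(url, max_hops=5):
    """Request url hop by hop; return a list of (status, Server header, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=5)
            status, headers = resp.status, resp.headers
        except urllib.error.HTTPError as err:
            status, headers = err.code, err.headers
        location = headers.get("Location")
        hops.append((status, headers.get("Server", "?"), location))
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

class _StubFrontend(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for the front-end in post #2: one token is served,
    # any other token is redirected once and then answered with 404.
    log_message = lambda *args: None  # keep the stub quiet
    def version_string(self):
        return "Stub/0.1"  # plays the role of the Server header
    def do_GET(self):
        if self.path == ACME_PREFIX + "good-token":
            body = b"good-token.constructed-key-authorization"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path.startswith(ACME_PREFIX):
            self.send_response(302)
            self.send_header("Location", "/elsewhere" + self.path)
            self.end_headers()
        else:
            self.send_error(404)

def start_stub():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _StubFrontend)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```

Against the real host, `probe_challenge("http://ibl.stipworld.com/.well-known/acme-challenge/1234")` reproduces the two hops shown above; a final 404 whose Server header names Apache means Apache, not nginx, answered for the challenge path.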


#3

Oh, there was an error in the conf file; now it redirects to nginx as it should have from the start. But still no improvement, same error.


#4

Perhaps try to use the

--debug-challenges

option. Then Certbot waits after creating the challenge files, and you can check whether the file is created in the correct directory.


#5

--webroot-path is part of the webroot plugin. “certbot --nginx” doesn’t use it.

If you use “--http-01-port 9093”, does that help?

It looks like Certbot is using a virtual host on port 80.


#6

--http-01-port 9093 did the trick!
Just another question: how do I manage the automatic renewal of the certificate now? It seems that sudo certbot renew --dry-run fails.

NB: The port 9093 now accepts https


Processing /etc/letsencrypt/renewal/ibl.stipworld.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ibl.stipworld.com
Using default address 9093 for authentication.
nginx: [warn] conflicting server name "ibl.stipworld.com" on 0.0.0.0:9093, ignored
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (ibl.stipworld.com) from /etc/letsencrypt/renewal/ibl.stipworld.com.conf produced an unexpected error: Failed authorization procedure. ibl.stipworld.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ibl.stipworld.com/.well-known/acme-challenge/D0AGeHbi1HVR58HetgQHbFen6l2_K_qh-VLFI1a5o9k: "\n\n502 Proxy Error\n\nProxy Error</h1". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stipworld.com/fullchain.pem (failure)
/etc/letsencrypt/live/ibl.stipworld.com/fullchain.pem (failure)