FastAPI+Gunicorn+Nginx -> where is the webroot?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: profreshlink.com

I ran this command: sudo /snap/bin/certbot certonly --webroot --agree-tos --redirect --hsts --staple-ocsp -v -d profreshlink.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for profreshlink.com
Performing the following challenges:
http-01 challenge for profreshlink.com
Input the webroot for profreshlink.com: (Enter 'c' to cancel): /var/www/nginx
Waiting for verification...
Challenge failed for domain profreshlink.com
http-01 challenge for profreshlink.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: profreshlink.com
Type: unauthorized
Detail: 2a02:4780:b:967:0:3977:9be2:7: Invalid response from http://profreshlink.com/.well-known/acme-challenge/qan5SSvf_15ZaltuxmKNMI9FyGhjSXGDGoCWWjRz-Lw: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): fastapi 0.1.0

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.8.0


Hello,
I think my problem is that certbot cannot find the specific webroot through http as fastapi is running and it does not point to a webroot. How do I restart the fastapi with a specific webroot path where this cert file can be looked at by going to mydomainname.com?

You should check your IPv6 address to ensure it points to your nginx server.

5 Likes

where is the webroot?

Your nginx conf will tell you (or you can tell it).

Please don't spam options without being extremely sure what they do. I would go for:

certbot --nginx --redirect --hsts -d example.com

Keep in mind I only kept hsts because it's usually good. Don't keep it if you don't understand what it does.

You'll notice I also removed certonly so certbot can manage the cert installation automagically, the hsts option will do nothing if you tell certbot not to install the cert.

And I removed --staple-ocsp because you should staple but there's no reason to enable the must-staple certificate extension, usually.

4 Likes

Hi @SanD, and welcome to the LE community forum :slight_smile:

I see a problem within the two IP responses:

curl -Ii6 http://profreshlink.com/
HTTP/1.1 301 Moved Permanently
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
date: Wed, 31 Jan 2024 11:55:00 GMT
server: LiteSpeed     <<<<<<<<<<<<<<<<<<<<<<<<< IPv6
location: https://profreshlink.com/
platform: hostinger
content-security-policy: upgrade-insecure-requests

curl -Ii4 http://profreshlink.com/
HTTP/1.1 405 Method Not Allowed
Server: nginx/1.18.0 (Ubuntu)     <<<<<<<<<<<<<<<<<<<<<<<<< IPv4
Date: Wed, 31 Jan 2024 11:55:15 GMT
Content-Type: application/json
Content-Length: 31
Connection: keep-alive
allow: GET

Name:      profreshlink.com
Addresses: 2a02:4780:b:967:0:3977:9be2:7
           86.38.205.187
4 Likes

Thank you MikeMcQ. How do I do that?

1 Like

There are many ways to learn the public IP for your server.

One is to use this command from it

curl -6 https://ifconfig.io

If that fails then IPv6 is not setup so you should fix IPv6 or remove the AAAA record.

Otherwise, use that value in your AAAA record

5 Likes

Thank you @9peppe! I followed your advice and still not resolved...

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for profreshlink.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: profreshlink.com
Type: unauthorized
Detail: 2a02:4780:b:967:0:3977:9be2:7: Invalid response from http://profreshlink.com/.well-known/acme-challenge/10ZDiH8icMn044a-o98oEYu9sm5jQuBSwbnjI1hVd8k: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

We should probably have a look at the nginx config file, with the output of:

nginx -T

4 Likes

Thank you so much! Changing the AAAA record with the right IPv6 address worked!

3 Likes

However, there is an issue and it is weird: the https://profreshlink.com is directly hitting nginx server whereas my other set up of fastapi with nginx as reverse proxy (http://profreshlink.com) is hitting the fastapi+gunicorn through nginx. Not sure what config change to do to have both point to fastapi+gunicorn.

Thanks in advance for any help.

1 Like

Review the nginx config, with the output of:

nginx -T

3 Likes

Thank you @rg305 ,
Glad to be here. Can you please help with the following https vs http issue I am facing?

However, there is an issue and it is weird: the https://profreshlink.com is directly hitting nginx server whereas my other set up of fastapi with nginx as reverse proxy (http://profreshlink.com) is hitting the fastapi+gunicorn through nginx. Not sure what config change to do to have both point to fastapi+gunicorn.

Thanks a lot!

1 Like

If you provide the output of the command already asked twice by Rudy, we might actually get somewhere.

3 Likes

However, there is an issue and it is weird: the https://profreshlink.com is directly hitting nginx server whereas my other set up of fastapi with nginx as reverse proxy (http://profreshlink.com) is hitting the fastapi+gunicorn through nginx. Not sure what config change to do to have both point to fastapi+gunicorn.

Typically you would want an HTTP-only block that only redirects to HTTPS; then an HTTPS-only block that proxies to gunicorn/fastapi. There is no reason to have HTTP go to gunicorn, it should only redirect to HTTPS.

4 Likes
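The layout Osiris describes (port 80 answers only ACME challenges and redirects, port 443 proxies to the app), written out as an added example; this is not the thread author's config or anything from the FastAPI or certbot projects. It assumes gunicorn is bound to 127.0.0.1:8000, that the webroot handed to certbot is the /var/www/nginx directory typed in the first post, that the domain is example.com, and that certbot stored the certificate under the usual /etc/letsencrypt/live/example.com/ path. The `listen [::]:` lines matter for this thread: the CA validated over IPv6, so a server block that only listens on IPv4 never sees the challenge request.

```nginx
# Added example, not the original poster's configuration.
# Assumed: gunicorn/uvicorn workers on 127.0.0.1:8000, webroot /var/www/nginx,
# certbot certificate under /etc/letsencrypt/live/example.com/.

upstream fastapi_app {
    server 127.0.0.1:8000;   # assumed gunicorn bind address
}

server {
    listen 80;
    listen [::]:80;          # IPv6 listener; the CA validated over the AAAA address
    server_name example.com;

    # http-01 challenge files are served straight from the webroot given to
    # certbot -w, so this location must not be proxied or redirected.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/nginx;
        default_type "text/plain";
    }

    # Everything else on port 80 is redirected; the app never sees plain HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Staple OCSP responses here, without requiring the must-staple
    # certificate extension that --staple-ocsp would have requested.
    ssl_stapling on;
    ssl_stapling_verify on;

    # HTTPS traffic is the only path to gunicorn/fastapi.
    location / {
        proxy_pass http://fastapi_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading, and compare it against `nginx -T`, the full effective configuration that was requested several times above. With only one `server` block per port there is no way for HTTP and HTTPS to end up at different backends, which was the symptom reported after the certificate was issued. The `X-Forwarded-Proto` header lets the application tell redirected HTTPS requests apart from plain ones if it ever needs to.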