CERTIFICATE - Invalid response from

Hello!!

I have a problem generating the certificate. Today I normally access my site via port 80 using my subdomain.
However, when trying to generate the certificate I get "Invalid response from mydomain".
I have other subdomains working with certificates; only this one has a problem.

*Due to company rules, I need to change the real domain.

Errors and logs follow.

thanks

root@srv-supersrv:/etc/ssl/certs# sudo certbot --nginx -d web.mydom.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for web.mydom.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: web.mydom.com
Type: unauthorized
Detail: X.X.X.X: Invalid response from http://web.mydom.com/.well-known/acme-challenge/VoGiY_KMd-u203x6Zeh_pr50HliW4xRBtd8gqp3O0Aw: 404

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

LOG:
cat /var/log/letsencrypt/letsencrypt.log

2024-05-24 11:13:20,387:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-05-24 11:13:20,387:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-05-24 11:13:21,459:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1736, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1440, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 138, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-05-24 11:13:21,460:ERROR:certbot._internal.log:Some challenges have failed.

Since you cannot provide your domain name, I assume you also cannot share your nginx config. Without these there is not much we can say specifically.

The part of the log you showed is not helpful. The key info is much earlier. The entire log would be helpful.

But, I will explain what is happening and maybe that is enough for you to find what is wrong with your system.

The Certbot --nginx plugin adds temporary config into your nginx server block for this domain. It places the needed challenge token directly into your server block's config. The 404 is an HTTP "Not Found". That means that when the Let's Encrypt server made that HTTP request to your domain, your nginx said it couldn't find the challenge token.

This usually works very well. Some things that go wrong are:

  1. The IP address in the error is no longer your public IP for your nginx
  2. There is something incompatible in your nginx config that caused Certbot to place the challenge token in the wrong place (this is rare).
  3. You are no longer routing HTTP port 80 requests to that nginx. Maybe a router or port forwarding has gone wrong.

We normally help debug by looking at the entire log or viewing the output of sudo nginx -T. If you can provide these we can say more.

3 Likes
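A small triage helper for the three causes listed above, written as an added example (it is not Certbot's code or anything posted in this thread). It parses the "Detail:" line from Certbot's output; the public IP you pass on the command line and the Server-header heuristic are assumptions, and the live DNS and HTTP probes need network access.

```python
"""Triage for Certbot's HTTP-01 'Invalid response ... 404' failure.
Added example, not code from Certbot or this thread: parse the "Detail:" line
and sort the facts into the three causes listed in the reply above."""
import re
import socket
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

DETAIL_RE = re.compile(r"Detail:\s*(?P<ip>\S+?):\s*Invalid response from\s*"
                       r"(?P<url>http://\S+?):\s*(?P<status>\d{3})")

def parse_detail(certbot_output):
    """Return {ip, url, status} from the CA's Detail line, or None if absent."""
    m = DETAIL_RE.search(certbot_output)
    if not m:
        return None
    return {"ip": m.group("ip"), "url": m.group("url"), "status": int(m.group("status"))}

def diagnose(ca_ip, dns_ips, public_ip, probe):
    """probe: (status, Server header) from an outside GET on port 80, or None if nothing answered."""
    if ca_ip not in dns_ips or ca_ip != public_ip:
        return "1: the CA contacted an address that is not this nginx (DNS/public IP changed)"
    if probe is None:
        return "3: nothing answers on port 80 at that address (router/port forwarding)"
    if "nginx" not in probe[1].lower():   # heuristic (assumption): another server answers
        return "3: port 80 reaches some other server, not this nginx"
    return "2: nginx answers but without the token; check the server block in sudo nginx -T"

def resolve(hostname):
    """Addresses currently published for hostname (live DNS lookup)."""
    return {ai[4][0] for ai in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)}

def live_probe(hostname, timeout=5):
    """GET a made-up token path over plain HTTP. A 404 is expected here; what matters is
    whether anything answers on port 80 and which server software it is."""
    url = "http://%s/.well-known/acme-challenge/probe-not-a-real-token" % hostname
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.headers.get("Server", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", "")
    except (urllib.error.URLError, OSError):
        return None

if __name__ == "__main__":   # usage: python3 triage.py <public_ip> < certbot_output.txt
    d = parse_detail(sys.stdin.read())
    host = urlparse(d["url"]).hostname
    print(diagnose(d["ip"], resolve(host), sys.argv[1], live_probe(host)))
```

Run it from a machine outside your network so the probe sees the same path the CA does; the public IP argument is the address you expect the CA to reach nginx on.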

Hello @KopBotIA, welcome to the Let's Encrypt community. 🙂

OK, so you are not permitted to share the domain name 🙁, but please fill out as much of the questionnaire as possible.

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

Edit:

Also try sudo certbot -vv --nginx -d web.mydom.com to add more details to the logging;
by default Certbot stores status logs in /var/log/letsencrypt.
See User Guide — Certbot 2.10.0 documentation for details about where the log files are.

4 Likes
