I don't know if there's some concept about certbot that I'm not understanding, but I'm trying to add a certificate for the first time, and certbot is trying to verify my domain through https (which isn't set up yet).
My domain is: ambitx.io
I ran this command: certbot certonly --webroot --webroot-path /var/www/certbot/ -d ambitx.io -d www.ambitx.io -d ws.ambitx.io -d rk.ambitx.io --preferred-challenges http
It produced this output:
...
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ambitx.io
Type: connection
Detail: Fetching https://ambitx.io/.well-known/acme-challenge/rfSkxEtXFmgTzslfOr1H2mFEu2pY1qUwSkM5M1g55jg: Connection reset by peer
...
My web server is (include version): nginx/1.21.6
The operating system my web server runs on is (include version): Debian Bullseye
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.25.0
9peppe
March 16, 2022, 4:56pm
#2
That only works if you have set your nginx to serve /var/www/certbot for all of those domains. I mean, it can work but it's probably not the easiest of ways.
Have you tried just using
certbot certonly --nginx -d ambitx.io -d www.ambitx.io -d ws.ambitx.io -d rk.ambitx.io
instead?
If you want to use --webroot you'll have to do something like this: Certbot renew fails even when the challenge HTTP request is working - #22 by 9peppe (or once for all domains, if you don't want to serve them on http: Auto authorisation fails but manual authorisation using --debug-challenges works - #2 by 9peppe )
1 Like
I'm using docker, so I think --webroot is required. Here's my nginx.conf file...
events {
    worker_connections 1024;
}

http {
    # Http redirect
    server {
        listen 80;
        listen [::]:80;
        server_name ambitx.io www.ambitx.io wc.ambitx.io rk.ambitx.io;
        server_tokens off;
        include letsencrypt.conf;
        return 301 https://$server_name$request_uri;
    }
    # remaining server blocks omitted in the post
}
And letsencrypt.conf...
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
    try_files $uri $uri/ =404;
}
But this only works on http (since it's on port 80). If I remove any of these configurations, the error message for the certbot command has an http url, but with everything set above the url in the error message uses https, so I think certbot is trying http first and then https.
By the way, I can also confirm that I have access to my web server in general. If I just skip https and serve static pages over http, it works.
9peppe
March 16, 2022, 5:42pm
#4
That server block should not redirect requests for .well-known/acme-challenge to https.
Something is not right.
It might be some other server answering, or it might not need ^~ (it probably doesn't).
2 Likes
I've tried it without the redirect and with a normal location block like this...
location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
}
But it didn't work. It still tried to connect using https.
9peppe
March 16, 2022, 6:03pm
#6
It's this. Pitfalls and Common Mistakes | NGINX
You have to put the 301 redirect in a location / block.
2 Likes
It worked! Thanks for the help.
FYI, I also had to change letsencrypt.conf to this:
location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
}
1 Like
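The fix 9peppe describes, written out as one complete port-80 server block (an added example, not the poster's file): the redirect moves from the server level into `location /`, so the challenge location is matched first. It assumes the webroot path given to certbot with `--webroot-path` is the same directory as the `root` below (in the thread the command uses /var/www/certbot/ while the config uses /var/www/letsencrypt; with docker they must be the same volume), and it uses `$host` instead of `$server_name` so each name redirects to itself rather than to the first name listed.

```nginx
# Added example (not from the thread): http-01 challenge served over plain
# http, everything else redirected to https.
# Assumption: certbot runs with --webroot-path /var/www/letsencrypt (or the
# same volume mounted at that path inside the nginx container).
server {
    listen 80;
    listen [::]:80;
    server_name ambitx.io www.ambitx.io ws.ambitx.io rk.ambitx.io;
    server_tokens off;

    # Challenge files must be reachable without a redirect; this location
    # is matched before the catch-all below.
    location /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    # A "return 301" placed directly in the server block runs in the
    # server-level rewrite phase, before location matching, so it would also
    # redirect the challenge request (the original failure). Inside
    # "location /" it applies only to requests that matched nothing above.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading, a plain `curl -i http://ambitx.io/.well-known/acme-challenge/test` should answer with a 404 from this server rather than a 301, while `curl -i http://ambitx.io/` should return the 301.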
9peppe
March 16, 2022, 8:27pm
#8
The ^~ I'm not sure what it does.
The other two lines were probably superfluous but not harmful.
1 Like
system
closed
April 15, 2022, 8:28pm
#9
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.