I don't know if there's some concept about certbot that I'm not understanding, but I'm trying to add a certificate for the first time, and certbot is trying to verify my domain through https (which isn't set up yet).
My domain is: ambitx.io
I ran this command: certbot certonly --webroot --webroot-path /var/www/certbot/ -d ambitx.io -d www.ambitx.io -d ws.ambitx.io -d rk.ambitx.io --preferred-challenges http
It produced this output:
...
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ambitx.io
Type: connection
Detail: Fetching https://ambitx.io/.well-known/acme-challenge/rfSkxEtXFmgTzslfOr1H2mFEu2pY1qUwSkM5M1g55jg: Connection reset by peer
...
My web server is (include version): nginx/1.21.6
The operating system my web server runs on is (include version): Debian Bullseye
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.25.0
9peppe
March 16, 2022, 4:56pm
2
That only works if you have set your nginx to serve /var/www/certbot for all of those domains. I mean, it can work but it's probably not the easiest of ways.
Have you tried just using
certbot certonly --nginx -d ambitx.io -d www.ambitx.io -d ws.ambitx.io -d rk.ambitx.io
instead?
If you want to use --webroot you'll have to do something like this: Certbot renew fails even when the challenge HTTP request is working - #22 by 9peppe (or once for all domains, if you don't want to serve them on http: Auto authorisation fails but manual authorisation using --debug-challenges works - #2 by 9peppe )
I'm using docker, so I think --webroot is required. Here's my nginx.conf file...
events {
    worker_connections 1024;
}
http {
    # Http redirect
    server {
        listen 80;
        listen [::]:80;
        server_name ambitx.io www.ambitx.io wc.ambitx.io rk.ambitx.io;
        server_tokens off;
        include letsencrypt.conf;
        return 301 https://$server_name$request_uri;
    }
    # (the https server blocks are not shown in the post)
}
And letsencrypt.conf...
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
    try_files $uri $uri/ =404;
}
But this only works on http (since it's on port 80). If I remove any of these configurations, the error message for the certbot command has an http url, but with everything set as above the url in the error message uses https, so I think certbot is trying http first and then https.
By the way, I can also confirm that I have access to my web server in general. If I just skip https and serve static pages over http, it works.
9peppe
March 16, 2022, 5:42pm
4
That server block should not redirect to https requests for .well-known/acme-challenge.
Something is not right.
It might be some other server answering, or it might not need ^~ (it probably doesn't).
I've tried it without the redirect and with a normal location block like this...
location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
}
But it didn't work. It still tried to connect using https.
9peppe
March 16, 2022, 6:03pm
6
It's this. Pitfalls and Common Mistakes | NGINX
You have to put the 301 redirect in a location / block.
It worked! Thanks for the help.
FYI, I also had to change letsencrypt.conf to this:
location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
}
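For reference, here is the broken layout from the thread next to the layout 9peppe's fix produces, as an added example rather than the poster's actual nginx.conf. A `return` placed directly in a `server` block is evaluated before any `location` is matched, so it redirects the challenge requests too; moving it into `location /` lets the more specific acme-challenge location win. The example assumes the thread's domains and the webroot /var/www/letsencrypt, and goes slightly beyond the post by using `$host` instead of `$server_name` in the redirect.

```nginx
# Added example, not the original poster's configuration.

# BROKEN (do not deploy): the server-level return runs before location
# matching, so /.well-known/acme-challenge/ requests are redirected to
# https as well, which is exactly what the certbot error showed.
# server {
#     listen 80;
#     server_name ambitx.io www.ambitx.io ws.ambitx.io rk.ambitx.io;
#     location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
#     return 301 https://$server_name$request_uri;   # wins for every request
# }

# FIXED: the redirect lives in "location /", so the challenge location is
# selected first and answered over plain http on port 80.
server {
    listen 80;
    listen [::]:80;
    server_name ambitx.io www.ambitx.io ws.ambitx.io rk.ambitx.io;
    server_tokens off;

    # Serve the challenge tokens as static files. The directory here must be
    # the same one passed to certbot as --webroot-path, otherwise the token
    # certbot writes is never found (the thread's command used
    # /var/www/certbot/ while the config used /var/www/letsencrypt).
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else goes to https. $host preserves the hostname the client
    # asked for; $server_name would always redirect to the first name listed.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, a request such as `curl -i http://ambitx.io/.well-known/acme-challenge/test` should return a 404 or the file, not a 301, before running certbot again.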
9peppe
March 16, 2022, 8:27pm
8
The ^~ I'm not sure what it does.
The other two lines were probably superfluous but not harmful.