Getting a certificate for the first time

I don't know if there's some concept about certbot that I'm not understanding, but I'm trying to add a certificate for the first time, and certbot is trying to verify my domain through https (which isn't setup yet).

My domain is: ambitx.io

I ran this command: certbot certonly --webroot --webroot-path /var/www/certbot/ -d ambitx.io -d www.ambitx.io -d ws.ambitx.io -d rk.ambitx.io --preferred-challenges http

It produced this output:
...
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: ambitx.io
Type: connection
Detail: Fetching https://ambitx.io/.well-known/acme-challenge/rfSkxEtXFmgTzslfOr1H2mFEu2pY1qUwSkM5M1g55jg: Connection reset by peer
...

My web server is (include version): nginx/1.21.6

The operating system my web server runs on is (include version): Debian Bullseye

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.25.0

That only works if you have set your nginx to serve /var/www/certbot for all of those domains. I mean, it can work but it's probably not the easiest of ways.

Have you tried just using

certbot certonly --nginx -d ambitx.io -d www.ambitx.io -d ws.ambitx.io -d rk.ambitx.io

instead?

If you want to use --webroot you'll have to do something like this: Certbot renew fails even when the challenge HTTP request is working - #22 by 9peppe (or once for all domains, if you don't want to serve them on http: Auto authorisation fails but manual authorisation using --debug-challenges works - #2 by 9peppe)

1 Like

I'm using docker, so I think --webroot is required. Here's my nginx.conf file...

events {
    worker_connections 1024;
}

http {
    # Http redirect
    server {
        listen 80;
        listen [::]:80;

        server_name ambitx.io www.ambitx.io wc.ambitx.io rk.ambitx.io;
        server_tokens off;

        include letsencrypt.conf;

        return 301 https://$server_name$request_uri;
    }

And letsencrypt.conf...

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
    try_files $uri $uri/ =404;
}

But this only works on http (sinces it's on port 80). If I remove any of these configurations, the error message for the certbot command has a http url, but with everthing set above the url in the error message uses https, so I think certbot is trying http first and then https.

By the way, I can also confirm that I have to access my web server in general. If I just skip https and serve static pages over http, it works.

That server block should not redirect to https requests for .well-known/acme-challenge.

Something is not right.

It might be some other server answering, or it might non need ^~ (it probably doesn't).

2 Likes

I've tried it without the redirect and with a normal location block like this...

location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
}

But it didn't work. It still tried to connect using https.

It's this. Pitfalls and Common Mistakes | NGINX

You have to put the 301 redirect in a location / block.

2 Likes

It worked! Thanks for the help.

FYI, I also had to change letsencrypt.conf to this:

location /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
}
1 Like

The ^~ I'm not sure what it does.

The other two lines were probably superfluous but not harmful.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.