Help: Type: unauthorized Detail: Invalid response from

hi, i am running multiple domains on the same server. all handled by nginx. some are php/wordpress, some are ruby on rails.

all domains getting the same problem. i am redirecting from http to https with this code:
server {
    listen 80; ## default_server;
    server_name campscouts.com www.campscouts.com;
    return 301 https://www.campscouts.com$request_uri;
    error_page 500 502 503 504 /50x.html;
}

My domain is: campscouts.com

I ran this command:
/usr/bin/certbot certonly --dry-run --webroot --webroot-path /somepathhere -d campscouts.com -d www.campscouts.com --expand --post-hook "service nginx start"

It produced this output:
Domain: www.campscouts.com
Type: unauthorized
Detail: Invalid response from
http://www.campscouts.com/.well-known/acme-challenge/Dp_K8HMeUT1cGEdxqhTmGKEX4JD3ysl-uEjvjqX3VMc:
"

404 Not Found

404 Not Found


"

–> file path permissions are all set to 777.

i have the location / root block under server config:
location ^~ /.well-known {
    allow all;
    root /var/www/html/wordpress/campscouts/;
}

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
debian7

My hosting provider, if applicable, is:
digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

any ideas why all domains fail for the same reasons??

thx

Hi,

This might be the problem.
You should have a root block in the config, why do you add another one under well-known?
(This is the issue! Seems you override your location of ./well-known to your root, which is /var/www/html/wordpress/campscouts/. You should remove root /var/www/html/wordpress/campscouts/; in this location block.
Refer to :
Pitfalls and Common Mistakes | NGINX)
This is what i have for well-known:

location ~ /.well-known {
        allow all;
}

P.S.

This might not be the problem, but i just want to show a (maybe better) config for redirecting from 80 to 443.

server {
        # Listen 80
        listen       80;
        # Listen 80, IPv6 (remove this if you don't have it)
        listen       [::]:80;
        # Your domain
        server_name   campscouts.com www.campscouts.com;
        # tell users to go to the SSL version this time
        if ($ssl_protocol = "") {
            rewrite     ^   https://$server_name$request_uri? permanent;
        }
}

Thank you

Hi @der_tom,

What is the real path of /somepathhere?

Also, --post-hook "service nginx start": you should not use it because you have not stopped nginx previously. I recommend using --renew-hook "service nginx reload"

Note: I don't know what certbot you are using, but the --renew-hook parameter has changed to --deploy-hook. I explicitly used --renew-hook because it will work on old and new versions.

Regarding your validation issue, could you please share the server block for domain campscouts.com on port 443?

Anyway, you can remove the return directive on your server block, validate your domain, get the cert and then create the right conf to serve your domain on port 443 and put back the return directive.

server {
    listen 80;
    server_name campscouts.com www.campscouts.com;
#   return 301 https://www.campscouts.com$request_uri;
    root /var/www/html/wordpress/campscouts;
}

Or you can redirect to https all urls but the ones serving the challenge.

server {
    listen 80;
    server_name campscouts.com www.campscouts.com;
    location / {
        return 301 https://www.campscouts.com$request_uri;
    }
    location ~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
        root /var/www/html/wordpress/campscouts;
    }
}

Note: If you change your nginx conf you should restart or reload it.

For both options, your certbot command will look like:

/usr/bin/certbot certonly --dry-run --webroot --webroot-path /var/www/html/wordpress/campscouts -d campscouts.com -d www.campscouts.com --expand --renew-hook "service nginx reload"

Cheers,
sahsanu


hi,

thank you.
/somepathhere refers to a path within a rails application. i am issuing
a few certificates (5 domains) with the command, but all are failing. that's
basically a 'shared' directory.

i did comment the return directive, but no luck…

im at a loss
thx

what --webroot should i pass on if i want to run certbot for 5 domains?

You want 1 certificate covering 5 domains or 5 different certs for every domain?

so i changed strategy to issue one certbot command per domain, but now i am
getting NET::ERR_CERT_COMMON_NAME_INVALID errors.

how can i start all over?

If you use /somepathhere in certbot command then your nginx root should point there, I think it will be easier if you use the second option I posted above:

server {
    listen 80;
    server_name campscouts.com www.campscouts.com;
    location / {
        return 301 https://www.campscouts.com$request_uri;
    }
    location ~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
        root /somepathhere;
    }
}

And use this certbot command:

/usr/bin/certbot certonly --dry-run --webroot --webroot-path /somepathhere -d campscouts.com -d www.campscouts.com --expand --renew-hook "service nginx reload"

Where are you getting those errors? Did you finally issue your certificate? Keep in mind that you need to add a server block for your domain listening on port 443 ssl, with the right SSL directives pointing to your certificate, etc.
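Added example, not code from the thread or from certbot/nginx: a small Python model of nginx location matching that resolves the challenge URI against the two configurations discussed above (the original ^~ /.well-known block rooted in the WordPress tree while certbot was given --webroot-path /somepathhere, and sahsanu's second option with root /somepathhere) and reports whether nginx would open the file certbot writes. It is a simplified model of nginx precedence (^~ prefix, then ~ regex, then longest prefix; root inherited from the server block), and the two config strings are constructed from the thread.

```python
# Added example (not from the thread): which nginx location serves the ACME challenge
# URI, which file it maps to, and whether certbot writes its token there (simplified).
import re

LOC_RE = re.compile(r'location\s+(?:(\^~|~\*|~)\s+)?(\S+)\s*\{([^}]*)\}')
ROOT_RE = re.compile(r'\broot\s+([^;\s]+)\s*;')

def parse_server(conf):
    """Return (server-level root or None, [(modifier, pattern, root), ...])."""
    m = ROOT_RE.search(LOC_RE.sub('', conf))  # server-level directives only
    locs = []
    for mod, pat, inner in LOC_RE.findall(conf):
        r = ROOT_RE.search(inner)
        locs.append((mod, pat, r.group(1) if r else None))
    return (m.group(1) if m else None), locs

def match_location(locs, uri):
    """'^~' prefix wins outright, else first matching '~' regex, else longest prefix."""
    prefix = None
    for loc in locs:
        if loc[0] in ('', '^~') and uri.startswith(loc[1]) and (
                prefix is None or len(loc[1]) > len(prefix[1])):
            prefix = loc
    if prefix and prefix[0] == '^~':
        return prefix
    for loc in locs:
        if loc[0] in ('~', '~*') and re.search(loc[1], uri, re.I if loc[0] == '~*' else 0):
            return loc
    return prefix

def challenge_file(conf, token, webroot):
    """(path nginx opens, path certbot writes, do they agree?) for one token."""
    uri = '/.well-known/acme-challenge/' + token
    server_root, locs = parse_server(conf)
    loc = match_location(locs, uri)
    root = (loc and loc[2]) or server_root or ''  # location root, else inherited
    nginx_path, certbot_path = root.rstrip('/') + uri, webroot.rstrip('/') + uri
    return nginx_path, certbot_path, nginx_path == certbot_path

# Constructed from the thread: the ^~ block rooted in the WordPress tree while
# certbot got --webroot-path /somepathhere, and sahsanu's option that agrees.
BROKEN = """server { listen 80;
  location ^~ /.well-known { allow all; root /var/www/html/wordpress/campscouts/; } }"""
FIXED = """server { listen 80;
  location / { return 301 https://www.campscouts.com$request_uri; }
  location ~ /.well-known/acme-challenge/ { allow all; root /somepathhere; } }"""

if __name__ == '__main__':
    for conf in (BROKEN, FIXED):
        print(challenge_file(conf, 'EXAMPLE-TOKEN', '/somepathhere'))
```

Running it shows the BROKEN block sending nginx to /var/www/html/wordpress/campscouts/.well-known/acme-challenge/… while certbot writes under /somepathhere, which is exactly the 404 in the first post; the FIXED block resolves both to the same file.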
