Http-01 challenge failed

My domain is: secondarycities.geonode.state.gov

I ran this command: sudo certbot certonly -nginx

It produced this output:

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): secondarycities.geonode.state.gov
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for secondarycities.geonode.state.gov
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain secondarycities.geonode.state.gov
http-01 challenge for secondarycities.geonode.state.gov
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): NGINX 1.14

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.8.0

I was able to retrieve new certs for this site a few months ago, but I am not sure why I cannot now. I have updated Certbot to the latest version, but it is still not working. I can still access my site using http, and also https://letsdebug.net/ says my site is OK.

When I run this command: sudo nginx -T | grep -Ri 'server_name|root|virtual|listen' /etc/nginx

This is the output:
grep: /etc/nginx/sites-enabled/default: No such file or directory
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I don't know how to debug this, thanks in advance.

1 Like

Welcome to the Let's Encrypt Community, Tom :slightly_smiling_face:

Let me take a look... :thinking:

Looks like port 80 is closed. That's not going to work.

1 Like

Looks like you're good now!

1 Like

Thank you for taking a look Griffin. I might have been debugging at the same time you were. What I ended up doing to fix my problem was shutting down NGINX temporarily and then retrieving the certificates using the standalone command (https://certbot.eff.org/docs/using.html#standalone):
sudo certbot certonly --standalone

This was able to successfully retrieve my certificates for me, and then I copied them over to where my NGINX docker container looks for them. Then I started NGINX again and everything works fine!

I'm still not sure why I got the error using the nginx plug-in: sudo certbot certonly --nginx

I think when I have more time I can look at the certbot renew command with adding a pre-hook to stop NGINX and a post-hook to start NGINX, so I can renew the certs automatically in the future.

2 Likes

I think the problem may be a conflict in how the webserver is installed on Ubuntu.

The server response was "openresty/1.15.8", but you listed nginx as "1.14".

How did you install openresty? The first three numbers of openresty releases are pegged to nginx releases (i.e. openresty 1.15.8 is built on top of the nginx 1.15.8 release).

Not knowing anything about your setup, the likely causes:

  1. you have both OpenResty and Nginx installed
  2. your OpenResty install is not using the standard nginx configuration file structure

An option without downtime:

  • have nginx/resty proxy the ./well-known directories to a higher port -- like 8080
  • invoke certbot in standalone, and specify the higher http port
  • add a post-hook script to kill -HUP the nginx/resty service; that will cause it to reload with the new certs

2 Likes
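The no-downtime approach sketched in the list above (proxy the ACME path to a high port, run certbot standalone there, reload nginx afterwards) and the hook-based renewal mentioned in an earlier reply, written out as an added example that is not from anyone in this thread. DOMAIN, ACME_PORT and the snippet path are placeholders; `--http-01-port` and `--deploy-hook` are real certbot options, and `nginx -s reload` sends the same HUP the reply refers to.

```bash
#!/bin/sh
# Added example: HTTP-01 renewal behind nginx/OpenResty without stopping the web server.
# DOMAIN / ACME_PORT / NGINX_SNIPPET are placeholders, not values from the thread.
set -eu

DOMAIN="${DOMAIN:-example.com}"                 # placeholder, substitute the real host
ACME_PORT="${ACME_PORT:-8080}"                  # certbot --standalone listens here; nginx keeps :80
NGINX_SNIPPET="${NGINX_SNIPPET:-/etc/nginx/snippets/acme.conf}"  # assumed include path

# 1. Location block for nginx/OpenResty: forward only the ACME challenge path to certbot.
#    Everything else on port 80 is served as before, so there is no downtime.
acme_location_block() {
  printf 'location /.well-known/acme-challenge/ {\n'
  printf '    proxy_pass http://127.0.0.1:%s;\n' "$ACME_PORT"
  printf '    proxy_set_header Host $host;\n'
  printf '}\n'
}

# 2. Pull the Server header out of a response (e.g. from `curl -sI http://$DOMAIN/`) so a
#    mismatch like "openresty/1.15.8" vs. an nginx 1.14 package is visible before renewing.
server_banner() {
  tr -d '\r' | awk 'tolower($1)=="server:" {print tolower($2); exit}'
}

# 3. Live pre-check (network, not run by default): 000 means port 80 is closed/unreachable,
#    404 means the request reached certbot's listener (or the proxy target), i.e. the path is forwarded.
probe_acme_path() {
  curl -s -o /dev/null --max-time 5 -w '%{http_code}' \
    "http://$DOMAIN/.well-known/acme-challenge/probe-$(date +%s)" || echo 000
}

# 4. Standalone issuance on the high port; the deploy hook only runs after a successful
#    issuance/renewal and is remembered by certbot for later `certbot renew` runs.
certbot_cmd() {
  printf 'certbot certonly --standalone --http-01-port %s -d %s --deploy-hook "nginx -s reload"\n' \
    "$ACME_PORT" "$DOMAIN"
}

# `sh acme-proxy.sh show` prints the snippet to install and the command to run.
case "${1:-}" in
  show) printf '# write this to %s and include it in the :80 server block\n' "$NGINX_SNIPPET"
        acme_location_block
        printf '# then run:\n'; certbot_cmd ;;
esac
```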

All reasonable suggestions. :slightly_smiling_face:

@jvanasco

Thanks for the assist Jonathan. Your depth of analysis and creativity of solutions always astounds me.

@gertcert

You're in good hands with @jvanasco. His experience in this regard dwarfs my own.

1 Like

Thanks griffin and jvanasco. Yes, I have OpenResty installed. It was originally installed by someone else who set up the application, and it is installed in its own docker container. In the past there were problems renewing the certificates, and I did not know how to use OpenResty.

This was a while ago, and I forgot exactly what I did to circumvent the issue. I think I installed NGINX outside of docker in the Ubuntu OS so I could retrieve new certificates, and I manually copied them to the directory where the OpenResty/NGINX container looks for the certs.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.