Hi, I'm unable to get a certificate (the problems started with a cert renewal; I tried literally everything, from adding a location in the nginx configuration to purging/reinstalling certbot and creating a new domain with a whole new configuration). Strangely, when I was debugging what's happening with certbot, I even managed to get a response on the challenge URL (with the correct string), but the ACME challenge was failing with a 403 response status.
My domain is:
filok.ml
I ran this command:
certbot certonly -v --dry-run --nginx -d filok.ml
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Simulating a certificate request for filok.ml
Performing the following challenges:
http-01 challenge for filok.ml
Waiting for verification...
Challenge failed for domain filok.ml
http-01 challenge for filok.ml
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: filok.ml
Type: unauthorized
Detail: Invalid response from filok.ml [195.20.53.96]: " \n \n filok.ml\n <meta http-equiv="refresh" content="1; URL=http://domain.dot.tk/p/?d=FILOK.ML&i"
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx/1.18.0
The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS
My hosting provider, if applicable, is:
my vps
I can login to a root shell on my machine (yes or no, or I don't know):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.16.0
snippet of the letsencrypt log:
2021-06-17 13:22:07,778:DEBUG:acme.client:Received response: HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 11:22:07 GMT
Content-Type: application/json
Content-Length: 1196
Connection: keep-alive
Boulder-Requester: 19938934
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002PrLuxjRn2g8L7B7qfMkuUBkRWj4LR9Fcb3IQ2cdpBO0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "filok.ml"
},
"status": "invalid",
"expires": "2021-06-24T11:22:04Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from filok.ml [195.20.53.96]: "\u003chtml\u003e \n \u003chead\u003e\n \u003ctitle\u003efilok.ml\u003c/title\u003e\n \u003cmeta http-equiv=\"refresh\" content=\"1; URL=http://domain.dot.tk/p/?d=FILOK.ML\u0026i"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/70248474/r3msbA",
"token": "HSIlg4B0wtA7850Vlssnanzzq3TAHc3Knbi5VtsFVrc",
"validationRecord": [
{
"url": "filok.ml",
"hostname": "filok.ml",
"port": "80",
"addressesResolved": [
"195.20.53.96"
],
"addressUsed": "195.20.53.96"
}
],
"validated": "2021-06-17T11:22:06Z"
}
]
}
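An added example, not part of the original post: one way to read an authorization object like the one logged above and report which address the CA connected to and whether an HTML page came back instead of the token. The function name, the trimmed sample, and `EXPECTED_IPS` (a documentation-range placeholder for the server's own public address) are assumptions.

```python
import json

# Sample trimmed from the authorization object in the log above; the error
# detail is abbreviated. Raw string so the JSON escapes reach json.loads intact.
SAMPLE_JSON = r'''{
  "identifier": {"type": "dns", "value": "filok.ml"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
      "detail": "Invalid response from filok.ml [195.20.53.96]: \"\u003chtml\u003e \u003cmeta http-equiv=\"refresh\" content=\"1; URL=http://domain.dot.tk/p/?d=FILOK.ML\u0026i\""},
    "validationRecord": [{"hostname": "filok.ml", "port": "80",
      "addressesResolved": ["195.20.53.96"], "addressUsed": "195.20.53.96"}]
  }]
}'''
SAMPLE = json.loads(SAMPLE_JSON)

# Assumption: placeholder (RFC 5737 documentation range) for the public
# address of the machine running nginx; substitute the real one.
EXPECTED_IPS = {"203.0.113.10"}

def failed_validations(authz, expected_ips):
    """Return one finding per invalid challenge in an ACME authorization."""
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        err = chall.get("error", {})
        used = [r.get("addressUsed") for r in chall.get("validationRecord", [])]
        findings.append({
            "domain": authz["identifier"]["value"],
            "challenge": chall["type"],
            # Last component of the ACME error URN, e.g. "unauthorized"
            "error": err.get("type", "").rsplit(":", 1)[-1],
            # error.status belongs to the ACME problem document itself
            "problem_status": err.get("status"),
            "addresses_used": used,
            # Addresses the CA connected to that are not this server
            "unexpected_address": [a for a in used if a not in expected_ips],
            # An HTML body means a web page answered, not the challenge token
            "html_body": "<html" in err.get("detail", "").lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in failed_validations(SAMPLE, EXPECTED_IPS):
        print(json.dumps(finding, indent=2))
```

A non-empty `unexpected_address` list points at DNS for the domain rather than at the nginx configuration on the server.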