Http-01 challenge failure

Hi, I'm unable to get a certificate (problems started with cert renewal; I tried literally everything, from adding a location in the nginx configuration, to purging/reinstalling certbot and creating a new domain with a whole new configuration). Strangely, when I was debugging what's happening with certbot I even managed to get the response on the challenge URL (with the correct string), but the ACME challenge was failing with a 403 response status.

My domain is:
filok.ml

I ran this command:
certbot certonly -v --dry-run --nginx -d filok.ml

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Simulating a certificate request for filok.ml
Performing the following challenges:
http-01 challenge for filok.ml
Waiting for verification...
Challenge failed for domain filok.ml
http-01 challenge for filok.ml

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: filok.ml
Type: unauthorized
Detail: Invalid response from filok.ml [195.20.53.96]: " \n \n filok.ml\n <meta http-equiv="refresh" content="1; URL=http://domain.dot.tk/p/?d=FILOK.ML&i"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
my vps

I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.16.0

Snippet of the letsencrypt log:
2021-06-17 13:22:07,778:DEBUG:acme.client:Received response: HTTP 200
Server: nginx
Date: Thu, 17 Jun 2021 11:22:07 GMT
Content-Type: application/json
Content-Length: 1196
Connection: keep-alive
Boulder-Requester: 19938934
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002PrLuxjRn2g8L7B7qfMkuUBkRWj4LR9Fcb3IQ2cdpBO0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "filok.ml"
},
"status": "invalid",
"expires": "2021-06-24T11:22:04Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from filok.ml [195.20.53.96]: "\u003chtml\u003e \n \u003chead\u003e\n \u003ctitle\u003efilok.ml\u003c/title\u003e\n \u003cmeta http-equiv=\"refresh\" content=\"1; URL=http://domain.dot.tk/p/?d=FILOK.ML\u0026i"",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/70248474/r3msbA",
"token": "HSIlg4B0wtA7850Vlssnanzzq3TAHc3Knbi5VtsFVrc",
"validationRecord": [
{
"url": "filok.ml",
"hostname": "filok.ml",
"port": "80",
"addressesResolved": [
"195.20.53.96"
],
"addressUsed": "195.20.53.96"
}
],
"validated": "2021-06-17T11:22:06Z"
}
]
}

Your site filok.ml isn't operational: it's redirecting to the freenom site.


Is this the IP of your web server?:

Name:    filok.ml
Address:  195.20.53.96
inetnum:        195.20.48.0 - 195.20.55.255
netname:        OPENTLD
descr:          OpenTLD Web Network Freenom

Probably not :wink:


Yup, that's my IP. If there is a problem with the domain I can spin up another; tried that already with the same result:

Waiting for verification...
Challenge failed for domain filmof.ml
http-01 challenge for filmof.ml

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: filmof.ml
  Type:   unauthorized
  Detail: Invalid response from http://filmof.ml/.well-known/acme-challenge/hk-wQrzn-qLTj1PxG2LQaaolXEwtoSdM3mQYOpsNV7w [195.20.53.96]: "<html> \n  <head>\n    <title>filmof.ml</title>\n    <meta http-equiv=\"refresh\" content=\"1; URL=http://domain.dot.tk/p/?d=FILMOF.ML"

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

What do you see when you run this on your server:

curl icanhazip.com
curl -v icanhazip.com
*   Trying 104.18.6.156:80...
* TCP_NODELAY set
* Connected to icanhazip.com (104.18.6.156) port 80 (#0)
> GET / HTTP/1.1
> Host: icanhazip.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 18 Jun 2021 05:37:29 GMT
< Content-Type: text/plain
< Content-Length: 15
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET
< cf-request-id: 0abf38e45200004107a7afb000000001
< Set-Cookie: __cf_bm=2562fe03b1ddc35cf00af0e82fca5464e3b2171d-1623994649-1800-ASthkZviQkIhVxMj1BEc4yNmmtxLD4l/JyO1+uLw8HNYjGS+tEa/CZRmIfNbuKevF2JYn5P84rjW2L2UnYdux94=; path=/; expires=Fri, 18-Jun-21 06:07:29 GMT; domain=.icanhazip.com; HttpOnly; SameSite=None
< Server: cloudflare
< CF-RAY: 66122a808a1d4107-PRG
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
<
193.86.121.186
* Connection #0 to host icanhazip.com left intact

OK. So it would appear that this is your server's IP address.

To get a certificate, your domain needs to point to the server where you are running nginx.

Right now, your domain is pointing to an IP address which is Freenom's domain parking page, which wouldn't help you host your website or get a certificate.

You would want to change that to your server's IP address. You will also need to make sure ports 80 and 443 are open on your IP address and that they connect to your Linux server where you're running nginx.

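The diagnosis above can be automated from the authorization object certbot writes to its log: compare the CA's `validationRecord.addressUsed` with the IP the server really has, and look for a parking-page redirect in the error detail. This is an added example, not code from the thread or from certbot; the JSON and the two IP addresses are the values quoted in this thread, embedded here as constructed sample input.

```python
"""Explain a failed ACME http-01 challenge from the logged authorization JSON."""
import json
import re

# Constructed sample: the relevant fields of the authorization object from the log above.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "filok.ml"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized",
            "detail": 'Invalid response from filok.ml [195.20.53.96]: "<html> <head> '
                      '<title>filok.ml</title> <meta http-equiv="refresh" '
                      'content="1; URL=http://domain.dot.tk/p/?d=FILOK.ML&i"',
            "status": 403,
        },
        "validationRecord": [{
            "hostname": "filok.ml", "port": "80",
            "addressesResolved": ["195.20.53.96"], "addressUsed": "195.20.53.96",
        }],
    }],
})


def diagnose_http01(authz_json: str, server_ip: str) -> list:
    """Return human-readable findings for every invalid http-01 challenge in the object.

    server_ip is the public address of the machine running nginx (what
    `curl icanhazip.com` printed in the thread: 193.86.121.186)."""
    authz = json.loads(authz_json)
    findings = []
    for chal in authz.get("challenges", []):
        if chal.get("type") != "http-01" or chal.get("status") != "invalid":
            continue
        # The CA records which address it actually connected to; if that is not
        # this server, no nginx change can fix it: the DNS A record is wrong.
        for rec in chal.get("validationRecord", []):
            used = rec.get("addressUsed")
            if used != server_ip:
                findings.append(f"CA connected to {used} on port {rec.get('port')}, "
                                f"but this server is {server_ip}: fix the DNS A record")
        err = chal.get("error", {})
        # A registrar parking page answers with an HTML meta refresh, not the token.
        m = re.search(r'URL=(https?://[^\s"&]+)', err.get("detail", ""))
        if m:
            findings.append(f"validation target served a redirect to {m.group(1)} "
                            "instead of the challenge token")
        if err.get("type"):
            findings.append(f"CA error type: {err['type']}")
    return findings
```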

Maybe my ISP is doing some trickery on their network. Thanks for the direction, will try to investigate.

It was really it, who would have guessed: after 4 years the ISP changed my static IP without any notice. Strangely enough, the old one is still working, sort of.
