Http challenge failing for cname

I hate to ask such a simple question. I have reviewed many of the posts here, but nothing is helping. So I apologize for a somewhat repetitive question.

My domain is: novasector.net

I ran this command:
certbot --nginx --cert-name novasector.net -d www.novasector.net -d novasector.net

It produced this output:
You are updating certificate novasector.net to include new domain(s):

You are also removing previously included domain(s):
(None)

Did you intend to make this change?


(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.novasector.net
Waiting for verification...
Challenge failed for domain www.novasector.net
http-01 challenge for www.novasector.net
Cleaning up challenges
Some challenges have failed.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Linux Mint 20.1 Cinnamon (ubuntu)

My hosting provider, if applicable, is: I am hosting on my own home server. novasector.net has a certificate. Just want to add www.novasector.net but I can't figure out why it is failing http challenge.

I can login to a root shell on my machine (yes or no, or I don't know): absolutely

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): nope.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

my nginx server config:

```nginx
server {
    listen 80;
    listen 443;
    listen [::]:443;

    root /home/detrix42/www/novasector/public;
    index index.html;

    error_log /home/detrix42/www/novasector.net/log/ngError.log error;
    access_log /home/detrix42/www/novasector.net/log/ngAccess.log;

    add_header 'Access-Control-Allow-Origin' '';

    server_name novasector.net www.novasector.net;

    client_max_body_size 10M;

    location ~* \.(png|jpg)$ {
        expires 365d;
    }

    location ~* ^/images/ {
        root /home/detrix42/www/novasector.net/public/assets;
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    location / {
        proxy_pass http://novasector;
        #proxy_pass http://localhost:3000;

        proxy_read_timeout 20;
        include proxy_params;
    }

    ssl_certificate /etc/letsencrypt/live/novasector.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novasector.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

upstream novasector {
    server unix:/home/detrix42/www/socks/novasector;
}
```

Right now if you go to novasector.net all you will see is a Vue start up splash screen. The basic "Welcome to Vue" start page.

output of certbot certificates:
Certificate Name: novasector.net
Domains: novasector.net
Expiry Date: 2023-03-09 01:23:31+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/novasector.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/novasector.net/privkey.pem

domain registrar is godaddy
output of 'dig www.novasector.net':
; <<>> DiG 9.16.1-Ubuntu <<>> www.novasector.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28811
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.novasector.net. IN A

;; ANSWER SECTION:
www.novasector.net. 3600 IN CNAME novasector.net.
novasector.net. 599 IN A 24.231.249.49

;; Query time: 23 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Dec 08 22:56:18 EST 2022
;; MSG SIZE rcvd: 77

Check these results

1 Like

Welcome to the community @detrix42

First, the formatting for your nginx server config could be better. Please update the post so you have 3 backticks before and after the entire nginx config.

I can read it anyway and that nginx config is not the whole picture. The posted config has both domain names in the same server block. But, requests to the two domains have different results.

And, the Let's Debug site (which Bruce linked to) gives different results for each.

Can you show the active nginx config by running:

sudo nginx -T >upload.txt

Then use the upload button on the forum post to upload the upload.txt file (it will be very long).

Example of different results

curl -Ik http://www.novasector.net/.well-known/acme-challenge/Test123
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)

curl -Ik http://novasector.net/.well-known/acme-challenge/Test123
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Location: https://novasector.net/.well-known/acme-challenge/Test123

Note: it's possible your proxy statement is not working right for the www subdomain and that is causing the different results.

Also, it is best to not combine port 80 and port 443 in the same server block. Much harder to configure properly

3 Likes
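As an added example (not from the thread and not the poster's own config): one way to follow the advice above, splitting the combined block into a port-80 server that answers http-01 challenges itself and redirects everything else, and a TLS-only server for the app. The webroot directory /var/www/letsencrypt is an assumption (pass it to certbot with `--webroot -w`); the certificate paths, hostnames and upstream are the ones shown in the original post.

```nginx
# Port 80: serve ACME http-01 tokens from a webroot, redirect the rest.
# Both hostnames are listed so www gets the same handling as the apex
# (the 404 seen for www above came from the name not being matched here).
server {
    listen 80;
    listen [::]:80;
    server_name novasector.net www.novasector.net;

    # certbot --webroot -w /var/www/letsencrypt writes tokens under this
    # directory (assumed path; any directory nginx can read will do).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS on the same hostname.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS only. No redirect lives here, so a request that arrives
# over HTTPS cannot bounce back to itself (the recursive-redirect symptom).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name novasector.net www.novasector.net;

    # Certificate must cover both names since the redirect preserves $host.
    ssl_certificate     /etc/letsencrypt/live/novasector.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/novasector.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 10M;

    location / {
        proxy_pass http://novasector;
        proxy_read_timeout 20;
        include proxy_params;
    }
}

upstream novasector {
    server unix:/home/detrix42/www/socks/novasector;
}
```

Run `sudo nginx -t` before reloading, then repeat the curl checks above for both hostnames: port 80 should answer the challenge path with a 404 from the webroot (not a redirect) until a token exists, and every other path with a single 301 to https.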

Thanks. That gives me something to think about. At a quick glance I cannot see where it is redirecting. I used to have a server clause that would redirect port 80 to 443, but removed it before posting this question. My app is just a Vue landing page. I don't think there are any redirects there. But thanks again. I will dig into it.

2 Likes

Thank you very much. Looking at the output of nginx -T is shedding some light on the redirects. Yeah, it's a bit ugly. Too embarrassed to post it here. Sheesh. Thanks again.

3 Likes

Well, after cleaning up my nginx server files (somewhat) I got Let's Debug to pass for both https://novasector.net and https://www.novasector.net. I may have a misunderstanding here. Since I have novasector.net certified, and www.novasector.net is just a CNAME, and the DNS automatically redirects www.novasector.net to novasector.net, I don't think I need to have www.novasector.net in the certification.

Well, I just tried http://www.novasector.net and I get a 404 Not Found. Ugh. Almost there. Thanks to those that responded rather quickly... @Bruce5051 and @MikeMcQ

2 Likes

A CNAME doesn't "redirect" you; it just replies that it's the same IP address as DNS name X. You do need a certificate for the www version (as the latest browsers try the https version by default when given a URL without a protocol prefix).

5 Likes

There is nothing embarrassing about making mistakes.
Embarrassing is not admitting to having made any :wink: [no one is perfect]
As long as you are willing to learn, we are willing to teach :slight_smile:

4 Likes

CNAMEs are on the DNS level. Browsers don't have any knowledge of that and will keep using the "first" hostname. So you do want to include all hostnames in the certificate.

4 Likes

Update: got up this morning and with a refreshed brain, ran the following command:

certbot certonly --standalone --cert-name novasector.net -d novasector.net -d www.novasector.net

had a conflict, binding to port 80 (nginx still running doh); shut down nginx, tried again and it worked. Woohoo!!!

If I still try going to http://www.novasector.net I still get a Not Found error.

Thanks for all the help.

1 Like

Looks like a certificate has been issued recently: crt.sh | 8160466099

Still seeing what @MikeMcQ previously found.

$ curl -Ik http://www.novasector.net/.well-known/acme-challenge/Test123
HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Dec 2022 14:50:07 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

$ curl -Ik http://novasector.net/.well-known/acme-challenge/Test123
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Dec 2022 14:50:16 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://novasector.net/.well-known/acme-challenge/Test123

$ curl -Ik https://novasector.net/.well-known/acme-challenge/Test123
HTTP/1.1 502 Bad Gateway
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 09 Dec 2022 14:50:28 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive

@detrix42, @MikeMcQ's requested information may still be the most useful to supply.

1 Like

That won't install the certificate.

2 Likes

Thanks for checking up on this. It is all working. I just did the test above:

curl -Ik http://www.novasector.net/.well-known/acme-challenge/Test12

and got the following response:

HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 10 Dec 2022 12:37:18 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://www.novasector.net/.well-known/acme-challenge/Test123

For the moment, this server is not active all the time. I had more content here, but revamping it. So my rails/vue app is not up all the time. Which would be why it failed earlier. I will leave it running for a few days for those that want to try it.

Again thanks for the great help. I am very impressed with the quick responses. You all did save me a lot of time finding out that I was getting recursive redirects.

P.S. now realizing that even though my rails/vue app was down, nginx would still have redirected with the 301 moved permanently. hmmm. So those who want to, please try again. should be working.

1 Like
